The Union Jack Club
1. Who are we?
The Union Jack Club (‘we’, ‘us’, ‘our’) is a Service charity for serving and veteran enlisted members of HM Armed Forces and their families. We are committed to protecting and respecting your privacy. This policy, together with any other documents referred to in it, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
Our address is Sandell Street, London, SE1 8UJ.
Our website, www.ujc.org.uk, is owned and operated by The Union Jack Club.
2. Your personal data – what is it?
Under the UK General Data Protection Regulation (‘UK GDPR’), personal data is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’), by reference to an identifier such as a name, telephone number, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
3. Who is the data controller?
The Union Jack Club is the data controller. This means that we are responsible for your personal data once we collect it: we decide how your personal data is processed, for what purposes, and how long we store it.
4. Personal Data we collect:
• Date of Birth
• Email address
• Telephone number (mobile and/or landline)
• Bank details
• Military service and rank
• Booking and purchasing information e.g. accommodation and events
• Customer feedback
5. Lawful Processing
The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever personal data is to be processed:
The Union Jack Club processes your data on the basis of legitimate interest, in order to enable you to become or continue being a member of the Club, whether temporary or permanent.
6. How do we process your personal data?
The Union Jack Club complies with its obligations under the Data Protection Act (the Act) and the UK GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure, and by ensuring that appropriate technical measures are in place to protect personal data, as well as providing data protection training to our staff.
We use your personal data for the following purposes:
• Where we engage with service users for membership, accommodation, and dining, we may collect and process personal data in order to satisfy a membership obligation.
• Personal data from our service users, which covers both potential and prior users, is held securely in our internal systems in order to manage the membership, accommodation, and other facilities of the Union Jack Club. This information is entered into the system after contact is made between a staff member of The Union Jack Club and an individual.
• We collect personal data for employees as part of the administration, management, and promotion of our business activities. Our staff handbook explains further how personal data is held and processed for our employees.
• Where an individual is applying to work for The Union Jack Club, personal data is collected through the application process. Data collected for this purpose will be used for employment, to make informed management decisions and for administration purposes. Unsuccessful candidates’ information is destroyed within 6 months of an application, unless they have been advised that we will hold their information.
• We collect and process personal data about our suppliers, subcontractors, and individuals associated with them. The data is held to manage our relationship, to contract and receive services from them.
• We have a contact form on our website where we may collect your name, email address and telephone number. We also ask for your opt-in consent to keep you up to date with our news.
• When you make a phone call or send an e-mail to seek information about our services.
• When you register for events.
7. Sharing your personal data
We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality, and security standards.
Personal data held by us may be transferred to:
• Third party organisations that provide applications/functionality, data processing or IT services to us.
We use third parties to support us in providing our services and to help provide, run, and manage our internal IT systems. For example: providers of information technology, cloud-based software-as-a-service, identity management, website hosting and management, data analysis, data back-up, security, and storage services. The servers powering and facilitating that cloud infrastructure are in secure data centres around the world, and personal data may be stored in any one of them.
• Third party organisations that otherwise assist us in providing goods, services, or information.
• Auditors and other professional advisers.
• Law enforcement or regulatory agencies or those required by law or regulations.
Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, or to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
8. Third Party Websites
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers, and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
9. Protecting your personal data
The data that we collect from you will be processed at our servers in the UK.
To help protect the privacy of data and personally identifiable information you transmit through use of our website, we maintain physical, technical, and administrative safeguards. We update and test our security technology on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees’ privacy responsibilities.
10. How long do we keep your personal data?
We retain the personal data processed by us in a live environment for as long as is considered necessary for the purpose(s) for which it was collected (including as required by applicable law or regulation, typically six years). We may keep data for longer in order to establish, exercise, or defend our legal rights and the legal rights of our clients. In addition, personal data may be securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it.
11. Data Rights
Your data subject rights are listed below:
• the right of access.
• the right to rectification.
• the right to erasure or right to be forgotten.
• the right to restriction of processing.
• the right to be informed.
• the right to data portability.
• the right to object.
• the right not to be subject to a decision based solely on automated processing.
If you wish to exercise any of the above rights, please contact us at email@example.com or write to The Data Controller, The Union Jack Club, Sandell Street, London, SE1 8UJ.
12. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
For further information on your rights and how to complain to the ICO, please refer to the ICO website https://ico.org.uk/concerns.
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate)
1.1 This policy covers all activities of the UNION JACK CLUB, where personal data is controlled or processed as defined by the Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”).
1.2 Protecting personal data is vital not only to maintain the trust placed in UNION JACK CLUB by its members but also to demonstrate UNION JACK CLUB’s commitment to data protection. As such, adherence to this policy and its intent is a mandatory obligation for UNION JACK CLUB Trustees, staff, consultants, and contractors.
1.3 Should UNION JACK CLUB’s Trustees come to the view that data held by UNION JACK CLUB falls out of the scope of this policy, then written confirmation of such must be obtained from the Data Protection Officer (DPO) in advance of any potential divergence from full adherence to this policy. The Chief Executive Officer (CEO) will lead on such discussions.
2.1 Background: The UK GDPR supersedes the EU General Data Protection Regulation (“EU GDPR”) (EU Regulation 2016/679) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The purpose of the UK GDPR is to protect the “rights and freedoms” of natural persons (i.e., living individuals) by ensuring that data controllers are accountable for ensuring that personal data is processed according to the six data processing principles.
2.2 Material scope: The UK GDPR applies to the processing of personal data wholly or partly by automated means (e.g., by computer) and to the processing other than by automated means of personal data (e.g., paper records) which form part of a filing system or are intended to form part of a filing system.
2.3 Territorial scope: The UK GDPR applies to all data controllers established in the UK that process the personal data of data subjects, in the context of that establishment. It also applies to controllers outside of the UK who process personal data to offer goods and services or monitor the behaviour of data subjects who are resident in the UK.
2.5 Terminology: A comprehensive list of terms used in the UK GDPR is at Appendix 1.
3. Policy statement
3.1 UNION JACK CLUB is committed to compliance with all relevant EU and Member State laws in respect of personal data and to the protection of the “rights and freedoms” of individuals whose information has been collected and processed in accordance with the UK GDPR.
3.2 Compliance with the UK GDPR is described by this policy and other relevant policies, along with connected processes and procedures.
3.3 The UK GDPR and this policy apply to all personal data processing functions, including those performed on members’ personal data, and any other personal data which UNION JACK CLUB processes from any source.
3.4 The Financial Controller shall ensure that the Record of Processing Activities (“RoPA”) is reviewed annually in light of any changes to UNION JACK CLUB’s processing activities and for any additional requirements identified by means of any data protection impact assessments (“DPIA”).
3.5 This policy applies to all UNION JACK CLUB members wherever they work. Any breach of the UK GDPR will be dealt with under UNION JACK CLUB’s Disciplinary Policy.
3.6 Partners and any third parties working with or for any part of UNION JACK CLUB, and who have or may have access to personal data, will be expected to have read, understood and to comply with this policy. No third party may access personal data held by UNION JACK CLUB without having first entered into a non-disclosure agreement (NDA) which imposes on the third party obligations no less onerous than those to which UNION JACK CLUB is committed and which gives UNION JACK CLUB the right to audit compliance with the NDA.
4. Roles and responsibilities
4.1 UNION JACK CLUB is the data controller and/or data processor as defined in the UK GDPR.
4.2 The Trustees and all those in managerial or supervisory roles throughout UNION JACK CLUB are responsible for developing and encouraging good information handling practices within their respective areas of responsibility.
4.3 The responsibilities for managing this procedure are further set out in individual job descriptions, the Information Security Policy (“ISP”) and Individual User Agreements.
4.4 The DPO (Clear Comm) is accountable to the Trustees for the management of personal data within UNION JACK CLUB and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:
a. The development and implementation of the UK GDPR as required by this policy; and
b. In cooperation with the Financial Controller, the resolution of any issues raised by UNION JACK CLUB’s security and risk assessment process that may impact upon compliance to this policy.
4.5 The DPO, whom the Trustees consider to be suitably qualified and experienced, has been appointed to take responsibility for UNION JACK CLUB’s compliance with this policy on a day-to-day basis and, in particular, has direct responsibility for ensuring that UNION JACK CLUB complies with the UK GDPR, as do all members in respect of data processing that takes place within their area of responsibility.
4.6 The DPO has responsibilities in respect of procedures such as the Data Subject Access Request Procedure and is the first point of call for members seeking clarification on any aspect of data protection compliance.
4.7 Compliance with data protection legislation is the responsibility of all employees of UNION JACK CLUB who process personal data.
4.8 UNION JACK CLUB’s new joiner and induction process sets out specific training and awareness requirements in relation to specific roles and members generally.
4.9 UNION JACK CLUB employees are responsible for ensuring that any personal data about them and supplied by them to UNION JACK CLUB is accurate and up to date.
4.10 An online portal through Sage HR for each employee is used to store important information, which the employee has access to through their personal login and password.
5. Data protection principles
5.1 All processing of personal data must be conducted in accordance with the data protection principles as set out in Article 5 of the UK GDPR and as detailed below. UNION JACK CLUB policies and procedures are designed to ensure compliance with the principles. Individual policies and procedures define the responsibilities of members in respect to their accountabilities.
5.2 Principle 1: Personal data must be processed lawfully, fairly, and transparently.
5.2.1 Lawful: A lawful basis must be identified before personal data can be processed. These are often referred to as the “conditions for processing”, for example consent or legitimate interests.
5.2.2 Fairly: For processing to be fair, the data controller has to make certain information available to the data subjects as far as practicable. This applies whether the personal data was obtained directly from the data subjects or from other sources.
5.2.3 Transparency: The UK GDPR includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. Information must be communicated to the data subject in an intelligible form using clear and plain language. The specific information that must be provided to the data subject must, as a minimum, include:
a. the identity and the contact details of the controller and, if any, of the controller’s representative.
b. the contact details of the data controller.
c. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
d. the period for which the personal data will be stored.
e. the existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions (or lack of) relating to exercising these rights, such as whether the lawfulness of previous processing will be affected.
f. the categories of personal data concerned.
g. the recipients or categories of recipients of the personal data, where applicable.
h. where applicable, that the controller intends to transfer personal data to a recipient in a third country and the level of protection afforded to the data.
i. any further information necessary to guarantee fair processing.
5.3 Principle 2: Personal data can only be collected and processed for specific, explicit, and legitimate purposes.
5.3.1 Personal data collected must not be processed in a manner which is incompatible with the purpose for which it originally was collected.
5.4 Principle 3: Personal data must be adequate, relevant, and limited to what is necessary for processing.
5.4.1 The DPO is responsible for ensuring UNION JACK CLUB does not collect information which is not strictly necessary for the purpose for which it is obtained.
5.4.2 All data collection forms (electronic or paper-based), including data collection requirements in new information systems, must include a privacy notice or link to a privacy notice that is approved by the DPO.
5.4.3 On a regular basis, the DPO will review all data collection methods to ensure that collected data continues to be adequate, relevant, and not excessive.
5.5 Principle 4: Personal data must be reasonably accurate, kept up to date in the context of the purposes for which it was collected, and retained in accordance with the Record Retention & Disposal (“RR&D”) Policy and associated RR&D Schedule.
5.5.1 Data stored by UNION JACK CLUB must be reviewed and updated, as necessary. No data should be kept unless it is reasonable to assume that it is accurate.
5.5.2 The DPO is responsible for ensuring that all employees are trained appropriately in the importance of collecting accurate data and maintaining it.
5.5.3 Employees are responsible for ensuring that data held by UNION JACK CLUB is accurate and up to date.
5.5.4 Employees are required to notify UNION JACK CLUB of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of UNION JACK CLUB to ensure that any notification regarding change of circumstances is recorded and acted upon.
5.5.5 The DPO is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
5.5.6 On at least an annual basis, the DPO will review the retention dates of all the personal data processed by UNION JACK CLUB and will identify any data that is no longer required in the context of the registered purpose. This data will be securely deleted/destroyed in line with UNION JACK CLUB procedures.
5.5.7 The DPO is responsible for responding to requests for rectification from data subjects within one month. This can be extended to a further two months for complex requests.
5.5.8 If, for legitimate reasons, the request is denied, the DPO must respond to the data subject to explain the reasoning and inform the data subject of their right to complain to the UK’s Information Commissioner’s Office and to seek judicial remedy. This activity does not preclude normal data quality improvement actions that are managed under business as usual.
5.5.9 The DPO is responsible for making appropriate arrangements, where third-party organisations may have been passed inaccurate or out-of-date personal data, to inform them that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned, and for passing any correction to the personal data to the third party where this is required.
5.6 Principle 5: Personal data processed must be kept for no longer than is necessary for the purpose for which it is processed.
5.6.1 Where personal data is retained beyond the period defined within the RR&D Schedule, it will be minimised, encrypted or pseudonymised where possible to protect the identity of the data subject in the event of a data breach. Prior to this happening a lawful basis to do so must be established and approved by the DPO, see section 5.6.3.
5.6.2 Personal data will be retained in line with the RR&D Schedule and, once its retention date is passed, it must be securely destroyed as set out in this procedure.
5.6.3 The DPO must specifically approve any data retention that exceeds the retention periods defined in the RR&D Schedule and must ensure that the justification is identified clearly and in line with the requirements of the data protection legislation. This approval must be in writing.
5.7 Principle 6. Personal data must be processed in a manner that ensures appropriate security.
5.7.1 Where necessary, the DPO will ensure a risk assessment is completed taking into account the processing operations of UNION JACK CLUB.
5.7.2 In determining the appropriateness of the processing, the DPO should also consider the extent of possible damage or loss that might be caused to members if a security breach occurs, the effect of any security breach on UNION JACK CLUB and any likely reputational damage, including the possible loss of public trust.
5.7.3 UNION JACK CLUB’s compliance with this principle is contained in its Information Security Management System (“ISMS”), which has been developed in line with ISO/IEC 27001:2013 and the ISP.
5.8 Accountability. As a data controller, UNION JACK CLUB must be able to demonstrate compliance with the six data processing Principles detailed above. To this end, the DPO shall ensure that this policy is reviewed annually by the Trustees. This review shall determine the ongoing suitability of the policy, that the policy is deployed effectively throughout UNION JACK CLUB, and that adequate resources are available to ensure its ongoing effectiveness.
6. Data subjects’ rights
6.1 Data subjects have the following rights regarding data processing, and the data that is recorded about them:
• The right to be informed – Article 12.
• The right of access – Article 15.
• The right to rectification – Article 16.
• The right to erasure (right to be forgotten) – Article 17.
• The right to restrict processing – Article 18.
• The right to data portability – Article 20.
• The right to object – Article 21.
• Rights in relation to automated decision making and profiling – Article 22.
6.2 UNION JACK CLUB is mandated under Article 12 of the UK GDPR to facilitate the rights of data subjects, for instance by responding to subject access requests as described in the Data Subject Access Request Procedure.
7. Basis of processing
7.1 UNION JACK CLUB will determine the appropriate lawful basis of processing for all personal data obtained directly or indirectly from data subjects, including members.
7.2 Data subjects will be informed of the purpose for processing using a privacy notice published on the UNION JACK CLUB website or by similar means.
7.3 Where personal data is obtained from third parties, the data subject will be sent a notice in compliance with Article 14 of the UK GDPR.
7.4 Where a special category of personal data, as defined by Article 9 of the UK GDPR, is processed, this shall be for one of the ten exceptions defined in Article 9.
8. Security of data
8.1 All members are responsible for ensuring that any personal data which UNION JACK CLUB holds and for which it is responsible is kept secure and is not, under any conditions, disclosed to any third party unless that third party has been specifically authorised to receive the personal data and, where required, signed an NDA.
8.2 New Trustees, Heads of Department and employees, at all levels, as part of their induction process, are given guidance on where these documents can be found on the Shared drive. Their need to comply with this policy is to be recorded.
9. Disclosure of data
9.1 UNION JACK CLUB is under a lawful obligation to ensure that personal data is not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the police.
9.2 All members should exercise caution when asked to disclose personal data held on another individual to a third party and will be required to attend specific training that enables them to deal effectively with the risk associated with any such disclosure of personal data.
9.3 Notwithstanding the foregoing, it should be borne in mind that the disclosure of information is relevant to, and necessary for, the conduct of the business.
9.4 Requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the DPO.
10. Retention and disposal of data
10.1 The retention period for each category of personal data will be set out in the RR&D Policy along with the criteria used to determine this period including any statutory obligations to retain personal data. UNION JACK CLUB’s data retention and disposal procedures (Storage Removal Procedure) as defined in the RR&D Schedule will apply in all cases.
10.2 Personal data must be disposed of securely in accordance with the sixth data processing principle – processed in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects.
10.3 Data is to be disposed of in accordance with the secure disposal procedure.
11. Data transfers
11.1 All exports of data from within the European Economic Area (EEA) to non-European Economic Area countries (referred to in the UK GDPR as ‘third countries’) are unlawful unless there is an appropriate “level of protection for the fundamental rights of the data subjects”.
11.2 The transfer of personal data outside of the EEA is prohibited unless one or more of the specified safeguards, or exceptions apply:
• Adequacy decision
• Standard contract clauses (otherwise referred to as ‘Model contract clauses’)
• Binding corporate rules (“BCR”)
• International Agreements
• Derogation e.g., transfers made with the consent of the data subject.
11.3 In the absence of an adequacy decision, binding corporate rules and/or model contract clauses, a transfer of personal data to a third country or international organisation shall only take place on one of the following conditions:
• the data subject has consented explicitly to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
• the transfer is necessary for the performance of a contract between the data subject and the controller, or the implementation of pre-contractual measures taken at the data subject’s request.
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
• the transfer is necessary for important reasons of public interest.
• the transfer is necessary for the establishment, exercise, or defence of legal claims.
• the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
12. Disciplinary Action
12.1 All staff are to adhere to this policy and its intent. Failure to do so may result in disciplinary action being taken. Such action might include written or verbal warnings or instant dismissal in circumstances that amount to gross misconduct.
12.2 UNION JACK CLUB reserves the right to take appropriate disciplinary action against contractors and self-employed service providers who fail to comply with this policy. Such actions include, but are not limited to, the termination of any contract with UNION JACK CLUB.
12.3 Near misses/breaches may be reported to the Information Commissioner’s Office (ICO).