
GDPR

The General Data Protection Regulation (GDPR) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.


This means that any organisations involved with data processing of any sort must be aware of the regulation and how it impacts them. 


The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.


The premise of the GDPR is that information that is collected is valid information and required for a service to be fulfilled. Whether you are a data collector or a data processor you need to be aware of and understand what the information is for. Consider the following questions: 

1. Why is the personal data being held?
2. How was it obtained?
3. Why was it originally gathered?
4. How long is it being retained for?
5. How secure is it?
6. Is it shared with any third parties?

Like all sports and organisations, Cycling Ireland has measures and procedures in place in line with the new regulation, and has updated its PRIVACY POLICY.


Cycling Ireland has always been careful to work in conjunction with data protection guidelines, and continues to do so. Cycling Ireland members can be assured that their personal information is stored securely, and that all third-party contracts also adhere to the GDPR regulations.


See list of third party organisations HERE. 


Cycling Ireland does not pass on personal details to any other company for marketing purposes, and communicates with members and ex-members by newsletter regularly.


Recipients of the newsletter have been given the opportunity to re-consent - it is also possible to subscribe at any time HERE


For some really useful information about how the GDPR might affect you CHECK THIS WEBSITE.

If you have a data protection query, or have further queries you can contact the Cycling Ireland Data Protection Officers Heather Boyle and Patrick Withers at compliance@cyclingireland.ie

 
  • Who does GDPR apply to?

    Within Cycling Ireland, GDPR affects any individual, club, event organizer or commission official who uses people’s personal information.

    Below is an outline of some of the main changes in behavior that may have to take place in how personal information is collected, retained and used.

     

    GDPR applies to anyone considered to be a data controller, or someone who gathers and holds personal information on others. This could be club officials who look after gathering membership fees, or event organisers who are running races or sportives. It also is relevant for Commission officials or team managers who hold information on riders who communicate with them.

  • What is a Data Controller?

    The Data Controller determines the purposes for which and the manner in which any personal data are processed. 

  • What is a Data Processor?

    The Data Processor processes personal data on behalf of the Controller.

  • What does "Personal Data" mean?

    According to the Data Protection Act, “personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or likely to come into, the possession of the data controller. Examples of such data include name, address, phone number, email address, passport number, medical information, bank details and social media posts.

     

    Note that categorizing people’s personal data in such a way that reveals aspects of the person like their ethnicity, disability status or sexual orientation is subject to more stringent rules than the processing of other personal data.

     

    If this information is relevant to the sport, and to their participation in the sport, this data may be relevant. However, it is important to have a valid reason for gathering this information. Examples of where this information could be gathered are: paracycling events or medical information that may be required in case of emergency.

  • What is a Breach?

    For the time that you hold it, you need to make sure that personal data is held securely (e.g. using secure, non-shared passwords and encryption where necessary) and only moved between devices using secure means. Any printed copies of personal data should be stored securely and not left in public places. Where possible, use Cycling Ireland systems for collecting and using personal data.



    GDPR defines a ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. 'Personal data breaches' include:

     

    • breaches of confidentiality (someone gains access to information who shouldn't have access to it);
    • breaches of integrity (the information you hold is amended to make it incorrect or inaccurate); and
    • breaches of availability (the information can no longer be accessed; for example, in a Distributed Denial of Service (DDoS) attack).

    You will only have 72 hours from being aware of a breach to report it to the Data Commissioners. You must also keep a record of any personal data breaches. Personal data breaches can include:

    • access by an unauthorised third party;
    • deliberate or accidental action (or inaction) by a controller or processor;
    • sending personal data to an incorrect recipient;
    • computing devices containing personal data being lost or stolen;
    • alteration of personal data without permission; and
    • loss of availability of personal data.

     

    For example, if a club membership secretary holds the membership data unencrypted on their laptop and that laptop is stolen, that personal data has been subject to a data breach which is likely to need to be reported to the Data Commissioner. You need to make sure that personal data is held securely (e.g. using secure, non-shared passwords and encryption where necessary) and only moved between devices using secure means. Any printed copies of personal data should be stored securely and not left in public places.

     

    You also need to make sure that your volunteers can identify when a breach has happened and that they know what they should do and who they should talk to in such a situation.

  • What does Purpose Limitation mean?

    One of the principles of the DPA and the GDPR is that you can only process data for the purpose for which it is collected. This means that if you collect the name and contact details of an individual so that they can become a member of your club then, in general, you cannot use that data for something else. Specifically, if people have provided their personal information to you so that they can join, you are not then allowed to use that data to market products or services to them (unless you have their explicit consent to do so). 

  • What should club officials be aware of?

    Gathering personal information or data is integral to the correct running of clubs. The risk of mismanaging this data is low, but nonetheless it is crucial that the data is managed, collected and stored correctly and in accordance with the GDPR.

     

    In the case of Cycling Ireland clubs, Cycling Ireland is usually considered the Data Controller, with the personal data and information on our database required for the purpose of issuing Cycling Ireland membership. Clubs, in this case, are regarded as the data processor as they are gathering personal data for this purpose. In this case Cycling Ireland is responsible for compliance with data protection legislation and GDPR, and clubs are expected to process data securely.

     

    Club officials must ensure data is processed securely;

    • it is updated regularly and accurately;
    • it is limited to what the club needs;
    • it is used only for the purpose for which it is collected; and
    • it is used for marketing purposes only if the individual has given their consent to do so. This needs to be an opt-in consent rather than an opt-out consent.

     

    Should the club ask for any information other than that required by Cycling Ireland for membership, recorded consent from the individuals and the processing of their data must take place outside of the Cycling Ireland system, and the club becomes the data controller with primary responsibility for compliance with data protection legislation including GDPR.

     

    Should clubs fail to comply with data protection and are in serious breach, there will be increased fines. While Cycling Ireland is usually the data controller of personal data on its systems, both data controllers and data processors can be issued with fines under GDPR.

     

    RECOMMENDATION

    Club officials should not be using personal email addresses; instead, a “club” email address should be used. This increases the likelihood of transparency and maintains continuity. It also keeps the data stored in one place that is only controlled by the club official or data controller.

  • Information for Cycling Ireland Club Members

    New Members


    If you are a new Cycling Ireland member you log into the Cycling Ireland Azolve Membership system HERE and create your own profile, selecting the club you wish to join. The club official will get a notification and approve your request to join. Your information will now appear in the Cycling Ireland club official’s profile on the membership system. This personal information can only be used for the purpose of valid activities relating to the club and not for external marketing reasons. Your information will be held for 7 years in line with the statutory limitations in Cycling Ireland. Even if your membership has lapsed you can log into your profile at any stage and either request to be transferred out of the club or to renew your licence.

    Transferring to another club


    Cycling Ireland members can request to transfer to another club. Once their request for transfer is approved by both the club they are leaving and the club to which they are moving, their personal data and profile will be removed from the previous club and appear in the profile of the club official or data processor in the club to which they are moving. 

  • Cycling Ireland Members Unaffiliated to a Club

    If you are not a member of a Cycling Ireland club, the only people who have access to your membership data are the staff of Cycling Ireland.

     

    If you wish to transfer to a club, then the official of the club into which you are transferring will have access to your data. 

  • Does the GDPR refer to digital data or paper records?

    All personal data, regardless of whether it is collected manually or digitally, must be managed in accordance with GDPR. This means that the same levels of caution must be used at all times when collecting, retaining and using personal data. A data breach would occur if any personal data were to be passed to someone who has not been permitted to have that data, whether it is in paper form or online.


    Cycling Ireland membership has moved almost exclusively to an online membership, with manual forms no longer accepted. Transportation of personal data in any format, including paper, is seen as a risk, and to this end processing membership online is the safest and most secure way to do that.


    Event organisers are increasingly moving towards online registration, where there is less risk involved in terms of transporting personal data and processing information.

  • Newsletters and Email Communications

    Cycling Ireland uses the membership portal to access email addresses of Cycling Ireland members for newsletters relating to Cycling Ireland activities. When members are joining Cycling Ireland or renewing their membership they will have the choice to “opt in” to receiving these emails. They will also be sent a once-off email asking them if they want to continue receiving these newsletters.

    Club officials have the function to download personal details of club members to use for communication purposes. They must ensure that emails or newsletters that they send do not include any personal details of any club members, unless they have consent to do so. They also should only be communicating information relevant to their particular club or club’s activities.

  • In Case of Emergency Information

    Cycling Ireland members store their “In Case of Emergency” (ICE) contact information in their profile on the Cycling Ireland portal. This information can be accessed only by Cycling Ireland designated officials, or by the designated club officials in their club.

     

    Because of the limitations in accessing this information should an incident occur in an event, it is considered good practice for event organisers to capture valid information on riders such as emergency contact details and relevant health and medical information, such as allergies or current medication.

     

    This information should be stored securely and destroyed once it is no longer needed. When riders are signing up for events this information should be disclosed, with details of how long the information will be stored.

     

  • Who can use personal data at events?

    Note that personal data and information on riders will be captured by event organisers and commissaires, in the case of competitive events. Both event organisers and commissaires should store information in a secure place at all times, using password protected files and computers.

    Following events, Commissaires submit their report to Cycling Ireland, where it will be retained for a period of time in conjunction with statutory limitation.

    There are occasions where paper copies of downloaded personal information may be passed to coaches or volunteers working at an event. This is acceptable if it is necessary for their particular role, and there is valid reason for this information to be passed. After the event, all paper copies of information should be either stored securely or destroyed (shredded) after use. Information should NEVER be shared with third parties for any reason, and NEVER be used for marketing purposes, unless the explicit consent of the club member to do so has been captured and recorded.

     

    Cycling Ireland are encouraging all event organisers to move the registration for their event online to minimize the risk of data breach. Competitive events can be run through the Cycling Ireland membership database – Azolve, and Leisure events run through Event Master.

  • Responding to Subject Access Requests (SARs)

    Any Cycling Ireland member can ask for a copy of the personal data that you hold on them. The individual must make the request in writing and give any details that may be required to access the information on them. Under GDPR the SARs must be responded to within one calendar month. Note that having received the access request you cannot change or delete the personal data which you hold. You must provide the information in a clear format and only give this personal information to the individual concerned, or person acting on their behalf and with their authority. If this information is not kept on a computer or relevant filing system, they must be told within one month.

  • Children and Safeguarding

    The GDPR includes additional, specific protections for children's personal data. If you collect children's personal data, then you need to make sure that your privacy policy is written in words that they can understand and you may need to obtain consent from the child's parent or guardian.


    All members who work with children must complete Garda eVetting forms. These forms are held securely in Cycling Ireland for the appropriate number of years in accordance with statutory regulation. All files will be destroyed (shredded) following this time.


    Note that the digital age of consent for children is 13 years of age.