Privacy policy

General Data Protection Regulation (GDPR) and The First Class CW Operators’ Club (FOC)
Document created: 29 April 2018, revised April 2024.

The General Data Protection Regulation (GDPR) comes into force across Europe on 25th May 2018, and any organisation that keeps personal data must comply. This article explains FOC’s responsibilities, describes how we discharge them in a compliant manner and informs you of your rights under the new legislation.

What is GDPR?
GDPR expands existing Data Protection Regulations and widens their scope. It requires that personal data on members (“data subjects”) must be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

How does FOC comply?
Under the legislation, FOC becomes the Data Controller for the personal data it holds on current members, past members and prospective members. That personal data is held in a database within the WordPress CMS, hosted at QTH.com, and in other secure storage tools used by the Committee in the course of their duties for the Club.

We also rely on Stripe for payment of membership dues. Details of members’ payment information provided to Stripe are not shared with FOC. Stripe’s privacy policy may be found at: https://stripe.com/en-gr/privacy

Our policy for compliance with GDPR is as follows:

(i) FOC has a legitimate reason to hold your personal data: FOC holds personal data to allow it to service members in regard to subscriptions, FOCUS circulation, event organisation and general communications. We also archive ex-members’ personal data to allow us to re-engage with them at a future date.

(ii) FOC holds your personal data securely:
a. FOC’s record of members’ personal data is held securely on the WordPress CMS at QTH.com. QTH.com is a Web and Email Hosting provider, located outside the EU at the following address:

DigiSage, Inc. DBA QTH Hosting
P.O. Box 3636
La Crosse, WI 54602-3636
United States

QTH.com uses appropriate technical measures to keep FOC’s data secure. The QTH.com Acceptable Use Policy can be found at: https://hosting.qth.com/aup.php

b. The Committee Secretary maintains notes, records, accounts and meeting agendas/minutes on our ownCloud file server hosted at QTH.com, located in the U.S.A. at the following address:

DigiSage, Inc. DBA QTH Hosting
P.O. Box 3636
La Crosse, WI 54602-3636
United States

OwnCloud is protected by appropriate technical measures to keep the Committee Secretary’s data secure. The QTH.com Acceptable Use Policy can be found at: https://hosting.qth.com/aup.php

c. The contents of the Committee Secretary’s ownCloud file server are made available in read-only form to other members of the Committee to allow them to conduct the business of the Club. All Committee members are legally required to comply with the conditions of GDPR when handling personal data, including using appropriate technical measures to keep copies of that data secure.

iii) FOC uses your personal data responsibly: FOC uses the personal data it holds for the purposes of administering the Club. When new members join the Club, they will be required to provide their consent to having their personal data processed by the Club and included, if they wish, in the Yearbook. With the exception of providing the FOCUS mailing list to our printers, FOC does not otherwise disclose, share, sell or distribute personal data in its database. For example: if a Member orders merchandise, then as part of their order whatever necessary personal data is required (such as their name for an FOC badge) will be provided by the Member in their order, rather than relying on FOC acting as a Controller in such cases; Members may, under password control, download a list of current members, but that download contains only Salutation, Callsign and FOC Membership Number, which we consider to be pieces of information that are in the public domain in the context of amateur radio.

iv) FOC allows members to know what we keep and why: FOC keeps the following personal data for entries on the database (note that not all entries have all of the following fields completed):

• Full name and title, salutation (on air name),
• Primary callsign,
• Partner’s name,
• FOC membership number,
• Other callsign(s),
• Profession,
• Hobbies other than ham radio,
• Skills or areas of expertise or interest,
• Postal address,
• E-mail address,
• Personal web site,
• Telephone number(s),
• FOCUS mailing preference,
• Information related to subscription renewal dates (but not any bank or PayPal information),
• Date of last log-on to the system,
• Joining date,
• Renewal date,
• Donations made,
• Attendance at events,
• Yearbook privacy preferences,
• General administrator’s notes.

In addition, for each email sent from WordPress, we use a feature to help us know if the email has been delivered and opened.

Under GDPR, we will be retaining existing data as it is necessary for FOC and in members’ interests (forming a “legitimate interest” under recital 47 of the GDPR) but we’ll be reminding members to check that their personal data is accurate, and we’ll ask new members for their explicit consent.

v) FOC allows that those whose personal data we keep may request some or all of it to be updated or deleted: Only Administrators can delete data from the system. If any person would like personal data removed from their database record they should contact the Committee Secretary with a request.

Members may access and update their own primary data by using their secure log in password on the FOC web site. This is also how any inaccuracies or changes in your personal data can be updated at any time. Individual passwords are not visible to any other users (including Administrators). Administrators, who would normally be Committee members, can access all data on the system and help with any requests to edit or remove data if requested, to comply with the GDPR legislation.

With respect to a legitimate interest existing between FOC and its members:

a. The Club will continue to publish the members’ directory in the Yearbook and include all existing members. All new members will be asked to provide their consent to appear in the Yearbook. Any member may withdraw their consent to be included in the Yearbook at any time.

b. With respect to the personal data stored in the WordPress CMS website or held by the Membership Secretary, whilst it is the right of any person to have their personal data deleted, removal of personal data that would result in FOC being unable to service a membership or would create a significant ongoing load on any of our volunteers may result in that person’s membership being suspended. This will only happen after a proper level of discussion has taken place and no reasonable arrangement could be found, or when the request could reasonably be deemed to be vexatious.

vi) FOC does not retain personal data for longer than is necessary for the reasons it was held in the first place: The FOC Committee believes the following periods to be reasonable to allow it to function in a responsive manner:

a) Members: All data to be retained for the period of their membership.

b) Ex-Members: All personal data to be retained for seven years after cessation of membership, and a record of their callsign and FOC number will be retained indefinitely along with the dates of the period of their membership.

c) Non-Members: FOC will delete personal data relating to persons who are nominated, but fail to become members after 3 years. This is necessary to comply with items in the FOC constitution.

vii) FOC has a nominated Data Protection Officer: The Data Protection Officer for FOC will be the Committee Secretary, who may be contacted at the address listed on the Club web site, or in the inside cover of FOCUS. The Data Protection Officer will be responsible for informing the Information Commissioner’s Office within 72 hours if there is a suspected breach of security affecting personal data.