We take the privacy of your personal information very seriously and take reasonable care to comply with the requirements of the General Data Protection Regulations (GDPR) which came into force on May 25, 2018 relating to the personal information you supply to be a member of Cardiff Reform Synagogue (CRS) and on the website. For the purpose of GDPR, the data controller is Cardiff Reform Congregation, whose office is at the address above.
2) Your Personal Data
The types of information we collect for your membership are described below. By becoming a member of CRS you consent to the collection and use of any personal information in the manner described. When subscriptions are renewed, re-consent will be sought to ensure compliance with GDPR. The information we gather (‘Information’) may include your name, address, email address, and any other personal information you submit to CRS. This includes information about children under the age of 16 which we need to hold to deliver our objectives, e.g. the advancement of Judaism through educational activities. As CRS is a constituent member of the Movement for Reform Judaism, we may wish to share your data with them so that you can be informed of national events and news. We shall only share your data with them if you have opted-in to this service. As part of your membership you are invited to opt-in to our mailing lists so that we can send you newsletters and announcements. We may from time to time offer you the opportunity to sign up to a mailing list and/or additional newsletter, to participate in a survey or a competition and to receive information by email about third parties’ products and services or any other products and services which we provide. We may also contact you in relation to fund-raising. You may change your options to receive these communications at any time by notifying us at firstname.lastname@example.org. We use the Information we collect from you to keep you informed about events and activities, which we believe will be of interest to you. As an integral part of your membership we use the Information to draw up and circulate lists of names towards fulfilment of our objectives as we practice and develop Judaism, e.g. lists of yahrzeits and lists to promote the safety and security of members. As a communal organisation we have members and friends who volunteer their services to organise activities and functions. They may have access to your personal data so that they can contact you and facilitate your involvement. We endeavour to ensure that any person who has such access to your data is committed to limiting the use of your data to CRS activities and functions. We do not permit the use of your data for any purpose outside the remit of CRS. We will not sell, distribute or disclose your Information without your consent, unless required or permitted to do so by law. In some circumstances the law may require us to disclose sensitive personal information.
3) Updating your Information and Retention
If any of your information is inaccurate or if it changes, please notify us by email. We will retain personal information for the legally required period, e.g. 7 years for Charity Commission requirements and HM Revenue and Customs (HMRC) and otherwise only whilst it serves to support your membership of CRS. On termination of membership or a member’s death, the information will normally be retained for five years for demographic and statistical purposes.
4) Access to Personal Data
You have the right to obtain confirmation that we process your data and access to your personal data and to information corresponding to that in this privacy notice. The information will be provided free of charge except where excessive, repeated or duplicate requests are made. In such a case a fee to cover the costs of administration will be made. The information will generally be provided electronically within one month of the request. Should an extension of up to two months be required we will inform you of the reason.
5) Links to Third Parties’ Sites
7) Internet and Data Storage
The CRS website uses a security system that protects your Information from unauthorised use. However, as no data transmissions over the Internet can be guaranteed to be 100% secure, we cannot take responsibility for any unauthorised access or loss of personal information that is beyond our control, e.g. whilst in transit. Any data you send is at your own risk. We have procedures and security features in place to keep your data secure once we receive it. Your data is held in the UK only and only shared with the third parties mentioned in sections 2 and 3 above. Please remember that other methods of Internet communication, such as emails and messages sent via a website, are not secure, unless they are encrypted. We take no responsibility for any unauthorised access or loss of personal information that is beyond our control.
8) Complaints about a data breach
When we receive a complaint from a person we shall make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. The complaint will be allocated to Council of CRS to investigate. We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may have to disclose the complainant’s identity to a person or persons who might have been responsible for the alleged breach. This may be necessary when, for example, the accuracy of a person’s record is in dispute. If a complainant does not want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis. We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
9) Data Breach
In the event of a personal data breach that is likely to result in a risk to people’s rights and freedoms, CRS will adhere to the mandatory regulation to report it to the Information Commissioner’s Office (ICO) within 72 hours. High-risk situations would be where there is the potential of people suffering significant detrimental effect such as discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage. We shall notify the relevant supervisory authority about a loss of personal details where the breach leaves individuals open to identity theft.