General Data Protection Regulation
Privacy Notice
1. Introduction
1.1. Tamar Valley Archers (TVA), as a data controller, and as a data processor, can process your personal / professional identity data (PPID) and electronic signatures. The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 requires that those organisations disclose to you (the identity owner) the following information as part of a Privacy Notice:
1.2. The name and contact details of the organisation.
1.3. The name and contact details of their representative (if applicable).
1.4. The contact details of their data protection officer (if applicable).
1.5. The right to lodge a complaint with the appropriate supervisory authority (Data Protection Commissioner Office).
1.6. The following Privacy notice provides transparency to you, a natural living person, about your fundamental right to the protection of your personal / professional identity data.
2. Privacy
2.1. Is your Personal Data (PPID) processed fairly and lawfully – how do you know? Articles 12 and 13 and Recitals 58 and 60 of the General Data Protection Regulation (GDPR) provides you (the data subject) with rights to be informed. It is a principle of GDPR (Article 5) that the collection and processing of your personal / professional data must be lawful, fair and transparent. This Privacy Notice outlines the reasons why processing is performed on your personal / professional identity data (PPID) which is a key transparency requirement under GDPR that serve you, the identity owner.
2.2. Sharing your Personal Data (PPID) – with whom? TVA does not obtain your identity data from any source other than you, the person it relates to, whom we refer to as the identity owner. TVA does not disclose, transfer or share your identity data (PPID) with any 3rd party or recipient except where required by a legal obligation to disclose.
2.3. What is the purpose and legal basis for processing your Identity Data (PPID)? The legitimate purposes for which TVA processes your identity data are specified explicitly as follows:
2.3.1. To record and process attestations you present that accurately corroborate your claim to genuine ownership of your identifying information and attributes. Identifying information presented must NOT be ‘inaccurate’ which means “incorrect or misleading as to any matter of fact” as defined in the UK Data Protection Act 2018. The lawful basis for this processing requires your prior consent. The validity period of your consent expires automatically when your electronic signature is no longer valid. In the event your electronic signature is terminated (e.g. revoked) before normal expiry, this will mean you have withdrawn your consent to process your PPID.
2.3.2. To establish a level of assurance (LoA) of genuine identity ownership that others can rely on, and enable binding with your unique electronic signature. The lawful basis for this processing requires your prior consent. The validity period of your consent expires automatically when your electronic signature is no longer valid. In the event your electronic signature is terminated (e.g. revoked) before normal expiry, this will mean you have withdrawn your consent to process your PPID.
2.3.3. To provide for you the choice to have your public key part of your electronic signature published (or not) to some public directory or your Personal Online Datastore (POD), as examples. The lawful basis for this processing requires your prior consent. The validity period of your consent expires automatically when your electronic signature is no longer valid. In the event your electronic signature is terminated (e.g. revoked) before normal expiry, this will mean you have withdrawn your consent to process your PPID.
2.3.4. You, the identity owner and TVA, as a data processor of your identity data (PPID), collaborate to protect the integrity of your personal and professional identifiable data by undertaking to guard against all criminal activity that includes identity fraud and impersonation, identity theft, plagiarism and synthesis. The lawful basis for this processing is the collective legitimate interest to protect your genuine identity information, and to place this under your sole-
2.4. What limitations exist on processing your Personal Data (PPID)? The collection and processing of your personal and professional identifiable data is limited to the legitimate purposes stated and no more. There is no further processing for any other purpose which is not clearly stated. If a new future purpose(s) for processing your personal / professional data emerges and is not compatible with the legitimate purposes stated above, this will require your specific consent for the new purpose(s) before processing can proceed.
2.5. What Personal Data is necessary – how much personal data is necessary? It is a principle of GDPR (Article 5(1)(c)) that Personal data shall be:
“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”.
TVA only collects and processes the minimum (limited) amount of personal / professional data that is necessary to achieve the specified purposes stated above. No more and no less personal / professional data than that needed for the stated purposes are recorded. In particular, it is only your personal / professional identifiers and attestations that are relevant to your electronic signature context that is corroborated and processed. Equally, your personal / professional identifiers and attestations must be sufficient (adequate) in number to fulfil the specified purpose to establish a level of assurance (LoA) about the genuine ownership of your personal / professional identity data.
2.6. How long is it necessary to store your identity data (PPID)? The storage limitation principle of GDPR (Article 5(1)(e)) permits identification of data subjects (you, the identity owner) for no longer than is necessary for the purposes for which the personal / professional identification data are processed.