Data Protection Policy
Thornbury Picture House
1. Data protection principles
The Society is committed to processing data in accordance with the principles
Article 5 of the GDPR requires that personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation
b. collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes; further
processing for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes shall not be considered
to be incompatible with the initial purposes;
c. adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed;
d. accurate and, where necessary, kept up to date; every reasonable step
must be taken to ensure that personal data that are inaccurate, having
regard to the purposes for which they are processed, are erased or rectified
e. kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the personal data
are processed; personal data may be stored for longer periods insofar
as the personal data will be processed solely for archiving purposes in
the public interest, scientific or historical research purposes or statistical
purposes subject to implementation of the appropriate technical and organisational
measures required by the GDPR in order to safeguard the rights and freedoms
of individuals; and processed in a manner that ensures appropriate security
of the personal data, including protection against unauthorised or unlawful
processing and against accidental loss, destruction or damage, using appropriate
technical or organisational measures.
2. General provisions
a. This policy applies to all personal data processed by the Society.
b. The Responsible Person shall take responsibility for the Societys
ongoing compliance with this policy.
c. This policy shall be reviewed at least annually.
d. The Society need not register with the Information Commissioners
Office because although it does process personal data it is it is a recreational
society and exempt from the need to register.
3. Lawful, fair and transparent processing
a. To ensure its processing of data is lawful, fair and transparent, the
Society shall maintain a Register of Systems.
b. The Register of Systems shall be reviewed at least annually.
c. Individuals have the right to access their personal data and any such
requests made to the Society shall be dealt with in a timely manner.
4. Lawful purposes
a. All data processed by the Society must be done on one of the following
lawful bases: consent, contract, legal obligation, vital interests, public
task or legitimate interests.
b. The Society shall note the appropriate lawful basis in the Register
c. Where consent is relied upon as a lawful basis for processing data,
evidence of opt-in consent shall be kept with the personal data.
d. Where communications are sent to individuals based on their consent,
the option for the individual to revoke their consent should be clearly
available and systems should be in place to ensure such revocation is
reflected accurately in the Societys systems.
5. Data minimisation
a. The Society shall ensure that personal data are adequate, relevant
and limited to what is necessary in relation to the purposes for which
they are processed.
a. The Society shall take reasonable steps to ensure personal data is
b. Where necessary for the lawful basis on which data is processed, steps
shall be put in place to ensure that personal data is kept up to date.
7. Archiving / removal
a. To ensure that personal data is kept for no longer than necessary,
the Society shall put in place an archiving policy for each area in which
personal data is processed and review this process annually
b. The archiving policy shall consider what data should/must be
retained, for how long, and why.
a. The Society shall ensure that personal data is stored securely using
appropriate software that is kept-up-to-date.
b. Access to personal data shall be limited to personnel who need access
and appropriate security should be in place to avoid unauthorised sharing
c. When personal data is deleted this should be done safely such that
the data is irrecoverable.
d. Appropriate back-up and disaster recovery solutions shall be in place.
In the event of a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data, the Society shall promptly assess the risk to peoples
rights and freedoms and if appropriate report this breach to the ICO.
1 GDPR sets out the responsibilities of organisations to ensure compliance
with the regulations by means of appropriate organisational and procedural
2 Organisations who only process personal data, among other things, for
domestic or recreational reasons are exempt. TPH as a recreational society
therefore does not have to register with the ICO, but intends to comply
with the GDPR as far as practicable.
3 This document sets out the manner and systems by which TPH will process,
store and use its member's personal information.
4 Data analysis shows that TPH maintains personal information in the form
of records of, the name, address, postcode, telephone and mobile numbers,
email address and TPH number, amount of subscription and subscription
date for each of its members.The personal information is processed to
inform members of upcoming events, of cancellation or changes to the film
programme, of special events and reminders for renewal of membership at
the start of each new season and to contact members who may have failed
to return a DVD or Blu ray to the TPH library.
5 Lawful basis to collect information by Consent
The personal information is collected either on paper application forms
which are self completed by the prospective member or on behalf of the
member by a colleague or spouse or other relative. The form has a tick
box to confirm that the applicant is content to opt in to
TPH to hold such records.
The lawful basis for processing such individuals person information will
be by consent
The application form contains information on what the Society intends
to do with the data and how it is stored. Members may be contacted by
phone, mobile, email or letter, depending on the urgency of the situation.
The personal information collected on paper membership application forms
will never be shared with any other organisation.
1. Lawful basis to collect information by Contract
Some members apply online through the TPH website and the Bank Transfer
system. The name and payment date and payment amount are recorded by the
bank and available to the TPH treasurer for identification of origin of
the payment. Such members may not explicitly indicate that they are content
for their personal information to be stored but nevertheless a payment
has been received. The lawful basis for processing such individuals person
information will be by contract.
Members may be contacted by phone, mobile, email or letter, depending
on the urgency of the situation.
The personal information collected by the bank will never be shared with
any other organisation.
TPH does not have access to any personal financial or credit card information
other than a payment has been accepted by the bank and credited to the
6 Register of systems
The TPH database
The personal information is stored on a laptop computer which is password
protected in an Open Office spreadsheet which is also password protected.
A backup copy of the spreadsheet is taken on a single memory stick after
each data input session has been completed.
Subsets of the data will be processed to provide relevant records (name,
email, phone number, address etc.) for the communication purpose intended,
when these communication messages have been delivered, the subset will
be deleted together with any interim lists which aided the construction
of the subset.
7 Retention of records
The personal data is held for a period of 2 years from the last annual
payment enabling former members to be contacted and given an opportunity
to enrol for the following season's film programme.
The paper enrolment forms are shredded within 4 weeks of receipt at TPH.
8 Right to erasure or rectification
Individuals who wish to be removed from the TPH register can make a request
by sending an Unsubscribe message from the website or email
email@example.com , or phone or text to 07911145337. Similarly
if members believe that data is incomplete or wrong then a request for
rectification may be submitted by email, phone or text. Such messages
are checked weekly and the action will be completed within 4 weeks.
9 Check of eligibility for admittance
No membership cards containing personal data are issued. At each screening
a alphabetical list of paid-up members is available at the door and members
are Ticked off on entry to the hall.
The completed list of ticked names is retained for statistical, research
purposes and licensing purposes and shredded at the end of each season.
Eligibility to borrow a Blu ray or DVD will be checked against the alphabetical
list and the return of the disc also noted down.
10 The data controller who determines the purpose and means of the processing
is the chairperson, currently Julie Craig.
11 The data processor who is trained to work on behalf of the controller
is the Membership Secretary, currently Terry Ray.
12 The data processor must maintain records of the personal data and
processing activities and ensure that the records are secure, accurate,
adequate, relevant, limited, and up-to-date.
13 Fees, TPH are exempt because:
A specific exemption applies to bodies or associations that are not established
or conducted for profit. However, the exemption applies only if the answer
to the following 3 questions is Yes:
1) Is TPH only processing data for the purposes of establishing or maintaining
membership or support for a body or association not established or conducted
for profit, or providing or administering activities for individuals who
are members of the body or association or have regular contact with it?
2) Does TPH hold information only about individuals whose data TPH needs
to process for this exempt purpose?
3) Is the personal data TPH processes restricted to personal information
that is necessary for this exempt purpose?
Because the answer is Yes to these 3 questions - a data protection fee
is not due.
14 Annual Review
then current policy and report of any updates or changes made to a meeting
of the TPH committee.