Data Protection Policy

Data protection policy – updated November 2019

Our Data protection policy implements the basic principles that we adhere to:

Lawfulness, fairness and transparency: Data processing must have a transparent legal basis and comply with data protection rules.

Purpose limitation: When collecting data, the purpose for which the data are collected must be clear and specific.

Data minimization: Processing data, including storage, must be limited to what is relevant to fulfill the purpose.

Accuracy: Data must be kept up to date, related to the purpose.

Storage limitation: When the data are no longer needed for the purpose, they must be anonymized or deleted.

Integrity and confidentiality: Data must be protected against unauthorised processing, loss or damage.

These principles are put into practice by our data controller, who is responsible for the collection of the data and implementing the data protection principles. The controller determines the legal basis and purpose of the data processing.

Data processors are responsible for deciding how personal data is stored, the security measures to be used, the IT systems and processing operations necessary to collect and manage personal data. The data controller ensures that, in collaboration with data processors, we:

1. Keep a record of processing activities (also applies to the data processor).

2. Are able to comply with the rules of the data subjects’ rights, such as the right of access.

3. Report breaches to the Data Inspectorate (Datatilsynet) within 72 hours.

4. Have data processor agreements in place with the data processors that process personal data on our behalf.

5. Can prove to the Data Protection Authority that we have ensured data protection with appropriate technical and organisational measures.

Purpose of data collection – what do we use your personal data for?

Sailing First collects personal data to:

1. Process bookings and payments, deliver sailing courses, manage membership, examinations and registration of certificates. (Contract)

2. Obtain feedback from course participants, members and instructors in order to respond to customers' needs, manage expectations and improve the way we work. (Legitimate interest)

3. Inform about future courses, events and sail training opportunities. (Consent)

4. Organise instructors for courses, check their experience and ensure they are managed and qualified. (Contract)

5. Secure facilities for courses and events. (Contract)

Data minimisation:

The information obtained during the course booking process, including questions as to your health and ability, will be used by us to process your booking for the course and for attending to your safety whilst you are on a course. If you undertake an exam as part of a course, information will be provided to the accrediting bodies (RYA and/or the Danish Sailing Union). They may, for some courses, further register your certificate with the Maritime Agency. In Denmark, your CPR number will be used for this.

On successful completion of RYA certificate courses registered on-line, your name, contact details, date of birth, certificate number and date of issue will be shared with the RYA through a secure web portal on www.rya.org.uk. The data will be stored on the RYA’s central database. This information allows the RYA to record your qualification, to update any records they may hold for you, and to verify or replace your certificate if required.

The RYA may contact students when this is necessary for quality assurance of RYA training, for example in the investigation of a complaint or incident. In these instances the information is used solely for that purpose. For further information on how the RYA will deal with your data, please see below.

On successful completion of an RYA certificate which is not required to be registered online, your name, certificate number and date of issue will be stored for 13 months from the date of the course.

If we book a course to be delivered in association with another RYA Recognised Training Centre, some personal information will be exchanged with them to enable them to deliver the contracted course.

At the end of courses we will request feedback from course participants, which we will use to evaluate our performance and improve the way we work.

If you express interest in receiving information about courses and sailing opportunities, and give consent, we will keep your email and name in a database until you ask to unsubscribe or we no longer provide this service.

Data processing activities: How do we manage your data?

Personal data arrives from our website (hosted by one.com – hosted in the EU), by email, through phone calls and in person. Collected data is managed in Podio (platform provided by Citrix, and hosted by Amazon Web Services in Ireland). We manage bookings and personal information in Podio, which is also used to store information about instructors, contracts and consent. Email clients (provided by Apple) are used for exchanging information with you as well as communicating with partners and suppliers. Sometimes data is processed manually through forms on suppliers' websites. Jyske bank and Mobile Pay provide payment services.

If we run courses for members of local sailing clubs, we may also exchange information with local sailing clubs, namely KDY, Skovshoved Sailing Club and Hellerup Sailing Club.

We operate with key partners and suppliers as set out below. In some instances these partners are data processors for us and in some instances they are data controllers (for example, the RYA and Maritime Agencies set some requirements on personal data collection).

Storage limitation – How long will we keep personal data after you participate in a course?

Some data, such as medical data and emergency contacts, we will only keep for the duration of the course.

Some data we are obliged to keep for longer (for example, VHF licence exams – 5 years).

Otherwise we will keep personal data until certificates are registered or for 13 months (whichever is the longer). If you book a further course with us within the 13 months, we will aim to connect your customer personal data records together for efficiency.

Anonymised statistical data on course participation, payment transactions as well as information provided through feedback will be kept for longer.

Overview of suppliers, data policies and processing agreements.

NB: The RYA is headquartered in the UK, which may soon become a third country from the EU perspective. If you wish us to no longer share data with the RYA or other UK-based organisations when this happens, please let us know by email.

References:

RYA data protection guidelines

Datatilsynet: Vejledning Samtykke. September 2019

Justitsministeriet: Ofte Stillede spørgsmål Frivillige Foreningers behandling af personoplysninger. December 2018