Data Protection Policy
Wellingore Memorial Hall is committed to protecting the rights and freedoms of individuals whose
personal data we collect, use, and store. This policy outlines how we comply with our data
protection obligations under the UK General Data Protection Regulation (UK GDPR) and the Data
Protection Act 2018.
This policy applies to: Trustees and Committee members, Volunteers, Staff (if any), Contractors and
third parties handling data on our behalf.
Data We Collect
We may collect and process the following personal data: Names, addresses, phone numbers, and
emails of hirers, customers booking tickets, committee members, volunteers, suppliers, persons
involved in incidents or accidents
We do not collect or store sensitive personal data (special category data) unless absolutely
necessary.
Lawful Basis for Processing
We only process personal data where we have a lawful basis, including: Contractual necessity
(e.g. processing booking forms), Legal obligation (e.g. accident records), Consent (e.g. mailing list
subscriptions), Legitimate interest (e.g. managing the hall effectively and securely)
Data Storage and Retention
Personal data is stored securely, either in locked physical files or in password-protected digital
systems.
We retain data only as long as necessary: Booking records: 6 years (for accounting/legal reasons),
Mailing lists: until consent is withdrawn, CCTV footage: typically 30 days, unless needed for an
investigation
​
Data Sharing
We do not sell or share personal data with third parties for marketing purposes. We may share
data with: HMRC (for financial compliance), Insurers (in case of incidents), IT and support service
providers (under contract). All third parties must comply with data protection law.
​
Data Subject Rights
Individuals have the right to: Access their personal data,request correction or deletion, object to
processing, request data portability (where applicable), withdraw consent (where consent is the
legal basis). Requests should be made in writing by email to wellingorememhall@gmail.com
We will respond within one month.
​
Data Security
We take appropriate measures to: Prevent unauthorised access or data loss, regularly review data
handling processes, provide training to committee members and volunteers, use secure passwords
and antivirus protection.
​
Breaches
Any data breaches must be reported immediately to the Chair or Secretary. Where required, we will
notify the Information Commissioner’s Office (ICO) and affected individuals within 72 hours.
​
Responsibilities
The Memorial Hall Committee is the data controller and is responsible for ensuring compliance. A
designated committee member may act as the Data Protection Lead.
​
Policy Review
This policy will be reviewed in response to significant changes in data protection law or Memorial Hall operations.
​
Approved by the Memorial Hall Committee: July 2025