
Baglan Bay Photographic Society
GDPR Policy

Introduction

Purpose

The Baglan Bay Photographic Society (BBPS) is committed to being transparent about how it collects and uses the personal data of its members, and to meeting its data protection obligations. This policy sets out the BBPS's commitment to data protection, and members' rights and obligations in relation to personal data. The wording in this policy reflects the requirements of the General Data Protection Regulation (GDPR), effective in the UK from 25 May 2018.

The BBPS has appointed a named committee member to be Data Protection Officer (DPO), who will be the person with responsibility for data protection compliance within the BBPS. He/she can be contacted at [email protected] with questions about this policy or requests for further information.

Definitions

"Personal data" is any information that relates to a living member who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

"Special categories of personal data" means information about a member's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

"Criminal records data" means information about a member's criminal convictions and offences, and information relating to criminal allegations and proceedings.

"Data controller" means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

"Data processor", in relation to personal data, means any person who processes the data on behalf of the data controller.

"Processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including

  • a) organisation, adaptation or alteration of the information or data
  • b) retrieval, consultation or use of the information or data
  • c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
  • d) alignment, combination, blocking, erasure or destruction of the information or data.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data protection principles enshrined by the BBPS

The BBPS will process personal data in accordance with the following data protection principles:

  • The BBPS processes personal data lawfully, fairly and in a transparent manner.
  • The BBPS collects personal data only for specified, explicit and legitimate purposes.
  • The BBPS processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • The BBPS keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • The BBPS keeps personal data only for the period necessary for processing.
  • The BBPS adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

The BBPS will inform members of the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices: it will not process personal data of members for other reasons.

The BBPS relies on its "legitimate interests" as the basis for processing data (a copy of the assessment of legitimate interests is kept by the DPO, and is available to members on request).

The BBPS will update personal data promptly if a member advises that his/her information has changed or is inaccurate.

The BBPS will not process special categories of personal data or criminal records data.

The BBPS will not engage third parties to process personal data on its behalf. Personal data of members may be stored on commercial external cloud-based systems where access is password-restricted.

Members' rights

As a data subject, members have a number of rights in relation to their personal data.

Subject access requests

Members have the right to make a subject access request. If a member makes a subject access request, the BBPS will tell him/her:

  • whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the member;
  • to whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
  • for how long his/her personal data is stored (or how that period is decided);
  • his/her rights to rectification or erasure of data, or to restrict or object to processing;
  • his/her right to complain to the Information Commissioner if he/she thinks the BBPS has failed to comply with his/her data protection rights.

The BBPS will also provide the member with a copy of the personal data undergoing processing. This will normally be in electronic form if the member has made a request electronically unless he/she agrees otherwise. A fee will be charged should the member require additional paper copies. The BBPS is not obliged to respond to repeat requests for the same information, where the BBPS has previously responded. To make a "subject access request", the member should send the request (see Appendix) to [email protected]. In some cases, the BBPS may need to ask for proof of identification before the request can be processed. The BBPS will inform the member if it needs to verify his/her identity and the documents it requires. The BBPS will normally respond to a request within a period of one month from the date it is received. The BBPS will notify the member within one month of receiving the original request to tell him/her if this is not the case.

Other rights

Members have a number of other rights in relation to their personal data. They can require the BBPS to:

  • rectify inaccurate data;
  • stop processing or erase data (it should be noted that inability to collect and process relevant personal data will affect membership of the BBPS).

To ask the BBPS to take any of these steps, the member should send the request to [email protected]

Data security

The BBPS takes the security of personal data seriously. Personal data is kept on password-controlled Excel spreadsheets. Personal data relating to the full contact details of current members is kept by the Webmaster, acting as Membership Secretary. Personal data, limited to forename, surname, membership number, telephone number and email address, is kept by all BBPS committee members. This data will be kept for a period not exceeding 6 months in the event that membership is not renewed.

The Webmaster and all Committee members undertake to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed by members not specifically mentioned above. Failure to do so will be taken seriously, and any committee member in breach of the above principles may be discharged from office.

Information given to members

At membership renewal, members will be advised that the BBPS keeps details of name, address, contact phone number(s), contact email address(es), age if under 18, consent (if given) to use the Google Group, membership type, membership number and membership status.

Members will be advised that the BBPS uses this data to contact members about club activities, contact members about competition results, ensure that the BBPS collects the correct membership fee, keep a record of the performance of members in club competitions, allow the members to contact each other (without the need to reveal individual email addresses) and ensure that the BBPS meets legal requirements for dealing with minors.

Member responsibilities

Members are responsible for helping the BBPS keep their personal data up to date. Members should let the BBPS know if data provided to the BBPS changes, for example if a member moves house or changes their telephone number.

Training

New Committee members, including the Webmaster / Membership Secretary, will be given training as to their data protection responsibilities as part of the induction process [and at regular intervals thereafter].