Call us on 02920 390713
Email us at bookings@cardiffpedalpower.org.uk
Privacy Statement
Cardiff Pedal Power takes personal data and confidentiality very seriously. Under the General Data Protection Regulation we take a number of steps to ensure that all data is held in accordance with this legislation, is stored securely and is only used for the express purposes outlined at the point of collection. Below you can find out more about what data we hold, why, for how long and how we store it, as well as your rights and how to contact us regarding data we hold on you.
How to contact us about data we hold
You can either email us at bookings@cardiffpedalpower.org.uk or call 02920 390713.
Data we hold
Membership information
Cardiff Pedal Power holds membership data in order to deliver services to members, which include offering bike hire and assessments and contacting them in regard to events and their membership renewals. Additionally, assessment information including health and ethnic origin data is classified as special category data, and therefore the legal basis for processing this information is best covered under:
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
Additionally, as Cardiff Pedal Power is a not-for-profit organisation, Article 9 of GDPR provides the legal basis of ‘processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;’
Therefore, Cardiff Pedal Power has a legal reason for processing and holding members' data.
Staff and volunteer records
Both staff and volunteer records are held for a variety of reasons. For example, payroll data is held in order that Cardiff Pedal Power is able to meet its obligations to pay staff under staff contracts.
Therefore, depending on the data, the following legal bases are the most fitting.
For contract-based information, such as staff or volunteer contracts, terms and conditions and/or payroll etc.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
is the most fitting legal basis for data processing.
For information in relation to safeguarding service users, tax purposes, benefit purposes or other legal obligations the charity holds on staff or volunteers…
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
is the most fitting legal basis for data processing.
For other data, such as contacts for ICE purposes or general marketing, then
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
is the most fitting legal basis for data processing.
For data in relation to accidents, incidents, employment issues, disciplinaries etc. then
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
is the most fitting legal basis for data processing. This is because this data is required and covered under Article 9 of GDPR:
‘processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;’
General customer information
General customer information is held for the purposes of undertaking customer works, either providing a bike as part of a hire contract or undertaking customer repair work. Additionally, Cardiff Pedal Power may hold and process data for marketing purposes. As such, the following legal bases apply.
For contract-based data, i.e. to deliver bike repair or bike hire services
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
is the most fitting legal basis for data processing.
For other data, such as contacts for ICE purposes or general marketing, then
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
is the most fitting legal basis for data processing.
Third party data storage
Cardiff Pedal Power utilises a number of third-party IT solutions that involve data processing. As many of these services are run by international companies, special attention has been paid in order to ensure that these services are GDPR compliant.
Where new services are purchased, these too will have to be GDPR compliant, and an audit of their compliance will need to be completed in each circumstance.
How long we hold data
Cardiff Pedal Power only holds data for the length of time specified at the point of data collection (usually for the duration of the service delivery). However, in some circumstances where we are required to by other factors (i.e. specific legislation), we will hold data for longer periods.
Your rights
Under GDPR we will comply with all of your rights. These include your right to be informed, rights of data access and transfer, data rectification, erasure and objection, and the right to restrict processing. For more information on these rights and how you exercise them, please visit the ICO's website.
To exercise any of these rights please contact us and let us know which right you wish to exercise and we will help where we can.
How you can complain
If you think we are not responding to a request fully, you can complain to the ICO by contacting them here.