Policy dated: 19 June 2025
Version: 2025.2
This policy is reviewed annually or in response to legal changes and operational changes.
Next review date: 19 June 2026
1.1 All individuals have rights under UK data protection law regarding how their personal data is handled. London Dynamo (the “Club”) is committed to processing personal data responsibly, transparently, and in compliance with legal obligations.
1.2 This policy outlines the Club’s responsibilities under the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and any applicable updates or successor legislation (collectively, “Data Protection Law”).
1.3 The Club processes personal data of members, suppliers, partners, and other stakeholders (“Data Subjects”) for legitimate purposes, including but not limited to membership management, event organisation, communications, and compliance.
1.4 All officers, volunteers, and those working on behalf of the Club must adhere to this policy. Any breach of this policy may result in disciplinary action and/or legal liability.
2.1 This document governs the processing of personal data, whether collected via digital platforms, email, written communication, or other channels.
2.2 The policy applies to all personal data processed by or on behalf of the Club, regardless of format or storage location, including cloud services and third-party applications.
2.3 This policy will be reviewed annually and may be updated to reflect changes in law or Club operations. Updates will be approved by the Committee and published on the Club’s member Forum.
2.4 The Chairperson of the Club acts as the de facto Data Protection Officer (DPO) unless a formal DPO is appointed. Enquiries should be directed to: [email protected].
2.5 Where applicable, this policy aligns with the Club’s obligations under the Online Safety Act 2023, particularly in relation to protecting children and moderating harmful or unlawful content on our digital platforms.
The Club adheres to the following principles under Article 5 of the UK GDPR:
Processing will only occur where a legal basis exists, such as:
Special category data will only be processed under specific Article 9 conditions, with appropriate safeguards.
6.1 Data is collected solely for the purposes identified in this policy.
6.2 Any new processing activity must be preceded by a Data Protection Impact Assessment (DPIA) where required under UK GDPR Article 35.
7.1 Data Subjects are informed at the point of collection about:
The Club collects only data that is necessary, relevant, and limited to the purpose for which it is processed. Officers must ensure personal data is not retained or requested unnecessarily.
The Club strives to maintain accurate records:
10.1 Personal data is stored only as long as necessary and is based on purpose, legal requirements, and operational need.
10.2 At the end of retention periods, data is securely erased or anonymised.
Data Subjects have the following rights:
To enact your rights please contact the Club to inform us of the details that you require or the changes you wish to make. Verification of identity may be required.
12.1 The Club adopts technical and organisational measures, including:
12.2 For some business activities, we share your personal data with our carefully selected third-party service providers. Where we contract with third-party service providers, we ensure that we have entered into appropriate contractual terms to protect the Personal Data that we share.
13.1 The Club only transfers personal data outside the UK/EEA where one of the following applies:
14.1 The Club may share personal data with:
15.1 We will acknowledge all requests within one calendar month.
15.2 We will inform you within one claendar month if an extension is needed.
15.3 The Club reserves the right to refuse clearly unfounded, repetitive, or excessive requests under Article 12(5) UK GDPR.
15.4 No fee will be charged unless requests are manifestly excessive.
16.1 The Club will conduct periodic Data Protection Audits to ensure compliance.
16.2 Officers receive training in:
16.3 A Privacy by Design approach is followed in all new projects, systems, or services.
17.1 The Club maintains a Data Breach Register and notifies the ICO within 72 hours of any breach likely to result in a risk to rights and freedoms.
17.2 Affected individuals will be notified where required by law.
Our website uses cookies to improve your experience. For more information, see our Cookie Policy.
This policy is approved by the Committee and reviewed annually or upon major legal or operational change.
For enquiries, contact: Chairperson – London Dynamo
For any queries about your personal data or to exercise your rights, please contact Chairperson
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
| Type of Data | Names, email addresses, emergency contacts, gender, DOB, membership status, financial details, club photos |
|---|---|
| Subjects | Members, volunteers, suppliers, partners |
| Processing Activities | Collection, storage, communication, secure deletion |
| Purpose | Membership management, events, insurance, club operations |
| Third-Party Recipients | CRM providers, payment platforms, insurers |
| Retention Period | Duration of membership + 6 years, or as legally required |
All officers and volunteers are required to:
All data is stored: