DATA PROTECTION POLICY DPA & GDPR IMPLEMENTATION AND PRIVACY NOTICE
Most customers in one guise or other will have come across the Data Protection Act 1998 (DPA 98)
and it forms the basis of how the Teignmouth Harbour Commission (THC) as an organisation handles
your personal data.
Your personal information is stored on the Harbour Management or Commissions databases, which
are bespoke programmes used to send you Invoices, receipts and information and record your
relationship with THC. Great care is taken to guard your information and THC will not divulge it to
anyone not authorised to receive it.
From 25 May 2018, the new EU General Data Protection Regulation comes into effect. It is a
significant change to DPA 98, and the basis of the new Regulation as it affects individual customers
is laid out below.
The most important point is the new requirement for individual members to give their active
consent (opt-in) to THC holding their data.
For existing customers:
If you are a Mooring Licence Holder, the Terms and Conditions of the Annual Mooring Licence will be
changed to reflect this consent, and the fact that you have opted to pay your invoice or any part of
it will imply that you have “opted-in” to THC holding your data. This will be reiterated as part of
the mooring renewal process in October 2018.
If you are not a Mooring Licence Holder, a form requesting your consent to “opt-in” to THC holding
your data will be attached to communications sent to you after 25 May 2018 for completion. It is
emphasised that you must complete and return the form, or THC will be forced to delete your
records.
Any new THC customer after the 25 May will be asked to “opt-in” to THC holding their data.
Overview of GDPR and Privacy Notice
Our intent. We are committed to safeguarding the privacy of our Customers. THC will only use the
information that we collect about you lawfully and in accordance with the DPA 98.
Changes to Data Protection Legislation
Data Protection Legislation and DPA 98 are currently going through a period of change. The basis
of this change is the introduction of the EU General Data Protection Regulation (GDPR) and the new
British Data Protection Bill, which will replace DPA 98 and is currently passing through Parliament.
This Privacy Notice is therefore intended to comply with the Act and GDPR but may change over
time.
The Data Controller
From a legal perspective, THC is henceforth classed as the Data Controller.
Data Protection Officer (DPO)
THC's DPO is the Harbour Master. The DPO fulfils a number of roles, one of which is to be the
primary and independent point of contact for data protection matters. The formal mechanism for
members to raise concerns regarding the processing of personal data is primarily by email to:
thc@teignmouthharbour.com
or send a letter by registered mail to:
The Harbour Office,
Teignmouth Harbour Commission,
2nd Floor ABP Port Office, Quay Road,
Teignmouth, Devon
TQ14 8ES
at which point the enquiry will be actioned by the DPO. However, verbal enquiries from
Customers will be treated appropriately, although a written follow-up should be sent.
Purpose of Processing Personal Data
THC collects personal data primarily to support the service THC provides to Harbour Users.
Lawful Basis of Processing Personal Data – Consent
The lawful basis of processing your personal data is Consent. Once you have agreed to a Privacy
Notice you will be registered for the processing of your personal data, based upon your consent.
Categories of Personal Data Processed
The information THC holds should be accurate and up to date. The personal information which THC
holds will be held securely in accordance with THC's internal data protection and security policies.
The type or categories of personal data THC will collect and record will include:
Name, Postal Address, e-mail Address, Land and Mobile numbers, any information contained on an
Invoice or receipt involving THC
For Mooring Licence holders, in addition to the above: Name and details of boat and Emergency
Contact details as above and the history and notes of a Mooring Holder's association with THC;
Qualifications and experience and any information provided on the Boat and Owners Form.
Category of Recipients of Personal Data
Name and contact details will be primarily only used internally within the THC.
Transfer of Personal Data inside or outside the EEA (European Economic Area).
Personal Data will not be transferred inside or outside the EEA.
Sensitive Personal Data
THC will never collect sensitive personal data about a Customer without your explicit consent and
clear explanation why it is required.
Sale or Passing of Personal Data to Third Parties.
THC will not sell or pass a Customer's personal data to any commercial or charitable organisation and
will only pass on data if there is a statutory requirement to do so.
Retention of Personal Data
THC will retain your personal data as follows:
Information Held Under Consent
Whilst you are a Customer of THC. On stopping being a Customer, THC will request your consent to
continuing to hold your name and relevant details in support of historical and archived records.
Data Subject’s Rights
Under the Act, and even more so under the GDPR, Customers have a number of Rights which are
detailed below:
Right of Access
Customers are entitled to access their personal data and are requested to assist THC by ensuring
that any changes to that data are updated so that THC can maintain up to date accurate records.
To obtain details of what THC holds, a Customer should use the mechanism of a Subject
Access Request (SAR). Customers have the right to obtain confirmation that data is being
processed (held) and the right to access data held (a copy).
Fees and Timings
This information will be provided without charge, without undue delay and generally within one
month.
Identity Verification
To protect your personal data THC will have to verify your identity before releasing any information,
which will normally be in electronic format. As a customer this should normally be a simple process;
however, if the SAR is made by a former customer or by the relative of a deceased customer, then
additional verification steps may be required.
Right of Erasure
Customers may request the deletion or removal of personal data where there is no compelling
reason for its continued processing. The Right to Erasure does not provide an absolute right to be
forgotten, as Customer data may form part of THC's archives. However, it will end all routine
processing.
21.05.2018