GENERAL DATA PROTECTION REGULATIONS AND AMRSS LIMITED

The Association of Model Railway Societies in Scotland, now incorporated as AMRSS Ltd, has always been committed to managing the information we hold on any individual securely and in confidence.
Our directors, secretary and shareholders are all responsible for maintaining the personal information we hold fairly, lawfully and transparently. We have always done this so as to comply with UK and EU laws and we also now do so in terms of the General Data Protection Regulations which came into force on 25th May 2018.
We train our people and review our procedures and compliance with the law regularly to make sure everyone we deal with has confidence in the company and feels comfortable about giving us their information.


Whose Data Do We Hold?
The shareholders of AMRSS Ltd represent all the model railway clubs in Scotland who were previously members of the Association of Model Railway Societies in Scotland and who are now part of the not-for-profit company limited by guarantee, AMRSS Ltd. We hold information about all members of every such model railway club except for those who have not given their consent for us to do so.
We hold information about the traders who take part in the model railway shows organised by AMRSS Ltd who pay for floor space at the shows.
We hold information about the preservation societies and railway related organisations who take part in the model railway shows organised by AMRSS Ltd who pay for floor space at the show.
Visitors who apply for advance tickets to the model railway shows organised by AMRSS Ltd provide us with personal information so that we can issue their tickets.
Suppliers of services connected with the staging of the model railway shows organised by AMRSS Ltd give us information which we need to record for accounting purposes.


What Type Of Data Do We Receive?
We hold the name of all members of every AMRSS Ltd shareholder club and the name of the club to which they all belong. For some individuals we hold their e-mail address. We do not hold any information for any such people who have not consented to us doing so.
We hold the name, address, business name, telephone number(s) and e-mail address of all traders who take part in our shows.
We hold the name, address, society or organisation name, telephone number(s) and e-mail address of all societies and organisations who take part in our shows.
We hold the name and address of all individuals who apply for advance tickets to our shows.
We hold the business name, address and telephone number of all suppliers who provide services to us connected with the staging of the model railway shows organised by AMRSS Ltd. We record their VAT registration numbers for accounting purposes.


How Do We Confirm the Individual’s Consent to Their Data Being Held?
We have obtained a written, positive consent from all individuals who are members of every AMRSS Ltd shareholder club and who are content for us to hold their information. As new members join, club secretaries advise us and obtain a consent from the new members and pass them to us. When we are advised that an individual has left a shareholder club we note our records to that effect.
Invitations to traders to hire a trade stand area at any show organised by AMRSS Ltd include a requirement for traders to acknowledge that their information will be held by the company for organisational and record purposes. To apply, traders must acknowledge that they positively consent to their data being held and used in that way.
Invitations to preservation societies and railway related organisations to hire a trade stand area at any show organised by AMRSS Ltd include a requirement for traders to acknowledge that their information will be held by the company for organisational and record purposes. To apply, traders must acknowledge that they positively consent to their data being held and used in that way.
Our on-line application process for advance tickets includes a link to a web page with this policy document. Applicants must confirm they have read this document and freely and positively consent to their information being held by the company for organisational and record purposes connected with the issue of their tickets.


Who Holds Personal Data Information on behalf of AMRSS Ltd?
The Chairman and Secretary of AMRSS Ltd hold the personal data of all members of every AMRSS Ltd shareholder club and the name of the club to which they all belong.
The Chairman, Treasurer, Exhibition Manager, Deputy Exhibition Manager, Publicity Manager and Accommodation Officer of Model Rail Scotland run by AMRSS Ltd hold the personal data of many or all of the traders, preservation societies and railway related organisations who exhibit at the shows organised by AMRSS Ltd.
The Advance Ticket Sales Officer holds the personal data of everyone who applies for an advance ticket for any of the shows organised by AMRSS Ltd.
The Operations Manager holds the personal data of all suppliers of services connected with the staging of the model railway shows organised by AMRSS Ltd.
The Treasurer holds some personal data across some or all of these categories for accounting purposes.


How Long Do We Hold An Individual’s Data?
We keep an individual’s information for as long as we need it to perform the functions of AMRSS Ltd. In particular we keep the following information as shown below.
We hold the name of all members of every AMRSS Ltd shareholder club and the name of the club to which they all belong for so long as they remain a member of that club and for so long as the club remains a shareholder of AMRSS Ltd.
We hold information about the traders who take part in the model railway shows organised by AMRSS Ltd from year to year. The majority of traders take part in our shows every year and we only delete their records once they have indicated that they no longer wish to hire a space to trade at the show.
We hold information about the preservation societies and railway related organisations who take part in the model railway shows organised by AMRSS Ltd from year to year. The majority of preservation societies and railway related organisations take part in our shows from year to year and we only delete their records once they have indicated that they no longer wish to hire a space at the show.
We hold the name and address of all individuals who apply for advance tickets to our shows for one year. This is so that we can contact those individuals direct, should we wish to do so, to offer reduced price tickets to them for the following year’s show. Anyone not applying for tickets after that year has their details removed from our records.
We hold the business name, address and telephone number of all suppliers who provide services to us from year to year, since we generally use the same suppliers every year because of our good working relationship with them all.


Are There Any Exceptions To The Above?
We will hold any information we have obtained where it is required by law, for example, for annual accounting purposes.


Access To Your Information
You have a right to ask AMRSS Ltd if we hold any personal information about you. If we do, you have a right to know:
1. Why we have it.
2. What type of information we possess.
3. Whether we have, or will, send it to others.
4. How long we will keep it.
5. Where we got it from.
If you wish, you can ask us for a copy of your information. Where any of your information is incorrect you have a right to tell us to correct it promptly.

Our Policy In More Detail
Lawfulness – Personal data is collected and processed with the data subject having given consent to the processing or when processing is necessary and legitimate in terms of the current data protection legislation.
Fairness – Personal data processing takes into account the specific circumstances and context in which such personal data is processed.
Transparency – Information and communication relating to the processing of personal data is easily accessible, easy to understand and in plain English.
Purpose Limitation – Personal data is collected for specified, explicit and legitimate purposes and is not further processed in any way which is incompatible with those purposes.
Accuracy – We ensure personal data is recorded accurately and kept up to date. Inaccurate data will always be erased or rectified without undue delay.
Storage Limitation – Personal information we hold is kept in a form which enables identification of data subjects for no longer than is necessary for the purposes for which it is processed or any other lawful retention.
Integrity and Confidentiality – We process personal data in a manner that ensures appropriate security of the personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical, physical and administrative measures.

The Binding Nature of Our Policy
The directors and secretary of AMRSS Ltd and all shareholders of the company as data subjects benefit from the provisions of this privacy policy. As protecting personal data is a matter of individual and organisational commitment, we must all comply with the requirements specified under this privacy policy.
AMRSS Ltd will not engage any third party to carry out processing of personal data and will observe the principles to be applied when processing personal data.
AMRSS Ltd undertakes to lawfully process personal data only where it has a valid legal basis to do so under the data protection legislation and to ascertain a lawful, fair and legitimate purpose prior to the collection or processing of personal data.
AMRSS Ltd undertakes not to transfer any personal data to anyone not authorised to obtain such data.

Procedures in the Event of a Data Breach – Notification Measures
In the case of any data breach AMRSS Ltd shall, without undue delay, and where feasible, no later than 72 hours after having become aware of it, notify the personal data breach to the AMRSS Ltd Data Protection Officer.
A data breach notification will cover at least the following information:-
1. The nature and scope of the breach including where possible the categories and number of personal data records concerned.
2. The name and contact details of the Data Protection Officer or other contact point where more information can be obtained.
3. Describe the consequences likely to result from the personal data breach.
4. Describe the measures taken or proposed to be taken by the Data Protection Officer to address the breach including, where possible, measures to mitigate its possible adverse effects.
AMRSS Ltd may also need to communicate to the data subject(s) involved that there has been such a breach where it results in a high risk to the rights and freedoms of natural persons. In such circumstances the communication shall take place without undue delay and shall cover the above-mentioned elements.

Data Storage Limitation
Where feasible, AMRSS Ltd will implement reasonable measures to have all personal data which it is no longer necessary to hold, deleted or anonymised as soon as it is no longer required.

Data Subject’s Rights
Data subjects are entitled to benefit from the following rights:-
1. Have access to the personal data relating to him or her and processed by AMRSS Ltd.
2. Request the rectification or deletion of any inaccurate or incomplete personal data relating to him or her, and of any personal data with respect to which the purpose of processing is no longer legal.
3. Request that the personal data processing relating to him or her be limited.
4. Object to the processing of their personal data at any time, unless such processing is required by applicable law and provided that the data subject demonstrates that he or she has a legitimate ground relating to his or her particular situation.
5. Receive their data in a structured, commonly used, machine readable format.

Data Subject’s Complaints Handling Procedure
Data subjects are entitled to lodge a complaint regarding the processing of personal data they consider non-compliant with this privacy policy.
Any such complaint will be handled by AMRSS Ltd in due course and with particular care and attention according to the steps and timing defined in this statement. Such provisions are also applicable in relation to data subjects’ requests to exercise their rights to access, update or delete their personal data.
AMRSS Ltd commits to revert to a data subject with a reply to his or her complaint within one month from the date the complaint was lodged in accordance with this privacy policy.
In the event that AMRSS Ltd decides to reject a complaint made by a data subject, AMRSS Ltd undertakes to inform such data subject about its decision and to provide him or her with information regarding the reason for the rejection. In such a case AMRSS Ltd acknowledges that data subjects remain entitled to lodge a claim before a court and/or data protection authority.
In the event that AMRSS Ltd considers that a complaint made by a data subject is justified, AMRSS Ltd commits to implementing the corrective measures it deems adequate to remedy such situation as soon as reasonably possible. In addition, AMRSS Ltd will also inform the data subject once the corrective measures have been implemented and the situation is remedied.

Training and Awareness
Protection of personal data is not only a matter of compliance with the law but is also a part of the AMRSS Ltd values. We will foster a privacy culture within the company to make all directors, the secretary and shareholders aware of their responsibilities in the performance of their duties in connection with the performance of their obligations under the direct control of the company.
This privacy policy will therefore be properly implemented within the company. To this end all persons handling personal data will be trained to ensure they are all aware of their legal obligations and the principles and procedures under this privacy policy.

Transparency and Co-operation
AMRSS Ltd will openly communicate this privacy policy to data subjects and make it easily accessible to any individual via its website. A copy of this privacy policy may be requested at any time and will be provided without any undue delay.
AMRSS Ltd agrees to co-operate with data protection authorities, including by enabling such data protection authorities to perform audits thereof, and to comply with any advice that may be provided in relation to this privacy policy.

AMRSS Ltd
15th April 2019