Privacy Policy

Who we are

The Oxford and Cambridge Club, registered office at 71 Pall Mall, London, SW1Y 5HD.

Introduction

The Oxford and Cambridge Club complies with the relevant national data protection regulations. We are committed to keeping personal information accurate, up-to-date, safe, secure and will not keep personal information longer than necessary. This privacy notice explains how we use personal information, who we share it with and the ways in which we protect and account for the protections to privacy. This notice applies to all personal data collected for and on behalf of the Oxford and Cambridge Club. This pertains to information collected in analogue (forms, documents, in writing) and through technological means such as information systems and email.

From time to time, we will make you aware when we require additional personal information for processing through a separate specific privacy notice.

The type of personal information we collect

The Oxford and Cambridge Club collects personal information for the purposes of communicating with individuals who have expressed an interest in the Club, who are members of the Club, who are members of associated organisations, who are employed by an organisation contracted to the Club for the delivery of services or have or are entering a business relationship with the Club.

We currently collect and process the following information:

  • Personal identifiers such as name, home address, work address, nationality, telephone number, email address for contact purposes.
  • Identity documents such as passports and driving license for verifying ID
  • Member information such as profession, university/college attended, photograph in order to maintain a record of members and their backgrounds in order to support the social and networking purposes of the Club.
  • IP addresses, web browser data, cookies, and other technical data for logging and audit in the use of our website and IT systems.
  • photographs and videos taken by staff or approved photographer for the purposes of recording events and communication of Oxford and Cambridge Club activities to members.
  • CCTV images for security and safety of the Club and its members/guests.
  • Transaction data (including credit card data and direct debit data) for payments of bills and membership fees.
  • Recruitment data to identify candidates’ suitability for positions at the club.
  • Employee data to facilitate and manage the employment of staff as stated in our separate employee privacy policy. This includes special category health data such as sickness/illness or maternity/paternity leave.

How we obtain the personal information and why we have it

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • As part of membership application so that we can identify you to maintain a register of members. This includes purposes such as application, renewals and subscriptions,
  • As part of membership services to enable you to partake in Club activities and to make bookings or reservations. The data also helps us to investigate any concerns or complaints you may have.
  • As part of communication services so that we can tell you about events and activities that might be of interest to you, including those that require payment.
  • As part of a financial transaction relating to purchases of food, beverages, accommodation and other services.
  • As part of recruitment to identify suitable candidates for employment.
  • As part of the employment process to enable management of human resources and payroll. This also includes developing a comprehensive picture of the workforce and how it is deployed as well as to support and develop our employees in the performance of their duties.

We also receive personal information indirectly, from the following sources in the following scenarios:

  • Through CCTV surveillance cameras in place for security and safety.

Under the UK General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

(a) Your consent. You are able to remove your consent at any time. You can do this by contacting dpo@oandc.uk.com
(b) We have a contractual obligation.
(c) We have a legal obligation.
(d) We have a legitimate interest

Retention and storing of personal data
The Oxford and Cambridge Club recognises that by efficiently managing its records, it will be able to comply with its legal and regulatory obligations. All personal information is always kept securely. Paper and electronic records have appropriate security measures in place ensuring that confidentiality is maintained. Personal information is only kept for the time required to undertake the purposes it is used for.

The Club maintains a separate Records Management Policy and Schedule which includes the following retention periods:

  • Member data is held for as long as the individual is a member of the club plus 3 months.Financial transaction data is held for 6 years.
  • CCTV data is held for a maximum of 30 days.
  • Employee data is held for as long as the individual is an employee of the club plus 6 years.
  • Recruitment data of individuals not employed is kept for 6 months after a decision is made not to progress with an employment offer.

Security

Using appropriate technical and organisational measures we store and use your personal data applying security protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Who do we share personal information with?

We do not share any personal information with anyone unless we have a lawful basis to do so.

The Club may, at times, share Club related information with members of the elected Committees for the purpose of supporting the Club’s activities. All Committees adhere to Terms of Reference to ensure that papers and electronic correspondence containing personal data are handled in accordance with the requirements of the UK GDPR and the Data Protection Act 2018, and in accordance with the Club’s policies on Data Protection.

Who do we share workforce information with?

We do not share information about workforce members with anyone without consent unless the law and our policies allow us to do so.

Processing and transfers to third countries

We do not transfer any personal information to third countries.

Automated Profiling

We do not undertake any automated profiling.

CCTV
We collect information in the form of Closed-Circuit Television (CCTV) to ensure the safety and security of those with a lawful reason for being on the Club’s premises. We retain CCTV images for a maximum of 30 days after which they are deleted. Access to these images can be requested through the Data Protection Lead (contact details below). Please refer to our CCTV Policy for further information.

IT Systems

For the purposes of IT hosting and maintenance all the Club’s information including personal data is located within hosted servers provided by our service providers. No third parties have access to your personal data unless the law allows them to do so. Where the law allows, and information is shared with third parties, we ensure they have the same protections in place as we do. We cannot deliver our membership services without processing the data we collect and share.

In following the principles of Article 32 – Security of Processing of the GDPR, we have in place proportionate organisational and technical measures to protect your personal information. We actively assess our cyber and physical security on a regular basis.

Cookies

We use cookies. The Club’s website stores cookies on your computer. These cookies are used to improve the Club’s website, provide more personalised services to you, both on this website and through any marketing communications you opt into.

Requesting access to your personal data

Under data protection legislation you have the right to request access to information that we hold.

You also have certain additional rights to:

  • be informed of how we are processing your personal information – this Privacy Notice explains this to you but do get in touch if you have any questions
  • have your data corrected if it is inaccurate or incomplete
  • have your information erased (the right to be forgotten) in certain circumstances – e.g. where it is no longer needed by us for the purpose for which it was collected, or you have withdrawn your consent
  • restrict the use of your data in certain circumstances
  • object to the processing of your data in certain circumstances – e.g. you may object to processing of your data for direct marketing purposes
  • object to decisions being taken by automated means
  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations

If you have any concerns about the way we are collecting or using your personal data, you should raise your concern with us in the first instance.

You can also directly contact the Supervisory Authority in the UK which is:

https://ico.org.uk/global/contact-us/

Contact:

If you would like to discuss anything in this privacy notice, please contact:

dpo@oandc.uk.com