Privacy Policy

Section 1: TechFest-SetPoint Security Policy Statement

TechFest is committed to a policy of protecting the rights and privacy of individuals (including staff and individuals it has dealings with) in accordance with the principles of the General Data Protection Regulation (GDPR).

TechFest-SetPoint in the conduct of its business needs to process certain information about individuals for administrative purposes, e.g. administration of programmes, to collect fees, to pursue it’s legitimate interests and for purposes of complying with the legal obligations to funding bodies and government.

Section 2: General data Protection Regulation May 2018

The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998. The GDPR is European Legislation that takes effect in all EU member states on 25th May 2018.

Section 3: Definitions

Personal Data: Data relating to an identified or identifiable living individual and other information which is in the possession of, or is likely to come into the possession of, the data controller. This includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Data Subject: The identified or identifiable living individual to whom personal data relates.

Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philsophical beliefs, trade union membership: genetic data or biometric data when processed to identify a person; or data concerning a person’s health, sex life or sexual orientation.

Criminal Offence Data: Personal data relating to criminal convictions and offences, or related security measures.

Data Controller: A person, pubic authority or body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: A person, public authority or body which processes personal data on behalf of the data controller.

Processing: Any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available and the alignment or combination, restriction, erasure or destruction of the data.

Data Sharing: The disclosure of data from one or more organisations to a third party or organisation, or the sharing of data between different parts of an organisation. Personal data can be shared with other organisations if it is done responsibly and securely.

Anonymised information: Information from which no individual can be identified.

Filing System: Any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised or dispersed on a functional or geographical basis.

Section 4: Responsibilities under the GDPR 2018

TechFest-SetPoint as a body corporate is the data controller as defined by the regulations.

All staff of TechFest-SetPoint shall be responsible for, and be able to demonstrate, compliance with the GDPR principles.

All staff of TechFest-SetPoint are responsible for ensuring that any personal data supplied to TechFest-SetPoint are accurate and up to date

Section 5: Notification

Notification is the responsibility of the Managing Director.

Section 6: TechFest Website

Website usage information is collected using cookies. This information is used to track visitor use of the website and to compile statistical reports on website activity. TechFest does not intend to use them to gather personal information. For further information see www.aboutcookies.org

Section 7: Data Protection Principles

1. Personal data shall be processed fairly and lawfully and in a transparent manner in relation to individuals.

2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purpose.

3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4. Personal data shall be accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed are erased or rectified without delay.

5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

6. Personal Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

7. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data must not be transferred outside of the European Economic Area (EEA) –EU member states together with Iceland, Liechtenstein and Norway – without the explicit consent of the individual. 

Section 8: Data Subject Rights

The GDPR provides the following rights for individuals:

The right to be informed – TechFest-SetPoint will provide privacy information to individuals at the time it collects their personal data.

The right of access – TechFest-SetPoint will allow individuals to access their personal data so that they are aware of and can verify the lawfulness of the processing. Any individual who wishes to exercise this right should apply via e-mail to the data controller TechFest-SetPoint will provide a copy of the information free of charge within one month of receipt of the request.

The right to rectification – TechFest-SetPoint will recognise a request for rectification received either by e-mail, or in writing and will respond within one month of receipt of the request.

The right to erasure - TechFest-SetPoint will recognise a request for personal data to be erased received either by e-mail, or in writing and will respond within one month of receipt of the request.

The right to restrict processing - TechFest-SetPoint will recognise a request for restriction received either by e-mail, or in writing and will respond within one month of receipt of the request.

The right to object - TechFest-SetPoint recognises that individuals have the right to object to processing based on legitimate interests or direct marketing or processing for purposes of statistics. TechFest-SetPoint will recognise an objection either by e-mail, or in writing and will respond within one month of receipt of the request.

 

Section 9: The Lawful Bases for Data Processing

Consent: The individual has given consent for TechFest-SetPoint to process their personal data for a specific purpose.

TechFest-SetPoint will use this legal basis when seeking consent to process information, it must be clear and freely given and involve an opt-in action and give people genuine ongoing choice and control over how we use their data. There is no set time limit for consent. How long it lasts will depend on the context. Individuals can withdraw consent at any time they choose.

Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

TechFest-SetPoint will use this lawful basis if it needs to process someone’s personal data to fulfil it’s contractual obligations to them.

Legal Obligation: The processing is necessary for you to comply with the law (not including contractual obligations)
TechFest-SetPoint will use this lawful basis if it needs to process the personal data to comply with a common law or statutory obligation.

Vital Interests: The information is necessary to protect someone’s life.

a) Public Task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

b) Legitimate Interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is good reason to protect the individual’s personal data which overrides those legitimate interests.

TechFest-SetPoint will use this lawful basis if it needs to process people’s personal data in ways that they would reasonably expect and which will have a minimal privacy impact, or where there is a compelling justification for the processing. TechFest-SetPoint will carry out a legitimate interests assessment (LIA) before deciding whether it applies and will do so before starting the processing.

TechFest-SetPoint considers that the processing of personal data is sometimes necessary and is a targeted and proportionate way of achieving it’s purpose. TechFest will properly consider which lawful basis (or bases if more than one applies) applies to each processing purpose.

TechFest-SetPoint will give individuals the intended purposes for processing the personal data and the lawful basis for the processing.

Section 10: Accountability and Governance

TechFest-SetPoint has comprehensive but proportionate governance measures in place. It ensures that it complies with the accountability principle by carrying out staff training and internal audits of processing activities. It will maintain relevant documentation on processing activities. It will implement measures that meet the principles of data protection by design and data protection by default.

Section 11: Security

TechFest-SetPoint will process personal data in a manner that ensures it’s security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical and organisational measures. TechFest-SetPoint will ensure that it is not disclosed to any unauthorised third party in any form either accidentally or otherwise.

Section 12: Disclosure of data

Personal data may be legitimately disclosed where one of the following conditions applies:

1. The individual gives their consent

2. Where the disclosure is in the legitimate interests of the organisation

3. Where the organisation is legally obliged to disclose the data

4. Where disclosure of information is required for the performance of a contract

The GDPR enables Member States to introduce derogations in certain circumstances

  • To safeguard national security or defence*
  • The prevention, investigation, detection or prosecution of criminal offences*
  • Important public interests, including taxation matters, public health and security
  • The protection of the individual, or the rights and freedom of others

* Requests must be supported by appropriate paperwork

 

Section 13: Children

TechFest-SetPoint recognises that children require particular protection when it is collecting and processing their personal data because they may be less aware of the risks involved. TechFest-SetPoint will design it’s systems and processes with this in mind. TechFest-SetPoint recognises that children have the same rights as adults over their personal data. These include the rights to access their personal data, request rectification, object to processing and request to have their personal data erased. The right to erasure is particularly relevant if they gave their consent, or consent was given on their behalf, to processing when they were a child (aged 13 or under).

Section 14: Further Information

TechFest-SetPoint’s IT system comes under the security of our host: The University of Aberdeen.
Our Email and Shared Drive Network is secured by Nimbus Blue.

For further information please go to:

Nimbus Blue www.nimbus-blue.com

The University of Aberdeen: www.abdn.ac.uk/dit/policy.php

The Information Commissioner: www.ico.gov.uk

HESA Data Protection: www.hesa.ac.uk