This document outlines the data protection and handling policy for SPIC MACAY 10th International Convention Website. It specifies how personal data is collected, processed, and stored in compliance with relevant laws, including the EU General Data Protection Regulation (GDPR). The policy aims to ensure the protection of members, staff, and others using the services of SPIC MACAY.
| Section | Title | Link |
|---|---|---|
| Section 1 | Summary | Go to Section 1 |
| Section 2 | Introduction | Go to Section 2 |
| Section 3 | Responsibilities | Go to Section 3 |
| Section 4 | Security | Go to Section 4 |
| Section 5 | Data Recording and Storage | Go to Section 5 |
| Section 6 | Data Transparency and Member Rights | Go to Section 6 |
| Section 7 | Right of Access | Go to Section 7 |
| Section 8 | Right of Rectification | Go to Section 8 |
| Section 9 | Lawful Basis | Go to Section 9 |
| Section 10 | Right of Erasure | Go to Section 10 |
| Section 11 | Changes to This Policy | Go to Section 11 |
The following key terms used in this document must be interpreted as described in RFC 2119:
SPIC MACAY refers to the organization at https://spicmacayintcon.co.in/.
This policy has been established to achieve the following objectives:
SPIC MACAY collects a variety of personal data, both provided directly by the members and obtained from third parties.
While using SPIC MACAY services or registering to join SPIC MACAY, data is transmitted from the central system to SPIC MACAY to ensure efficient service delivery and provide the requested user experience. This data includes:
This data is collected to enable the efficient operation of SPIC MACAY services and to ensure an enhanced user experience.
SPIC MACAY has an unequivocal commitment to:
Key risks are detailed in Section 4.5 of this document.
The overall responsibility for ensuring data protection and compliance with relevant standards and legislation is shared collectively by the SPIC MACAY National Executive Office Bearers (NEOB).
The National Executive Office Bearers (NEOB) are primarily responsible for overseeing the control and storage of data. The list of NEOB members can be found on the SPIC MACAY staff page here: https://spicmacay.com/staff.
From time to time, specific responsibilities related to data control and storage may be assigned to other members of the NEOB.
All staff and volunteers are required to read, understand, and comply with the policies and procedures regarding the handling of personal data in their work with SPIC MACAY, as outlined in this policy. SPIC MACAY expects the highest standards of integrity from all staff at all levels. Data access will only be permitted when there is a valid, network-related reason for such access.
SPIC MACAY enforces a zero-tolerance policy towards unauthorized access to personal data stored in its systems. Any individual found to have inappropriately accessed data will be prohibited from further access until the risk to personal data is adequately addressed.
This section applies to all SPIC MACAY's servers, whether belonging to or donated to the SPIC MACAY , including, but not limited to, Data Servers, Statistic Servers, or Web Servers.
SPIC MACAY operates on a segmented security approach, where only the access required (with approval from members holding the status of “Privileged Access”) to complete a required job is granted. SPIC MACAY employs access monitoring systems to ensure that access is not being abused and can be traced back to a specific individual.
SPIC MACAY employs standard methods of encryption to safeguard data, such as TLS encryption for accessing data via a web browser. SPIC MACAY also implements additional change-audit scripts and monitors to provide visibility into server activity. IP Address and asymmetric-based security settings are used to only allow server access to authorised users or servers.
Passwords (excluding your network password, which is nevvgver passed to SPIC MACAY are stored as salted hashes, preventing them from being viewed in plain text. This includes your secondary password for Core, if set.
In order to ensure business continuity, SPIC MACAY retains data backups of relevant systems to ensure a speedy recovery of impacted systems while maintaining data integrity and security.
These backups are encrypted, and access is granted only to authorised individuals.
The main specific risks to the security of data are:
Mitigation of the first two risks is primarily through screening all individuals before granting access and secondly, encouraging members who have a higher level of access to ensure they adhere to good security practices on their personal systems. The last risk is mitigated by access logging and reverting changes made by those who misuse access.
The majority of membership data is passed to SPIC MACAY by SPIC MACAY's central system. As such, we assume that this data is accurate. Where it is not, we facilitate the rectification of this, as set out in section 8 of this policy.
A SPIC MACAY member may request an update of his/her retained information by making a request in writing to registration@spicmacay.com.
Data is stored in standard file systems and databases. Access to these systems is controlled by secure direct access to the controlling machine or application, or via a secure web interface. Access is further controlled and protected against unauthorized access using standard measures, such as role-based access control.
SPIC MACAY is bound by the retention periods of its own data management policies. Requests for erasure can be processed by SPIC MACAY but may need escalating to SPIC MACAY's central system to fulfil the entirety of the request.
SPIC MACAY does not archive any data to other servers for long-term storage at this point in time. Data is either maintained within the production environment and backed up as per section 4.4, or deleted entirely.
SPIC MACAY is committed to ensuring all members are aware of what data is collected and why we do so.
As outlined in the statement of legitimate interests within the SPIC MACAY Privacy Policy, data is collected for the purpose of ensuring the provision and smooth operation of the SPIC MACAY so that members can jointly enjoy the environment it provides.
Data may be transferred to other organizations affiliated with, or associated with, SPIC MACAY to provide services to enhance and extend the environment. Who we transfer data to is covered within the SPIC MACAY Privacy Policy. Where it is not covered, we will seek your permission to pass on personally identifiable data before doing so.
Details on how to exercise rights in relation to the data held are detailed in the relevant sections of this policy.
All team members within SPIC MACAY are responsible for the data they access at all times. The various departments most closely associated with members' data are the Developers, Core Team Members or State Coordinators
Where team members are required to use data for statistical and management purposes, anonymous aggregated or pseudonymised data will be used where possible.
Requests for personal data under the Right of Access are the responsibility of the appointed National Executive Office Bearers (NEOB) and their team. Such requests are required to be complied with within one month of the request being received. If circumstances prevent this from occurring, an extension of a further two months may be instituted by SPIC MACAY, providing that the member making the request is informed of this fact before the expiration of the original one-month deadline.
Right of access requests must be sent via email to registration@spicmacay.com.
If team member at a lower level receive anything that might reasonably be construed to be a request for access, they have a responsibility to pass this to the appointed National Executive Office Bearers (NEOB), as defined in section 3.2.
Where the person managing the access procedure does not know the individual personally, the individual's identity will be verified before handing over any information.
SPIC MACAY will not charge any fee for processing or providing data for requests under the Right of Access.
The appointed National Executive Office Bearers (NEOB) is responsible for handling requests under the Right of Access provisions. Requests will be made via registration@spicmacay.com.
Only personal data will be shared with the member. Other individuals’ personal data will be redacted.
Accurate data is in the best interests of the organisation. The appointed National Executive Office Bearers (NEOB) is responsible for the management of such requests.
Right of rectification requests should be made to registration@spicmacay.com.
If team member at a lower level receive anything that might reasonably be construed to be a request for rectification, they have a responsibility to direct the member to the above email address.
SPIC MACAY will not charge any fee for requests under the Right of Rectification.
SPIC MACAY asserts that it has a legitimate interest in collecting and storing the personal data outlined above. The reasons for this claim are:
SPIC MACAY ensures that parental consent is collected from users unable to provide their own consent (because they fall below the minimum age to do so, as defined under the GDPR or other local regulations).
SPIC MACAY acknowledges its responsibility of any members that may be below this age and are actively participating the organisation and its conventions
Notwithstanding SPIC MACAY's claim of legitimate interest, members may object to this claim and/or request that SPIC MACAY cease processing a member’s personal data. These two rights are known as the Right to Object, and the Right to Restrict Processing.
Members must be aware that if they choose to exercise either of these rights, SPIC MACAY is obliged to lock their accounts in order to comply with their wishes. Additionally, their request may be referred to SPIC MACAY to take the appropriate action for their network account as well.
While a notification of an objection to SPIC MACAY’s claim of legitimate interest, or a request to suspend processing may be made at any time, such claims may not be made retrospectively.
Requests for deletion of personal data under the Right of Erasure are the responsibility of the appointed National Executive Office Bearers (NEOB) and their team. Such requests are required to be complied with within one calendar month of the request being received.
If circumstances prevent this from occurring, an extension of a further two months may be instituted by SPIC MACAY, providing that the member making the request is informed of this fact before the expiration of the original one-month deadline.
The appointed National Executive Office Bearers (NEOB) is responsible for handling requests under the Right of Erasure provisions.
Requests will be made via registration@spicmacay.com.
If staff at a lower level receive anything that might reasonably be construed to be a request for erasure, they have a responsibility to pass this to the appointed National Executive Office Bearers (NEOB) without delay.
Where the person managing the erasure procedure does not know the individual personally, the individual's identity will be verified before handing over any information.
SPIC MACAY will not charge any fee for deleting data under the Right of Erasure.
SPIC MACAY shall evaluate all requests for erasure. SPIC MACAY reserves the right to retain any data that it believes is in its legitimate interest to do so, or that is required to establish, exercise, or defend any legal claims.
The responsibility for review of this policy rests with the nominated National Executive Office Bearers (NEOB), as defined in section 3.2 of this policy.
At a minimum, this review shall require: