Princes Risborough Golf Club
Volunteer Data Protection Policy (Aligned with England Golf)
1. Purpose
To ensure volunteers handling member data comply with the UK GDPR and reflect the standards set by England Golf.
2. Scope
Applies to all volunteers with access to personal data of club members, including names, contact details, handicap indexes, and competition records.
3. England Golf Alignment
This policy mirrors England Golf’s, which emphasizes:
- Lawful and transparent data processing
- Secure data handling
- Respect for individual rights
- Accountability
4. Roles and Responsibilities
- Data Controller: Princes Risborough Golf Club (PRGolfClub.com Ltd, the management company)
- Data Processor: Volunteers acting under Management instruction
- Data Protection Lead: Gary Tubb (liaises with England Golf if needed)
5. Volunteer Obligations
Volunteers must:
- Only access data necessary for their role and to expedite their role
- Use secure systems approved by the club
- Never share data externally, or with any other member, without authorization from the Management
- Never use data for personal purposes
6. Data Handling Principles
Volunteers must follow these principles:
- Minimization: Only collect and use data that’s strictly necessary to perform the purpose agreed with the Management
- Retention: Keep data only as long as needed for club operations
- Security: Use password-protected devices and avoid paper records unless securely stored
- Transparency: Management should inform members how their data is used via privacy notices
7. Communication Rules
- Operational messages (e.g. tee times, golf event updates, handicap updates, new club news from proprietor): Permitted under legitimate interest
- Volunteers must strictly abide by the rules in sections 5 and 6, in particular:
- Only access data necessary for their role and to expedite their role
- Only collect and use data that’s strictly necessary to perform the purpose agreed with the Management
- Data should not be treated as an 'email list' for topics outside of the permitted legitimate interest, as dictated by role. Usage should be agreed with the data controller through the data protection lead.
9. Breach Reporting
Any suspected data breach must be reported immediately to the Data Protection Lead, who will follow England Golf’s escalation procedures if necessary.
Disciplinary action: a volunteer's failure to comply with GDPR policies could lead to termination of their volunteering position.
Criminal sanctions: Serious breaches could potentially result in criminal liability.
10. Review and Updates
This policy will be reviewed annually or upon changes to England Golf’s GDPR guidance. Volunteers will be notified of updates and asked to re-confirm compliance.
GDPR Commitment Document Signed By Volunteer
I acknowledge that, in undertaking my role as [INSERT ROLE] at Princes Risborough Golf Club, I will have access to the World Handicap System platform and will, therefore, be in a position to access and process personal data relating to the golf club's members, including (but not limited to) their names, email addresses, dates of birth, genders, and golfing records.
I also acknowledge that, in accessing or processing any such personal data, I am undertaking the role of a data processor for the purposes of relevant data protection legislation, including the UK GDPR and the Data Protection Act 2018.
I agree that I shall comply with the requirements of relevant data protection legislation and adhere to PRGC's Volunteer Data Protection Policy in discharging my duties in my role. This includes that I shall:
- Process personal data lawfully, fairly, and in a transparent manner in relation to any data subjects, processing such data only where one or more of the lawful bases for processing (outlined at Article 6 of the UK GDPR) apply;
- Process only such personal data as is adequate, relevant, and necessary in relation to my role and to the purpose for which I am processing those particular data;
- Ensure that any personal data processed is accurate and, where necessary, kept up-to-date; and
- Process personal data in a manner that ensures appropriate security of those data by using prescribed organisational and/or technical measures.
I also agree that, once my term in the role of [INSERT ROLE] has ended, howsoever that occurs, I shall not continue to process any personal data to which I gained access through my engagement in that role.
I acknowledge that failure to comply with the representations outlined above and with the requirements of relevant data protection legislation may result in my expulsion from the role of [INSERT ROLE] at Princes Risborough Golf Club and may also result in further action if appropriate.
Signed: ......................................