Personal data is held solely in order to provide services to members and the lawful basis for processing personal data is that it is necessary for the performance of a contract with the data subject: the provision of those services. It is available to those within the organisation who provide those services but will not be shared with other organisations. Members’ data will be kept for seven years after they leave to satisfy expectations on the retention of financial records and will be deleted after that date. Members are the only source of data held. Members have each of the eight rights conferred by the General Data Protection Regulation, including the right to withdraw consent for holding data and the right to complain to the Information Commissioner’s Office. No automated decision making takes place. The controller of personal data is the Treasurer. The Secretary holds the formal role of Data Protection Officer for the organisation.