GENERAL DATA PROTECTION REGULATION – CBAI
What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation which comes into effect on 25 May 2018. GDPR will update existing data protection laws and will place greater accountability and transparency obligations on organisations when using a member’s personal information. It gives the individual greater control over their personal information.
This will apply to all clubs, groupings of clubs (e.g. Counties / Regions) and the Contract Bridge Association of Ireland. Each of these is identified as a Data Controller and has responsibilities in respect of the data it holds. It is possible that the entity operating as the first grouping of clubs (County, Region, etc.) may not require separate identification as a Data Controller from the NBO, but the responsibility of safeguarding personal data is in no way diminished.
All information that is collected on an individual member is regarded as Personal Data. It must be kept secure and only be used for the express purpose for which it was collected – bridge or other activities for the body involved. Similarly, if you have a visitor/guest to your club, their information is also personal data.
Do not pass on any Personal Data to anyone unless the purpose was specifically covered when the information was collected.
Maintenance of Records
If you keep paper records, they should be kept in a secure location, e.g. locked in a cabinet, with regulated key holders for the location. If you dispose of any of these paper records, they must be shredded before disposal.
If you keep your records on a computer, they should only be accessible by authorised people; the computer and/or folders in which the information is kept should be locked and/or encrypted.
Access to records should only be available to authorised committee members, Officers or managers. When new individuals take up these positions, access methods, e.g. passwords, should be changed.
Usage of Personal Data
When using personal data entrusted to you, care must be taken not to share any information with others, either deliberately or by accident; for example, if sending a group email, the blind copy (Bcc) facility or a mailshot programme that does not show other addressees must be used.
Clubs should not circulate lists of members with contact details within their own membership – unless they have specific agreement from their members. Clubs should regard this time as being a completely fresh start for all their practices, seeking specific permission from members to make use of their personal data. Previous practice of “opting out” will no longer apply – all members must be asked to “opt in” – by specifically giving permission to use personal data.
You must inform everyone from whom you collect data:
This will usually be done via a Privacy Notice, which may be on your club’s website, but a printed copy should also be available in the club and be sent to those who request it. Your members should be directed to this Privacy Notice on every occasion when you collect data, so it should be referred to on your membership application form. A Privacy Notice will also be displayed on the CBAI Website.
Template for Club Privacy Notice is attached.
Publication of Personal Data
In a situation where a member is an office holder in a club or other grouping, and it is necessary to publish contact information for them either on paper or on another medium, specific permission must be sought from the individual for that purpose.
Your application form for membership at Club level should contain a request for permission to use Personal Data for purposes of bridge and include a request for permission to reproduce photographs of members to record their winning of a prize or prizes for bridge and promotion of bridge.
See attached template. This form will be printed and circulated to all Clubs for ALL Club members to complete. It will be in 2 parts – the original to be retained by the club and the copy to be returned to the CBAI.
RIGHTS OF THE INDIVIDUAL
An individual has a right to data protection when their details are
Data Protection rights help the individual to make sure the information stored about them is
The bridge grouping (Data Controller) who holds information about the individual must –
REGISTRATION WITH DATA PROTECTION COMMISSIONER
Bridge organisations do not fall within any category that requires registration with the Data Protection Commissioner, so that is usually not necessary. To satisfy yourselves that this is the case, check with the Regulator. (Website details below)
NB Before publication, each club should check the items shown in red below, and adjust to their own name / circumstances
Privacy Notice for XXX Bridge Club
What personal data does XXX Bridge Club collect, and what is it used for?
Who is your data shared with?
Where does this data come from?
How is your data stored?
Who is responsible for ensuring compliance with the relevant laws and regulations?
Who has access to your data?
What is the legal basis for collecting this data?
How can you check what data we have about you?
Does XXX Bridge Club collect any “special” data?
How can you ask for data to be removed, limited or corrected?
How long do we keep your data for, and why?
What happens if a member dies?
What personal data does XXX Bridge Club collect?
The data we routinely collect includes members’ names, addresses, email addresses. We collect this data directly from our members when they join the club.
For some of our members we may have additional information such as committee memberships, teaching qualifications, or tournament director roles. [We will also keep information relating to disciplinary matters and sanctions].
We collect the scores from games you play, which are displayed on our results pages and used in maintaining the CBAI’s Master Point scheme.
What is this personal data used for?
We use members’ data for the administration of your membership, the communication of information, and the organisation of events. We provide your data to CBAI for their use as explained in the section below.
Your membership data is passed on to CBAI, of which you become a member when you join XXX Bridge Club. CBAI shares data with ABCDE [County/Region] or any other [County/Region] in which you may have joined a club.
Information from your results is also passed on to CBAI for use in its master point scheme, and this may also be used for seeding/stratification and handicap purposes.
Some of your data will be available for use by [Bridgewebs] acting as a Data Processor on our behalf. They are not free to pass this on to other organisations that are not connected with XXX Bridge Club.
In the event that a club member agrees to act as XXX Secretary / XXX contact, it is necessary to have specific permission from them to use their contact information on behalf of the other members of the Club.
Your personal data is not passed on by us to organisations other than those indicated above, whether or not connected with bridge.
Data for most of our members comes from them when they join XXX Bridge Club or when they update their information either directly with the Club or CBAI.
The information held by CBAI will be updated by your club, if you provide updates.
Scoring data comes directly from the results of the club games in which you play.
This information is mainly stored [in digital form on computers] and [in the form of written documents] stored at [location]. [We use Bridgewebs/other facility as our data processor for this purpose.] Any information that is stored remotely is stored [in the EU/ in compliance with the GDPR].
Under the GDPR (General Data Protection Regulation) we do not have a statutory requirement to have a Data Protection Officer. The person who is responsible for ensuring XXX Bridge Club discharges its obligations under the GDPR is our Club Secretary.
Members of the committee [and staff] of XXX Bridge Club have access to members’ data in order for them to carry out their legitimate tasks for the Club and CBAI.
Sub-contractors of XXX Bridge Club may be given access to data for specific tasks, such as sending mailings. They are not free to use it for any other purpose.
XXX Bridge Club collects personal data that is necessary for the purposes of its legitimate interests as a membership organisation and participant in an internationally recognised and regulated, competitive mind sport.
For some data, such as that relating to financial matters, the basis for its collection and retention is to comply with our legal obligations.
If you want to see the basic membership data we hold about you, you should contact the Club Secretary.
You can contact us with a “Subject Access Request” if you want to ask us to provide you with any other information we hold about you. If you are interested in any particular aspects, specifying them will help us to provide you with what you need quickly and efficiently. We are required to provide this to you within one month.
The GDPR refers to sensitive personal data as “special categories of personal data”.
[We do not record any such special data/Of these categories, the only data we record relates to the disabilities of members who have explicitly requested it to be recorded for the purpose of giving them stationary positions in our competitions (which we aim to do wherever feasible)]. If you wish to change this data on your record you can do so at any time by contacting the Club Secretary.
There are various ways in which you can limit how your data is used.
We normally keep members’ data after they resign or their membership lapses in case they later wish to re-join. However, we will delete any former member’s contact details entirely on request.
Since underlying statistical data, like scores from bridge games, continues to be necessary in relation to the purpose for which it was originally collected and processed, results from events used for the Master Points Scheme are not deleted by XXX Bridge Club or CBAI although they will no longer be attributed to a player who does not want their data to be kept.
Historical ranking lists and prize lists are required for archiving purposes and names cannot be removed from them.
Other data, such as that relating to accounting or personnel matters, is kept for the legally required period.
We normally keep members’ information after they die. If requested by their next-of-kin to delete it we will do so, on the same basis as when requested to remove data by a former member.
MEMBERSHIP APPLICATION FORM
LIKE MINDS BRIDGE CLUB
Other / Previous Club if any
By becoming a member of Like Minds Bridge Club, you automatically become a member of CBAI.
CBAI will receive your contact details and will enter them in its Membership Database.
Like Minds Bridge Club undertakes to collect and use your personal data in compliance with the General
Data Protection Regulation (GDPR). Our legal basis for processing this data is our legitimate interest as a
bridge club; we use the data for the administration of your membership, the communication of information
and the organisation of events.
This information will be recorded in our membership database, which is stored in compliance with the GDPR.
Our membership data is shared with CBAI, the governing body of the game of bridge in this country,
and they will pass to your county / region, which looks after the clubs in your area.
A limited amount of your information (Name, CBAI Number, Grade) will be listed in the online competition
entry database, made available for Competition and Congress Organisers and Tournament Directors.
This is to correctly identify players for competition entry and master point award purposes.
Your data may be processed by Bridgewebs/other organisations that act as Data Processors on behalf of
Like Minds Bridge Club. They may only use it for the specific purposes for which they act as the Club's data
processors, and they are not free to pass this on to other organisations that are not connected with Like Minds
Your personal data is not passed on by us for use by any other third parties whether connected to bridge or not.
Full information about our data use policies, including how you can see what data we hold about you, how you
can limit its use and how you can ask for inaccuracies in data to be corrected, may be found at
The CBAI's equivalent information can be found at www.CBAI.com/gdpr
I apply to become a member of Like Minds Bridge Club
I confirm that the information I have provided is accurate
I confirm that I have read and accepted the Club's Constitution and ByLaws.
FOR NEW PLAYERS ONLY
My teacher was:
I started classes on: