Personal data is considered any information relating to an identified or identifiable individual. So in addition to the more apparent personal data such as names, addresses, emails, birthdays, etc., it also includes information such as IP addresses, behavioral data, location data, financial data, etc. Sensitive personal data, such as health information or data that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature within your ClubRunner account.

Processing is referred to in the GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Essentially, it means collecting, managing, using or storing personal data.

 

There are different requirements and obligations for these two categories. A controller is the organization that determines the specific personal data to collect, as well as the purpose and means of processing it. A processor is the organization that processes the data on behalf of the controller. For instance, a club or district is a controller, and ClubRunner is the processor that houses the data that the organization collects on its behalf.

 

Here are the key principles that are of interest, although this is not an exhaustive list.

 

While the established EU laws from 1995 require data to be lawfully and fairly processed, GDPR now requires that Controllers and Processors fully disclose how and why data is processed in clear and simple terms. Privacy Policies and Terms and Conditions documents can no longer be written in complex language and hidden in hard to find places. They must be both easy to access and easy to understand.

While this section of the GDPR (Article 6) can be ambiguous, it states that processing is lawful, as long as the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.” This provides the possibility to develop justification for processing data while avoiding the management of consent, and applies both to the data controller and the processor. While we still recommend updating your membership agreements to gain explicit consent by your members to have their data processed, this would apply to managing your membership database. Keep in mind however, that this only applies if the interests, rights or freedoms of these individuals do not override the legitimate interests.

There are some scenarios that do require that you process data for lawful basis, such as the issuance of tax receipts or online payments for event registrations and other eCommerce activities you may carry out on your website. So long as this data is not used for any other purposes without consent, you have justification for doing so.

 

The GDPR states that consent must be “freely given, specific, informed and unambiguous” and is one of several reasons Processors and Controllers may use to justify the processing of data, along with lawful basis. This must be carefully tracked and managed, and readily available in the event an individual requests to see proof that they consented to their data being processed.

EU citizens will have several new rights under GDPR. All organizations must ensure that they can accommodate these rights if they process the personal data of EU citizens:

We’ve been busy over the past several months updating various aspects of our platform to help you become GDPR compliant and to fulfil our obligations as data processors. Here’s a snapshot of some of these changes that will affect your users’ experience:

 

We’re making it easy for users to become more aware of how their data will be processed, including your non-members that may interact with and be stored on your site. An example of this includes email notifications that are automatically sent whenever a new contact is added to your database, informing them that their contact information has been stored, the reason why, and how they can request for it to be reviewed, updated, or deleted.

 

We’re making it mandatory that whenever private information is entered into ClubRunner, the person adding the data consents to it, or for those entering data on behalf of individuals, confirm that they have received consent.

 

We’ll be tracking this information so that if your club is ever asked who entered the data or whether it was done with consent, you’ll have a timestamp, IP address, and other useful information to validate it.

 

This has been added into all modules of ClubRunner, such as our Events and Volunteers modules, MyEventRunner, and more.

 

Part of GDPR compliance is the ability for anyone to ask to see what data you have on them (search) and ask for this information to be edited, deleted or anonymized. We’ve created a cross-platform search (within your account) for names and emails and a deletion function that will anonymize all personal data.

 

We’ve made it easier to have your organization’s privacy policy linked throughout the website, application, signup pages and emails by creating an account-specific holding page for you to enter your privacy notice. We’re also tracking when it was last updated to keep your users aware of any changes that they take note of.

 

To access and update your privacy policy, any administrator can login to your site and access this screen from the Admin menu tab. We recommend that you seek legal advice to draft your privacy policy, and that you ensure you list ClubRunner as a data processor for your organization.

 

We’ve engaged GDPR experts in the European Union and have been working with them to ensure our compliance not only for our platform but our own operation.

 

We’re also updating our Privacy Policy and subscription agreements to be more transparent about our processing, how data is shared, and the rights that individuals have with their information.

We’ve signed Data Processing Addendums with all of our sub-processors, and made sure that any trusted party that we share data with is in compliance with GDPR.

We’ve also drafted internal policies and notices outlining all our procedures including internal security procedures, data breach reporting, data retention schedules, and others.

 

If you have any questions regarding the above information, or to inquire into ClubRunner's compliance, please get in touch with us at:

 

ClubRunner

c/o Privacy Officer

2010 Winston Park Drive, Suite 200

Oakville, Ontario

L6H 5R7  Canada

 

You can also email us at support@clubrunner.ca with your inquiry.