IWW Privacy and Data Protection Policy

We adhere to the principles relating to processing of personal data set out in the applicable legislation, which require personal data to be:

• Processed lawfully, fairly and in a transparent manner in relation to individuals (Lawfulness, Fairness and Transparency).
• Collected only for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes (Purpose Limitation); further Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
• Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation).
• Accurate and where necessary kept up to date (Accuracy); every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation); personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
• Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
• Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).
• Made available to Data Subjects, and Data Subjects allowed to exercise certain rights in relation to their personal data (Data Subject’s Rights and Requests).

We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).

This policy shall be reviewed at least annually by the IWW WISE-RA Data Protection Officer (DPO), who will update it in accordance with any changes to the applicable legislation, or as judged necessary by the DPO, or as decided by the IWW WISE-RA Delegates’ Executive Council (DEC) or Annual Conference.

It is the DPO’s responsibility to review and propose amendments to the DEC or Annual Conference of any decision/motion relevant to data protection where the DPO deems the original form of the decision/motion incompatible with the applicable legislation.

We must also regularly test our systems and processes to assess compliance.

The DPO is responsible for regularly reviewing, testing and auditing all the systems and processes under our control to ensure they comply with this Privacy and Data Protection Policy, and check that adequate governance controls and resources are in place to ensure proper use and protection of personal data.

⚠ We are required to ensure that all Union officers, staff, and Data Processors undergo adequate training to enable them to comply with data privacy laws.

⚠ Union officers, staff and Data Processors must undergo any data protection-related training that is provided and deemed mandatory by the Union’s DPO.

Personal Data: any information relating to an identified or identifiable natural person (Data Subject) as defined in Data Protection Legislation. Personal Data includes Special Category Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Special Category Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.

Pseudonymisation / Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, as defined in Data Protection Legislation.

Data Subject / Service User: a Data Subject is an identified or identifiable natural person to whom Personal Data relate, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined in Data Protection Legislation. Here we use the terms “Data Subject” or “service user” interchangeably to refer to any individual (whether an IWW member or non-member) who submits their personal data to the IWW WISE-RA in the process of using the services provided by the IWW, communicating with the IWW, conducting business with the IWW, or having services provided on their behalf by the IWW, including, but not limited to: IWW members and membership applicants; IWW Personnel, officers, role holders, staff, employees or contractors; visitors or users of the IWW WISE-RA website; visitors or users of any Information Technology system, service or platform managed by the IWW WISE-RA; and/or any persons for whom the IWW WISE-RA engages to provide services or with whom the IWW WISE-RA enters into a contract for services, support contract, service agreement or data processor agreement (whether as a provider or receiver of the agreed services).

Data Processors / Union or IWW officer(s)/role holder(s)/staff: a Data Processor is a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller, as defined in Data Protection Legislation. Here we use the terms “Data processor” or “role holder” interchangeably to refer to all personnel of the IWW WISE-RA, including any members, volunteers, officers, accredited Worker’s Representatives (“Reps”), contractors, employees, workers, staff, consultants, agents, subcontractors, or any other third parties who have been authorised by the IWW WISE-RA to process the personal data in its care on its behalf.

Data Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as defined in Data Protection Legislation, permutations such as “processing”, “process” or “processed” shall be interpreted accordingly.

Data Processor Agreement: a legally binding document to be entered into between a Data controller and a Data Processor in writing or in electronic form, which regulates the particularities of Data Processing – such as its scope and purpose – as well as the relationship between the Data Controller and the Data Processor.

Applicable Law / Applicable Legislation: unless and until no longer directly applicable in the UK, any court order, or any common law, statute, statutory instrument, order, or regulation issued by a governmental body with authority over the IWW WISE-RA, IWW WISE-RA Data Processors, and/or IWW WISE-RA members and Data Subjects from time to time in the context of their relevant rights and obligations under this Policy including the Data Protection Legislation.

Data Protection Legislation: all applicable data protection laws including, without limitation: (i) the Data Protection Act 2018 (DPA 2018), which encompasses the UK General Data Protection Regulation (UK GDPR), consisting of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (EU GDPR) incorporating the amendments set out in the Keeling Schedule showing changes which would be affected by the Data Protection, Privacy and Electronic Communications (amendments etc)(EU exit) Regulations 2019 made on 28 February 2019 (as amended by the Data Protection, Privacy and Electronic Communications (amendments etc)(EU exit) Regulations 2020 laid on 14 October 2020); (ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003; (iii), the Regulation of Investigatory Powers Act 2000; and (iv) all other laws, directives, regulations and industry guidelines having the force of law or codes of practice issued by the office of the Information Commissioner relating to the Processing of Personal Data or privacy, and/or any amendments thereto and re-enactments thereof and all rules, regulations and orders made under such legislation.

Regulatory Authority: the Information Commissioner’s Office (ICO), and any and all regulatory authorities that have responsibility for regulating Data Processing by the Union, the Union’s Data Processors, or the Union’s Service Users from time to time.

According to the IWW WISE-RA rules and policies, The role and responsibilities of the DPO is by default held by the elected Membership Officer. However, in 2020 the Membership Officer opted to appoint and deputise another IWW WISE-RA member to hold the role of DPO, and the Delegate’s Executive Council decided to deputise the role to an elected role holder starting 2023.

The DPO is the person responsible for overseeing and advising on the IWW’s compliance with this policy, all other relevant IWW WISE-RA Policies concerning data protection, security and processing, and applicable data protection laws.

Other responsibilities of the DPO are to:

• Monitor or perform specific data protection related processes as set out in this Policy, with the administrative support of the IWW WISE-RA Communications Administrator, such as: Data Protection Impact Assessments (DPIAs); Legitimate Interest Assessments (LIAs); the processing, retention & disposal of records; keeping a Register of Systems; managing Data Processor Agreements with Data Processors; data breach management and reporting, Data Protection Policy enforcement, completion of individual rights requests; reviewing and approving third-party data processors and third-party data processing platforms; completing regular system compliance tests and audits.
• Act as a point of contact with the Information Commissioner’s Officer as required.
• Act as a point of contact in responding to questions, requests and complaints relating to data protection and data handling.
• Develop and regularly review Union data drotection and processing policies, in close coordination with the IWW WISE-RA Communications Administrator, Communications Department, IT Committee, Membership Officer, Administration Department, Organising department and DEC.
• Increase IWW members’ and role holders’ awareness for data protection and puts in place adequate training tools and guidance papers (in coordination with the Training Committee).
• Manage responses to data breaches and collaborate with the Information Commissioner’s Officer in the course of investigations.
• Oversee the data protection and security related work of the IWW WISE-RA Communications Administrator and Membership Administrator as contractors.
• Oversee and Work closely with the Communications Administrator, IT Committee Secretary, and IT Committee volunteers in maintaining and developing the union’s IT systems in way that safeguards and enhances the security of data held by the IWW.
• Attend meetings of the IWW WISE-RA Administrative Department.
• Report to the IWW WISE-RA Administrative Department and Delegates Executive Council on data protection matters.

The DPO is not personally liable for data protection compliance. The IWW WISE-RA as an organisation and as the data controller, remains responsible for complying with data protection laws.

The DPO oversees and works closely especially with the Communications Administrator, who takes care of the day-to-day technical and administrative aspects of handling data, maintaining the Union’s IT systems, and implementing the IWW’s data protection and data processing policies and the DPO’s decisions. The DPO also oversees data protection related aspects of the Membership Administrator’s work of managing member records on the IWW WISE-RA membership database.

The DPO also monitors and works closely with the IT Committee Secretary and IT Committee volunteers regarding technical work they implement on the Union’s IT systems that concern data protection and security.

The IWW WISE-RA will ensure that we respect and fulfil the rights given to Data Subjects under the applicable legislation, regarding how we handle their personal data. These include rights to:

• withdraw consent to processing at any time;
• receive certain information about our processing activities as the Data Controller;
• request access to their personal data that we hold;
• prevent our use of their personal data for direct marketing purposes;
• ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
• restrict processing in specific circumstances;
• challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
• request a copy of an agreement under which personal data is transferred outside of the EEA;
• object to decisions based solely on automated processing, including profiling;
• prevent processing that is likely to cause damage or distress to the Data Subject or anyone else;
• be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
• make a complaint to the ICO; and
• in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format;

the Union and its Data Processors will fulfil Data Subjects’ legitimate requests / Subject Access Requests (SARs) In compliance with the applicable legislation.

In the first instance, after receiving a Data Subject’s request or SAR, the Union’s Data Processors should refrain from immediately responding. Only the DPO is authorised to make decisions concerning such requests. Prior to taking any action regarding the Data Subject’s request or SAR, Data Processors must immediately forward any request they receive to the Union’s DPO and comply with the DPO’s instructions regarding the request/SAR response process. in most cases, the response process will be implemented by the Communications Administrator under direct instructions from the DPO.

The Union’s DPO must verify the identity of an individual requesting data under any of the rights listed in this section (Data Processors must not allow third parties to persuade them into disclosing personal data without proper authorisation).

Data Subjects shall have the right to obtain from the Union, as the Data Controller, confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, obtain access to their personal data.

Information on how to access one’s personal data should be detailed in the Union’s relevant Privacy Notice or Data Protection Policy.

Data Subjects shall have the right to require the Union, without undue delay, to rectify any inaccurate or incomplete personal data concerning them.

Except where the data is held for purposes of legal obligation, Data Subjects shall have the right to require the Union, without undue delay, to erase any personal data concerning them. As a Trade Union, the IWW must meet statutory requirements to retain certain types of data on members, without which continued membership in the Union is not possible.

Where there is a dispute between the Data Subject and the Union about the accuracy, validity or legality of data held by the Union, the Data Subject shall have the right to require the Union to cease processing the data for a reasonable period of time to allow the dispute to be resolved.

Where data is held for purposes of consent or contract the Data Subject shall have the right to require the Union to provide them with a copy, in a structured, commonly used and machine-readable format, of the data which they have provided to the Union, and have the right to transmit that data to another Data Controller without hindrance.

the Union shall ensure that the IT platforms it provides will enable the provision of copies of personal data in commonly used and machine-readable file formats for the purposes outlined in the previous paragraph.

Data Subjects shall have the right to object, on grounds relating to their particular situation, at any time, to processing of personal data concerning them which is based on Legitimate Interest, including profiling based on those provisions. the Union shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Where personal data is Processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing

Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

At the latest at the time of the first communication with the Data Subject, the right referred to in the preceding two paragraphs shall be explicitly brought to the attention of the Data Subject and shall be presented clearly and separately from any other information.

Except where it is: a) based on the Data Subject ‘s explicit consent, or b) necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller; the Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

Where the Union acts as the Data Processor for a third party Data Controller of the personal data concerned by the Data Subject’s request, the Union’s DPO will immediately notify the Data Controller and act in compliance with the Data Controller’s instructions.

We may collect your personal information in the following ways:

• Via website cookies, analytics tools, site logs, server logs, or other similar methods (see ‘Cookies’ section below).
• Via our online or paper membership application forms.
• Via online contact forms for submitting queries.
• Via postal, email, SMS, mobile/online instant messaging, phone communications, or any other forms of communication you have with IWW role holders.
• Via online or offline survey forms, questionnaire forms, email contact submission forms, casework consent forms, crowdsourcing or crowdfunding campaign forms, or petitions.
• Via meetings or training sessions we may have with you, whether face to face or via video/voice teleconference.
• Via any form of communication and documentation relating to payment processing for sending or receiving payments (for example, invoices, online payment forms, or phone calls where we collect payment details or bank account information), and via any online or offline payment platforms or payment methods, including third-party financial institutions such as banks and payment processors.
• If you are an IWW staff member or contractor, or if you work for us in any other capacity, we may collect and process your relevant personal information as part of the normal purposes of administering your work for us.
• When you log into and use the functionalities of the online platforms that we maintain for our members and role holders, and when you view, search, alter, post, send, save, or upload content containing personal or personally identifying information on/via those platforms. This includes usage logs, analytics data, or any messages or content that you post, upload, send or edit on/via:
  • The IWW.org.uk website and WordPress administration/editing platform for the website;
  • our online Members’ Area;
  • our chat.iww.org.uk Wobchat platform;
  • our forum.iww.org.uk Interwob forum platform;
  • our email accounts, webmail client site, email server, and email server management system;
  • our mailing lists;
  • our cloud.iww.org.uk cloud file storage platform;
  • our CiviCRM membership database site (and the Drupal Content management System used for the database user interface) and any online forms or data input sites linked to the database;
  • Our Matomo analytics system;
  • Any other online tool or platform we may use for our activites.
• When you purchase items from our online shop.
• From other unions or organisations with which we share formal organisational or collaborative ties with around the world, for example: if we have membership transferral agreements; or so that we can administer shared communications platforms (e.g., the Interwob forum). This will always be done in a manner that respects your data rights and privacy, and complies with UK and EU Data Protection laws as well as the data protection laws and standards of your organisation and country, if you reside outside the UK or EU.
• From other potential third-party sources such as:
  • Your current or past employer (as part of the recruitment process for persons who work for the IWW or may potentially work for the IWW as staff, contractors or service providers; or in the case of our union members, only if and when the IWW supports you with casework or represents you to defend your rights and interests as a worker; we will never share your status as an IWW member with any third party without your prior consent).
  • Your current or past clients, other people you do business with, or your agent or representative, if you are a contractor or service provider we are looking to work with.
  • Public authorities, only if and when we must deal with public authorities to fulfil legal obligations.
  • Publicly available sources, only if strictly required to meet our legitimate interests as a trade union, or to fulfil our legal or contractual obligations. 

We may collect and process information about the following categories of persons or organisations: 

• Visitors to our websites and users of our online platforms
• IWW members and membership applicants
• Current or prospective IWW staff members, employees, contractors, service providers, advisers, consultants, or other persons working for the IWW.
• Employers of IWW members. (We will never inform your employer about your IWW membership, or interest in the IWW, or interactions with the IWW (including of non-members), without your prior agreement or consent.)
• Enquirers and complainants.

We may collect and process personal information in the following broad contexts:

• Membership administration: As part of the membership application process and as part of administering union membership. We will refer to this context with the shorthand notation: “Membership“. Where we make it optional for members to provide the data in this context, we denote it with the additional shorthand notation: “[optional]“.
• Communications: in contexts where persons may willingly provide those categories of personal data to us by communicating with us, or by using or posting or sending information via our online platforms. This includes responses to surveys or petitions, customers buying items from our online shop, and members using our members-only online spaces/platforms. We will refer to this context with the shorthand notation: “Communications“. Not all the categories of personal data listed in the next sub-section as collected in the “Communications” context are necessarily always collected in that context.
• Union organising and representation: In contexts where the IWW provides organising support, advice and/or representation to our union members in individual or collective cases or campaigns regarding work issues. In particular, it is often necessary to collect detailed personal data for the casework involved in accompanying, representing and defending individual workers (e.g., at meetings with employers, supporting members’ workplace grievances, supporting members facing disciplinary processes). We will refer to this organising and representation context with the shorthand notation: “Representation“. Not all the categories of personal data listed in the next sub-section as collected in the “Representation” context are necessarily always collected in that context.
• Staff administration: in the context of managing persons who work for the union as elected officers, role holders, accredited workers’ representatives, or as paid personel, including contractors and third-party service providers or data processors. We will refer to this context with the shorthand notation: “Staff“. Not all the categories of personal data listed in the next sub-section as collected in the “Staff” context are necessarily always collected in that context.

We may collect the following categories of personal information, in the following contexts:

• IP addresses of visitors and users on our online platforms. We may also retain server logs that include the IP address of every request to our servers. (Communications).
• Information about your use of our information and communications systems and online platforms, including but not limited to: cookies, usage logs, analytics logs, and any messages and other content and media that you post, upload, send or edit via our communications systems, websites or online platforms. (Communications).
• The contents of any personal information that you provide us via our digital and analog information and communications systems (via joining forms, correspondence, email, messaging, voice calls, teleconferencing, meetings, training sessions, online chat or forum posts, online file sharing, queries or complaints submitted via online contact forms, surveys, questionnaires, petitions, payment processing). (Communications).
• Personal contact details for example: name, addresses (postal/residential address and country of residence), telephone numbers, and personal or work email addresses. (Membership; Communications; Representation; Staff).
• Date of birth, age. (Communications; Representation; Staff).
• Gender. (Membership [optional]; Communications; Representation; Staff).
• contact details of next of kin, guardian, carer, lawyer, representative or emergency contacts. (Communications; Representation; Staff).
• Bank account, debit/credit card, or other details about means of payment. (Membership [optional]; Communications; Staff).
• Information about general income bracket after tax. (Membership; Communications, Representation, Staff).
• Information about income, salary or payments for services, payroll/invoice records, tax status information, annual leave, pension and benefits information. (Communications; Representation; Staff).
• Compensation history. (Communications; Representation; Staff).
• Employment/work status; employer; job title; Employer’s address. (Membership; Communications; Representation; Staff).
• Work contract type and terms. (Membership [optional]; Communications; Representation; Staff).
• Start and end date of employment/work. (Communications; Representation; Staff).
• Location of employment or workplace. (Membership [optional]; Communications; Representation; Staff).
• Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter). (Communications; Representation; Staff).
• Immigration status. (Communications; Representation; Staff).
• Copies of or data from identity documents, driving licence, passport, birth and marriage certificates. (Communications; Representation; Staff).
• Work performance and appraisal information. (Communications; Representation; Staff).
• Workplace disciplinary and grievance information. (Communications; Representation; Staff).
• Secondary employment and volunteering information. (Membership [optional]; Communications; Representation; Staff).
• Skills and qualifications. (Membership [optional]; Communications; Representation; Staff).
• family, lifestyle and social circumstances. (Communications; Representation).
• goods and services provided. (Communications, Representation, Staff).

We may also collect the following categories of more sensitive personal information, in the following contexts (cf. definition for ‘Special Category data’ by clicking here, then clicking collapsed section on definitions of key terms):

• Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions. (Communications; Representation; Staff).
• Trade union membership, including membership and roles in other trade unions than the IWW. (Membership [giving information about membership in other trade unions is optional]; Communications; Representation; Staff).
• Information about your health, including any medical condition, health and sickness records, disability or accessibility requirements, accident book, first aid records, injury at work and third-party accident information. (Membership [information about disability status or accessibility requirements is requested but optional]; Communications; Representation; Staff).
• information about criminal convictions/allegations and offences. (Membership [only in the context of Incarcerated members of our Prisoner Solidarity Network]; Communications; Representation; Staff).

Purpose limitations:

The applicable law restricts our actions regarding the processing of personal data to specified lawful purposes or bases. These restrictions are not intended to prevent processing, but rather to ensure that we process personal data fairly and without adversely affecting the Data Subject.

Personal data must be collected only for specified, explicit and legitimate purposes. It must not be processed in any manner incompatible with those purposes.

IWW Data Processors cannot use personal data for new, different or incompatible purposes from those disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have consented where necessary.

We should document our decision to rely on any specific lawful basis and ensure that we can justify our reasoning.

Legitimate Interest:

The IWW’s principal lawful basis for collecting, storing and processing data is the IWW pursuing our legitimate interests as a trade union for purposes where they are not overridden because the processing prejudices the interests or fundamental rights and freedoms of Data Subjects.

These legitimate interests and purposes are set out in the data processing purposes listed in this section, and are further characterised in the IWW WISE-RA’s wider set of rules, policies, activities and reasonable interests as a Union, and also by common, reasonable expectations regarding Trade Union activities, and as further defined by applicable laws relating to Trade Unions’ activities.

The processing must be necessary. If we can reasonably achieve the same result in another less intrusive way, Legitimate Interests will not apply.

We must balance our interests against the Data Subject’s. If they would not reasonably expect the Processing, or if it would cause unjustified harm, their interests are likely to override our Legitimate Interests.

Legitimate Interests also include serving or supporting the legitimate interests of our members, service users, role holders and staff, particularly in meeting our contractual or legal obligations towards them.

We performed a Legitimate Interest Assessment (LIA) in 2018, prior to producing the first iteration of this Privacy and Data Protection Policy. Before we start Processing any Personal Data on the basis of Legitimate Interest, we perform and record an LIA. An LIA is a type of risk assessment used to determine whether Legitimate Interest can lawfully apply. In performing the LIA we employ the three-part-test approach as described in the ICO’s website guidance on GDPR and Legitimate Interests. This three-part test consists in:

• Identifying a legitimate interest;
• showing that the Processing is necessary to achieve it; and
• balancing it against the individual’s interests, rights and freedoms.

Consent:

Here, “consent” means an agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them. A Data Subject consents to processing of their personal data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are not sufficient.

The IWW WISE-RA and its Data Processors must record evidence of consent captured and keep records of all consents on the IWW WISE-RA Membership Database.

Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.

Data Subjects must be easily able to withdraw consent to processing at any time and withdrawal must be promptly honoured.

Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Union’s systems.

Consent may need to be refreshed if you intend to process personal data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.

For IWW members, while we can rely on Legitimate Interest as the basis of data processing, it is mandatory to clearly explain the purposes for collecting the data, and collecting explicit consent is strongly recommended for any supplementary/additional collection and processing of sensitive Special Category Data beyond and after the initial collection of personal data via the IWW WISE-RA membership (joining) form. The same applies for Automated Decision-Making and for cross border data transfers outside of the European Economic Area.

Clearly explaining the purposes for collecting the data, and collecting consent are mandatory whenever we solicit personal data from non-IWW IWW members for the purposes of research, promoting the union (‘marketing’), surveys or petitions.

For both IWW and non-IWW members, whenever we solicit personal data with the intention of subscribing them, sharing their data with, or processing their data using third-party data processing platforms, it is mandatory to collect consent after clearly explaining the purposes for collecting the data and informing them of the Privacy Policies of the third-party platforms.

Contract, Legal Obligation, or Vital Interest:

We consider these three further legal bases for data processing as subsumed under the principal lawful basis of Legitimate Interest on the basis of which we collect and process most personal data in our care.

By Contract: the Processing is necessary for the performance of a contract with the Data Subject. We can rely on this lawful basis if:

• The Union has a contract with an individual or organisation and we need to process personal data to comply with our obligations under the contract.;
• we have a contract with an individual or organisation and we need to process personal data so that we or they can comply with specific counter-obligations under the contract (e.g., processing payment details);
• because an individual or organisation has asked us to do something before entering into a contract that is essential to the implementation of the contract (e.g., provide a quote); or
• We have a contract or Data Processing Agreement with an individual or organisation that makes the IWW WISE-RA a Data Processor that processes the personal data of Data Subjects for which that individual or organisation acts as a Data Controller or higher-level Data Processor.



The processing on the basis of a contract must be necessary. If we could reasonably achieve the same ends by processing less data, or using personal Data in a less intrusive way, this basis will not apply.

By Legal Obligation: to meet our legal compliance obligations. This may include, but is not limited to:

• Our legal and statutory obligations under laws applying to Trade Unions or labour and employment, including any obligations to share data with the Certification Officers of the UK or Northern Ireland, or with companies we hire to perform obligatory annual financial audits of the Union; or
• legal obligations to collect, process and share personal data with HM Revenue & Customs that are relevant to the payment or payroll information on Union contractors, paid staff or employees; or
• obligations to comply with any legally binding request for disclosure of the personal data by a judicial or law enforcement authority.

By Vital Interest: where it is necessary to protect a person’s vital interests.

The data protection legislation also defines Public Tasks as a possible lawful basis for data processing. The Union undertakes no Public Tasks that require the collection, holding and/or processing of personal data.

Transparency & Privacy Notices:

The applicable legislation requires Data Controllers to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. Such information must be provided through appropriate Privacy Notices or Fair Processing. This Privacy and Data Protection Policy text, and more specifically, the top section providing the summary of this policy, constitutes an example of such a Privacy Notice.

The Privacy Notice must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand it.

Whenever we collect personal data from Data Subjects, we must provide the Data Subject with all the information required by the data protection laws, including the identity of the Data Controller and the Union’s DPO, how and why we will use, Process, disclose, protect and retain that Personal Data through a Fair Processing Notice which must be presented when the Data Subject first provides the personal data.

When personal data is collected indirectly (for example, from a third party or publicly available source), we must provide the Data Subject with all the information required by the applicable legislation as soon as possible after collecting/receiving the data (within one month) or if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

When personal data is collected indirectly, we must also make sure it was collected by the third party in accordance with the law and on a basis which is compatible with our proposed processing of that personal data.

For all the above purposes, the IWW WISE-RA and its Data Processors will present the contents of the Summary section of this policy as our Privacy Notice (or in the case of emails sent by IWW role holders from IWW email accounts, a link to this policy webpage, in the email’s footer). The Privacy notice will be provided free of charge, to everyone from whom we collect, or on whom we hold and processes personal data. In addition, when it is presented in this way, the following information will be added within the Policy summary text or in any adjacent text that forms part of the Privacy Notice or data collection medium:

• A link to this webpage containing the full policy.
• the purpose of the data collection and processing, and any additional purposes, and specify the lawful basis used for the collection of data, as required.
• Any intention to share the personal data with any third party, with a link to any third party’s Privacy Notice.
• The source the personal data originates from and whether it came from publicly accessible sources (Not applicable if the data are being obtained directly from the data subject).
• The categories of personal data concerned (not applicable if the data are obtained directly from the data subject).
• Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data (not applicable if the data are not obtained directly from the data subject).
• Any signature field or tick box and accompanying explanation statement required for the collection of consent.

Data minimisation

The Union and its Data Processors must ensure that only necessary personal data is collected, stored or processed; and personal data is not accessible to an indefinite number of people, but instead access to personal data is granted on a need-to-know basis. This is known as privacy by default.

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Data Processors may only process personal data where the performance of their role requires it. They cannot process personal data for any reason unrelated to their role.

The Union’s Data Processors can only collect personal data that they require for their job: do not collect excessive data. Ensure any personal data collected is adequate and relevant for the intended purposes.

The Union, its DPO and its Data Processors must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Union’s data retention guidelines.

Accuracy

Personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

The Union’s Data Processors must ensure that the personal data we use, and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it.

The Union’s Data Processors must check the accuracy of any personal data at the point of collection and at regular intervals afterwards.

The Union, its DPO and its Data Processors must take all reasonable steps to destroy or amend inaccurate or out-of-date personal data.

Register of Systems

The applicable legislation requires us to keep full and accurate records of all our data processing activities. The Union and its Data Processors must keep and maintain accurate records reflecting our processing, including records of Data Subjects’ consents and procedures for obtaining consents.

The IWW WISE-RA Membership Database and other internal IT systems (e.g., the Interwob Forum, Members’ Area, Wobchat, Next Cloud, etc.) should serve as that record, or Register of Systems. This is why IWW WISE-RA Data Processors should keep as much of the data processing activities as they can within IWW WISE-RA’s own data processing systems (namely, the Membership Database, Interwob Forum, Members’ Area, Wobchat, and Next Cloud) where possible, and keep a record on the Membership Database detailing any data processing that occurs outside those internal systems.

The DPO shall be responsible for keeping the Register of Systems up to date with the administrative and technical help, namely, of the Communications Administrator and Membership Administrator.

The Union shall record the appropriate lawful basis upon which personal data or sets of personal data are processed in the Register of Systems.

The Register of Systems should include, at a minimum, the name and contact details of the Data Controller and the Union’s Data Protection Officer, clear descriptions of the personal data types, data subject types, processing activities, processing purposes (i.e., lawful bases for Processing), third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period, any related Data Processor Agreements governing the processing, and a description of the security measures in place. In order to create such records, data maps should be created which should include the detail set out above together with appropriate data flows.

Personal data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

The Union and its Data Processors must not keep personal data in a form which permits the identification of the Data Subject for longer than needed for the legitimate purposes or purposes for which we originally collected it, including for the purpose of satisfying any legal, accounting or reporting requirements.

The Union will maintain retention policies and procedures, including Data Retention Schedules, to ensure personal data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. IWW Data Processors must comply with the Union’s guidelines on Data Retention.

Where the Union acts as the Data Processor for a third party Data Controller or for a third-party, higher-level Data Processor, the terms and conditions of the Personal Data Retention period, Storage Limitation, and Data Disposal may be specified in a Contract for Services, Support Agreement, Service Agreement and/or Data Processor Agreement between the Union and that third-party.

To ensure that personal data is kept for no longer than necessary, the Union shall put in place an archiving policy for each area in which personal data is processed and review this process annually.

The Union and its Data Processors will take all reasonable steps to destroy or erase from our systems all personal data that we no longer require in accordance with the Union’s applicable records retention schedules and policies. This includes requiring the Union’s Data Processors, including third-party Data Processors, to delete such data where applicable.

The Union and its Data Processors will ensure Data Subjects are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice or Fair Processing Notice.

Data Security and TOMs principles and general terms.

Technical and Organisational Measures (TOM), definition:  the functions, processes, controls, systems, procedures and measures taken to protect and secure the Personal Data, Service User Data and any other sensitive general data that the Society processes.

Personal data must be secured by appropriate Technical and Organisational Measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

We will develop, implement and maintain safeguards based on a Technical and Organisational Measures Policy appropriate to our size, scope and business, our available resources, the amount of Personal data that we own or maintain on behalf of others and identified risks (including use of encryption and pseudonymisation where applicable). Our TOMs will be outlined in this section of the Policy.

The objectives of the TOMs Policy are to:

• Ensure that all Union Data Processors are aware of, and implement all the Technical and Organisational Measures required to effectively comply with this Policy and all applicable legislation.
• Provide a concrete framework of procedures for establishing suitable levels of information security for the Union’s information systems and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
• Provide the principles and methods by which a safe and secure information systems working environment can be established for Data Processors and service users.
• Ensure that Data Processors understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
• Protect the Union from liability or damage through the misuse of its IT facilities and other information processing media.
• Maintain research data and other confidential information provided by suppliers and other third parties at a level of security commensurate with its classification, including upholding any legal and contractual requirements around information security.
• Respond to changes in the context of the Union as appropriate, and to implement improved security and organisational measures as and when required.

The following information security principles provide overarching governance for the security and management of information within the Union:

• Information will be classified according to an appropriate level of confidentiality, integrity and availability and in accordance with relevant legislative, regulatory and contractual requirements.
• Data Processors will handle information in accordance with its classification level, and will comply with any policies, procedures, systems or contractual / Data Processor Agreement requirements put in place by the union to meet those responsibilities.
• Information will be both secure and available to those with a legitimate need for access in accordance with its classification level. Therefore, access to information will be assigned to Data Processors on a need-to-know

We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.

IWW WISE-RA Data Processors are responsible for protecting the personal data we hold. They must implement reasonable and appropriate security measures against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to, personal data. They must exercise particular care in protecting Special Category Data from loss and unauthorised access, use or disclosure.

Our Data Processors must follow all procedures and technologies we put in place to maintain the security of all personal data from the point of collection to the point of destruction. They may only transfer personal data to third-party service providers who have signed our Data Processor Agreement, agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested by us (via our DPO).

Data Processors must maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

• Confidentiality means that only people who have a need to know and are authorised to use the personal data can access it.
• Integrity means that personal data is accurate and suitable for the purpose for which it is processed.
• Availability means that authorised users are able to access the personal data when they need it for authorised purposes.

Data Processors must comply with all applicable aspects of our Technical and Organisational Measures Policy and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the applicable legislation and relevant standards to protect personal data.

⚠ Technical and Organisational Measures (TOM)

Data Processors must comply with all applicable aspects of our Technical and Organisational Measures Policy and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the applicable legislation and relevant standards to protect personal data.

With regard to personal data for which WISE-RA is the Data Controller, or general internal IWW WISE-RA business, as far as possible, only IWW-WISE-RA-controlled or mandated internal communications platforms and tools should be used for core data processing functions of the union at the IWW WISE-RA Regional Administration and ROC levels, such as membership data and database management, the discussion and practice of internal union business, deliberations and democracy, democratic decision making and elections, complaints processing and data retention, the long term retention and processing of personal data and casework / worker’s representation / organising data, and email communications from and between IWW officers, role holders and data processors about IWW WISE-RA business or containing any personal information processed on behalf of the IWW.

Where possible, non-commercial, open-source platforms, and/or highly secure platforms that minimise the sharing of IWW business data and IWW-processed personal data with third party sources, should be given preference for use as IWW controlled and mandated data processing and communications platforms.

For the IWW NARA (North American Regional Administration) role holders who sign the IWW WISE-RA Data Processor Agreement, all of the terms and conditions described in this document only apply to the processing of the personal data of Data Subjects for which IWW WISE-RA is the Data Controller (i.e., personal data, including the personal data of NARA members, when it is processed within the Interwob forum or other WISE-RA controlled data processing platforms), and excludes NARA members’ personal data where it is processed by IWW NARA outside of the Interwob forum (or outside of any other WISE-RA controlled data processing platforms), and NARA union business excluding personally identifying data in any context or platform, which are governed by the laws, rules, policies and procedures relevant and applicable to and within NARA.

Agents of third party organisations authorised as IWW WISE-RA data processors must only use the communications and data processing platforms and tools (e.g., organisational email accounts) provided by IWW WISE-RA or by that authorised organisation when processing data on the IWW’s behalf.

Going forward in this document ‘IWW’ will stand for ‘IWW WISE-RA’, and ‘IWW Data Processors’ will be taken to include IWW NARA members, or agents of third party organisations who sign a WISE-RA Data Processor Agreement in order to process data controlled by IWW WISE-RA.

When required for their role, IWW officers, role holders and data processors will be given an email account hosted on an IWW controlled email server and/or any access their role may require to other IWW controlled data processing platforms (e.g., the Membership Database, the Interwob forum administrator or moderator tools and interfaces).

IWW officers, role holders and data processors must only use the data processing and communications tools/platforms/accounts assigned to them by the IWW, or by third party organisations authorised by IWW as data processors, for all processing or communications of IWW WISE-RA business or of personal information for which the IWW WISE-RA is the Data Controller. They must never use personal emails or unauthorised/unmandated personal or third party data processing platforms for these purposes, unless the Data Subjects whose personal data is processed provide explicit and informed consent.

Explicit and informed consent means that, before they consent, the Data Subject must be informed of what data will be processed and/or shared, for what purposes it will be processed and/or shared, how it will be processed and/or shared, and with whom it will be shared. The personal data must never be processed or shared in a manner that differs from the purposes and methods that informed that consent unless further consent is obtained to include those new methods and purposes.

IWW role holders and data processors, however, can use their personal telephones and telephone numbers to make regular (phone number to phone number) voice calls and send SMS messages on behalf of the IWW. IWW role holders and data processors may also use the Signal app for end-to-end encrypted messaging and voice-over-internet calls for the same purposes. No other mobile messaging or voice-over-internet apps should be used unless explicitly authorised by the IWW WISE-RA Data Protection Officer (DPO) and mandated by a relevant body of the IWW, or unless the Data Subject provides their explicit and informed consent to do so. IWW data processors must not keep the contact details of call, SMS, Signal-messaging or Signal-call recipients or the contents of SMS or Signal messages saved on their devices longer than is necessary for fulfilling their IWW mandated work, unless they have the explicit and informed consent of the recipient to retain the data for longer on their devices.

⚠ The following list sets out the description of the technical security measures that you, as a data processor, are required to implement whenever accessing and processing IWW WISE-RA data:

• I will use firewalls to protect my internet connection. This will be my first line of defence against an intrusion from the internet.
• I will choose the most appropriate secure settings for my devices and software. Most hardware and software will need some level of set-up and configuration in order to provide effective protection.
• I will keep my software and devices up-to-date. Hardware and software needs regular updates to fix bugs and security vulnerabilities.
• I will install up-to-date, industry standard anti-virus and anti-malware software on all my devices to optimally protect my devices from viruses and other malware. I will choose the most appropriate settings of this software to optimise security. I will keep my anti-virus and anti-malware software updated to the latest version at all time. I will keep my anti-virus/anti-malware definition files fully and regularly updated. I will perform regular virus/malware scans on my devices at least once a week.
• I will ensure that no one other than myself can access IWW WISE-RA data and online platforms via my devices or using my WISE-RA login credentials. I will not allow other users to use my devices while they remain logged in to any IWW WISE-RA platforms. I will restrict access to my devices to users and sources I trust.
• I will ensure that my login passwords for WISE-RA systems are as strong as possible — at least 16 characters and including random strings of: numbers, small and capital letters, and special characters such as %,^,&,*,(,),$,#,@, or !.
• I will keep my passwords stored securely in password management applications (and use two factor authentication to secure my password management application). (We recommend using the open source KeepassXC password manager (https://keepassxc.org/)).
• I will never share my passwords for accessing the IWW WISE-RA membership database, members’ area, Interwob Forum, Wobchat, IWW Nextcloud or any other password-based access that is not intended for use by anyone other than myself. IWW email account passwords may sometimes need to be shared with a co-officer or co-role-holder for shared use; in such cases I will only ever share those passwords using secure, encrypted communications (see step-by-step instructions for this.).
• I will never share or send my passwords or any personal data under my care over unencrypted internet connections, email, messaging, voice calls or any other mode of unencrypted/unsecured communication. I will not send unencrypted emails or messages containing IWW WISE-RA passwords or any personal data, even to myself as a “note to self.”
• I will only use the data processing or communications tools/platforms/accounts that the IWW WISE-RA has assigned and authorised me to use for all my processing/communications of IWW WISE-RA business or of personal information for which the IWW WISE-RA is the Data Controller. I will only use other data processing and communications methods if I obtain authorisation from the IWW WISE-RA DPO, or obtain the explicit and informed consent of the Data Subject. If I am an agent of an IWW WISE-RA authorised third party data processor organisation, I will only use the data processing and communications tools and platforms provided by the IWW or by that organisation. This means, for example, that if I am only given access to the Interwob moderator tools, I will only process the personal data within Interwob and will not export it or communicate it outside of the Interwob platform without further authorisation from the IWW WISE-RA DPO or the Data Subject’s consent; or, for example, if I am given access to the IWW WISE-RA database and an IWW WISE-RA email account, I will only use those tools to process the personal information and will not process it outside of those platforms; unless otherwise allowed in a manner described further below, or allowed by further authorisation by the IWW WISE-RA DPO or through consent of the Data Subject.

• If I am given an IWW WISE-RA email account, I will not set a forwarder from my IWW email account to a non-IWW email, and I will not use a non-IWW email account to send emails using an IWW email alias. The IWW IT Committee does not allow the use of aliases or forwarders linking with any non-IWW email accounts, for data protection reasons.
• If I am given an IWW WISE-RA email account and/or access to the IWW WISE-RA Membership Database, when sending emails to multiple recipients I will normally use the IWW WISE-RA database bulk mailer. Otherwise, if using an email client, I will use the BCC field for the personal email addresses of all recipients; never the “To:” field; to prevent recipients being able to see other recipients’ personal email addresses.
• I will not include the personal data of any IWW WISE-RA Data Subject in emails sent to persons who have not signed an IWW WISE-RA DPA, without the explicit and informed consent of the Data Subject in question.
• Except where other sections of this document allows alternative methods (e.g., using my personal phone or the Signal app), I will only use IWW email accounts for all casework-related or complaints-process-related messages, or any communications relating to an IWW Data Subject’s personal data; whether it is for communicating with any person on behalf of the IWW about their case or their personal data; communicating with their employer or co-workers about their case or personal data; or communicating with other IWW role holders about their case or personal data. I will never email any personal data of IWW WISE-RA Data Subjects from personal non-IWW email accounts without the Data Subject’s explicit and informed consent. I will never email any personal data of IWW WISE-RA Data Subjects to non-IWW email accounts, including the non-IWW email addresses belonging to IWW WISE-RA role holders who have signed a DPA, except with the explicit and informed consent of the Data Subject, and will only ever do so if strictly necessary.
• I will avoid, where possible, storing any personal data and/or IWW WISE-RA data on my devices unless reasonably necessary to perform my assigned role, and if I do so, I will only store such data on password-protected, encrypted hard drives and systems/devices, or in encrypted files. I will delete this data from my devices as soon as I no longer require it. Personal data and IWW WISE-RA data should best be stored on the Interwob forum (in so far as it is data generated on Interwob), or the IWW WISE-RA Membership Database or Nextcloud file repository rather than on personal devices. If I run the IWW’s Nextcloud app on my devices to synchronise file storage between the IWW Next Cloud and my device, I will do so securely and only on password-protected and encrypted devices.
• I will regularly back-up my data to password protected, encrypted storage (for any IWW Data, only on personal hard disks, thumb drives, SD cards, etc, NOT cloud based storage except the IWW WISE-RA Next Cloud file repository). Regular backups of important data will ensure it can be quickly restored in the event of disaster or ransomware infection. I will not use third-party cloud based storage/backup services for backing up IWW WISE-RA data (You can use third-party cloud storage to back up your own devices, systems and files, but not for backing up any data controlled by the IWW WISE-RA, however the IWW WISE-RA Next Cloud file repository can be used as cloud storage for IWW controlled data).
• I will never share or send IWW WISE-RA data or personal data under my care with/to anyone who has not signed an IWW WISE-RA Data Processors’ Agreement, and even then I will only do so on a strictly need-to-know basis and only for the purposes for which the data has originally been collected (as explained to the Data Subject when it was collected). The only exception where I can share personal data under my care with persons who have not signed an IWW WISE-RA Data Processors’ Agreement is where I have obtained further authorisation from the IWW WISE-RA DPO or explicit and informed consent to do so from the Data Subject concerned.
• When sharing or sending IWW WISE-RA union data, especially a Data Subject’s personal data: I will only share the data with persons who have signed the IWW WISE-RA DPA, and only send it from my IWW email account to another IWW email account, or otherwise use encrypted communications; If I need to share data with persons who have not signed an IWW WISE-RA Data Processor Agreement, I will only ever do so if strictly necessary and if I have obtained further authorisation from the IWW WISE-RA DPO or the explicit and informed consent of the Data Subject concerned. In all cases I will send only the data that is strictly necessary for the task, only for the stated purposes it was collected, minimising the data I send, and pseudonymising or anonymising it whenever possible.
• I will never store, process or collect IWW WISE-RA data or any personal data under my care on any third-party data processing, social networking or cloud platform that is not explicitly authorised by the IWW WISE-RA DPO and formally mandated for use by the IWW WISE-RA body that the data corresponds to, and the Data Subject has provided explicit, informed consent to their data being used in this way. For example, I will never collect or copy the data to Google Spreadsheets, Survey Monkey surveys, Dropbox, Google Drive or any other online/cloud data processing/data-collection/survey/file-sharing/storage application, nor use such applications to share the data or collaborate on data processing with other persons (unless the IWW WISE-RA Data Protection Officer has authorised it, AND there is explicit, minuted mandate by the IWW WISE-RA body whose data is concerned, AND explicit, informed, recorded consent by all the Data Subjects whose data is concerned, which allows me to do so. cf. the IWW WISE-RA Privacy and Data Protection Policy for more details on the procedures required to use third party data processing platforms).
• If an authorised and mandated third-party platform is used to process personal data, and it is used with the Data Subject’s consent, I will use strong passwords, secured with an appropriate password management system, and employ two factor authentication to secure my access to that platform. I will furthermore ensure that Data Subjects can have their data removed from that platform at any time and that they know how to do so.
• I will never share, post or cross-reference the personal data under my care using any social media or social networking platform such as Facebook, Discord, Twitter, etc. in a manner that directly or indirectly reveals/shares the data with third parties (unless there is an explicit, minuted mandate by the IWW WISE-RA body whose data is concerned, AND explicit consent by all the Data Subjects whose data is concerned, which allows me to do so).

The applicable legislation restricts data transfers to countries outside the European Economic Area (EEA) in order to ensure that the level of data protection afforded to individuals by the applicable legislation is not undermined. You transfer personal data from one country to another when you transmit, send, view or access that data in or to a different country.

The IWW WISE-RA will not normally transfer Personal data outside UK or EEA, except if one of the following conditions applies:

• it is necessary to process the details of members residing outside the EEA;
• in connection with members travelling abroad or otherwise engaged in international solidarity work;
• As necessary to fairly conduct elections involving IWW WISE-RA organisations outside the EEA, and only where there is a Data Processing Agreement between relevant organisations which meets the requirements of the present Policy, the applicable data protection legislation, and our legal obligations;
• the UK ICO or another relevant regulatory authority has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms;
• appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the the UK ICO or another relevant regulatory authority, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the Union’s DPO if applicable;
• the Data Subject has provided explicit consent to the proposed transfer after being informed of any potential risks;
• where the Union acts as the Data Processor for a third party Data Controller of the personal data concerned, and where the contract for services or Data Processor Agreement between the Union and the Data Controller explicitly authorises the transfer; or
• the transfer is necessary for one of the other reasons set out in the applicable legislation, including the performance of a contract between us and the Data Subject; the performance of a contract with a third party Data Controller of the personal data concerned; reasons of public interest; to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving consent; and, in some limited cases, for our legitimate interests.

The Union shall avoid any form of automated decision-making that has a legal or similar significant effect on our Data Subjects, unless absolutely necessary for our legitimate interests, or our legal or contractual obligations, and it complies with the applicable legislation.

Automated Decision-Making, definition: when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The applicable legislation prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

Automated Processing definition: any form of Automated Processing of Personal data consisting of the use of Personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.

Generally, automated decision-making is prohibited when a decision has a legal or similar significant effect on an individual unless:

• a Data Subject has explicitly consented;
• the processing is authorised by law; or
• the processing is necessary for the performance of or entering into a contract.

If certain types of special category data are being processed, then grounds (b) or (c) will not be allowed but such special category data can be processed where it is necessary (unless less intrusive means can be used) for substantial public interest like fraud prevention.

All the personal data processed by the Union should be considered as special category data, insofar as it is related to the Data Subjects’ membership in the IWW as a union, or relationship to the IWW as a union (union membership, and people’s political or philosophical views, including sympathy with unions, are identified by the applicable legislation as special category data).

If a decision is to be based solely on automated processing (including profiling), then Data Subjects must be informed, when we first communicate with them, of their right to object. This right must be explicitly brought to their attention and presented clearly and separately from other information.

We must inform the Data Subject of the logic involved in the decision making or profiling, the significance and envisaged consequences and give the Data Subject the right to request human intervention, express their point of view or challenge the decision.

A Data Protection Impact Assessment must be carried out before any automated processing (including profiling) or automated decision-making activities are undertaken.

We can contact and send regular communications to IWW members on the lawful basis of the IWW’s legitimate interests as a trade union, and thus do not need to base such contact or regular communications on consent.

Concerning non-members, a Data Subject’s prior consent is required for electronic direct marketing (for example, by email, text or calls, particularly automated calls). The limited exception for existing non-member contacts, known as “soft opt in”, allows organisations to send marketing texts or emails if they have obtained contact details in the course of a prior business interaction or exchange with that person (i.e., in our case, any interaction that is relevant to our mission or services as a union), they are marketing similar services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message

For all our Data Subjects, members and non-members, the right to object to direct marketing must be explicitly offered in an intelligible manner so that it is clearly distinguishable from other information. A Data Subject’s objection to direct marketing must be promptly honoured. If a non-member opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future. For members, suppression is not necessary, but their opt-out preferences must be promptly implemented.