SOCIETY Legal Notices

Terms and Conditions

(1) Introduction

These terms and conditions govern your use of our website. By using our website, you accept these terms and conditions in full. If you disagree with these terms and conditions or any part of these terms and conditions, you must not use our website.

By using this website, you automatically agree to these terms and conditions.

(2) License to use website

Unless otherwise stated, we own the intellectual property rights in the website and material on the website. Subject to the license below, all these intellectual property rights are reserved.

You may view, download for caching purposes only, and print pages or any content from the website for your own personal use, subject to the restrictions set out below and elsewhere in these terms and conditions.

You must not:
Republish material from this website (including republication on another website);
Sell, rent, or sub-license material from the website;
Show any material from the website in public;
Reproduce, duplicate, copy, or otherwise exploit material on our website for any commercial purpose;
Redistribute material from this website without our written advance permission.

(3) Acceptable use

You must not use our website in any way that harms the website or its availability, or in any way that violates applicable laws or regulations.

You must not use our website to distribute or transmit any malicious computer software or engage in any unlawful or harmful activities.

You must not engage in any systematic or automated data collection activities on or related to our website without our express written consent.

You must not use our website to send unsolicited commercial communications.

You must not use our website for marketing purposes without our express written consent.

(4) Restricted access

Access to certain areas of our website may be restricted. We reserve the right to restrict access to any areas of our website, or the entire website, at our discretion.
If you are a member, your user ID/email and password allows access to restricted areas of our website or other content or services, you must keep your user ID and password confidential and not share them with any other party.

We may disable your account access at our sole discretion without prior notice.

(5) User-generated content

In these terms and conditions, "your user content" refers to material (including, but not limited to, text, images, audio material, video material, and audio-visual material) that you submit for use on our website, for any purpose.

You grant us a worldwide, irrevocable, non-exclusive, royalty-free license to use, adapt, publish, translate, and distribute your user content in any existing or future media. You also grant us the right to sub-license these rights and to take action against any infringement.

Your user content must not be illegal or infringe any third party's legal rights, and it must not lead to legal action against you, us, or any third party under any applicable law.

We reserve the right to edit or remove any material submitted to our website, or hosted or published upon our website, without providing any reason.

(6) Limited warranties

We do not guarantee the completeness or accuracy of the information published on this website. We also do not commit to ensuring that the website remains available or that the material on the website is kept up-to-date.

To the extent permitted by applicable law, we exclude all representations, warranties, and conditions relating to this website and its use, including any warranties implied by law, such as satisfactory quality, fitness for purpose, and reasonable care and skill.

(7) Limitations and exclusions of liability

Nothing in these terms and conditions will:

(a) limit or exclude our or your liability for death or personal injury resulting from negligence;

(b) limit or exclude our or your liability for fraud or fraudulent misrepresentation;

(c) limit any of our or your liabilities in any way that is not permitted under applicable law; or

(d) exclude any of our or your liabilities that may not be excluded under applicable law.

The limitations and exclusions of liability set out in this Section and elsewhere in these terms and conditions:

(a) are subject to the preceding paragraph; and

(b) govern all liabilities arising under these terms and conditions, including liabilities arising in contract, in tort (including negligence), and for breach of statutory duty.

We will not be liable for any losses resulting from events beyond our reasonable control.

(8) Indemnity

You hereby agree to indemnify us and hold us harmless from any losses, damages, costs, liabilities, and expenses (including legal expenses and amounts paid to a third party in settlement of a claim or dispute on the advice of our legal advisers) that arise from any breach by you of these terms and conditions or any claim that you have breached these terms and conditions.

(9) Breaches of these terms and conditions

Without prejudice to our other rights under these terms and conditions, if you breach these terms and conditions, we may take appropriate action to address the breach. This may include suspending your access to the website, prohibiting your access, blocking computers using your IP address, contacting your internet service provider to request that they block your access, or initiating court proceedings against you.

We are not obligated to provide advance notice of our intended actions.

(10) Variation

We may revise these terms and conditions from time to time. The revised terms and conditions will apply to the use of our website from the date of their publication on our website. Please check this page regularly to stay informed about the current version. A revision history is noted at the end of this document.

(11) Assignment

We may transfer, sub-contract, or otherwise deal with our rights and obligations under these terms and conditions without notifying you or obtaining your consent.
You may not transfer, sub-contract, or otherwise deal with your rights and obligations under these terms and conditions.

(12) Severability

If any provision of these terms and conditions is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions will remain in effect. If any unlawful and/or unenforceable provision would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will remain in effect.

(13) Exclusion of third-party rights

These terms and conditions are for the benefit of you and us and are not intended to benefit any third party or be enforceable by any third party. The exercise of our and your rights under these terms and conditions is not subject to the consent of any third party.

(14) Entire agreement

These terms and conditions, together with our privacy policy, constitute the entire agreement between you and us regarding your use of our website, superseding all previous agreements related to your use of this website.

(15) Law and jurisdiction

These terms and conditions will be governed by and construed in accordance with English law, and any disputes relating to these terms and conditions will be subject to the exclusive jurisdiction of the courts of England and Wales.

(16) Our details

The full name of our Society is Cumbria Family History Society.
We are registered in England under charity registration number 518393
Our address is c/o 28 Ainderby Gardens, Romanby, Northallerton. DL7 8GU
You can contact us by email using one of the contact addresses or the contact form on the Contacts Page of the website.

Revision History
Original: 1st May 2018, Updated 18th December 2023 & 9th July 2024

At the Cumbria Family History Society [CFHS], your privacy is important to us. We operate according to fundamental principles in accordance with the GDPR and relevant legislation:

1. Data Collection: We only collect personal information necessary to fulfil our obligation to you as a society member.

2. Data Storage: We store personal information for only as long as required by law.

3. Transparency: We aim to make it simple for you to determine what information we hold and how to correct errors.

4. Transparency: We aim for full transparency regarding how we gather, use, and share your personal information.

Who We Are and What This Policy Covers

The Cumbria Family History Society (CFHS) is a charity (number 518393), constituted by rules revised and adopted in September 2016, approved by the Charity Commission. CFHS's objects are to promote, encourage, foster, and coordinate genealogy, especially in Cumbria, including historic counties of Cumberland, Westmorland, Lancashire North of the Sands, and the Sedbergh district of Yorkshire. The principal office is c/o The Secretary, 59 Mowbray Road, Northallerton. DL6 1QT.

This Privacy Policy applies to information collected about you when you become a member, trade with, sign up, or communicate with CFHS for any other reason. We collectively refer to our website, mobile applications, products, and services as "Services."

Privacy Policy Changes

While most changes are likely to be minor, CFHS may change its Privacy Policy from time to time. Please check this document frequently for changes. This policy is effective from 1st September 2024. For any questions, contact the Secretary at secretary@cumbriafhs.com.

Purpose of the Processing

We only collect information if needed, e.g., to provide our Services, communicate about your membership, improve our Services, or handle your communication. We process information based on legitimate interest or, in limited cases, consent. Individuals can object to data processing, except for basic data necessary for CFHS membership.

Requesting Access to Your Personal Data

Under data protection legislation, you have the right to request access to your information. Contact the Secretary at secretary@cumbriafhs.com for personal information requests or other concerns.

Information We Collect

We collect information when you provide it to us or automatically through our Services.

Information You Provide

Information is typically collected when you apply for/renew membership, set website preferences, or contact us. We collect:

Membership details: name, address, email, and optional preferences

Website facilities: name and email

Communications: information provided when you respond to surveys or contact our officers.

Information We Collect Automatically

In our website, we use Google Analytics to capture the follow information. None of this identifies the individual and is only collected to help us improve the quality of our membership services online. 

Log Information: browser type, IP address, device identifiers, language preference, referring site, access date/time, operating system, and mobile network.

Usage Information: visits, page views.

Location Information: approximate location from your IP address.

Information from Cookies & Other Technologies.

How We Use Information

We use information to provide Services, develop/improve them, monitor/analyse trends, ensure security, communicate with you, personalize your experience, and serve relevant content.

Sharing Information

We don't sell users' private personal information. We may share information with Society Officers, Suppliers, Third Party Vendors, or as required by law. Users can also consent to sharing. Public information may be indexed by search engines.

Data Retention

We retain data as long as necessary. Members' data is retained as long as they're members. Non-members' data is retained as long as you wish, with exceptions.

Security

We protect information against unauthorised access, use, alteration, or destruction. Ensure strong passwords and don't disclose them.

Choices

Users have choices, e.g., limit provided information or opt out of electronic communications.

Cookies

We use limited cookies, e.g., for consent status, to identify logins, and for website functionality.

Transferring Information

Accessing Services worldwide means information may be processed, transferred, and stored outside your home country.

Ads and Analytics Services Provided by Others

CFHS doesn't use advertising services provided by others, but some facilities may set cookies, e.g., Google Re-Captcha.

Third-Party Software

Interacting with third-party software may provide them information about you. Review their rules and policies.

Links to Other Websites

Our website may contain links to other websites, not governed by this privacy statement. Exercise caution.

Change Log

Original document issued on May 1st  2018. 

Updated 18th December 2023 & 1st September 2024

Accreditation

This privacy policy is based on a policy made available under a Creative Commons Sharealike license.

This policy will be reviewed every two years.

Signed: T Littleton Date: 1st September 2024

Print Name: T Littleton Position: Chair of Trustees

DRAFT

1 Introduction

Under the United Kingdom General Data Protection Regulations (UKGDPR) Cumbria

Family History Society (herein after referred to as ‘the Charity’) is required to comply

with the UK-GDPR and undertakes to do so.

2 Definitions

The definitions of terms used in this policy are the same as the definitions of those

terms detailed in Article-4 of the UK-GDPR.

Data Subject

A data subject is an identifiable individual person about whom the Charity holds

personal data.

Contact Information

For the purposes of this Policy, Contact Information, means any or all of the person’s:

 full name;

 full postal address;

 telephone and/or mobile number(s);

 e-mail address(es);

 social media IDs/User Names (e.g.: Facebook, X, WhatsApp)

3 Principles

The Charity will ensure that all personal data that it holds will be:

a)  processed lawfully, fairly and in a transparent manner in relation to individuals;

b)  collected only for specified, explicit and legitimate purposes and not further

processed in a manner that is incompatible with those purposes;

further processing for archiving purposes in the public interest, scientific or historical

research purposes or statistical purposes shall not be considered to be incompatible

with the initial purposes;

c)  adequate, relevant and limited to what is necessary in relation to the purposes for

which they are processed;

d)  accurate and, where necessary, kept up to date; every reasonable step must be

taken to ensure that personal data that are inaccurate, having regard to the purposes

for which they are processed, are erased or rectified without delay;

e)  kept in a form which permits identification of data subjects for no longer than is

necessary for the purposes for which the personal data are processed;

personal data may be stored for longer periods insofar as the personal data will be

processed solely for archiving purposes in the public interest, scientific or historical

research purposes or statistical purposes subject to implementation of the

appropriate technical and organisational measures required by the UK-GDPR in

order to safeguard the rights and freedoms of individuals; and

f)  processed in a manner that ensures appropriate security of the personal data,

including protection against unauthorised or unlawful processing and against

accidental loss, destruction or damage, using appropriate technical or organisational

measures.

2

4 Lawful Processing

The Charity will obtain, hold and process all personal data in accordance with the

UK-GDPR for the following lawful purposes. In all cases the information collected,

held and processed will include Contact Information (as defined in 2 above).

4.1 By Consent

People who are interested in, and wish to be kept informed of, the activities of the

Charity.

a)  Subject to the person's consent, this may include information selected an

forwarded by the Charity on activities by other organisations which are relevant to

those of the Charity.

NB: this will not involve providing the person’s personal data to another organisation.

b)  The information collected may additionally contain details of any particular areas

of interest about which the person wishes to be kept informed.

c)  The information provided will be held and processed solely for the purpose of

providing the information requested by the person.

4.2 By Contact

People who sell goods and/or services to, and/or purchase goods and/or services

from the Charity. The information collected will additionally contain details of:

a)  The goods/services being sold to, or purchased from the Charity;

b)  Bank and other details necessary and relevant to the making or receiving of

payments for the goods/services being sold to, or purchased from the Charity.

The information provided will be held and processed solely for the purpose of

managing the contract between the Charity and the person for the supply or

purchase of goods/services.

4.3 By Legal Obligation

People where there is a legal obligation on the Charity to collect, process and share

information with a third party. e.g.: the legal obligations to collect, process and share

with HM Revenue & Customs payroll information on employees of the Charity.

The information provided will be held, processed and shared with others solely for

the purpose meeting the Charity’s legal obligations.

4.4 By Legitimate Interest

Volunteers, including Trustees

In order to be able to operate efficiently, effectively and economically, it is in the

legitimate interests of the Charity to hold such personal information on its volunteers

3

and trustees as will enable the Charity to communicate with its volunteers on matters

relating to the operation of the charity, eg:

 the holding of meetings;

 providing information about the Charity’s activities, particularly those activities

which, by their nature, are likely to be of particular interest to individual

volunteers/trustees;

 seeking help, support and advice from volunteers/trustees, particularly where

they have specific knowledge and experience;

 ensuring that any particular needs of the volunteer/trustee are appropriately and

sensitively accommodated when organising meetings and other activities of the

Charity.

5 Individual Rights

NB: The following clauses are taken primarily from the guidance provided by the Office of the

Information Commissioner.

5.1 The right to be informed

When collecting personal information the Charity will provide to the data subject free

of charge, a Privacy Policy written in clear and plain language which is concise,

transparent, intelligible and easily accessible containing the following information:

 Identity and contact details of the controller

 Purpose of the processing and the lawful basis for the processing

 The legitimate interests of the controller or third party, where applicable

 Categories of personal data;

Not applicable if the data is obtained directly from the data subject

 Any recipient or categories of recipients of the personal data

 Details of transfers to third country and safeguards

 Retention period or criteria used to determine the retention period

 The existence of each of data subject's right

 The right to withdraw consent at any time, where relevant

 The right to lodge a complaint with a supervisory authority

 The source the personal data originates from and whether it came from publicly

accessible sources

Not applicable if the data is obtained directly from the data subject

 Whether the provision of personal data is part of a statutory or contractual

requirement or obligation and possible consequences of failing to provide the

personal data

Not applicable if the data is Not obtained directly from the data subject

 The existence of automated decision making, including profiling and information

about how decisions are made, the significance and the consequences.

In the case of data obtained directly from the data subject, the information will be

provided at the time the data are obtained.

In the case that the data are not obtained directly from the data subject, the

information will be provided within a reasonable period of the Charity having obtained

the data (within one month), or,

4

if the data are used to communicate with the data subject, at the latest, when the first

communication takes place; or

if disclosure to another recipient is envisaged, at the latest, before the data are

disclosed.

5.2 The right of access

The data subject shall have the right to obtain from the controller confirmation as to

whether or not personal data concerning him/her are being processed, and, where

that is the case, access to his/her personal data and the information detailed in the

Charity’s relevant Privacy Policy.

5.3 The right of rectification

The data subject shall have the right to require the controller without undue delay to

rectify any inaccurate or incomplete personal data concerning him/her.

5.4 The right to erase

Except where the data are held for purposes of legal obligation or public task (4.3 or

4.5) the data subject shall have the right to require the controller without undue delay

to erase any personal data concerning him/her.

NB: This provision is also known as “The right to be forgotten”.

5.5 The right to restrict processing

Where there is a dispute between the data subject and the Controller about the

accuracy, validity or legality of data held by the Charity the data subject shall have

the right to require the controlled to cease processing the data for a reasonable

period of time to allow the dispute to be resolved.

5.6 The right to data portability

Where data are held for purposes of consent or contract (4.1 or 4.2) the data subject

shall have the right to require the controller to provide him/her with a copy in a

structured, commonly used and machine-readable format of the data which he/she

has provided to the controller and have the right to transmit those data to another

controller without hindrance.

5.7 The right to object

a) The data subject shall have the right to object, on grounds relating to his or her

particular situation, at any time to processing of personal data concerning him/her

which is based Public Task or Legitimate Interest (4.5 or 4.6), including profiling

based on those provisions. The controller shall no longer process the personal data

unless the controller demonstrates compelling legitimate grounds for the processing

which override the interests, rights and freedoms of the data subject or for the

establishment, exercise or defence of legal claims.

b)  Where personal data are processed for direct marketing purposes, the data

subject shall have the right to object at any time to processing of personal data

5

concerning him/her for such marketing, which includes profiling to the extent that it is

related to such direct marketing.

c)  Where the data subject objects to processing for direct marketing purposes, the

personal data shall no longer be processed for such purposes.

d)  At the latest at the time of the first communication with the data subject, the right

referred to in paragraphs a) and d) shall be explicitly brought to the attention of the

data subject and shall be presented clearly and separately from any other

information.

5.8 Rights in relation to automated decision making and

profiling

Except where it is:

a) based on the data subject��s explicit consent or

b) necessary for entering into, or performance of, a contract between the data subject

and a data controller; the data subject shall have the right not to be subject to a

decision based solely on automated processing, including profiling, which produces

legal effects concerning him/her or similarly significantly affects him/her.

Operational Policies

6 Operational Policies and Procedures

Cumbria FHS (the Charity) is a small charity holding just a small amount of non- sensitive

data on a number of people.

The Trustees understand and accept their responsibility under the UK General Data

Protection Regulation (UK-GDPR) to hold all personal data securely and use it only for

legitimate purposes with the knowledge and approval of the data subjects.

By the following operational policies and procedures the Trustees undertake to uphold the

principles and requirements of the UK-GDPR in a manner which is proportionate to the

nature of the personal data being held by the Charity. The policies are based on the

Trustees’ assessment, in good faith, of the potential impacts on both the Charity and its data

subjects of the personal data held by the Charity being stolen, abused, corrupted or lost.

7 Personnel

7.1 Data Protection Officer

In the considered opinion of the Trustees the scope and nature of the personal data

held by the Charity is not sufficient to warrant the appointment of a Data Protection

Officer. Accordingly, no Data Protection Officer is appointed.

7.2 Data Controller

The Board of Trustees is the Data Controller for the Charity.

6

7.3 Data Processor

The Board of Trustees will appoint at least 1 and not more than 5 of its number, or

other appropriate persons, to be the Data Processors for the Charity.

The Charity will not knowingly outsource its data processing to any third party (e.g.

Google G-Suite, Microsoft OneDrive) except as provided for in the section “Third

Party Access to Data”.

7.4 Access to Data

Except where necessary to pursue the legitimate purposes of the Charity, only the

Data Processors shall have access to the personal data held by the Charity.

8. Collecting and Processing Personal Data

The Charity collects a variety of personal data commensurate with the variety of

purposes for which the data are required in the pursuit of its charitable objects.

All personal data will be collected, held and processed in accordance with the

relevant Data Privacy Notice provided to data subjects as part of the process of

collecting the data.

A Data Privacy Notice will be provided, or otherwise made accessible, to all persons

on whom the Charity collects, holds and processes data covered by the UK-GDPR.

The Data Privacy Notice provided to data subjects will detail the nature of the data

being collected, the purpose(s) for which the data are being collected and the

subjects rights in relation to the Charity’s use of the data and other relevant

information in compliance with the prevailing UK-GDPR requirements.

9. Information Technology

9.1 Data Protection by Design/Default

Inasmuch as:

a)  none of the Charity’s volunteer Trustees are data protection professionals;

b)  it would be a disproportionate use of charitable funds to employ a data protection

professional, given the scale and nature of the personal data held by the Charity;

the Trustees will seek appropriate professional advice commensurate with its data protection

requirement whenever:

c) they are planning to make significant changes to the ways in which they process

personal data;

d)  there is any national publicity about new risks (eg: cyber attacks);

e)  any material changes to the UK-GDPR are proposed or have been made;

which might adversely compromise the Charity’s legitimate processing of personal data

covered by the UK-GDPR.

Personal data will never be transmitted electronically (e.g.: by e-mail) unless securely

encrypted.

7

9.2 Data Processing Equipment

The scale and nature of the personal data held by the Charity is not sufficient to justify the

Charity purchasing dedicated computers for the processing of personal data.

Instead the Charity will purchase and own at least 2 and not more than 5 removable

storage devices to store the personal data that it holds and processes.

The removable storage devices will also act as backup devices.

Whilst the data will be processed on the computers/laptops to which the Data Processors

have access, no personal data covered by the UK-GDPR will be stored on those

computers/laptops. All interim working data transferred to such computers/laptops for

processing will be deleted once processing has been completed.

When not in use the removable storage devices will be kept in a secure location and

reasonably protected against accidental damage, loss, avoidable theft or other misuse by

persons other than the Data Processors.

The Data Controller & Data Processors will keep a register of:

1. a)  the location of all removable devices used for the storage and processing of

personal data;

2. b)  each occasion when the data on each device were accessed or modified and by

whom.

The Charity’s removable storage devices shall not be used for the storage of any data which

are unrelated to the Charity’s processing of personal data.

9.3 Data Processing Location

Data Processors shall only process the Charity’s personal data in a secure location, and not

in any public place, e.g. locations whether the data could be overlooked by others, or the

removable data storage devices would be susceptible to loss or theft.

Computers/laptops in use for data processing will not be left unattended at any time.

9.4 Data Backups

To protect against loss of data by accidental corruption of the data or malfunction of a

removable data storage device (including by physical damage), all the Charity’s personal

data shall be backed up periodically and whenever any significant changes (additions,

amendments, deletions) are made to the data.

Backup copies of the data shall be held in separate secure locations which are not

susceptible to common risks (e.g.: fire, flood, theft).

10 Data Subjects

10.1 The Rights of Data Subjects

8

In compliance with the UK-GDPR the Charity will give data subjects the following rights.

These rights will be made clear in the relevant Data Privacy Notice provided to data

subjects:

 the right to be informed;

 the right of access;

the right to rectification;

 the right of erasure {LO} Also referred to as ‘The right to be forgotten’

 the right to restrict processing;

 the right to data portability; {LO} {LI}

the right to object; {SC} {Co} {LO}

 the right not to be subjected to automated decision making, including profiling.

The above rights are not available to data subjects when the legal basis on which the

Charity is holding & processing their data are:

{SC} Subject Consent; {Co} Contractual obligation

{LO} Legal Obligation {LI} Legitimate Interest

10.2 Rights of Access, Rectification and Erasure

Data subjects will be clearly informed of their right to access their personal data and to

request that any errors or omissions be corrected promptly.

Such access shall be given and the correction of errors or omissions shall be made free of

charge provided that such requests are reasonable and not trivial or vexatious.

There is no prescribed format for making such requests provided that:

a)  the request is made in writing, signed & dated by the data subject (or their legal

representative);

b)  the data claimed to be in error or missing are clearly and unambiguously

identified;

c)  the corrected or added data are clear and declared by the subject to be complete

and accurate.

It will be explained to subjects who make a request to access their data and/or to have

errors or omissions corrected, or that their data be erased, that, while their requests will be

actioned as soon as is practical there may be delays where the appropriate volunteers or

staff to deal with the request do not work on every normal weekday.

Where a data subject requests that their data be rectified or erased the Data Controller and

Data Processor will ensure that the rectifications or erasure will be applied to all copies of

the subject’s personal data including those copies which are in the hands of a Third Party for

authorised data processing.

10.3 Right of Portability

The Charity will only provide copies of personal data to the subject (or the subject��s lega

representative) on written request.

The Charity reserves the right either:

a)  to decline requests for portable copies of the subject’s personal data when such

requests are unreasonable (i.e.: excessively frequent) or vexatious;

9

or

b)  to make a reasonable charge for providing the copy.

10.4 Data Retention Policy

Personal data shall not be retained for longer than:

a)  In the case of data held by subject consent:

the period for which the subject consented to the Charity holding their data;

b)  in the case of data held by legitimate interest of the charity:

the period for which that legitimate interest applies. For example: in the case of data

subjects who held a role, such as a volunteer, with the Charity the retention period is

that for which the Charity reasonably has a legitimate interest in being able to identify

that individual’s role in the event of any retrospective query about it;

c)  in the case of data held by legal obligation:

the period for which the Charity is legally obliged to retain those data.

The Charity shall regularly, not less than every 6 months, review the personal data which it

holds and remove any data where retention is no longer justified. Such removal shall be

made as soon as is reasonably practical, and in any case no longer than 20 working days (of

the relevant Data Processor) after retention of the data was identified as no longer justified.

11 Privacy Impact Assessment

11.1 Trustees’ Data

The volume of personal data is very low, no more than 7 individuals

The sensitivity of the data is low-moderate: the most sensitive data being date of birth,

previous names and previous addresses;

The risk of data breach is small as the data are rarely used, with the majority of the data

being held for a combination of legal obligation and legitimate interest.

Overall Impact: LOW

11.2 Volunteers’/Members’ Data

The volume of personal data is medium, less than 1000 individuals

The sensitivity of the data is low: the most sensitive data being an e-mail address and postal

address; The risk of data breach is small, primarily the accidental disclosure of names,

addresses & e-mail addresses.

Overall Impact: LOW

12 Third Party Access to Data

Under no circumstance will the Charity share with, sell or otherwise make available to Third

Parties any personal data except where it is necessary and unavoidable to do so in pursuit

of its charitable objects as authorised by the Data Controller.

Whenever possible, data subjects will be informed in advance of the necessity to share their

personal data with a Third Party in pursuit of the Charity’s objects.

10

Before sharing personal data with a Third Party the Charity will take all reasonable steps to

verify that the Third Party is, itself, compliant with the provisions of the UK-GDPR and

confirmed in a written contract. The contract will specify that:

 The Charity is the owner of the data;

 The Third Party will hold and process all data shared with it exclusively as specified

by the instructions of the Data Controller;

 The Third Party will not use the data for its own purposes;

 The Third Party will adopt prevailing industry standard best practice to ensure that

the data are held securely and protected from theft, corruption or loss;

 The Third Party will be responsible for the consequences of any theft, breach,

corruption or loss of the Charity’s data (including any fines or other penalties

imposed by the Information Commissioner’s Office) unless such theft, breach,

corruption or loss was a direct and unavoidable consequence of the Third Party

complying with the data processing instructions of the Data Controller

 The Third Party will not share the data, or the results of any analysis or other

processing of the data with any other party without the explicit written permission of

the Data Controller;

 The Third Party will securely delete all data that it holds on behalf of the Charity once

the purpose of processing the data has been accomplished.

 The Charity does not, and will not, transfer personal data out of the UK.

13 Data Breach

In the event of any data breach coming to the attention of the Data Controller, the Trustees

will immediately notify the Information Commission’s Office.

In the event that full details of the nature and consequences of the data breach are not

immediately accessible (e.g.: because Data Processors do not work on every normal

weekday) the Trustees will bring that to the attention of the Information Commissioner’s

Office and undertake to forward the relevant information as soon as it becomes available.

14 Privacy Policy & Privacy Notices

The Charity will have a Privacy Policy and appropriate Privacy Notices which it will make

available to everyone on whom it holds and processes personal data, in accordance with

5.1.

In the case of data obtained directly from the data subject, the Privacy Notice will be

provided at the time the data are obtained.

In the case that the data are not obtained directly from the data subject, the Privacy Notice

will be provided within a reasonable period of the Charity having obtained the data (within

one month), or,

if the data are used to communicate with the data subject, at the latest, when the first

communication takes place; or

if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

At The Cumbria Family History Society (CFHS), we are committed to protecting your privacy and ensuring transparency about how we use cookies on our website. This Cookies Policy explains what cookies are, how we use them, and your choices regarding cookies.

What are Cookies?

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work more efficiently and provide information to the site owners. Cookies help us enhance your experience by remembering your preferences and visits.

Types of Cookies We Use

1. Strictly Necessary Cookies: Essential for the operation of our website. These cookies do not collect personal data and are required for you to navigate the site and use its features. - Example: Session cookies to maintain your login status.

2. Performance Cookies: Collect information about how visitors use our website, such as which pages are visited most often. This data is used to improve our website's functionality. All information collected by these cookies is aggregated and anonymous. - Example: Google Analytics cookies.

3. Functionality Cookies: Allow our website to remember choices you make (e.g., your user name, language, or region) and provide enhanced, more personal features - Example: Cookies to remember your login details and preferences.

Third-Party Cookies

We may also use third-party cookies from service providers like Google Analytics, Stripe, and other analytics services to understand and improve our website’s performance. These third-party services have their own privacy policies regarding how they use your information.

• Google Analytics: Used to track website performance and visitor behaviour. For more information, see Google Analytics Cookie Policy.

Your Consent

By using our website, you consent to our use of cookies in accordance with this Cookies Policy. You can withdraw your consent at any time by adjusting your browser settings to refuse cookies or to alert you when cookies are being sent. Please note that some parts of our website may not function properly if you refuse cookies.

Managing Cookies

You have the right to accept or reject cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. Below are links to manage cookies in popular browsers:

• Google Chrome

• Mozilla Firefox

• Safari

• Microsoft Edge

Changes to This Cookies Policy

We may update this Cookies Policy from time to time to reflect changes in technology, legislation, or our data protection practices. Any updates will be posted on this page with an updated revision date.

Contact Us

If you have any questions about our use of cookies, please contact us at or visit our contact page for more information.

Effective Date: 1 January 2024