TO ALL MEMBERS - UPDATE FROM CTT ON GDPR. (Forms are attached if we are organising an event)
Many clubs have asked about the GDPR and how this affects the promotion of club events. In response to those requests, CTT has produced the guidance below.
The guidance is also attached as a pdf document should you wish to print this.
A copy of the May 2018 version of the signing on sheet is also attached. Please could you ensure that your club uses the attached version (May 2018) for all future club events and that any old versions of this form are destroyed?
GDPR GUIDANCE – “CLUB” EVENTS
Nearly everyone will have heard of the General Data Protection Regulation, commonly known as the GDPR. This comes into effect on 25 May 2018. The GPDR does have an impact on CTT and clubs or teams affiliated to CTT and care must be taken about how an individual’s personal information is used.
The purpose of this guidance is to summarise how the GDPR will affect your club or team if it promotes “club” events and what needs to be done to safeguard a rider’s personal information that’s given on the signing on sheet. This guidance also applies to those events promoted as “Come & Try It” events.
Typically, a “club” event is promoted on a relatively informal level, with club members and guests “signing on” on the day of the event. When signing on for a “club” event, the rider will give their name, address, emergency contact telephone number, club and age. The information given by the rider is personal information and as such, this does fall under the GDPR.
A rider’s personal information to be used only for the purposes of the event
The information each rider provides on the signing on sheet must be used only for the purposes of the promotion and management of the event. The club cannot use that information for anything else. This is because that information is the rider’s personal information and is personal data for the purposes of the GDPR.
Under the GDPR, “legitimate interest” is an appropriate basis for processing personal data (i.e. the information given on the signing on sheet) provided that personal data is used in a way the person concerned (the “data subject”) would reasonably expect. As such, certain information (not the emergency telephone number) may be published on the result sheet for the event. It is expected that this will be limited to the entrant’s name, age or age category, the rider’s club and the rider’s recorded time and/or finishing position.
The “signing on” sheet (May 2018)
A rider is entitled to know what their personal information is to be used for. The signing on sheet has been amended and now includes this additional wording:
As an entrant to this event your information may be shared on the event or promoting club website, social media pages or in emails sent by or on behalf of the promoting club. This data will only be shared in relation to your participation in the event, e.g. the list of entrants, results or event reports. This data will be limited to your name, gender, age or age category, the name of the affiliated club or team of which you are a member and your finishing time and/or position.
Please would your club or team use the May 2018 version of the signing on sheet and destroy any previous versions held.
Please do not release a rider’s personal information to a third party
Under no circumstances must the rider’s contact details be released to a third party. As is to be expected, those details can be released in the case of emergency or to an appropriate CTT District official or to one of the National officers of CTT (e.g. the CTT National Secretaries or the National Treasurer).
Photographs and video footage
The rider’s consent is needed if photographs or video footage of that rider taken during the event are to be published, whether in paper form or uploaded onto a website or social media.
Personal information must be kept secure
You must keep the information provided to you by the rider secure at all times. Please remember to password protect files and computers. In the case of paper copies of information, these should always be kept as securely as possible and not be left anywhere for others to see or left in a public place.
When using third party software you need to obtain assurances over the security of the system, e.g. by asking the provider for an explanation of how data security is managed. If you back-up your computer to the “cloud”, you should also ensure that the company you use is within the European Economic Area (or, if data is transferred outside of the EEA, then measures have been taken in accordance with data protection law to ensure that the data remains secure, e.g. privacy shield certified).
If there is a breach
The GDPR defines a ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
As the promotor of a “club” event, if there is a breach, it would most likely be because of one of the following:
• a breach of confidentiality (someone gains access to information who shouldn't have access to
• access by an unauthorised third party;
• deliberate or accidental action (or inaction) by a controller or processor;
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of personal data without permission; and
• loss of availability of personal data.
Should there be a breach, this must be reported to the Information Commissions Office (ICO) within 72 hours of you becoming aware of it. If you are in any doubt, please contact [email protected]
If there is sufficient time, this can be reported on your behalf. You must also keep a record of any personal data breaches.
How long to keep the information for
The rider’s personal information provided to you when signing on for the event should normally be retained for a period of four years following the date of the event and in the event of an accident in an event involving a competitor who is aged under 18 years for the period of four years from and including that competitor’s 18th birthday. This is needed should there be a claim made against a competitor or other person associated with such event. It is recommended that should there be an accident involving a competitor under the age of 18 years that all the relevant information and documents are sent to the National Secretary (Legal & Corporate) who will retain these on your behalf.
CTT Data Privacy Notice
Please ensure that your club members are familiar with this so that you can understand how CTT protects and how it uses personal data. A copy can be found on the CTT website:
Information Commissioners Office (ICO)
If you would like to see more information about the GDPR, please visit the ICO website:
How to contact CTT
If you are uncertain about what this means or what your obligations as an organiser are, please email [email protected]
or write to us at National Secretary (Legal & Corporate), Cycling Time Trials, c/o Nick Sharpe, Wash Farm, Wash, Chapel-en-le-Frith, High Peak, SK23 0QW.
CTT Type B Sign on sheet May18 (Word).docx
GDPR Guidance - Club Events.pdf