Porthcawl Chamber of Trade
Data Protection Policy
Date last updated: 26th November 2025
1. Introduction
The Porthcawl Chamber of Trade (“the Chamber”) is committed to protecting the privacy and security of the personal data it handles. We process personal information lawfully, fairly and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy describes how we collect, store, use and protect personal data as part of our work supporting the businesses of Porthcawl.
This policy applies to all officers, committee members and volunteers acting on behalf of the Chamber.
2. Purpose of This Policy
The purpose of this policy is to ensure that:
- Personal data is handled responsibly and only used for legitimate Chamber purposes
- Officers understand their responsibilities under UK GDPR
- Data is kept secure and only retained for as long as necessary
- Individuals understand how their information is used and what rights they have
- The Chamber operates transparently and complies with all legal obligations
3. Roles and Responsibilities
Data Controller
The Data Controller is the Porthcawl Chamber of Trade.
This means the organisation is legally responsible for determining how personal data is collected, used and stored.
Data Protection Lead (Interim)
Until the Secretary position is formally appointed, the President will act as the interim Data Protection Lead and is the primary point of contact for any data protection queries.
Responsibilities include:
- Ensuring compliance with this policy
- Managing access to personal data
- Responding to data access or deletion requests
- Coordinating any required reporting to the ICO
- Ensuring data is only used for legitimate Chamber activities
A dedicated Data Protection Officer is not required due to the Chamber’s size and risk profile.
4. What Data We Collect
The Chamber only collects data relevant to its work and membership, including:
- Name
- Business name
- Business address
- Email address
- Phone number
- Website or social media details
- Membership information
- Communication preferences
- Event registrations
- Survey responses or consultation feedback
We do not collect sensitive personal data unless strictly necessary and only with explicit consent.
5. How We Use Personal Data
We process personal data for legitimate Chamber purposes, including:
- Managing membership
- Communicating Chamber news, meetings and events
- Sharing information relevant to local businesses
- Coordinating business consultations and surveys
- Liaising with local authorities and partners
- Supporting regeneration and economic development
- Maintaining a business directory (opt-in)
- Handling general enquiries
We do not sell personal data or share it with third parties for marketing.
6. Lawful Bases for Processing
We process data under the following lawful bases:
- Legitimate Interests: communicating with businesses, running events, organising Chamber activities
- Consent: newsletters, optional communications and directory listings
- Contract: managing membership where applicable
- Legal Obligation: complying with UK law or regulatory requirements
Individuals may withdraw consent at any time.
7. Data Storage and Security
We take reasonable and proportionate steps to protect personal data, including:
- Password-protected email and cloud storage
- Access restricted to authorised officers only
- Regular access reviews when roles change
- Secure deletion of old or unnecessary data
- Avoiding unnecessary printing or physical storage of personal data
Data is stored only for as long as necessary for the purpose for which it was collected.
8. Sharing and Disclosure
We may share personal data with:
- Chamber officers or volunteers carrying out legitimate duties
- Service providers supporting Chamber operations (e.g. email systems, cloud hosting)
- Event partners where necessary for participation or logistics
- Public bodies where legally required (e.g. in response to lawful requests)
We do not share data with third parties for commercial marketing.
9. Individual Rights
Individuals have the right to:
- Access the personal data we hold about them
- Request corrections to inaccurate data
- Request deletion where appropriate
- Object to certain types of processing
- Withdraw consent at any time
- Request data portability
Requests can be made to the Chamber via email:
info@[insert domain]
10. Data Breaches
Any suspected data breach must be reported immediately to the Data Protection Lead.
A breach will be:
- Investigated promptly
- Logged and risk-assessed
- Reported to the ICO within 72 hours if necessary
- Communicated to affected individuals where appropriate
The Chamber will take all reasonable steps to prevent recurring issues.
11. Data Retention
Personal data is kept only for as long as necessary:
- Membership records: membership period + up to 24 months
- Event attendance: up to 12 months
- Enquiries: up to 6 months
- Email correspondence: reviewed annually
- Consultation responses: retained only while relevant
Data that is no longer required is securely deleted.
A detailed retention schedule can be added later if required.
12. Policy Review
This policy will be reviewed annually or when significant changes occur in legislation, Chamber structure or data-processing activities.
End of Policy