
GDPR Policy

1. Introduction And Context

This Data Protection Policy and related business rules apply to the business dealings and transactions of Dinner Club Network Ltd (hereafter known as the Company). This Data Protection Policy was designed to ensure that the Company operates lawfully and in compliance with the Regulations covering the use of Personal Data and has been developed with an understanding of the following:

  • The type of Personal Data we process
  • The volume of Personal Data we process
  • The purposes for which we process the Personal Data
  • The risks associated with the processing
  • The tools we use to process the Personal Data and the associated security
  • The rights of the individuals and
  • The interest of the Company

The information collected above is captured in our records of Personal Data processing activities referred to as the Data Map.

This Data Protection Policy outlines our commitment to ensuring we process data lawfully in accordance with the Regulations as well as outlining the rules on how we:

  • Support individuals’ rights under the Regulations
  • Manage Security Events, Security Incidents and Data Breaches
  • Ensure we protect Personal Data when implementing change across the Company by using Privacy Impact Assessments
  • Retain records in line with an agreed retention schedule

This Data Protection Policy and related business rules should be read in conjunction with our Security and IT policies to understand the technical and organisational measures we have in place to protect all data, including Personal Data.

2. Policy Statement

The Company is committed to ensuring that it processes Personal Data in a lawful manner and is committed to openness and fairness in the handling of Personal Data. The Company will abide by the key principles relating to processing of Personal Data as set out in UK law and the GDPR. In particular,

  • Personal Data will be processed lawfully, fairly and in a transparent manner
  • Personal Data will be collected for specified, explicit and legitimate purposes
  • Personal Data collected will be limited to that which is required and adequate for the purpose
  • Personal Data will be accurate and where necessary kept up to date
  • Where Personal Data is inaccurate, we will take all reasonable and proportionate steps to rectify or erase the inaccurate information
  • Personal Data will only be kept for as long as is necessary for the purposes for which it was collected and processed
  • Personal Data will be processed in a manner that ensures appropriate security of the Personal Data is maintained through technical or organisational measures that provide protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
  • We welcome the rights of access to information that are set out in the law
  • We are committed to operating openly and to meeting all reasonable requests for information that are not subject to specific exemption in the legislation
  • We will adhere to the individual’s rights set out in the law as noted below:

    – Right to be Informed through effective Privacy Notices
    – Right to access
    – Right of rectification
    – Right of erasure
    – Right to restrict processing
    – Right of objection
    – Right of portability

  • We will adhere to an individual’s rights in relation to automated decision making and profiling if this is ever utilised by the Company.

  • We will manage records so that they:

    – Meet all the internal business needs
    – Enable the defence of the rights and interests of the Company
    – Enable the content of the record to be accessed, used and reused in a controlled and efficient manner
    – Enable compliance with all regulatory and statutory requirements, including the General Data Protection Regulation
    – Are capable of providing evidence of a transaction or business process which is admissible in a court of law
    – Are kept, maintained and stored in the most appropriate way consistent with the above
    – Are disposed of in a way which is auditable

  • We will ensure that records (electronic and paper) are retained for the full retention period and archived or disposed of in accordance with the Company Records Retention Schedule.

3. Procedures

The Management Director recognises that any violation of the Data Protection Act 2018 and GDPR could subject the organisation to severe penalties including fines of up to 4% of annual turnover; compensation claims for damages suffered by individuals; reputational damage and loss of client trust.

The Management Director will implement and maintain:

  • Compliance with this Data Protection Policy and the related business rules
  • Appropriate training for all employees in respect to their rights, duties and responsibilities individually and those of the organisation under the Data Protection Act 2018 and GDPR.

4. Data Protection Rights

The Company will follow rules to ensure we are able to meet the rights of individuals set out in the Regulations.

The rights specifically identified are:

  • Right to be informed. When Personal Data is collected from an individual, we aim to explain what Personal Data we collect and process about the individual. We aim to be as open and transparent as possible about how we use Personal Data in any request that is received from a verified individual or authorised third party. We will establish and maintain effective Privacy Notices. All Data Subjects who have Personal Data held by us are entitled to:

     

    – ask what information we hold about them and why
    – see what personal information we hold about them
    – ask how to gain access to it
    – ask what we use it for and who we might pass it onto and why
    – ask for information we might have about the source of the information
    – be informed of how we keep the Personal Data up to date
    – be informed of how we are meeting our data protection obligations

  • Right to Access. We will supply a copy of the Personal Data that we hold about an individual when it is requested by a verified individual or authorised third party.

  • Right of Rectification. If an individual believes that the information we hold about them is inaccurate or incomplete, we will rectify it where it is reasonable and possible to do so.

  • Right of Erasure. This right is sometimes referred to as the “Right to be Forgotten” subject to the provisos below. We will delete an individual’s Personal Data from our systems where they:

    – believe the Personal Data is no longer necessary for the purpose for which it was collected
    – withdraw their consent (subject to the requirement for us to retain Personal Data to process the request)
    – believe we have processed Personal Data unlawfully or believe we should delete Personal Data to comply with other laws or regulation

  • However, we may choose to refuse the request:

    – if we believe that we have a legal obligation to keep the Personal Data we hold
    – if it is required for the legitimate interests and purposes of the Company
    – if it is required for the establishment, exercise or defence of legal claims

  • Right to Restrict Processing. Individuals have the right to request a ‘block’ or to request that we suppress the processing of their Personal Data. When processing is restricted, we are permitted to store the Personal Data, but not to further process it. We will retain just enough information about the individual to ensure that the restriction is respected in future. However, as an organisation we will restrict the processing of Personal Data in the following circumstances:

    – when an individual contests the accuracy of the Personal Data, we will restrict the processing until we have verified the accuracy of that Personal Data
    – when an individual objects to the processing we will review whether our legitimate grounds override those of the individual
    – when processing is unlawful, and the individual opposes erasure and requests restriction instead
    – if it has been identified we no longer need the Personal Data, but the individual requires the data to establish, exercise or defend a legal claim

  • Right of Objection. An individual has the right to object to the processing of their Personal Data at any time. If an individual’s data is being used for direct marketing, we will stop contacting them. However, we may reject a “Right of Objection” request:

    – where we are processing data for research and statistical purposes
    – where there is a public interest in the continued processing of the data
    – where we believe we have compelling legitimate grounds for continuing to process the individual’s data, which outweighs any harm or damage to the individual through the continued processing of the data
    – where the processing is for the establishment, exercise or defence of legal claims

  • Right of Portability. We will allow an individual to obtain and reuse their Personal Data for their own purposes. This only applies to Personal Data they have provided to us that is processed in our systems. We will provide the individual with a copy of this Personal Data in a format that can be read by another person’s or organisation’s system. We will enable the transfer of that copy of their Personal Data to another organisation or we will do it for them where it is technically feasible for us to do so. We will refuse this right of transfer where we feel it may adversely affect the rights of another person.

  • We will adhere to an individual’s rights not to be subject to a decision based solely on automated processing which produces legal effects concerning him or her.

5. Data Subject Request Rules

Data Subject Requests can be made by or on behalf of an individual in respect to any or all of the rights outlined in Section 04, above. We will encourage individuals to use the methods outlined in our Privacy Notice to make a request.

However, individuals can send in their requests in writing to any Director in the Company and we will be required to respond. It is important that requests that are received are sent immediately to the Board of Directors for processing as in some instances there are strict criteria and limits around the time taken to respond to the request.

We can receive requests from any individual who believes we hold Personal Data about them. Individuals with this right may include:

  • Current and former employees/members/partners
  • Current and former contractors
  • Business associates
  • Clients

  • Suppliers

  • People who have attended marketing, hospitality or training events (or similar)

5.1 Receiving A Data Subject Request

  • Data Subject Requests will be submitted to the Board of Directors directly by the Data Subject if they follow the process outlined in the Privacy Notice.

5.2 Logging A Request

When a Data Subject Request is sent to the Board of Directors, the request will be logged in the request tracking system. The request tracking system will be able to keep a record of the following information related to the request:

  • Name of requestor

  • Type of Data Subject (e.g., customer or employee)

  • Contact information

  • Date of receipt

  • Description of request

  • Rights covered by request

  • Date to start tracking request (if different from receipt)

  • Reason for delayed start (if applicable)

  • Date for completion of request

  • Confirmation the Data Subject Request has been validated and date

  • Confirmation that requestor has been communicated with acknowledgement

  • Date collection of data completed

  • Date data provided to requestor

  • Method of provision of data

  • Date closed

In managing the request, we will also keep track of all communications and contact with the requestor and other parties and a full log of actions.

6. Request Validation Rules

Before carrying out a Data Subject Request we will validate the person making the request and the request itself. This may be done at the time the request is received if the request is made in a verbal communication. We will confirm in writing any verbal communication.

We will communicate with the requestor where we require additional information or inform them in writing of a reason the request will not be processed. We will carry this out as swiftly as possible to ensure the rights of the requestor(s) are not being affected.

6.1 Third-party Data Sharing

  • If the information in the Data Subject Request does not provide sufficient proof to allow us to confirm the identity of the requestor, further information will be required to confirm the Data Subject’s identity. Examples may be unique information that can be validated against information held within our systems or other proof of identification.

  • Often, there will be no reason to doubt a person’s identity, for example, if we have regularly corresponded with them. However, if there is good cause to doubt a person’s identity, we will request that the individual submitting the request provides the evidence that we reasonably need to confirm their identity. For example, we may ask for a piece of information held in their records that we would expect the individual to know, a witnessed copy of the individual’s signature or proof of their address.

  • If we cannot verify the Data Subject making the request, we will refuse the request.

6.2 We Will Verify The Request Relates To Personal Data

  • The Board of Directors will check that the request relates to Personal Data and that our duty to process that request is covered under the law and Regulations.

  • If the information requested does not meet the definition of Personal Data as described in this Data Protection Policy and the GDPR we will inform the Data Subject. If the Data Subject disputes our finding, we will direct them to the Company Directors.

  • If the request relates to other information that we may hold, then the communication will be sent.

6.3 Document Control

This Policy needs to be formally reviewed on an annual basis, as a minimum, or if required changes are identified to address one or more of the following:

  • A change in business activities, which will or could possibly affect the current operation of the Management System, and the relevance of this document

  • A change in the manner in which the Company manages or operates its information assets and/or their supporting assets, which may affect the accuracy of this document

  • An identified shortcoming in the effectiveness of this Policy, for example as a result of a reported information security incident, formal review or an audit finding.

The current version of this Policy, together with its previous versions, shall be recorded below

Magdalena Cholewa
Director SQR Group – Board Member
06/12/2024
