All queries about this policy should be addressed to the person designated as responsible for Data Protection matters in your country’s FLK/TTS organisation, and assigned by the board to address matters related to the data protection and privacy of employees’, volunteers’ and participants’/members’ personal data. The contact email address for your country can be found below.
All FLK/TTC organisations teaching and promoting Fung Loy Kok Taoist Tai Chi® and Taoist Tai Chi® arts around the world (‘FLK/TTC organisations’) are volunteer organisations. They are dedicated to bringing together people of different languages and cultures in a community focused on furthering the aims and objectives established by the founder, Master Moy Lin Shin; in summary, making available and promoting the Taoist arts and teachings to help alleviate suffering. The benefits of these arts may be of an intangible nature.
FLK/TTC organisations need to collect and use certain types of information about the people who come into contact with them in order to carry on their work and promotion. This personal information is collected and processed appropriately, whether it is collected on paper, stored in a computer database, or recorded on other material. There are safeguards outlined under the General Data Protection Regulation (GDPR) 2018 to ensure this.
2. Data Controller
FLK/TTC organisations are the Data Controllers under the GDPR, which means that they determine for what purposes and by what means personal data will be processed in their particular country. The National Boards of the FLK/TTC organisations are the lawful representatives and responsible for drawing up, executing and maintaining the policy outlined in this document. The boards have decided to appoint a designated person in their country who must be informed about the personal data being kept and the general purpose for which it is used. They must also be informed of any and every change concerning the processing of personal data. To contact this person please send your enquiry to the email address for your country.
3. Purposes (article 5 GDPR)
FLK/TTC organisations collect and process personal data for the purpose of enabling an individual to become a member or participant (as defined in each country) and to assure their membership/participant status, including the opportunity to participate in activities and events, and as a record of that membership/participation. FLK/TTC organisations also use information for insurance and other administrative purposes, aligned to their legitimate interests.
Photographs and videos of members/participants may be used to promote Taoist Tai Chi® arts (Promotion of Taoist Tai Chi® arts being one of the FLK/TTC organisations’ aims and objectives that define membership/participation). However, distribution and dissemination of photographs and videos is only carried out with formal authorisation from the person assigned by the board to look after data protection and must be in line with the official purposes of the FLK/TTC organisations. The data is not processed for other purposes.
From time to time, data may be used in local offices to address personal matters such as the death of a family member or to announce good news from members. Such ad-hoc use of information is left to the discretion of those responsible for the running of the local branch.
4. Lawful Basis (article 6 GDPR)
The GDPR states that there must be a lawful basis for data processing and for the FLK/TTC organisations the lawful basis is for the individual to be recognised and validated as a member or participant of one of the FLK/TTC organisations in a specified country.
For the purpose of financial payment processing, FLK/TTC organisations apply ‘contractual obligation’ as its legal basis. In exchange for a membership/participant contribution FLK/TTC organisations provide membership/participant benefits arising from the pursuit of and adherence to the aims and objectives.
For the purpose of providing events notifications and for issuing accounts of events including videos, photographs etc. FLK/TTC organisations use ‘legitimate interest’ as it is fundamental to the aims and objectives and sustainability of FLK/TTC organisations to communicate, to its members/participants and to the general public, the activities that take place globally. However, all such information is collected with transparency, privacy notices, data minimisation and adherence to the principles of proportionality.
The legal basis of consent is only used outside of the above legal bases of ‘contractual obligation’ and ‘legitimate interest’.
FLK/TTC organisations may share data with each other as necessary.
- The data is collected for the specific, described and justified purposes as outlined above in no. 3
- Sharing of this data is for such purposes
- The individual whose data is collected has been fully and transparently informed about the purposes, and the fact that their data may be shared and with whom
- Data is shared if it is necessary for the execution of the agreement made with the individual or if the individual has given their consent
- Photographic and/or video data may be used on FLK/TTC websites or social media, worldwide. Members/participants are given the opportunity to opt-out, where possible, but are made aware that it is their responsibility to communicate their wishes to the photographer at any event. Should anyone accidentally appear in a photograph on our website, despite care taken to avoid this, the individual concerned may contact the designated person who will arrange for it to be removed as soon as possible.
- Data will only be shared where necessary, and will be shared only if the underpinning legal basis permits it.
The above means specifically that the individual must be notified how and with whom their data will be shared, and in some circumstances, if no other legal basis can be applied, may necessitate applying consent as the legal basis.
Data is only shared in specific circumstances, for instance executing an agreement in the context of participation in an event (judged case by case).
In specific cases particular data can be processed and shared with third parties without the consent of the individual, namely and as far as:
- If necessary for the protection of the vital interests of the individual or another person (e.g. someone has an accident, cannot give consent, and their data is shared for the purpose of immediate medical help).
- If it concerns the data of employees of FLK/TTC organisations and sharing is necessary for the reintegration or supervising of employees or people receiving social support because of sickness or disability.
Special Category Data
Processing of special category data, e.g. health data, political data, religious data etc. is permitted if in agreement with the formulated purposes and other regulations under the following circumstances:
- The individual has given explicit consent
- The processing is necessary for FLK/TTC organisations’ execution or support of a legal claim, or when courts are acting within the context of their legal jurisdiction.
No more data will be shared than is necessary.
Principles of Data Protection
FLK/TTC organisations regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom it deals.
FLK/TTC organisations intend to ensure that personal information is treated lawfully and correctly.
To this end, FLK/TTC organisations adhere to the Principles of Data Protection, as stated in the General Data Protection Regulation (GDPR) 2018.
Principles demand specifically that FLK/TTC organisations:
- deal in a secure way with personal data and respect the privacy of individuals
- process data in a way that conforms to the data protection principles of lawfulness, fairness and transparency
- process personal data in accordance with the law and in a proper and considerate manner
Principle of Purpose
- only collect the data necessary for specifically defined and justified purposes
- only collect and process data on a legal basis as described above
- only process the individuals’ personal data as defined in advance
- process personal data in order to execute tasks or to meet legal obligations and in so doing strive for minimal personal data processing. Where possible less or no personal data is processed
- retain personal data in order to execute tasks or to meet legal obligations but retain it for no longer than necessary; three years in general or up to seven years in the case of financial documents that relate to tax records, depending on law in each country.
Integrity and Confidentiality
- take appropriate measures to protect personal data as stated in this policy. Personal data is only processed by people responsible for maintaining privacy and confidentiality, and for the purpose it is collected.
Sharing with Third Parties
- share personal data with third parties when necessary to execute tasks or meet legal obligations
- if working with third parties concerning processing of personal data, will agree the requirements for the processing with the third party and ensure those requirements are legally aligned. At all times FLK/TTC organisations will endeavour NOT to transfer personal data outside of the EU.
Subsidiarity and Proportionality
- when achieving the purpose for which the data is being processed FLK/TTC organisations will keep any infringement of the individual’s privacy as minimal as possible
- any infringement of the interests of the individual is in proportion to the purpose of processing
Rights of the Individual
FLK/TTC organisations honour all rights of people about whom information is held. These include:
- Right to information: individuals have the right to ask if their personal data is being processed
- Right to view: individuals are able to check how their data is processed
- Right to correction: individuals can request that incorrect information be corrected
- Right to be forgotten: when an individual has given consent for their data to be processed they have the right to request that the data be deleted and removed
- Right to object: individuals have the right to object to the processing of their personal data. FLK/TTC organisations will comply with the request unless there are justified grounds for the processing
In line with the above all employees and volunteers:
- are trained to keep data private
- are trained to protect it from breach and to respond to breach
- understand that they should only keep other people’s personal data or copies of documents or other records containing personal data, including company data, when they meet with lawful retention obligations or as far as this data is necessary for the stated purposes.
- understand that once the annual financial audit is complete there is no lawful reason to keep copies of finance paperwork previous to the audit other than those stored at Head Office for the statutory time, so should destroy anything they have
- understand that emails with personal data in should be deleted once the data is no longer required
- understand that all data should be kept private and secure either under lock and key/code if physical, or coded/encrypted/password protected if electronic
6. Data Collection
FLK/TTC organisations ensure that data is collected within the boundaries defined in the GDPR and this policy. This applies to data that is collected in person, or by completing a form. Without certain information membership/participation may not be possible.
7. Data Storage
Information and records relating to participants/members will be stored securely and will only be accessible to people who require it for the stated purpose.
Information will be stored only for as long as it is needed or for the required statute, and will be disposed of appropriately. Queries over the length of time that particular data can be stored can be addressed to the person designated by the board to look after data protection (by sending an email to the email address below).
It is the FLK/TTC organisations’ responsibility to ensure all personal and company data is not recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.
8. Data Access and Accuracy
Obligation to Inform (articles 13 and 14 GDPR)
FLK/TTC organisations inform individuals of the processing of their personal data when it is collected.
FLK/TTC organisations keep personal data no longer than necessary and for the stated purpose. It is deleted as early as possible, being destroyed or adjusted in such a way so that it can no longer be used to identify an individual. Once membership/participation is terminated, FLK/TTC organisations do not hold information for any period exceeding three years in general, and up to seven years in the case of financial documents that relate to tax records, particular to the laws in each country.
Submission of Request
Any member/participant can submit a request to access/view their personal data and submit a request to amend it if required. This request must be submitted to the individual looking after data protection in the country in which the person is a member/participant. FLK/TTC organisations will evaluate the justification of the request and respond appropriately to inform the individual if and how the request will be met, within one month from receipt of the request. If the request is not granted the individual has an opportunity to object or submit a complaint with the relevant authority.
On receipt of a request FLK/TTC organisations can ask for additional information, such as a copy of a driving license or passport, to validate the identity of the individual.
In addition, FLK/TTC organisations ensure that:
- they have a designated person with specific responsibility for ensuring compliance with Data Protection
- everyone processing personal information understands that they are contractually responsible for following good data protection practice
- everyone processing personal information is appropriately trained to do so
- everyone processing personal information is appropriately supervised
- anybody wanting to make enquiries about handling personal information knows what to do and who to ask
- they deal promptly and courteously, within one month, with any enquiries about handling personal information
- they describe clearly how they handle personal information
- they regularly review and audit the ways they hold, manage and use personal information
- they regularly assess and evaluate their methods and performance in relation to handling personal information
- all staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them
9. Data Breaches
A personal data breach is a loss of personal data, such as a lost laptop, lost paperwork and any other breach of security or privacy that, either by accident or in an unlawful manner, leads to the destruction, loss, alteration or unauthorized access to personal data. This includes unauthorized access to forwarded, stored (or by other means) processed data e.g. loss of a memory stick, unauthorized access of personal data by third parties. Such incidents must be reported to the person appointed by the board to look after data protection, to ensure compliance with GDPR.
For this persons contact details, please see the email address below. This person reports to the board (which is accountable for ensuring appropriate responses to such actions). Where mandated by the GDPR, certain incidents may have to be reported to the relevant supervisory authorities.
Volunteers and employees are aware of:
- the need to keep personal data private and secure
- who they should contact if there is a breach, when and why
- how to recognise a breach
When a data breach has been identified and reported to the designated person they will, without unreasonable delay, within seventy two hours of becoming aware of the breach, report the breach to the relevant authority, if required. If for some reason it is reported later than seventy two hours the reason for the delay will be added to the report.
It is possible that a breach causes a higher risk to the rights and freedoms of an individual and in this case the individual(s) whose personal data was breached may be contacted directly in simple and clear language. After a breach occurs, the circumstances will be evaluated, a risk assessment performed, and mitigating controls implemented to minimize other breaches occurring in the future.
If a member/participant feels that their rights under GDPR have been compromised, they can submit a complaint to the appropriate person in their country of membership/participation. Complaints will be directed to the board to ensure they are impartially addressed.
11. Policy Updates
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the GDPR 2018.
This is a simple and understandable translation of the current privacy law based on the GDPR. Naturally the applicable laws and regulations are always leading and no rights can be derived from this document.
In case of any queries or questions in relation to this policy please contact the designated person ensuring compliance with Data Protection in your country of membership.
Czech Rep firstname.lastname@example.org
Version: created July 2019.