In the course of completing the membership form, you have provided information about yourself (‘personal data’). We (the University of Oxford*) are the ‘data controller’ for this information, which means we decide how to use it and are responsible for looking after it in accordance with the General Data Protection Regulation and associated data protection legislation.
How we use your data
We will use your data to service your membership. This includes sending renewal information, sending Pitt Rivers Museum Members newsletters, sending What’s On leaflets and Pitt Rivers Museum Members flyers or invitations for events you are entitled to attend. If you buy membership as a gift your details and your association with that membership will be recorded. We need to process your data for this purpose in order to fulfil our contractual obligations to you or to take steps at your request prior to entering into a contractual relationship.
We will also use your personal data to invite you to support the work of the Pitt Rivers Museum by volunteering, making a donation or getting involved in fundraising activities. If you make a donation, we will use any personal information you give us to record the nature and amount of your gift, claim gift aid where you have told us you are eligible, and thank you for your gift. We need to process your data for this purpose in order to meet our legitimate interests in supporting the work of the Pitt Rivers Museum.
All our communications with you will be by post, unless you give us permission to contact you by email. You give us this permission by providing your email address.
We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.
Who has access to your data?
Access to your data within the University will be provided to those who need to view it as part of their work in carrying out the purposes described above.
We may share your data with companies who provide services to us, such as for administrative purposes, financial services, or to assist with our communications (e.g. mailing houses, printers). These companies are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
Where we share your data with a third party, we will seek to share the minimum amount necessary. We do not and will not sell your data.
Retaining your data
We will retain your financial data for seven years, even after you have ceased to be a member, in order to comply with tax and accounting rules. If you tell us you no longer wish to be a member, for example by cancelling your direct debit, we will retain your personal data for as long as is necessary to update our records. If you do not renew your membership we will retain your personal data for one year after you cease to be a member.
We will retain your name and the dates of your membership as part of the archive of the Members of the Pitt Rivers Museum.
Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website.
Where we store and use your data
We store and use your data on University premises, in both a manual and electronic form.
Electronic data may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"), for example, when we communicate with you using a cloud based service provider that operates outside the EEA such as Survey Monkey/MailChimp/Eventbrite/Wuhoo/etc.
Such transfers will only take place if the country receiving the data is considered by the EU to provide an adequate level of data protection; or the organisation receiving the data is covered by an arrangement recognised by the EU as providing an adequate standard of data protection e.g. transfers to companies that are certified under the EU US Privacy Shield.
You have the right to:
- request access to your data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
- request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
- request erasure of your data. This enables you to ask us to delete or remove your data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
- object to the processing of your data, where we are processing it to meet our public tasks or legitimate interests (or the legitimate interests of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
- request that the processing of your data is restricted. This enables you to ask us to suspend the processing of your data, for example, if you want us to establish its accuracy or the reason for processing it.
- request the transfer of your data to another party
Further information on these rights is available from the Information Commissioner’s Office.
Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop.
If you wish to exercise any of the rights described above or raise any queries or concerns about our use of your data, please contact us at contact us at email@example.com. You may also contact our Data Protection Officer at firstname.lastname@example.org. If you remain dissatisfied, you may lodge a complaint with the Information Commissioner’s Office at: https://ico.org.uk/concerns/
*The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford