Data Protection Policy

Introduction - Privacy and data protection as a key policy for Stichting PACK

Stichting PACKS’s commitment to protecting privacy and data protection has been adopted as a key policy. This key policy underpins both this Data Protection Policy and other associated policies used by Stichting PACK, and its events.

1. Purpose of this Data Protection policy and what it covers

This policy sets out Stichting PACKS’s approach to protecting personal data and explains your rights in relation to how we may process personal data. More detail in respect of how we process and protect your data is provided below, in particular in section 5. 

. If you have any queries about anything set out in this policy or about your own rights, please write us via our contact system:

We may update this policy from time to time in minor respects, although we will make sure that any substantial or significant changes will be notified to you directly.

2. Some Important Definitions

‘We’ means Stichting PACK

‘Personal Data’ is defined in section 3

‘Processing’ means all aspects of handling personal data, for example collecting, recording, keeping, storing, sharing, archiving, deleting and destroying it.

‘Data Controller’ means anyone (a person, people, public authority, agency or any other body) which,on its own or with others, decides the purposes and methods of processing personal data. We are a data controller insofar as we process personal data in the ways described in this policy.

‘Data processor’ means anyone who processes personal data under the data controller’s instructions,for example a service provider. We act as a data processor in certain circumstances.

‘Subject Access Request’ is a request for personal data that an organisation may hold about an individual. This request can be extended to include the deletion, rectification and restriction of processing.

‘Vulpes’ Vulpes is a Stichting PACK web-based event registration system. 

3. What is personal data?

Personal data means any information about an identified or identifiable person. For example, an individual’s home address, personal (home and mobile) phone numbers and email addresses, occupation, and so on can all be defined as personal data.

Some categories of personal data are recognised as being particularly sensitive (“sensitive personal data”). These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic and biometric information, and data concerning a person’s sex life or sexual orientation.

4. How does data protection apply to PACK and its activities and events?

Data protection legislation applies to all data controllers regardless of whether they are charities or small organisations. It applies to PACK in the same way as it does to other organisations. 

5. What type of personal data do we collect and why?

5.1 Attendees

We may hold personal data (including sensitive personal data) about attendees on our event database. We believe it is important to be open and transparent about how we will use your personal data. Information we may hold about you includes the following:

This information is collected via your input in the registration form when you register for an event.

We benefit from the service of a large number of volunteers giving their time to Stichting PACK.

As an organisation that works with volunteers, we need to keep information relating to each member of crew who has a contract with us. This will include the pre-enlistment stage, references, and records relating to the time they worked for us, including probationary, appraisal and disciplinary information.

Information we may hold about crew includes the following:

6.1 Keeping to the law

We must keep to the law when processing personal data. To achieve this, we have to meet at least one of the following conditions:

6.2 Information that we share

We may have to share your personal data within appropriate levels of the event, as long as this is necessary and directly related to your role within the event. We do not share personal data with companies, organisations and people outside Stichting PACK, unless one of the following applies;

7. Keeping personal data secure

Everyone who handles personal data (including crew and volunteers,) must make sure it is held securely to protect against unlawful or unauthorised processing and accidental loss or damage. We take appropriate steps to make sure we keep all personal data secure, and we make all of our crew aware of these steps, including keeping to our internal information and computing technology (ICT) policy. In most cases, personal data must be stored in appropriate systems and encrypted when taken off-site. The following is general guidance for everyone working within Stichting PACK, including Crew, board members and volunteers.

 All crew have a responsibility to keep to the requirements of this data protection policy and our related procedures and processes. Managers are responsible for making sure that crew within their teams are aware of and keep to this. If you become aware of a data protection issue you must report it promptly to your team manager. If you do not keep to this data protection policy and its associated policies and procedures, we may take disciplinary action against you.

Only those staff who need membership information to carry out their role have access to that information.

9. Data Retention

We may keep information for different periods of time for different purposes as required by law or best practice. Individual departments include these time periods in their processes. We make sure we store this in line with our Data Retention Policy.

As far as membership information is concerned, to make sure of continuity (for example if you leave and then re-join) and to carry out our legal responsibilities relating to safeguarding young people, we keep your membership information throughout your membership and after it ends, and we make sure we store it securely in as far as needed for tax filing.

making sure that this data protection policy is up to date

advising you on data protection issues

dealing with complaints about how we use personal and sensitive personal data reporting to the ICO if we do not keep to any regulations or legislation

10. Rights to accessing and updating personal data

Under data protection law, individuals have a number of rights in relation to their personal data.

(a) The right to information: As a data controller, we must give you a certain amount of information about how we collect and process information about you. This information needs to be concise, transparent, understandable and accessible.

(b) The right of subject access: If you want a copy of the personal data we hold about you, you have the right to make a subject access request (SAR) and get a copy of that information within 30 days.

(c) The right to rectification: You have the right to ask us, as data controller, to correct mistakes in the personal data we hold about you.

(d) The right to erasure (right to be forgotten): You can ask us to delete your personal data if it is no longer needed for its original purpose, or if you have given us permission to process it and you withdraw that permission (or where there is no other lawful basis for processing it).

(e) The right to restrict processing: In certain circumstances where, for lawful or legitimate purposes we cannot delete your relevant personal information or if you do not want us to delete it, we can continue to store it for restricted purposes. This is an absolute right unless we have a lawful purpose to have it that overwrites your rights.

(f) The obligation to notify relevant third parties: If we have shared information with other people or organisations, and you then ask us to do either (c), (d) or (e) above, as data controller we must tell the other person or organisation (unless this is impossible or involves effort that is out of proportion to the matter).

(g) The right to data portability: This allows you to transfer your personal data from one data controller to another.

(h) The right to object: You have a right to object to us processing your personal data for certain reasons, as well as the right to object to processing carried out for profiling or direct marketing.

(i) The right to not be evaluated on the basis of automatic processing: You have the right not to be affected by decisions based only on automated processing which may significantly affect you.

(j) The right to bring class actions: You have the right to be collectively represented by not-for-profit organisations.

11. Subject access requests

You are entitled to ask us, in writing, for a copy of the personal data we hold about you. This is known as a subject access request (SAR). In line with legislation, we will not charge a fee for this information and will respond to your request within one month. This is unless this is not possible or deemed excessive, in which case we will contact you within the month of making the SAR.

12. Further information and contacts

Data protection officer contact details

Subject access requests

Subject access requests for data held by PACK should be made via the form on