Dear Members,
As you are probably aware, the Personal Information Protection Act 2016 (“PIPA”) will be fully implemented in Bermuda from 1 January 2025. The purpose of the legislation is to protect and regulate personal information. In particular, it sets out a number of specific requirements for organisations that use personal information and also establishes the rights that individuals have regarding the use of their personal information by those organisations.
Under the legislation, “Personal information” is broadly defined and means “any information about an identified or identifiable individual.” This includes basic information such as your name and contact details, but also more sensitive information such as race, colour, sex, sexual orientation, national or ethnic origin, sexual life, marital status, or physical or mental disability. The Bermuda Snow Society only requests and uses personal information that is necessary for activities organised by our social club.
Furthermore, the Bermuda Snow Society is committed to protecting the security, confidentiality, and privacy of the personal information that is used in conducting its activities. Please find our Society’s Privacy Statement below, which is provided to help its members and prospective members understand how the Society collects, uses, and protects the personal information obtained in running our Society. It also briefly summarises your rights with respect to the Society’s use of your personal information.
Please let the committee know if you have any questions, concerns, or requests about the way the Bermuda Snow Society is using your personal data.
BERMUDA SNOW SOCIETY
PERSONAL DATA PRIVACY STATEMENT
1. Introduction
The Bermuda Snow Society (“the Society”) is a social community which aims to connect its Members through a common interest in Alpine sports and lifestyle.
This personal data privacy statement (“Privacy Statement”) is designed primarily to help the Society’s Members and prospective Members understand how the Society uses and protects the personal data that it obtains in the running of the Society. The Privacy Statement also applies to certain other parties that provide personal data to the Society, including, but not limited to, visitors to the Society’s website and social media platforms, as well as the Society’s third-party service providers.
For the purposes of this Privacy Statement:
Personal data means any information about an identifiable individual (also referred to as “personal information” or “personally identifiable information”).
The use of personal data includes collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying such data.
The Society is committed to protecting the security, confidentiality, and privacy of any personal data used in conducting its activities. As such, the Society has adopted a number of Data Privacy Principles as set out in this Privacy Statement, and has also implemented related internal policies and procedures to ensure the appropriate use and protection of personal data in accordance with applicable laws and regulations. All committee members of the Society are required to comply with these Data Privacy Principles and the related internal policies and procedures.
2. What are the Society’s Data Privacy Principles?
To ensure the security, confidentiality, and privacy of personal data in accordance with applicable laws and regulations, the Society has adopted the following Data Privacy Principles:
Transparency: The Society will be clear and transparent about how it uses personal data.
Limited purposes: The Society will use personal data solely for the purposes of operating and developing its activities and events for Members. See section 4 for more details.
Data minimisation and adequacy: The Society will only request and use personal data that is proportionate to its activities.
Fair and lawful usage: The Society will only use personal data lawfully and where it has a legitimate reason to do so. See section 6 for more details.
Data quality and accuracy: The Society will seek to ensure that any personal data it uses remains accurate and up to date.
Data security and retention: The Society will retain personal data securely in order to prevent (i) loss, (ii) unauthorised access, destruction, use, modification or disclosure, or (iii) any other misuse. The Society will also securely dispose of personal data when it is no longer required. The Society’s information security safeguards are proportionate to (i) the likelihood and severity of the harm threatened by the loss, access or misuse of the personal information; (ii) the sensitivity of the personal information (including in particular whether it is sensitive personal information); and (iii) the context in which it is held.
Training and awareness: Committee Members of the Society with access to other individuals’ personal data are made aware of their obligations regarding all personal data, with due regard to these Data Privacy Principles.
Third parties: Where the Society appoints a third-party service provider that requires the sharing of some personal data to perform agreed services, it will ensure that the third party has adopted standards of protection equivalent to those set out in this Privacy Statement. The Society will only disclose personal data to governmental or judicial bodies, law enforcement agencies, or its regulators if required by applicable laws and regulations. See section 8 for more details.
Data transfers: Before the Society transfers personal data to another jurisdiction, it assesses the adequacy of the protection provided by the overseas third party. Depending on the results of that assessment, the Society may require the third party to contractually implement additional safeguards and protections commensurate with the standards set out in Bermuda’s personal information protection laws and regulations. See section 8 for more details.
Data Subject’s rights: The Society will ensure that Data Subjects’ rights are observed in accordance with applicable laws and regulations. See section 10 for more details. For the purposes of this Privacy Statement, a Data Subject is the identified or identifiable individual to whom the personal data relates.
3. How does the Society collect and receive personal data?
The personal data typically obtained by the Society is provided directly by individuals on a voluntary basis during the application process to become a new Member (including initial expressions of interest) and then during the course of Membership so that the Society can provide ongoing community access and meet its other obligations. Limited personal data may also be obtained through referrals of interested parties by existing Members.
Some personal data may also be automatically collected from individuals who access the Society’s website and social media platforms.
Limited amounts of personal data may also be collected from third parties, primarily to enable those entities and their employees to provide services to the Society so that it can conduct its activities effectively. See section 8 below for more details on third-party service providers.
4. What personal data is collected by the Society?
The Society seeks only to collect and use personal data that is necessary for the following purposes:
Conduct its activities, including the provision of related services to its Members.
Provide information about the Society to prospective Members and/or visitors to its website and social media platforms.
The Society endeavours to ensure that it uses personal data that is adequate, relevant, and not excessive for the purposes for which it was requested.
The personal data that is typically requested and/or provided by the Society’s actual and prospective Members includes:
Personal information: Name, date of birth, and personal contact details (e.g. telephone numbers, email addresses), and personal contact details of other named individuals (e.g. spouse, partner, or parent) to be contacted in case of an emergency.
If Members provide the Society with personal data about other individuals, they should first ensure that such individuals are aware of the information being provided and, if appropriate, provide them with a copy of this Privacy Statement.
Electronic identification data: This may include individual login details required to access any of the Society’s online systems (e.g. a member portal), if applicable.
In addition, the Society and/or its online service providers may use cookies, IP addresses, web beacons and other technologies to automatically collect certain types of information when visiting the Society’s website and social media platforms. The collection of this information allows the Society and its marketing service providers to improve the performance and usability of the Society’s online presence and to measure the effectiveness of its marketing activities.
The personal data provided by the Society’s third-party service providers is generally limited to names and business contact details (e.g. telephone numbers, and email addresses).
In very limited cases, the Society may receive information about individuals that is of greater sensitivity (referred to as sensitive personal information) and is therefore subject to additional considerations. The Society will ensure it has a valid legal basis for collecting such sensitive personal information and that such information is appropriately safeguarded. Examples may include:
Diversity-related personal information: Such as information about place of origin, race, colour, national or ethnic origin, gender, marital status, and family status.
Health and disability information: Such as sickness or disability that may affect an individual’s participation in certain Society events or activities.
Criminal information: Such as alleged or proven criminal offences that may affect an individual’s eligibility to become or remain a Member.
5. How does the Society use personal data?
The Society does not share personal data with third parties other than as necessary for its legitimate operational needs, or as required or permitted by law. In particular, the Society does not sell or otherwise make personal data available to any third party for their own commercial use or benefit.
The Society primarily uses personal data to:
Respond to requests for Membership (including expressions of interest).
Provide services to its Members and fulfil its other obligations to Members.
Perform activities necessary for running its community (see section 8 for more details on the Society’s use of specialist third-party service providers).
Meet its legal obligations.
More specifically, the Society may use personal data in order to:
Make decisions about eligibility and suitability for Membership during both the application process and on an ongoing basis.
Prepare documentation relevant to Membership for execution by each Member.
Communicate with Members about activities, events, or schedule changes.
Respond to emergencies, for example by contacting named individuals provided by Members if a need arises.
Address legal disputes that may arise from Membership or the Society’s activities, including disagreements or disputes regarding rights and obligations under any Membership terms and conditions.
Provide Members and prospective Members with the Society’s newsletters, promotional material, and other marketing communications.
Invite Members and prospective Members to social events.
Reply to an official request from a public or judicial authority.
Comply with any legal or regulatory obligations imposed on the Society.
6. What are the legal grounds for the Society to use personal data?
In accordance with applicable data privacy laws and regulations, the processing of personal data must be supported by a lawful basis. The Society only uses personal data (including sensitive personal information) where it is lawful to do so, specifically in the following circumstances:
Performance of a contract: The Society may use a Member’s personal data if such information is necessary for providing services and performing other obligations under the Membership terms and conditions, to which the individual is a party. Similarly, the Society may use personal data provided by a potential Member where that individual has requested the Society to take steps toward establishing a Membership relationship.
Reasonable expectation: The Society may use personal data if it reasonably considers that the individual would not be expected to refuse that use and the use does not prejudice the individual’s rights. (This basis may not be available for processing sensitive personal information.)
Consent: The Society may use personal data where it can reasonably demonstrate that the individual has consented. Individuals may withdraw their consent at any time by contacting the Society’s Privacy Officer at the email address listed in section 10.
Emergency: The Society may use personal data if it is necessary to respond to an emergency that threatens life, health or security.
Public information: The Society may use personal data if it is publicly available and its use is consistent with the purpose of its public availability.
Provision of law: The Society may use personal data if that use is pursuant to a provision of law that authorises or requires such use, such as keeping records for tax purposes or providing information to a public body or law enforcement agency.
Prior to using any sensitive personal information or criminal record data, the Society will identify the appropriate lawful basis from those listed above. This is typically the relevant individual’s explicit consent or a legal requirement to collect or report such information.
7. Must you give the personal data requested by the Society?
The Society seeks to minimise the amount of personal data it collects, particularly sensitive personal information.
Nevertheless, certain personal data (in particular contact details, payment information, and emergency contact details) is necessary for the Society to enter into, maintain, and fulfil its obligations to each Member. For example, without this personal data, the Society would not be able to:
Provide the services or resources offered under Membership.
Comply with its contractual obligations regarding the welfare and safety of Members.
Similarly, the Society and its third-party service providers may be unable to fulfil their respective obligations under any relevant services agreement without exchanging some limited personal data for the employees responsible for providing and overseeing the services.
8. Does the Society transfer personal data to third parties and other countries?
The Society uses specialist third parties to provide certain services on a cost-effective basis, for example:
Provision and hosting of any relevant Society-related apps or software.
Legal and other professional services.
Marketing and business development, including hosting the Society’s website and social media platforms.
Information Security and related IT systems, including responses to information security threats.
The Society may also be required to share personal data with the following:
Auditors: The Society may disclose personal data if relevant to ad hoc data privacy/data security audits or other investigations.
Courts, tribunals, law enforcement or regulatory bodies: The Society may disclose personal data in order to respond to requests from courts, tribunals, regulators, government or law enforcement agencies, or where it is necessary or prudent to comply with applicable laws, orders, or regulations.
Some of these service providers, or their affiliates that provide subcontracting support, may be based overseas. The Society only shares personal data necessary for the service provider to perform the required services (often limited to names and contact details of Members). However, the hosts of the Society’s data and/or back-up data will have broader access to the personal data used by the Society.
The Society ensures that all third parties receiving personal data are subject to standards equivalent to those in this Privacy Statement and/or to contractual provisions designed to ensure personal data is adequately protected. Before transferring personal data to another jurisdiction, the Society assesses the adequacy of the protection provided by the overseas third party. Depending on the results of that assessment, the Society may require the third party to adopt additional safeguards commensurate with Bermuda’s personal information protection laws and regulations.
9. How long does the Society retain personal data?
The Society will keep personal data only for as long as is necessary to fulfil the purpose for which it was originally collected, taking into account any legal, regulatory, or reporting requirements that relate to the retention period for business records.
10. What are an individual’s rights with respect to the Society’s use of their personal data?
Subject to the terms of the applicable laws and regulations, Data Subjects have the following rights:
Right to Access: An individual may request that the Society provide a copy of their personal data and details of (i) the purposes for which such personal data is used, (ii) the persons or types of persons to whom the personal data is disclosed, and (iii) the circumstances for any such disclosure to third parties.
Right to Withdraw Consent: An individual may request that the Society, where its processing is based on consent, stop that processing by withdrawing their consent. However, the Society may continue to process certain personal information to the extent permitted by other legal grounds. Any withdrawal of consent may make it impossible for the Society to provide certain Membership services or to fulfil the terms of Membership with that individual.
Right to Accuracy/Rectification: An individual may request that the Society update any inaccuracies in the personal data it holds about them.
Right to Blocking: An individual may request that the Society cease or not begin using their personal data for advertising, marketing, or public relations, or where use of that data is causing or is likely to cause substantial damage or distress to the individual or another individual. (Note that the Society does not use personal data for advertising, marketing, or public relations without explicit consent.)
Right to Erasure: An individual may request that the Society delete any of their personal data where it is no longer relevant for the purposes of its use.
Please contact the Society’s Privacy Officer at [email protected] if you have any questions, concerns, or requests about the Society’s use of your personal data. The Privacy Officer is designated for the purposes of compliance with the Bermuda Personal Information Protection Act 2016.
If you are dissatisfied with the Society’s use of your personal data as outlined in this Privacy Statement, you may contact the Office of the Privacy Commissioner ([email protected]), which is an independent supervisory authority established pursuant to the Bermuda Personal Information Protection Act 2016.
11. Updating this Privacy Statement
This version of the Society’s Privacy Statement is dated 22 December 2024. Any updates will be provided on the Society’s website and, where appropriate, directly via email.