TRMT data protection policy

1. General
TRMT is a company limited by guarantee number 2907154, registered charity number 1164893.
The object of the Trust is to advance the education of the public in the area known as Three
Rivers in the county of Hertfordshire by the provision of a museum and as further defined in
paragraph 3 of its Memorandum of Association.
TRMT considers that it has a legitimate interest in collecting, holding and processing members’
personal data in order to achieve its objective. This personal data comprises name, date of
joining, address, telephone number(s), email address(es) and, for Directors only, NHS number.
It is collected from membership applications, subscription reminders, Gift Aid declarations and,
for Directors only, Companies House declarations, and is no more than the minimum required
for the Trust to meet its objective and its legal obligations as both a limited company and a
registered charity. TRMT also holds the names and contact details of donors of artefacts. TRMT
collects, holds, processes and protects this data in accordance with the provisions of the General
Data Protection Regulation (GDPR).
The Data Controller is TRMT. The Treasurer, and in his absence the Company Secretary, is
responsible for overseeing this policy and ensuring that it is followed by the Directors and
Officers of TRMT.
A members’ personal data is not shared with any third parties without that member’s consent.
After approval by the Board of Directors of TRMT this policy will be reviewed annually.


2. Disclosure
TRMT will inform members as to what and how their personal data is collected, processed,
stored and protected, together with the legal basis for such collection and use.


3. Lawful Use
TRMT will ensure that members’ personal data is treated lawfully and correctly and in
accordance with the principles set out in the GDPR, and in particular that:
- it is used only to enable the Trust to meet its objectives and legal liabilities as set out in 1
above;
- it is adequate, accurate, relevant and not excessive;
- it is collected, processed, stored and protected in accordance with members’ rights under the
GDPR;
- it is held no longer than is necessary for TRMT to achieve its objectives and to comply with
its legal obligations;
- it is kept securely and that appropriate measures are taken to prevent unauthorised or unlawful
processing, and accidental loss, damage or destruction.


4. Breach
Any unlawful collection, processing, loss, damage or destruction of members’ personal data
should be reported to the Treasurer, or in his absence the Company Secretary, who will decide,
in conjunction with other Directors if necessary, on the appropriate action to be taken. Severe
breach will be reported to the Information Commissioner’s Office.


Approved by the Board of Directors on 4th June 2018


(Due for review in June 2019)