Data privacy notice
We take the handling, processing, security and protection of any data kept as a key responsibility and priority.
The Chartered Institute of Trade Mark Attorneys (CITMA) is a professional membership organisation and relies on data to be able to provide the goods, services and benefits offered to its members and which members pay for, as well as to non-members who have an interest in the wider Intellectual Property sector and the activities CITMA undertakes.
What data CITMA collects and how it is collected
In order to facilitate the goods and services CITMA offers as well as provide the benefits membership of CITMA provides, various pieces of general and personal information about members and individuals needs to be collected and is kept.
CITMA will collect and keep information such as (not all of this data is captured in every process):
- Name, employer, postal addresses, email addresses, telephone numbers, date of birth, nationality, social media profile handles, qualifications, dietary requirements.
- Data is primarily captured and processed during transactions with CITMA, for example, an application for membership or booking onto a CITMA event/course. These processes are largely through online facilities via the CITMA website, but on occasions via email, paper or telephone as well.
- CITMA will also collect and keep information in respect of non-members who engage in and require the services CITMA provides. This can include information provided when booking onto CITMA events, purchasing products from the e-shop or registering for advice clinics/courses.
- During a transaction where a payment is required, any credit or debit card information entered online is not kept in any capacity. If payment details are provided via any other form, for example via a telephone call with the CITMA office, they are securely destroyed after the payment has been successfully processed.
How CITMA stores data
The majority of data kept is stored in a customer relationship management system which is hosted as a cloud based solution, i.e. not onsite. The cloud based solution is provided by a third-party provider who has strict security service level agreements with their data centre and hosted provider.
Some personal data provided by members is also kept, used and displayed on the CITMA website. Examples include:
- Personal data (name, address) is used to build a personal profile in the secure members’ area of the website from which a member can carry out ‘self-service’ actions such as, paying for their membership subscription, booking on events at membership rates, updating personal information.
- The CITMA membership directory and public search tool (the latter only features those qualified Chartered Trade Mark Attorneys in private practice) displays the name and work address/contact details of members.
- Information (names) regarding members (and some non-members) who volunteer and help deliver the objectives of CITMA by serving on the governing body (Council) or Committees/Working Groups. This information is also contained in the Annual Report.
- The website is securely hosted under strict service level agreements with the provider.
Data is sometimes extracted from the CRM or website by employees of CITMA and used in other general electronic office tools for further analysis or to assist with other activities CITMA undertakes, e.g. creating delegate lists or name badges for events.
The data can also be analysed to inform marketing and communication strategies CITMA undertakes.
Some data is also kept in electronic files on a secure onsite server which is only accessible to the CITMA office employees.
Any data downloaded from these secure systems and taken offsite is done so using encrypted devices. If data is shared with third-parties (see below) the files are password protected.
In the unlikely event that there is a breach of any personal data CITMA keeps, CITMA will, if there is considered to be a high risk of it adversely affecting individuals, notify each individual as soon as is reasonably possible.
In addition CITMA will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
Who does CITMA share data with?
CITMA may share relevant data with third-parties where there is a contract of service. Examples include:
- Name and postal address is shared with a third-party publisher for mailing the CITMA Review publication to members and selected non-members.
- Name and postal address is shared with a third-party distributor for fulfilment of products bought via the CITMA e-shop (books).
- Name, email address, dietary requirements are shared with third-party events agencies who assist with the organising and production of some CITMA events.
- Name and dietary requirements are shared with venue providers for some CITMA events.
Data is also shared with some third-party systems. Examples include:
- Name, email address, postal address is shared with a third-party mailing solution which is used to send relevant CITMA content and information to selected members and non-members via email.
Data is also shared with the CITMA Benevolent Fund; a separate company limited by guarantee and registered charity set up by CITMA to provide financial support for members and dependents who find themselves in hardship. All members of CITMA are automatically considered to be members of the CITMA Benevolent Fund and able to make an application to the fund for assistance if needed. The Benevolent Fund is considered to be one of the benefits of CITMA membership and its constitution requires it to know who the members of CITMA are. The CITMA office handles the day to day operations of the CITMA Benevolent Fund.
CITMA does not sell or share the data held to or with any third-party to use for their own marketing or research purposes.
Retention of data
CITMA can hold personal data in respect of its members, lapsed members, employees and for general contacts.
The retention of personal data is considered in the circumstance of each category above.
For current members of CITMA any personal data held will be retained until such time as they cease to be a member. Once a membership record has been lapsed, the data retention policy relating to lapsed members will apply – see below.
CITMA will retain any personal data of lapsed members for a period of six (6) years from the date the membership record is lapsed. This period will allow time for the reinstatement of membership if a lapsed member wishes to return as a member, as well as to provide historical information and statistics that may be required from time to time. After 6 years the membership record will be securely destroyed.
Once a year, at the end of the renewal period, a list of the membership will be captured and kept on an electronic file for historic reference. This list will only contain the name of members, the name of the firm they work for and their category of membership.
Any personal data held regarding an employee of CITMA will be securely destroyed six (6) years after the final date of employment. This period will allow for the handling of any queries, for example, reference requests, that may arise after employment has ended.
Where personal data is held for general contacts, e.g. suppliers, organisations within the sector etc the data will be retained until such time as the contact is no longer considered relevant. A review of contacts will take place at least once every two years. Any contacts not considered to be relevant will be removed from any database and information securely destroyed.
Rights of individuals
All CITMA members and those individuals, who may have provided personal data during a transaction or interaction with CITMA, have data protection rights. CITMA is fully transparent in handling any requests received from individuals in exercising those rights.
Members are able to ‘self-service’ their preferences in the type of information they receive from CITMA and can opt out of communications. For example, if a member wishes to no longer receive certain email communications from CITMA, they are able to unsubscribe via a link in the email communication they received.
A member can also choose to be anonymous and not listed in the membership directory and public search tool located on the CITMA website. They can do this by amending settings in their CITMA website profile or by contacting the CITMA office.
If an individual wishes to have personal data removed, i.e. exercising their right to be forgotten, CITMA will ensure that this is completed, provided the personal data is no longer required to provide the functions of membership of the organisation.
Any requests to exercise any rights as stated above or any other rights which individuals may have should be sent for the attention of the Data Protection Officer (DPO) using one of the contact methods listed below.
Responding to requests
CITMA will endeavour to respond to any data protection enquiries or requests within one calendar week of receipt of the request.
If you have any queries in relation to this data privacy notice or data protection more generally, please contact the Data Protection Officer via email, firstname.lastname@example.org indicating it is a data protection query or write to the Data Protection Officer, CITMA, 5th Floor, Outer Temple, 222-225 Strand, London, WC2R 1BA.
© CITMA 2018