This document sets out the rights of individuals accessing Pobble’s services and how Pobble will protect individuals’ rights under legislation such as the EU GDPR.
How we process your data
Except where indicated in the sections below, we do not share your personally identifiable information with third parties.
We process data according to the following requirements.
- We need to store your data for purposes of creating, maintaining and servicing your Membership of Pobble. We store the following personally identifiable data:
- Your name
- Your telephon number(s)
- Your address
- As a Member of a Charity, we are required to store your details in order to fulfil our legal obligations such as advise you of AGMs or other Charity-related activities.
- If you were to resign as a Member (or otherwise cease to be a Member), we will delete your data immediately.
- We keep this data under the Legal obligation basis, that is we are required to maintain your Membership (and its ongoing subscription) as per charity legislation in the Isle of Man and our Articles of Association.
- An individual also has the right to restrict our use of their data on a temporary basis. The effect of this is that the data will become inaccessible to all users. This restriction will have implications for an individual’s service provision such as membership, buddy system, etc.
- We need to store your data for purposes of creating, maintaining and servicing your participation within the Buddy system.
This applies to both Members and non-Members (as Mainshteryn/Mentors are not required to be Members, though for the purposes of
administration are treated as such).
- We store the following personally identifiable data:
- Your name
- Your telephone numbers
- Your address
- This processing falls under the GDPR Contract legal basis, that is, you have entered an arrangement in the form of your Mainshter or Prindeys status. As part of your entering into this arrangement, we will advise your of how your data will be processed under the Contract legal basis.
- For Mainshteryn/Mentors, we’ll keep your data no longer than a month following the completion of your most recent buddy partnership. This does not affect our obligations under the processing of your data for the purposes of maintaining your Membership, if any, so we may retain your Membership data under the legal basis for Membership.
- For Prindessyn/Apprentices, we’ll keep your data up to no longer than a month following the completion of your most recent buddy partnership, after which your previous partnerships with your Mainshteryn/Mentors will be anonymised to remove your individually identifiable data. We must retain these anonymised records for the term of our relationship with each Mainshter/Mentor for the purposes of provision of benefits, remuneration, etc.
- It is inevitable that your information will be shared with the other side of your Buddy partnership. Their storage of your data will be subject to their own implementation of GDPR, if required.
- As the Buddy System falls under the Contract legal basis, it is not required of Pobble to support an individual’s objection of storage of their data. However, if we are requested to do so, we can delete an individual’s data but it must be accepted that this will immediately terminate any Buddy System arrangement (this is without prejudice to Membership data).
- An individual also has the right to restrict our use of their data on a temporary basis. The effect of this is that the data will become inaccessible to all users. This restriction will have implications for an individual’s service provision such as buddy system, etc.
- Deletion or Restriction of a Buddy System will also:
- Delete and terminate Buddy partnerships where the individual was a Mainshter/Mentor
- Anonymise Buddy partnerships to remove the individual’s personally-identifiable data where the individual was a Prindeys/Apprentice
- We need to store your data for purposes of managing events, specifically, to confirm numbers to venues/partners, collect moneys required to fulfil booking requirements, etc. by ourselves or our partners and to confirm selections such as menu choices.
- We do not share your personally identifiable information with our partners, but we are required to provide partners with non-identifying information such as numbers, menu-choices, special requests, etc. Our partners are typically venues such as restaurants, event spaces, etc. or individuals such as speakers, hosts, etc. Where a special request is made by an individual, we may specifically request Consent as a legal basis to share their personally identifiable information in order to execute the request if we consider it to be required.
- This processing falls under the GDPR Legitimate Use legal basis, in that, it would be impossible to accurately and effectively plan events, collect payment and secure space/seating without knowing who will be attending. See the Legitimate Interests Assessment in this document for more information on how we establish this basis.
- We’ll delete/destroy your data within 5 days of completion of the event and receipt of any outstanding payment required from the individual in relation to the event (whichever is the later). We retain this information up to this period for the purposes of collecting event feedback, payment and reconciliation with our own records. Data we keep after this period will be anonymised, which will typically be to understand event success.
- We cannot offer individuals the ability to opt-out of our handling of individual’s data without cancelling their participation in the event.
Legitimate Interests Assessment
- For the purposes of clarity, where we rely on Legitimate Interests to process data as a legal basis, we have done so according to the following assessment:
- Identify the Interests
- Management of transient events/data that have specific expiration dates after which data may be deleted.
- Provide support for individuals’ preferences, requirements, tastes and capabilities in relation to the activity.
- Understand subscription, attendance and interest in events and activities with a view to maintaining communication with individuals until 5 days following completion of the event.
- Without collecting personally identifiable information to support the event/activity, it would not be possible to accurately, effectively and safely host, conduct or provide the event/activity.
- Collection of interest, attendance, preferences, requirements, etc. may be via mediums we cannot fully control, such as social media.
- Data collected will be for the purpose of hosting, executing or implementing the event/activity only.
- It may be required to request personal and private data in the interests of safety in order to host an event/activity. (allergies, medical issues with regards trips/activities, etc.). This personal data will be destroyed immediately following the event/activity.
- We are happy to explain why we need information either personally or officially, in writing.
- Whilst we cannot guarantee individuals have the right to opt out, we will endeavour to try without affecting their participation. We may be able to use an anonymised identity, for example.
- From time to time we will contact individuals to inform them, invite them or make requests of them in support of Pobble, its activities and supporters. These communications are regardless of Membership of Pobble and will be processed independently of any membership or subscription.
- This processing falls under the GDPR Consent use legal basis. All individuals are offered the opportunity to receive marketing communications from ourselves based on a clear “opt-in” process which has no prejudice to any service provided by Pobble.
- Each communication will include an option for this consent to be removed (typically, an "Unsubscribe" link will be how we implement this option). On activation, this will remove all your data we hold with regards to this communication. It will not affect any other data we hold for you under other legal bases, such as Membership, Buddy system, etc.
User logins (Administration)
- In order to implement certain aspects of the Pobble service, including our implementation of our obligations under GDPR, we store user data as logins to services. This user data has no prejudice on any Membership or other service arrangement between Pobble and the user/individual. If you do not work with Pobble, this has no effect on your rights.
- This processing falls under the GDPR Legal obligation legal basis, in that, to be in compliance with GDPR it would not be practicable to implement our obligations without introducing significant risk of non-compliance. GDPR is available at The EU.
- Our obligations are several, we must: secure data, restrict access to data, provide for exercising of individuals’ rights under GDPR (erasure, portability, objection), proactively delete data and audit accesses to and changes of data. User’s identities may be combined with these activities as part of our implementation of GDPR requirements.
- Users have no rights to erasure of their data, portability of their data or objection to us storing their data.
- We collect data in relation to our implementation of modern communication mediums such as web sites, social media interactions, etc. Whilst this data is generally aggregated, some identifying data is collecting and it may be possible for identities to be inferred given the niche nature of the data and our users.
- We use third parties to provide services such as web sites, social media, etc. Where your data is held or managed by a third party, your rights fall within the remit of these third parties. Therefore, if you interact with us on Facebook, your rights within GDPR will be implemented by Facebook.
- Where we use a third party within our own service, your rights fall within our implementation of GDPR. We will apply whatever legal basis we see fit at the time of implementation and update this Privacy Notice accordingly.
Actioning GDPR Requests
- The act of actioning your rights under GDPR requires us to collect information from individuals for identification. We will retain this for the period of the GDPR Request only.
- We will endeavour to collect only the necessary identifying information of an individual to guarantee identity whilst being able to respond to requests
Acting on your rights to your data under GDPR
- Whilst the GDPR legislation is intended for EU citizens, we will endeavour to allow all individuals to exercise similar rights, regardless of state.
- We’ve created a special page to allow GDPR rights to be exercised. This will provide access to all rights:
- Accessing the information we store about you
- Correcting information we hold about you
- Right to be forgotten
- Right to restrict processing
- Right to object
- Right to portability
- Rights related to automated decision making and profiling
- Making requests is free of charge in principle, but we reserve the right to charge an appropriate administration fee if the request is complex, unfounded or excessive. The application and amount of this fee will be at our discretion.
- We will endeavour to provide you with the results of your request as soon as possible, but certainly within a month.