General Data Protection Regulation
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a EU law that aims to identify what private information is used by companies and institutions about their customers or members and for what purposes, as well as how it’s dealt with, stored and shared with other organizations. Companies and institutions that are legal entities must comply with these rules if they deal with information originating from the EU / belonging to EU citizens, even if they are outside of the EU space.
Toastmasters deals, at various levels, with private information about its members and guests, such as name, address, email and phone number, as well as activity information such as club attendance and educational progress. This information can reside in the club or at the levels of areas, divisions, and districts, as well as Toastmasters International’s own website and Easy Speak.
While clubs are not legally strictly obliged to comply with GDPR given their lack of a legal status, they are highly encouraged to do so. Compliance with GDPR will also show goodwill and an active concern for the respectful usage of club members’ information and shows transparency in an area that is growing as a concern in many members’ minds. Lastly, adhering to these rules protects clubs from legal problems precisely because it shows concern, diligence, and transparency.
How can clubs comply with GDPR?
Every year, each club should nominate one club officer as a contact person for GDPR
The GDPR contact person should be a current officer as officers are official representatives of clubs. Ideally, it should be the Vice President of Membership or the Secretary but it could be anyone. Note: this doesn’t have to be an official role such as a “Data Protection Officer”: the GDPR contact person is a much more informal one, and enough for this purpose.
The GDPR contact person should understand how GDPR works
They should read this page as well as the privacy notices to understand the regulations well. Follow the rules in the documents and if you have any questions don’t hesitate to contact us! See contacts at the bottom of the page.
The GDPR contact person gives the privacy notices to current and new members and guests for them to read and sign.
Clubs have a choice on how to supply the privacy notices to members and guests:
⇒ Those clubs that choose to deal with physical documents should download them from this page (see bottom of page), make the required changes for the club’s needs (in the yellow fields), print the forms, then hand them in to all members (current and new) to be filled and signed.
⇒ Those clubs that choose to deal with these documents in software (non-physical) should create the necessary forms online (for example on Google Docs) based on the documents found at the bottom of this page. Ensure that the required changes to suit the club’s needs (in the yellow fields) are made. Then give a link to the documents to all new and existing members and new visitors and ask them to fill it and sign it. Please ensure that there is a clear way for the members to authenticate themselves here, for example on Google Forms you can get the form to retrieve the Gmail email associated with the user’s account. Here is an example, created for District Officers.
The GDPR contact person should store the signed privacy notices in a secure location:
⇒ Clubs that deal with physical documents should store the signed versions somewhere safe such as a safe with a lock, combination or key. It is also possible to either take a picture of the document or scan it and store it in the club’s online archive, in which case the physical document should be destroyed.
⇒ Clubs that choose to deal with software documents, can simply store the response as in any regular Google form. Please ensure that the information is held in a password-protected account.
What should clubs do when someone ceases to be a member of Toastmasters?
In this case, clubs should delete information about former / non-active members, namely their names and contact details. However, clubs don’t have to do anything on the Toastmasters International and Easy Speak – it’s the members themselves who deal with their accounts on those websites.
How should I deal with members from other clubs attending a session of my club?
It’s important that these members sign the guests’ privacy notice. You can make it easier by having it purely online and sending them the link at the beginning of the session. Then store their acceptance digitally.
I’m organising an event. What should I do?
Organizers of events will need to take into consideration personal preferences for usage of information and not simply rely on the member’s privacy notice at their home club. Also, note that each member’s privacy notice and preferences (e.g. do they allow to be added to an instant messaging group? Do they allow their photo and video to be taken and put on social media?) are stored in clubs and event organisers from other clubs, areas or divisions don’t have access to this information, not easily anyway.
Therefore, a separate privacy notice for events was created and is available at the bottom of this page. Event organisers must make them available to all attendees in either physical or digital form, in the same way that clubs would do.
In order to do this you can choose one of the following:
⇒ If you choose to deal with physical documents, start by making the required changes for the events specifics (in the yellow fields), print the forms, then hand it in to the attendees and ask them to fill it and sign it.
⇒ If you choose to deal with software documents, create a copy of the documents, then make the required changes to suit the event specifics (in the yellow fields), put them online and then give a link to it to the member or visitor and ask them to fill it and sign it.
Then store the documents for one year, counting after the event, ideally at the home club responsible for the organisation of the event own online archive.
What about the Toastmasters International website and Easy Speak?
These already have their own privacy notices and members can set their choices in those websites whichever way they want. The privacy notices supplied in this page already take this separation into consideration.
My term as a club officer is ending, how can I hand over oversight to a new officer?
Every year the club officers change and so should the GDPR contact person. Explain to them what is GDPR and share the link to the current page. Tell them where the signed privacy notices are located and give them access in the case of software documents; for physical documents give them in hand and explain that they need to be stored securely.
As in any other role, take the initiative to approach the new officer and make yourself available to help for a while in case the new officer needs it.
What about other levels of Toastmasters?
The privacy notice for members is quite complete for club, area and division activity but District Officers (i.e. Area Directors, Division Directors and District Core team) have different activities all year-round, so they need a specific privacy notice. This document is online and needs to be filled out and signed electronically (name and contacts are enough) by these officers, ideally at the beginning of each term.
In the case of this document, the Administration Manager of the District Core Team will ensure that the new officers read, understand and sign it. The GDPR contact person at club level can safely ignore this.
What should I do in case of breach of information?
If you discover your member/guest data has been breached, you must report it to the member/guest and to your country’s supervisory authority within 72 hours. Toastmasters International should also be notified immediately, if the breach is related to a member, by sending an email to email@example.com.
Portuguese Supervisory Authority: Comissão Nacional de Proteção de Dados (https://www.cnpd.pt/)
Spanish Supervisory Authority: Agencia Española de Protección de Datos (https://www.aepd.es/es)
What should I do if someone exercises their rights?
If a member/guest requests their data to be erased, for example, clubs must comply with these petitions within a reasonable amount of time (recommended within 72 hours). If a member/guest requests complete erasure of their data, it is important to advise that erasure will be permanent. Notify Toastmasters International of your steps to document them, through the e-mail: firstname.lastname@example.org.
Advise the member to contact Toastmasters International or Easyspeak on their own if they would like to be deleted from Toastmasters completely.
If the member/guest requests the deletion of all photos in which they appear, you must delete all individual photos of the member/guest. You must also remove all referrals you have made on the club’s social media about the member/guest. In group photos, you should appear to common sense by telling the member that such pictures should not deleted “just because” of one person; however, if they insist, you must always consider the rights in question and try to distort the image of the member/guest in these photos, so that it cannot be recognized. We recognize that this is not an easy task but one that may be necessary when the member so insists.
Here’s a full list of the documents mentioned above.
Privacy notice for District Officers: English only.
To use these documents clubs must create an online form equivalent to the documents (privacy notices for guests, members and events). Here is a link to an example for District Officers. Adapt the documents to your club or event by editing the fields in yellow. You may also delete mentions to social media you don’t use.
I have a question! Who should I contact?