Effective Date: July 22, 2020
The Minnesota Streetcar Museum is committed to protecting your privacy. There are various ways that you might interact with MSM, and the information you provide when doing so allows us to improve our museum and serve members and volunteers. We may collect, use and store your personal data, as described in this Policy and as described when we collect data from you.
1. Key Definitions
On this page, and the pages which it links to, we have used some words and phrases, and these are explained below.
The EU General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018 (which supplements the GDPR) came into force on 25 May 2018. We refer to these as “data protection law”.
“Personal data” means any information which relates to a living, identifiable person. It can include names, addresses, telephone numbers, email addresses etc. but it is wider than that and includes any other information relating to that person or a combination of information which, if put together, means that the person can be identified.
“Special category data” means personal data about a person’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.
“Processing” covers all activities relating to the use of personal data by an organization, from its collection through to its storage and disposal and everything in between.
“Data subject” means the person whose personal data is being processed.
“Data controller” means the organization which is responsible for processing data and ensuring that personal data is processed in accordance with data protection law.
2. Our Policy
MSM complies with the principles of data protection law, the six overall guiding principles are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
3. How We Collect Your Personal Information
Different personal data is collected in different ways.
a) Personal data you provide to us
You will provide MSM with personal data when you correspond with MSM, either on your own behalf or on behalf of an organisation. You will also provide us with personal data when you subscribe to receive our communications. If you choose to join MSM as a member you will also voluntarily provide personal data.
b) Personal data we collect automatically
Cookies are small text files that are stored automatically on your computer by websites which allow things such as avoiding the need to log in as frequently, which saves time, and create a customized website that fits your needs.
The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.
This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
4. How We Use Your Personal Information
As a data controller, we will only use your personal information if we have a legal basis for doing so. The purpose for which we use and process your information and the legal basis on which we carry out each type of processing is explained below.
- To provide you with information and materials that you request from us.
- It is in our legitimate interests to respond to your queries and provide any information and materials requested in order to provide customer service.
- To personalize our services and products and the Sites to you.
- It is in our legitimate interests to improve the Site in order to enhance your experience on our Site, to facilitate system administration and better our services. We consider this use to be proportionate and will not be prejudicial or detrimental to you.
- To update you on services and products and benefits we offer.
- It is in our legitimate interests to market our services and products. We consider this use to be proportionate and will not be prejudicial or detrimental to you. For direct marketing sent by email to new contacts (i.e. individuals who we have not previously engaged with), we need your consent to send you unsolicited direct marketing.
- To send you information regarding changes to our policies, other terms and conditions and other administrative information.
- It is in our legitimate interests to ensure that any changes to our policies and other terms are communicated to you. We consider this use to be necessary for our legitimate interests and will not be prejudicial or detrimental to you.
- To administer our Sites including troubleshooting, data analysis, testing, research, statistical and survey purposes; To improve our Sites to ensure that consent is presented in the most effective manner for you and your computer, mobile device or other item of hardware through which you access the Sites; and to keep our Sites safe and secure.
- For all these categories, it is in our legitimate interests to continually monitor and improve our services and your experience of the Sites and to ensure network security. We consider this use to be necessary for our legitimate interests and will not be prejudicial or detrimental to you.
- To measure or understand the effectiveness of any marketing we provide to you and others, and to deliver relevant marketing to you.
- It is in our legitimate interests to continually improve our offering and to develop our museum. We consider this use to be necessary in order to effectively generate interest and will not be prejudicial or detrimental to you.
- To enforce the terms and conditions and any contracts entered into with you.
- It is in our legitimate interests to enforce our terms and conditions of service. We consider this use to be necessary for our legitimate interests and proportionate.
- To enable us to contact others in the event of an emergency (we will assume that you have checked with individuals before you supply their contact details to us).
- This is required for protecting the vital interests of you, your dependents, and of others involved in an emergency situation.
- To deliver membership benefits to you.
- This is required for performing our contract with you as a member. This includes postal and electronic communications for members including newsletters and history publications.
We usually process your special category data with your explicit consent. In other cases, we do so because we consider it necessary:
- Very occasionally, for the establishment, exercise or defense of legal claims.
- In emergency situations
- For statistical purposes (but not to take decisions about you).
If you do not wish to provide us with your personal data and processing such data is necessary for the performance of a contract with you and to fulfill our contractual obligations to you, we may not be able to perform our obligations under the contract between us. Where you provide consent, you can withdraw your consent at any time and free of charge, but without affecting the lawfulness of processing based on consent before its withdrawal. You can update your details or change your privacy preferences by contacting us by postal mail.
5. Data Retention: How Long We Keep Your Personal Data
a) Information about customers
We will retain personal information which we process on behalf of our customers for as long as needed to provide services and products to our customers and in accordance with any agreement in place with our customers. When you contact us, we may keep a record of your communication to help solve any issues that you might be facing. Your information may be retained for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirement.
b) Information about members
We will retain personal data about a member for as long as they are a member of MSM and for as long afterwards as is necessary for our permanent museum archives, to answer questions about your membership, and to allow future re-instatement of a lapsed membership.
6. Sharing of Your Data
We do not sell your personal data. We will not share your personal data with any third parties without your prior consent (which you are free to withhold) except where we are required to do so by law or as detailed in section four above or as explained in the remainder of this section.
We may pass your personal data to third parties who are service providers, agents and subcontractors to us for the purposes of completing tasks and providing services to you on our behalf, e.g. to print historic publications and send you mailings on our behalf. However, we disclose only the personal data that is necessary for the third party to deliver the service and we require them to keep your information secure and not to use it for their own purposes.
The types of third parties we may share elements of your personal data with include:
- Payment processors engaged by us to securely store or handle payments information, such as credit or debit card details.
- Providers of email management and distribution tools – for example, if you sign up to receive newsletters or other marketing messages we will manage the delivery of these to you using a third party email distribution tool.
- Providers of data aggregation and analytics software services that enable us to effectively monitor and optimize the delivery of our site and services. One such provider we use is Google Analytics. See the site “How Google uses data when you use our partners’ sites or apps” for specific details on Google’s data policies.
- Providers of online cloud storage services and other essential IT support services
- Museum members may be provided with a membership directory or roster of other members including names, email addresses, postal addresses, and telephone numbers.
- Museum members may be provided with a directory or roster of museum volunteers including names, email addresses, telephone numbers, certified operator status, and museum position or title.
We may also share personal data with third parties where you expressly authorize us to, such as where we run a promotion in conjunction with a partner and you instruct us to share your email address with that third party for the purpose of receiving promotional emails.
Certain information may also be collected from you by third parties such as advertisers, marketing networks and affiliates using cookies and similar technologies. For example your IP address and events relating to your activity like searches you have carried out or pages you have viewed on our site may be collected and transmitted to these third parties to allow them to serve relevant advertising to you across the web and/or provide us with site statistics and analysis allowing us to improve our site. The information that is collected in this way will never include your name, contact details or other information that would enable you to be identified in the offline world.
7. International Transfers of Your Data
8. Data Breach and Incident Management
A personal data breach is defined as the unauthorized or accidental disclosure of, access to, loss, theft or alteration, destruction or damage of personal data. Examples of personal data security breaches include, but not limited to the following:
- loss or theft of hard copy personal data;
- disclosing personal data (via letter, fax, email, text message, etc.) to the wrong recipient; or
- insecure disposal of hard copy records containing personal data in non-confidential waste bins, resulting in loss or theft of that data.
A personal data breach also includes circumstances where personal data appears to have been lost, stolen or otherwise potentially exposed, even if it is later determined that personal data was not actually exposed.
All MSM staff and volunteers must immediately report all personal data breaches of which they become aware to the MSM Corporate Secretary irrespective of the perceived severity of the breach.
9. Your Rights
Under certain circumstances, you have rights under the data privacy law including:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (known as “the right to be forgotten”)
- The right to restrict processing
- The right to data portability
- The to object or restrict how your personal data is processed
- Rights in relation to automated decision-making
For more details or to exercise any of your rights please address any questions, comments and requests regarding our data processing practices to our Data Protection Officer by postal mail at the postal address for the Minnesota Streetcar Museum.