vACDM Data Policy
Version: 1.0 - Last updated: 2023-12-19
This policy has been created using the Data Policy of ECFMP as a basis. It was modified to fit the conditions set by the vACDM Admin Team and Platform.
(1) Introduction
1.1 Purpose of this policy
This policy has been put in place to achieve:
- Compliance with the European General Data Protection Regulations (GDPR).
- Protection of our Service Users
1.2 Types of data collected
vACDM only collects a small amount of personal data which is indirectly provided to us by members via third parties.
1.2.1 Data provided to us by a third party
vACDM obtains data from VATSIM.net when a user authorises it through 'VATSIM Connect'. While a user may authorise more data to be transmitted, data stored is limited to:
- Full Name
- VATSIM ID (CID)
- VATSIM Rating (whether it is >=S1 or not)
vACDM also obtains information publicly available via the VATSIM.net API. Personal data stored is limited to VATSIM ID (CID).
1.2.2 Data collected directly by vACDM
Currently, no personal data is collected directly by vACDM.
1.3 Policy Statement
vACDM has a responsibility to:
- Comply with European Data Protection Laws.
- Follow good data protection practices.
- Respect individuals rights which includes but is not limited to:
- The right to access
- The right to rectification
- The right to object
- The right to erasure
- Provide appropriate guidance and training for members with access to personal data.
- Report any possible breaches to the relevant authorities, even if not legally required to do so.
(2) Responsibilities
2.1 vACDM Admin Team
General responsibility for ensuring data protection and compliance with regulations fall with the vACDM Admin Team.
2.2 Data Protection Officer
vACDM does not have an appointed Data Protection Officer. This is justified by the limited nature and volume of the data collected and the circumstances of data collection.
2.3 Specific Departments
The Region Admins are the only other members outside the vACDM Admin Team who have a responsibility when it comes to accessing personal data collected by vACDM.
Other members of vACDM may at times temporarily be tasked with responsibilities regarding control and storage of data.
2.4 vACDM Admin Team and Volunteers
Members of vACDM who hold any elevated access to data are required to read, understand and abide by this policy plus any established procedures set by the vACDM Admin Team.
vACDM has a zero tolerance policy regarding inappropriate access and/or use of personal data collected by vACDM. Any individual to be found in breach of this policy will have their access removed.
(3) Data Recording and Storage
3.1 Accuracy
vACDM considers all data collected across all services to be correct and accurate however, human error can lead to inaccuracies.
3.2 Updating Data
A member may request for their data to be updated by making a request to data@vacdm.net. However, for members continuing to use the system, data obtained from VATSIM.net is not under the control of vACDM and will be overwritten with the next login.
3.3 Storage of Data
All data collected by vACDM is stored via databases. Access directly to the database is limited to key members of the vACDM Admin Team.
3.4 Retention of Data
Data is stored by vACDM according to the following logic:
3.4.1 Priviledged users
Data of users that have been assigned any role will be kept indefinetly.
3.4.2 Unpriviledged users
Data of users that have not been assigned any role will be removed 180 days after the last activity within the system.
3.5 Archiving
Backups of vACDM Databases are created for maintenance purposes and to protect against inadvertent data loss. Access to backups is heavily restricted.
(4) Transparency
4.1 Commitment
vACDM is committed to ensuring all members are aware of what data is collected and why we collect such data.
- Data is collected for the purpose of facilitating vACDM functions
- Data is retained to allow evaluation of vACDM systems
- Personal data shall never be transferred without express permission of the individual.
- vACDM data without personal information may be transferred or utilised by other organisations affiliated with vACDM or VATSIM.net
4.2 Procedures
Details on how to exercise rights in relation to the data held is detailed in the relevant sections of this policy.
(5) Right of Access
5.1 Responsibility
Requests for personal data under the 'Right of Access' are the responsibility of the vACDM Admin Team. Such requests are to be compiled within one month of the request being received. If circumstances prevent this from occurring, an extension of a further two months may be instituted by vACDM, providing that the member making the request is informed of this before the expiration of the original one month deadline.
5.2 Procedure for Making a Request
Right to access requests must be sent to data@vacdm.net.
If a member at a lower level to that of the vACDM Admin Team that might reasonably be construed to be a request for access, they have the responsibility to notify the vACDM Admin Team without delay.
5.3 Provision for Verifying Data
Where the person managing the access request is unable to confirm the identity of the requester there should be a provision for checking their identity before releasing any data.
5.4 Charging
It is anticipated that simple requests will not incur a charge/fee. vACDM reserves the right to impose a fee where it should be required, for example due to volume of requests or complexity of data.
5.5 Procedure for Granting Access
All requests are to be sent to data@vacdm.net.
Personal data shall only be shared with the individual to whom it relates. Other individuals’ data will be redacted before data is passed to the requesting member.
(6) Right to Rectification
6.1 Responsibility
Accurate data is in the best interests of both the Network and the membership. The vACDM Admin Team is responsible for the management of such requests.
6.2 Procedure for Making a Request
Right to rectification requests shall be sent to data@vacdm.net.
If a member at a lower level to that of the vACDM Admin Team receives a request for rectification that might reasonably be expected to fulfil it, they have the responsibility to notify the vACDM Admin Team without delay.
6.3 Charging
There is no charge/fee associated with making a right of rectification request.
(7) Lawful Basis
7.1 Legitimate Interest
vACDM asserts that it has a legitimate interest in collecting and storing personal data outlined above. The reasons for this claim are:
- vACDM is a voluntary community promoting flight simulation, virtual air traffic control, management of busy events and members seeking to join have an obvious interest in such activities.
- The data collected is the minimum required to allow for the running of the vACDM Service.
- That the data is necessary to allow for the vACDM Admin Team to properly manage the network both in day to day operations and in circumstances where a member may act in a manner contrary to the guidelines published by vACDM.
7.2 Data for Minors
vACDM relies on VATSIM to ensure that parental consent is collected from users unable to provide their own consent (because they fall below the minimum age to do so, as defined under the GDPR or other local regulations).
vACDM acknowledges its responsibility to inform VATSIM of any member that may be below this age and that are actively participating on the network without suitable consent.
7.3 Opting Out
Notwithstanding vACDM’s claim of legitimate interest, members may object to this claim and/or request that vACDM cease processing their data. These two rights are known as the Right to Object and the Right to Restrict Processing.
Members must be aware that if they choose to exercise either of these rights, vACDM is obliged to lock their account in order to comply with their wishes and their request may be referred to VATSIM to take the appropriate action for their network account too.
7.4 Timing of Opting Out
While a notification of an objection to vACDM’s claim of legitimate interest or a request to suspend processing may be made at any time. Such claims may not be made retrospectively.
(8) Right of Erasure
8.1 Responsibility
Requests of personal data under the Right of Erasure are the responsibility of the vACDM Admin Team. Such requests are to be compiled within one month of the request. If circumstances prevent this from occurring, an extension of a further two months may be instituted by vACDM, providing that the member making the request is informed of this before the expiration of the original one month deadline.
8.2 Procedure for Making a Request
Right of erasure requests must be sent to data@vacdm.net.
8.3 Provision for Verifying Data
Where the the person managing the erasure request is unable to confirm the identity of the requester there should be a provision for checking their identity before releasing any data.
8.4 Charging
There is no charge/fee associated with making a right of erasure request.
8.5 Procedure for Granting Erasure
vACDM shall evaluate all requests for erasure. vACDM reserves the right to retain any data it believes is in its legitimate interest to do so or that is required to establish, exercise or defend any legal claim.