Privacy policy
We respect your privacy and are committed to protecting your personal data. This notice explains how the PSA collects, uses, shares and safeguards your information in accordance with GDPR. It also outlines your rights and how you can access them.
Find the full document below, or here for easier reading.
This GDPR Policy was updated on 3rd September 2025 and will be in effect from 19th September 2025
An overview of updates:
- The September 2025 document outlines clearly what data is held and processed regarding memberships and newsletter subscribers, and what data is not held.
- The new document specifically references those third parties used to provide membership benefits to active PSA members, and what data is required to be shared with them for this specific and explicit purpose, updated from generic language in the previous version.
- The update makes the document easier to read and provides clarity on data storage and processing.
- The update provides further details on your rights, and how to excercise them under GDPR legislation.
For queries relating to data processing, copies of any third party data sharing agreements, or to raise a complaint, please contact GM@PSA.org.uk
For full transparency, the previous version of the GDPR policy is available here, but will no-longer be current as of 19th September 2025.
GDPR Policy
1. Introduction
The Production Services Association (PSA) is committed to protecting the privacy and personal data of its members, volunteers, staff, partners, and stakeholders. This Privacy policy outlines how we collect, use, store, and safeguard personal data in compliance with General Data Protection Regulation (GDPR) as well as other applicable privacy laws.
2. Scope
This policy applies to all personal data processed by the PSA, including data collected from our partners, and any other members of the association. It also applies to data shared with third parties such as our website provider, document storage and email providers, project management software provider, survey software and AI notetakers for minuting meetings.
3. Data We Collect
We collect and process personal data from the following groups:
Members:
- Names, contact details (email, phone number, address).
- Membership details, including status and records of payments made (e.g., whether membership fees have been paid, dates of payments, and amounts). We do not store sensitive financial information such as bank account details unless explicitly required and processed securely.
- Basic insurance information for members receiving membership through supporting partners.
- Survey responses submitted via tools like SurveyMonkey.
- Attendance and participation records for events such as the AGM.
Staff and Volunteers:
- Names, contact details, emergency contact information.
- Employment or volunteer agreements, including role descriptions and contractual details
- Bank account details for payroll (for staff) or expense reimbursements, stored securely and only accessible by authorised personnel.
- Records related to remuneration and bonuses (staff), performance, training, and development.
- Health information, where necessary, to meet legal or health and safety obligations.
- Attendance and participation records for meetings.
Other Data Subjects:
• Event participants or partners: registration details, dietary preferences, and
accessibility requirements.
• Service providers and contractors: contact details and payment information.
Sensitive Data:
Where applicable, we may collect special category data, such as health information or
data related to diversity and inclusion. This is only processed with explicit consent or to
meet legal obligations.
4. Purpose of Data Processing
We collect personal data for the following purposes:
• To manage membership records and facilitate communication with members.
• To organise and administer events, including the Annual General Meeting (AGM).
• To gather feedback and opinions via surveys, ensuring the PSA remains
responsive to members' needs.
• To administer and govern the PSA.
• To conduct the advocacy and outreach work of the PSA.
• To comply with legal obligations and regulatory requirements.
5. Legal Basis for Processing
We process personal data based on one or more of the following legal grounds:
• Consent: When individuals provide explicit consent (e.g., through survey
participation or event registration).
• Contractual Necessity: To fulfil our obligations to members as part of their
membership and to our staff and volunteers as part of their agreements with us.
Page 2 of 6• Legitimate Interests: To run the association effectively, provided it does not
infringe on data subjects’ rights. Where meetings are being recorded either by
conventional means or to support AI generated minutes attendees are informed
of this processing before meetings, and any objections will be considered on a
case-by-case basis.
• Legal Compliance: To adhere to applicable laws and regulations.
6. Data Sharing
We may share personal data with trusted third-party service data controllers such as
Quest Business Services, Parliament Hill and Precision Insurance Brokers to provide
membership benefits and Mondiale Publishing to receive business services. All third-
party controllers are required to comply with GDPR and Data Sharing Agreements
(DSAs) are in place.
All third-party processors are required to comply with GDPR and provide sufficient
guarantees of data protection. A complete list of third-party processors and the
appropriate data processing agreements (DPAs) can be provided on request.
7. Data Retention
Personal data will be retained only for as long as necessary to fulfil the purposes
outlined in this policy.
Meeting recordings (audio and video) and transcripts, including those used for the
purposes of AI generated minutes will be deleted following review and approval of the
minutes by the attendees. For the AGM provisional approval of the minutes by the
Council will be considered sufficient to delete the recordings. The maximum time such
recordings will be stored is two weeks.
Membership and volunteer records will typically be retained for the duration of
membership / volunteering and up to six years thereafter for legal and administrative
purposes, such as to meet financial regulations.
Employee records will typically be retained for the duration of employment and as long
as required for legal and administrative purposes, including:
• Employment contracts, personnel, pensions and benefits, redundancy
payments, dismissal/disciplinary/grievance, pensions and benefits records will
be retained for six years
• Payroll and tax records and accident records will be retained for three years
• Right to Work checks will be retained for 2 years
8. Data Subject Rights
Page 3 of 6Under GDPR, all individuals whose personal data is processed by the Production
Services Association - including members, staff, and volunteers - have the following
rights:
i. Right to Access:
To request a copy of the personal data held about them.
ii. Right to Rectification:
To request correction of inaccurate or incomplete personal data.
iii. Right to Erasure ("Right to Be Forgotten"):
To request the deletion of their personal data in certain circumstances, such as when
the data is no longer necessary for the purposes for which it was collected.
This does not apply where data must be retained to comply with legal obligations (e.g.,
financial records or legal claims).
iv. Right to Restrict Processing:
To limit the processing of their data in specific situations, such as when disputing its
accuracy or legality.
v. Right to Data Portability:
To request their data in a structured, commonly used, and machine-readable format for
transfer to another organisation (e.g., from electronic payroll systems)
vi. Right to Object:
To object to the processing of their personal data based on legitimate interests, such as
inclusion in public-facing marketing materials.
vii. Right Not to Be Subject to Automated Decision-Making:
To not be subject to decisions made solely by automated means that significantly affect
them. (e.g., automated performance reviews)
viii. Right to Be Informed:
Page 4 of 6To receive clear and transparent information (e.g., through this policy and the PSA
Privacy Notice) about how their data will be processed, including its purposes, legal
basis, and retention periods.
ix. Right to Withdraw Consent:
If processing is based on consent (e.g., inclusion in surveys or promotional materials),
individuals have the right to withdraw their consent at any time. Withdrawal does not
affect the legality of data processing that occurred before consent was withdrawn.
x. Right to Complain:
To lodge a complaint with the Information Commissioner’s Office (ICO) or another
relevant supervisory authority if they believe their rights have been infringed.
Contact details for the ICO are:
Website: ICO Website
Telephone: 0303 123 1113
9. Data Security
We take appropriate technical and organisational measures to secure personal data,
including:
• Encryption and secure storage of electronic data.
• Regular data protection training for staff and volunteers.
• Restricted access to personal data based on role necessity.
10. Breach Notification
In the event of a data breach, we will:
• Notify affected members without undue delay if their data is at risk.
• Report the breach to the Information Commissioner's Office (ICO) within 72
hours if required.
• Report the breach to any third-party data processor in accordance with our Data
Sharing Agreement.
11. Policy Review
This GDPR policy will be reviewed annually or as required to reflect changes in
regulation or the PSA’s operations.
12. Contact Information
Page 5 of 6For questions or concerns about this policy, please contact:
The General Manager
Production Services Association
Waterloo Place, Watson Square, Stockport, England, SK1 3AZ
gm@psa.org.uk
0333 777 5544
This GDPR policy was written in December 2024 and approved by Tom Rees co-chair on
4th December 2024
A further review took place 2nd September 2025 to include Parliament Hill in section 6.
Page 6 of 6
