On 25th May 2018 the EU’s General Data Protection Regulation (“GDPR”) will come into force. The Government currently has a Bill before Parliament, the Data Protection Bill 2017, which imports the provisions of the GDPR into UK law, with some variations to suit UK practices and requirements, and which will continue in force after Brexit. All organisations however small are bound by the GDPR and the Bill (when it becomes an Act) and so NWWRA must follow the specified data protection rules.

Who are we?

North West Wimbledon Residents’ Association. Our contact details are at the end of this notice. We are the ‘data controller’ for the purposes of GDPR. This means that we decide how your Personal Data is processed and for what purposes.

What is your Personal Data?

Personal Data is data that relates to a living individual who can be identified from that data. We might be able to identify you from the data itself or by linking that data to other information we have access to. GDPR tells us how we must process your Personal Data. We collect:

  • Names
  • Addresses
  • Email Addresses
  • Telephone numbers
  • A record of annual membership subscription paid
  • A record of emails sent to you from NWWRA

What is the legal basis for processing your Personal Data?

NWWRA is a Residents’ Association of members. The data we process is collected from individual members of NWWRA, either through registration on or through a NWWRA road representative. Data is processed on the basis of legitimate interest as a residents’ association.

How do we process your Personal Data?

We comply with our obligations under GDPR in the following ways:

  • By keeping Personal data up to date,
  • By storing and destroying it securely,
  • By not collecting or retaining unnecessary or excessive amounts of data,
  • By protecting Personal Data from loss, misuse, unauthorised access and disclosure and
  • By ensuring that appropriate technical measures are in place to protect Personal Data

How do we use your Personal Data?

  • To manage your membership information and process annual subscriptions for NWWRA
  • To inform you of news, events, activities or services which we think you might like to hear
  • To share your Personal Data with NWWRA road representatives to enable them to collect annual subscriptions and update data for the purposes of delivering the service we provide
  • To carry out the legitimate purposes expected of a residents’ association

Do we share Personal Data with anyone?

Personal Data will be treated as strictly confidential and will be shared only with organisations whose services are required in order to go about the legitimate activities of NWWRA. We will only share your Personal Data with other third parties with your consent. These third parties, in turn may rely on data processors to provide services that help them help us. Some third parties we use may operate outside the EEA. In these cases, we will make sure that we have robust contracts in place with those third parties and that adequate safeguards exist to protect and secure your Personal Data. When you give your consent to our holding of your Personal data you agree to us sharing your Personal Data with third party processors and sub-processors located both inside and outside the EEA.

Where your personal data may be processed is the data processor. Information is stored securely on dedicated servers housed in a purpose built data centre. SSL is used to protect the information when transferring data between the server and NWWRA or members.
Data is protected through a unique username and password, which have been authenticated and encrypted for maximum security. No financial information (bank details, credit card information etc) is held by, this is held by the payment facilitators (Paypal and GoCardless).

How long will we keep your Personal Data?

As long as a resident is a member of NWWRA we shall retain their Personal Data. If a resident leaves the area, we will keep their information for no longer than we reasonably need. Usually this will be for a period of no more than a month.

What are your rights over your Personal Data? Members have a right

  • To request a copy of the Personal Data which we hold, without any charge
  • To request that we correct any Personal Data found to be inaccurate or out of date
  • To request that your Personal Data is erased when it is no longer necessary for us to keep it
  • To withdraw your consent to the processing we carry out at any time
  • To ask us to restrict further processing
  • To object to the processing of Personal Data
  • To update your personal data yourself on, or to have it removed through contacting the membership secretary


We use the hCaptcha anti-bot service (hereinafter “hCaptcha“) on our website. This service is provided by Intuition Machines, Inc., a Delaware US Corporation (“IMI”). hCaptcha is used to check whether the data entered on our website on a contact form has been entered by a human or by an automated program. To do this, hCaptcha analyzes the behavior of the website visitor based on various characteristics. This analysis starts automatically as soon as the website visitor enters the part of the website with hCaptcha enabled. For the analysis, hCaptcha evaluates various information e.g. IP address, how long the visitor has been on the website or mouse movements made by the user. The data collected during the analysis will be forwarded to IMI.  Website visitors are not advised that such an analysis is taking place if the user is not shown a challenge. Data processing is based on Art. 6(1)(f) of the GDPR (DSGVO): the website operator has a legitimate interest in protecting its site from abusive automated crawling and spam. IMI acts as a “data processor” acting on behalf of its customers as defined under the GDPR. For more information about hCaptcha and IMI’s privacy policy and terms of use, please visit the following links: and

Contact Details

If you have a problem, complaint or if there is something you don’t understand, please contact us through this page.

Should a breach of your privacy occur, you should notify the UK regulator at the Information Commissioner’s Office within 72 hours. At