Overeaters Anonymous Virtual Region 

Privacy Policy and Notice for Service Volunteers

Overeaters Anonymous Virtual Region upholds our 12^th Tradition of anonymity and is committed to protecting the privacy of everyone who shares their personal information with us.

1. GOVERNING LAW AND JURISDICTION

The OA Virtual Region is incorporated as a not-for-profit entity under the laws of the State of New Mexico, the United States of America.

This Policy and all other policies of the Virtual Region, and any dispute or claim arising out of or in connection with this and other Virtual Region policies or their subject matter, shall be governed by and construed exclusively in accordance with the laws of the State of New Mexico, United States of America.

The Virtual Region, all Board members (who act as directors of the Virtual Region) and any other persons designated by the Board in terms of the Bylaws of the Virtual Region to undertake various service for the Virtual Region, and you by affixing your signature at the end of this document, agree that the courts of New Mexico, United States of America, shall have exclusive jurisdiction to adjudicate on and/or settle any dispute or claim arising out of or in connection with this and other Virtual Region policies, or their subject matter.

2. SCOPE OF THIS POLICY AND NOTICE

The Virtual Region is committed to respecting the privacy of individuals whose personal data is collected, processed and shared. This Policy and Notice describes how this commitment is to be met by the Virtual Region and by fellows giving service to the Virtual Region.

It provides information on how your personal data and the personal data of others is to be collected, processed and shared on behalf of the Virtual Region or in connection with the Virtual Region.

It sets out your responsibilities in collecting, processing and sharing the personal data of other service fellows and of any other person whilst you give service for the Virtual Region.

The term “Virtual Region Events” in this document means, amongst others, Virtual Region Assemblies, Virtual Region Conventions, Virtual Region workshops, Virtual Region marathons, Virtual Region retreats, Virtual Region meetings and other Virtual Region special events.

This Policy and Notice addresses your rights and responsibilities to protect the personal data of others that is collected and shared while giving any form of service for the Virtual Region including as Virtual Region representative; Virtual Region committee member, officer or chair; Virtual Region board member, officer or chair; Virtual Region Zoom host, co-host, moderator or dash board operator; Virtual Region Welcome Center service fellow; Virtual Region speaker; Virtual Region sponsor coordinator; Virtual Region website service fellow; Virtual Region Newsletter Service Fellow, Virtual Region Eblast and Virtual Region Event service fellow.

Registers of personal data will be kept of attendances at Virtual Region Events, and stored safely by the Virtual Region service bodies hosting these Virtual Region Events.

3. GENERAL PRINCIPLES

The Virtual Region takes responsibility for the personal data that it collects, processes, shares and manages. Privacy will be protected, and personal data not disclosed, unless with explicit consent, or where this is to an authorized data processor or third party service provider of the Virtual Region (such as, amongst others, Zoom, the Eventbrite event platform or our website hosts) or where this is required by law. The Virtual Region will only use personal data for the OA purpose for which it was disclosed, and will securely delete or destroy it once it is no longer required.

The Virtual Region will not use your personal data for any purposes other than for OA related purposes, and will not sell your personal data to any third party.

OA members giving service to the Virtual Region are requested to provide their contact details to the Virtual Region so that they can be contacted in order to fulfill their service role. This personal data of yours (these contact details) will be held on Dropbox or on another secure cloud storage service and for the period of time stated in Table in Paragraph 10 below (at the end of this document).

Virtual Region communication platforms include the Virtual Region websites, Zoom, Facebook, Instagram, WhatsApp, Google Workspace, Signal, chatbot and other platforms we may use now or in the future. In the course of giving service to the Virtual Region it may become necessary for others to provide and share your personal data to a person who is listed in one of the categories below and/or for you to collect and share the personal data of a person who is listed in one of the categories below:

1. service fellows including amongst others: committee members, interpreters, speakers, moderators, hosts, co-hosts, meeting leaders,
2. fellows who submit articles, stories, podcasts, video or other forms of media to the Virtual Region for Virtual Region Events, newsletters, blogs, and other outreach materials,
3. fellows who speak, facilitate, train or share at events including but not limited to workshops, meetings, marathons, conventions, assemblies and special events,
4. OA members who are seeking sponsorship information or fellowship, or who are willing to sponsor,
5. OA newcomers,
6. OA returnees,
7. concerned family members of an individual,
8. concerned friends of an individual,
9. college students seeking information,
10. medical or mental health professionals such as doctors, nutritionists, social workers, psychologists, or nurses,
11. members of the clergy,
12. members of the public seeking information on OA.

 

4. THE COLLECTION AND PROCESSING OF PERSONAL DATA

The personal data that a service fellow may collect and use to further the purpose of the Virtual Region includes amongst others the name of a person, their contact details such as mobile number and email address, the name of the city in which they reside; and their length of abstinence, their meeting, group, intergroup and/or national service body affiliation and their service position, where applicable.

The General Data Protection Regulation (GDPR) requires that any collection and use of or sharing of the personal data of other persons (who are listed in the eleven categories under Section 3 above), and who are subject to the European Union General Data Protection Regulation (EU GDPR), may be done only to the extent of fulfilling the purpose for which it was collected.

Concerning your own personal data, your consent is requested to provide this data in the personal data Box at the end of this Policy and Notice document, for sharing with those persons listed in the eleven categories under Section 3 above.

By your consent, you agree to other OA service fellows – during the course of their OA service – sharing your personal data as provided by you, with any person listed in the eleven categories under Section 3 above, subject to the sharing of your personal data being done on a needs-only basis.

The legal basis – for collecting and/or processing your personal data and for collecting and/or processing the personal data of others – is the legitimate interest in reaching out and providing information about the OA fellowship and the OA program in accordance with the OA 12 Traditions.

No personal data is to be shared with anyone outside of the scope of this Privacy Notice unless required by law.

All personal data is to be kept securely and confidentially for the period specified in Table A below, after which time it is deleted or destroyed using secure methods, unless otherwise extended by you as the data subject.

In collecting and/or using the personal data of persons listed in the eleven categories under Section 3 above, you undertake:

1. to do so only for the purpose of fulfilling the service role for which you have volunteered;
2. to take all steps to keep the personal data to which you have access secure and safe;
3. to direct all inquiries from the press, radio, TV and social media outside of OA, as well as inquiries from government agencies, medical societies, and any outside organizations to the Virtual Region Board Chair;
4. to review and abide by any and all policies and procedures for data protection and privacy that apply to your service position; and
5. to attend any orientation and training as required by the Virtual Region.

5. INFORMATION SECURITY

The Virtual Region makes use of IT tools and chat programs (e.g. email, cloud-hosted storage), which means that personal data may be processed by third parties (e.g. Google, Eventbrite, Zoom, Signal, WhatsApp, DropBox, Hello Sign, DocuSign, Microsoft 365, Mail Chimp, Constant Contact, AOL and Yahoo and others), but this is on the basis that GDPR-compliant data processing or similar agreements are in place by such third parties that protect the privacy of the personal data that is in the possession of such third parties.

6. YOUR RIGHTS AS A DATA SUBJECT

The Virtual Region takes reasonable efforts to comply with the GDPR, which is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.

In terms of the GDPR, you as a data subject (whose data is being collected and processed), have several rights:

1. The right to know what data has been collected about you by the Virtual Region and its service fellows, and how such data has been processed,
2. The right to request that changes be made to inaccurate data,
3. The right to withdraw consent to data processing,
4. The right to ask for data to be deleted,
5. The right to object to data processing, or for it to be restricted,
6. The right to request that your data be updated, or deleted, or processing restricted in any way,
7. The right to lodge a complaint to the relevant Data Protection Regulator for your country of residence, such as, for illustrative purposes, the Information Commissioners Office of the United Kingdom.

You also have the right to request and be given the following information:

1. The reason why your personal data is held,
2. The source of your personal data (if not directly from you yourself) that is held,
3. Whether your personal data has been disclosed to anyone else, and if so, to whom,
4. For how long it will be stored,
5. Whether any automated decision-making was used to process the personal data, and
6. Whether your personal data has been shared outside the EU and if so the mechanisms in place to protect your data.

These requests are called ‘Subject Access Requests.

Process for subject access requests

If you wish to exercise any of the abovementioned rights, you are requested to send a Subject Access Request to the Chair of Virtual Region or to the Virtual Region Board member who is designated as the person responsible for the protection of privacy and of personal data, at chair@oavirtualregion.org

The information should be provided to you within 30 days, without charge.

The Virtual Region Board Chair or designated Virtual Region Board member where applicable, will always verify the identity of anyone making a Subject Access Request before handing over any information.

The Chair of the Virtual Region or the designated Virtual Region Board member where applicable, will record this and all other SARs in one secure location in the Virtual Region Folder.

In making a Subject Access Request you will be contacted to have your identity confirmed, if necessary, by a telephone conversation, or by being asked to supply written evidence of your identity.

The Virtual Region Board Chair or designated Virtual Region Board member, where applicable, will collaborate with the Virtual Region Board members as necessary to identify all information which is held concerning you as a data subject.

All material is to be reviewed by the Virtual Region Board Chair or designated Virtual Region Board member, where applicable, and an assessment made of whether the information can be immediately disclosed, or whether disclosure may adversely affect the rights and freedoms of another individual. Information about a third party is not to be disclosed, and this can be edited out of and redacted from any documents.

Nothing is to be disclosed to you that might prejudice a legal investigation, or where disclosure would breach some other legal duty. Specialist advice is to be sought by the Virtual Region Board if there is any concern about whether disclosure should not be made.

The general rule is that material is to be disclosed to the data subject within 30 days of the request being made, although if it will take longer to prepare the disclosure then you as the data subject may be contacted within 30 days, and informed of the delay and likely timescale for disclosure. Disclosure is to be made within 90 days of your Subject Access Request.

If no personal data is held about you as a data subject then you are to be informed of this.

If personal data is held but no disclosure is made to you as the data subject, then you are to be informed of the reasons for non-disclosure and that no action will be taken by the Virtual Region on your request, and that you have the right to complain to the relevant Data Protection Regulator for your country of residence such as, for example and for illustrative purposes, the Information Commissioners Office of United Kingdom.

If your contact details change during the period of time stated in Table A below (the period of time allowed for the holding of your details), you are requested to notify the Chair of the Virtual Region or, to the Virtual Region Board member designated as the person responsible for the protection of privacy and of personal data, so that your records can be updated.

7. INTERNATIONAL TRANSFER OF PERSONAL INFORMATION (CONSENT TO SHARE OUTSIDE EU)

The Virtual Region covers all geographical areas, extending beyond the USA, the EU, the European Economic Area (“EEA”) and the United Kingdom to include all countries and territories. Some countries and territories may have data protection policies akin to the GDPR and others may not. In these latter circumstances the GDPR requires specific consent to be obtained from data subjects in order to permit their personal data to be processed outside of the EU. Such consent will be sought.

It is likely that your personal data may be transferred outside of the European Economic Area (“EEA”) and of the United Kingdom. It is necessary to tell you this because countries outside of the EEA and the United Kingdom do not always offer the same levels of protection to personal data.

If you are an EEA or a UK resident:

European law and UK law prohibit the transfer of your personal data outside of the EEA and of the UK unless the transfer meets the following lawful criteria:

1. The country to which your data is being transferred has been approved by the EU as having an adequate standard of data protection;
2. The third-party data processor, which is being made use of to store or process information outside the EEA (e.g. Google processes information in the US), provides EU-approved safeguards for the security of data, e.g. the processing contract incorporates EU-approved Standard Contractual Clauses;
3. You have explicitly consented to the transfer of your information, and you have been warned of the possible risks of the transfer.

Important note about transfers outside the EEA and the United Kingdom under (c) above (consent):

As stated above, your personal data may be shared with other OA service fellows and with any person listed in the eleven categories under Section 3 above. This list includes persons who are OA members and also persons who are not OA members.

Due to the global scope of the Virtual Region, there are individuals who reside in areas outside of the EEA and of the United Kingdom. In carrying out their service to the Virtual Region, service fellows will need to communicate via email and other modes including Google, Zoom, Signal, WhatsApp, DropBox, Hello Sign, DocuSign, Microsoft 365, Mail Chimp, Constant Contact, AOL and Yahoo and others.

If a Virtual Region service fellow who resides outside of the EEA and of the United Kingdom receives a communication containing the personal data of any person, or if a Virtual Region service fellow makes use of a shared folder to access the personal data of a person residing outside of the EEA or of the United Kingdom, then that Virtual Region service fellow will be transferring (processing) personal data outside of the EEA and of the United Kingdom.

The EU or the United Kingdom may have made a finding for the non-EEA country in question that there are adequate or inadequate data protection standards in place in that country.

This Privacy Policy and Notice therefore addresses the possibility that personal data is likely to be accessed and shared with a person who is resident outside of the EEA and of the United Kingdom, in a country where the EU has not made a finding of adequacy. If you are a resident of the EEA or of the United Kingdom, your consent is therefore requested for your personal data to be accessed from outside of the EEA or the United Kingdom.  At the bottom of this form you will be asked to give your consent.

8. PRIVACY POLICY BREACH

In the event that you make any mistake with regard to your use of another person’s personal data or in the event there is any breach of the security and safety of this personal data, then it is incumbent on you, within 24 hours of this mistake or breach, to notify the Virtual Region Board Chair or the Virtual Region Board member who is designated as the person responsible for the protection of privacy and of personal data at chair@oavirtualregion.org.

Examples of a breach are – if your email has been hacked, your phone or computer has been stolen or lost, or you have mistakenly shared personal data with someone who was not the intended recipient.

9. ARCHIVING AND RETENTION

OA fellows giving service to the Virtual Region are responsible for managing their own Dropbox Folder or other secure cloud storage and email accounts. Virtual Region Committee and Subcommittee Chairs are responsible for their group’s email addresses.

Personal data is to be stored by the Virtual Region only for the minimum period necessary, consistent with the purpose for which it was processed.

In accordance with this document, I as a service fellow for the Virtual Region undertake and agree that once my service is complete, and – where necessary –  after uploading all personal data that I have collected and/or used to the Virtual Region central data repository that is designated for my service and after submitting a report to the Virtual Region as to the use of personal data, when required to do so, that I will delete all personal data that I have collected and used and shared; subject to the provision that where there is a separate private agreement between me and a data subject for me to retain their personal data, and to the extent of this separate and private agreement, it shall be permissible for me to retain their personal data.

The Virtual Region itself may retain personal data until the retention period has elapsed, as detailed in the Table below. It is the responsibility of the person managing the personal data on the Virtual Region Dropbox to take reasonable efforts to delete it.

10. RELEASE OF RIGHTS TO ANY AUDIO RECORDING OF YOUR VOICE

In the event of any audio recording/s being made of your voice during the service that you give to Virtual Region, you release such recording to the Virtual Region and unconditionally grant and assign to it and its assigns all rights in perpetuity including all rights of use, with no royalties or compensation being owing or payable to you for the publication and distribution of the audio recording onto the Virtual Region website and/or in other appropriate OA forums, collections, podcasts and digital media applications, as solely determined by the Virtual Region. You agree that any use of the audio recording of your voice by OA for a fee will be done solely to help the Virtual Region be self-supporting in its purpose of carrying the message to compulsive overeaters who still suffer.

Table A

Description of data	Period to keep
Contact details for OA fellows giving service at Virtual Region	30 months
Register of Virtual Region Events attendance	30 months after attending Virtual Region Event
Emails	30 months after email received or sent
Financial records (including emails)	7 years after end of financial year to which they relate
Events agenda packs	7 years after event, to enable follow up and accountability, including financial accountability
Dropbox folder contents Google drive document, forms and folders	Officer access to Dropbox deleted by Dropbox Admin once handover period finished Contents of folders deleted in accordance with this table Google drive, document forms and fold to be delete by Drive Admin once h anover period is finished.
Newsletter subscribers	While consent is in place
Audio Recordings	Unlimited as per paragraph 10 above

Should you have any questions, you are free to contact us at email chair@oavirtualregion.org.

11. WHAT TO DO WHEN YOU LEAVE A SERVICE POSITION

The Virtual Region requires all service volunteers to be mindful of protecting personal data and anonymity of all our members. This applies while and after you do service.

For you as a service fellow, OA Virtual Region has additional guidelines and helpful suggestions for the use, storage and deletion of personal data. The document “Service Volunteer Data Privacy Checklist” will assist you while you are serving, when you rotate to a new service position, or when you leave a service position.

Version 6 September 2023

Any questions about this policy or any queries concerning data protection matters should be raised with the Chair of Virtual Region at chair@oavirtualregion.org.