The British Flower and Vibrational Essences Association (BFVEA)

Data Protection Policy

The BFVEA’s Data Protection Policy ensures that its handling of personal data complies with the requirements of the Data Protection Act 1998 and General Data Protection Regulation (2018).

Scope

The Policy applies to all Personal Data collected, processed and stored by BFVEA in manual and automated form. This includes the data of:

  • Registered members of BFVEA
  • Persons in the process of applying for membership
  • Subscribers of publications
  • Attendees of the annual Gathering conference

The Data Protection Principles

The BFVEA Data Controller is registered with the ICO and ensures that all data shall be obtained and processed fairly and lawfully.

To do this the data subject will, at the time the data is being collected, be made aware of:

  • How to contact the Data Controller – datacontroller@bfvea.com
  • The purpose(s) for which the data is being collected
  • The person(s) to whom the data may be disclosed by the Data Controller
  • Where possible, the informed consent of the data subject will be sought before their data is processed.
  • Personal data received as a result of a postal application or completing an on-line application form for Practitioner Membership will be kept confidentially.
  • Where it is not possible to seek consent, the Data Controller will ensure that collection of the data is justified under one of the other lawful processing conditions – legal obligation, contractual necessity, etc.
  • Processing of personal data will be carried out only as part of BFVEA’s lawful activities, and BFVEA will safeguard the rights and freedoms of the data subject at all times.

Any other information that is considered necessary by the BFVEA will be fairly processed by the Data Controller in the following way:

The data subject’s data will …

1. … not be disclosed to a third party except:

a. where a list of names and addresses is sent each quarter to enable the despatch of ESSENCE magazine by its printers. The list (held electronically) is password protected and destroyed by the printer after use.

b. where a list of names and food requirements is supplied to the Gathering venue.

c. when using Mailchimp to send publications and communications to Members.

2. … be obtained only for one or more clearly specified, legitimate purposes. A data subject will have the right to question the purpose(s) for holding their data.

3. … not be further processed in a manner incompatible with the specified purpose(s).

4. … be kept safe and secure. Appropriate security measures will be taken to protect against unauthorised access to, or alteration, destruction or disclosure of any personal data held by the Data Controller. Access to and management of data subject records will be limited to those who have appropriate authorisation and password access.

5. … be kept accurate, complete and up to date. The Data Controller will:

  • ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy.

6. … be adequate, relevant and not excessive in relation to the purpose(s) for which the data were collected and processed. Data which are not relevant to such processing will not be acquired or maintained.

7. … not be kept for longer than is necessary to satisfy the specified purpose(s). The Data Controller keeps personal data for a time deemed reasonable and necessary. Once the period has elapsed, the Data Controller undertakes to destroy, erase or otherwise put this data beyond use.

8. … be managed and stored in such a manner that, should a data subject submit a valid Subject Access Request it can be readily retrieved and provided to them in an efficient manner within the legal timelines, one month as per GDPR.

Data Subject Requests. Any formal, written request by a data subject for a copy of their personal data.

Rectification Requests. Any formal, written request by a data subject for the update of their personal data to rectify incorrect or out-of-date information will be carried out within one month.

Erasure Requests. Any formal, written request by a data subject for the erasure or ‘right to be forgotten’ of their personal data will be carried out within one month.

Data Breach Reporting. All data breach incidents (loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar incident) will be reported to the Office of the Data Protection Commissioner within 72 hours. Where devices or equipment containing personal or sensitive personal data are lost or stolen, the Data Protection Commissioner is notified only where the data on such devices is not encrypted. The affected data subjects will also be informed.

Data Breach Logging. A summary of all data breaches will be recorded in an incident log as required by the Office of the Data Protection Commissioner. The record will include a brief description of the nature of the incident and, if appropriate, an explanation of why the Office of the Data Protection Commissioner was not informed. Such records will be provided to the Office of the Data Protection Commissioner upon request.

Definitions. For the avoidance of doubt, and for consistency in terminology, the following definitions will apply within this Policy.

Data.

This includes both automated data (held on computer or stored with the intention that it is processed on computer) and manual data, processed as part of a relevant filing system.

Personal Data

Information which relates to a living individual, who can be identified either directly from that data, or indirectly in conjunction with other data which is likely to come into the legitimate possession of the Data Controller.

Data Controller

A person or entity who, either alone or with others, controls the content and use of Personal Data by determining the purposes and means by which it is processed.

Data Subject

A living individual to whom the Personal Data relates directly or indirectly.

Data Processor

A person or entity who processes personal data on behalf of a Data Controller on the basis of a formal, written contract.

Relevant Filing System

Any set of information in relation to living individuals which is not processed by means of computers, and that is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a manner that it is readily retrievable.

Use of cookies

A cookie is a simple text file stored on your computer or mobile device by a website’s server. The BFVEA website does not collect personalised statistics about how people use the site.

Users 16 and under

Persons aged 16 or under need a parent’s or guardian’s permission before providing personal information to the BFVEA website.

Data Protection Contacts

If you have an enquiry or concern regarding the processing of personal data, please contact:

The BFVEA Secretary, BM BFVEA, London, WC1N 3XX or email: secretary@bfvea.com