Virtual Region Convention of OvereatersAnonymous (VRC) upholds our 12th Tradition of anonymity, and is committed to protecting the privacy of everyone who shares their personal information with us.

The Virtual Region is organized and incorporated as a not for profit entity under the laws of the State of New Mexico, the United States of America.

This Policy and all other policies of the Virtual Region, and any dispute or claim arising out of or in connection with this and other Virtual Region policies or their subject matter, shall be governed by and construed exclusively in accordance with the laws of the State of New Mexico, UnitedStates of America.

The Virtual Region, all Board members (who act as directors of theVirtual Region) and any other persons designated by the Board in terms of theBylaws of the Virtual Region to undertake various service for the VirtualRegion, agree that the courts of New Mexico, United States of America, shall have exclusive jurisdiction to adjudicate on and/or settle any dispute or claim arising out of or in connection with this and other VR policies, or their subject matter.

The VRC will process personal data of OA memberswho attend and give service at the VR Convention. Registers will be kept of attendanceat the Convention, and contact details saved to email accounts.

The VRC is committed to respecting the privacy of individuals whose personal information are being processed, and this policy describes how this commitment will be met. It applies to OA members who deal with personal data on behalf of the VRC or in connection with the VRC.

This policy should be read in conjunctionwith the Data Protection Policy, the Information Security Policy, the Privacy Noticeto Convention Attendees, and where applicable, the Privacy Notice to ServiceFellows.

The VRC takes responsibility for the personal information we process. Privacy will be protected, and personal information not disclosed, unless with explicit consent, or where this is to an authorized data processor of the VRC (like Zoom, the Eventbrite event platform or our website hosts) or where this is required by law. We will only use personal data for the purpose which it was disclosed, and securely delete or destroy it once it is no longer required.

Different principles apply to persons attending in a personal capacity as compared with those who are attending theVRC in a service position.

OA members giving service at VRC are to supply their contact details to the VRC so that they can be contacted in order to fulfill their role within OA. These details will be held on Dropbox or on another secure cloud storage service and for the period of time stated in theTable below (at the end of this policy document).

The contact details of OA members giving service at VRC may be shared with email providers, with third party services that store information for scheduling for contact and emailing purposes, and with persons who are listed below, in the course of their giving the service for which they sign up:

If any OA member giving service at VRC would like to object to the processing of their data, or to request that the processing of their contact details be restricted, they should do so in writing to the Chair of the VRC or, where there are Co-Chairs of the VRC, to the Co-Chair designated as the person responsible for the protection of privacy and of personal data, at privacy@oavirtualconvention.org.

If the contact details of any OA member giving service at VRC changes during the period of time stated in the Table below (the period of time allowed for the holding of their details), they are to notify the Chair of the VRC or, where there are Co-Chairs of the VRC, to theCo-Chair designated as the person responsible for the protection of privacy and of personal data, at privacy@oavirtualconvention.org so that their records can be updated.

At the time of registration, a “Privacy Notice to Convention Attendees” will be provided that explains who will hold their data and how it will be processed.The period for which personal data will be retained is set out in the Table below.

Individuals are requested to register in advance of attending the Virtual Region Convention.

At the time of registration, a "Privacy Notice to Convention Attendees" will be provided that explains who will hold their data and how it will be processed. The period for which personal data will be retained is set out in the Table below.

The Virtual Region takes reasonable efforts to comply with the General Data Protection Regulation (GDPR), which is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. In terms of the GDPR, data subjects (people whose data is being processed), have several rights:

If you would like to exercise any of theserights then please contact the Chair of the VRC or where there are Co-Chairs of the VRC, pleasecontact the Co-Chair designated as the person responsible for the protection ofprivacy and of personal data, at privacy@oavirtualconvention.org.

The Virtual Region covers every geographical area, extending beyond the USA and the EU to include all countries and territories. Some countries and territories may have data protection policies akin to the GDPR and others may not. In these latter circumstances theGDPR requires specific consent to be obtained from data subjects in order to permit their personal data to be processed outside of the EU. Such consent will be sought.

Individuals have the right to access any personal data that relates to them which the VRC holds, and to be given the following information:

This is called a ‘subject access request’(SAR). Any person who wishes to exercise this right should contact the Chair ofVRC or where there are Co-Chairs of the VRC, the Co-Chair designated as the person responsible for the protection of privacy and of personal data, via email at privacy@oavirtualconvention.org.

The information should be provided within30 days, without charge. The Chair or Co-Chair, where applicable, will always verify the identity of anyone making a subject access request before handing over any information.

The individual making the request should be contacted and their identity confirmed, if necessary, by a telephone conversation, or by being asked to supply written evidence of their identity.

The VRC Chair or Co-Chair, where applicable, should collaborate with the VR Board members to identify all information which is held concerning the subject. OA does not collect a great deal of personal data, and so it is likely that the information will be limited to their inclusion on a list, register of attendance at the VRC. However, if the person has given service at the VRC then there may be more information collected, including emails from them and concerning them.

All material is to be reviewed and an assessment made of whether it can be immediately disclosed, or whether disclosure may adversely affect the rights and freedoms of another individual.Information about a third party is not to be disclosed, and this can be edited out of documents.

Nothing is to be disclosed that might prejudice a legal investigation, or where disclosure would breach some other legal duty. Specialist advice is to be sought if there is any concern about whether disclosure should not be made.

The general rule is that material is to be disclosed to the data subject within 30 days of the request being made, although if it will take longer to prepare the disclosure then the data subject should be contacted within 30 days, and informed of the delay and likely timescale for disclosure. Disclosure is to be made within 90 days of the request.

If no information is held about the datasubject then they are to be informed.

If no information is held but no disclosure is made then the data subject is to be informed that no action will be taken on their request, and that they have the right to complain to the relevant Data Protection Regulator for their country such as, for example and for illustrative purposes, the Information Commissioners Office of the United Kingdom.

A brief description of the disclosure is tobe recorded, together with the timing of any disclosure, and any non-disclosedmaterial, with reasons given for non-disclosure.

OA members giving service at the VRC areresponsible for managing their own Dropbox Folder or other secure cloud storageand email accounts, and VRC Committee and Subcommittee Chairs are responsiblefor their group’s email addresses.

Personal data is to be stored only for theminimum period necessary, consistent with the purpose for which it wasprocessed.

Once the retention period has elapsed it isthe responsibility of the person controlling the data to take reasonableefforts to delete it.

This 2nd version of the PrivacyPolicy was updated on behalf of the VRC Chair on 10 January 2021.