Privacy Policy

DATED: MAY 2018

BREEDON PRIORY HEALTH CLUB LTD GDPR PRIVACY NOTICE

FOR MEMBERS ATTENDING BREEDON PRIORY HEALTH CLUB

WHAT IS THE PURPOSE OF THIS DOCUMENT?

Breedon Priory Health Club is a company incorporated and registered in England and Wales (company number 8295486) with its registered office address at Charnwood Accountants, The Point, Granite Way, Mountsorrel, Loughborough, Leicestershire LE12 7TZ. The Club is committed to protecting the privacy and security of your personal information. This privacy notice describes how the Club collects and uses personal information about Members attending the Club (“Members”) (known collectively as “You” or “Your”), in accordance with the General Data Protection Regulation (GDPR).

The Club is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about You. We are required under data protection legislation to notify You of the information contained in this privacy notice.

This notice applies to Members. This notice does not form part of any contract to provide services. We may update this notice at any time but if we do so, we will provide You with an updated copy of this notice as soon as reasonably practical.

It is important that Members read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about You, so that You are aware of how and why we are using such information and what Your rights are under the data protection legislation.

DATA PROTECTION PRINCIPLES

We will comply with data protection law. This says that the personal information we hold about You must be:

1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to You and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told You about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told You about.
6. Kept securely.

THE KIND OF INFORMATION WE HOLD ABOUT YOU

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection, such as information about a person’s health or sexual orientation.

We will collect, store, and use the following categories of personal information about You:

• Full Name including title
• Date of Birth/Gender/Marital Status
• Home address
• Telephone Numbers
• Occupation
• Member ID/QR Access Code
• Bank account details, including sort code and account number
• Attendance information
• Photographs and video clips of you for general purposes
• Emergency contacts should we need to contact someone else in an emergency (we will assume you have already gained consent from these people beforehand)
• Login and Password details for our database systems
• Use of CCTV for security purposes and investigative purposes where applicable
• Connection to social networking sites to enable you to follow or be followed by other members, including through a mobile app (further information below)
• Accidents/Incidents, and pre-existing injuries
• Records of any medication
• Records of any reportable death, injury, disease or dangerous occurrence
• Some data is collected automatically through using our website (see section below)

Why we collect this information and the legal basis for handling your data

We use personal data about you to provide health and fitness services and fulfil the contractual arrangement you have entered into. This includes using your data to:

• contact you in case of an emergency
• support your wellbeing
• assist you in carrying out regular assessment of your progress and to identify any areas of concern
• keep you updated with information about our service

HOW IS YOUR PERSONAL INFORMATION COLLECTED?

We collect personal information about you from when the initial enquiry is made, through the enrolment process and up to 7 years after you stop using the Club’s services.

HOW WE WILL USE INFORMATION ABOUT YOU

We will only use Your personal information when the law allows us to. Most commonly, we will use Your personal information in the following circumstances:

1. Where we need to perform the contract we have entered into with You.
2. Where we need to comply with a legal obligation.
3. Where it is necessary for our legitimate interests (or those of a third party) and Your interests and fundamental rights do not override those interests.

We may also use Your personal information in the following situations, which are likely to be rare:

1. Where we need to protect Your interests (or someone else’s interests).
2. Where it is needed in the public interest or for official purposes.

Situations in which the Club will use personal information

We need all the categories of information in the list above (see Paragraph entitled ‘The Kind of Information we Hold About You’) primarily to allow us to perform our contracts with you and to enable us to comply with legal obligations.

• To report on a Member’s attendance
• To be able to contact you or your emergency contact
• To ensure membership fees are paid

If Members fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the respective contract we have entered into with you, or we may be prevented from complying with our respective legal obligations to you.

Change of purpose

We will only use Your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use Your personal information for an unrelated purpose, we will notify you, as is appropriate in the circumstances, and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your respective knowledge or consent, as relevant to the circumstances, in compliance with the above rules, where this is required or permitted by law.

AUTOMATED DECISION-MAKING

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

1. Where we have notified you of the decision and given you 21 days to request a reconsideration.

If we make an automated decision on the basis of any particularly sensitive personal information, we must have either explicit written consent from you, or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights as is relevant in the circumstances.

You will not be subject to decisions that will have a significant impact on You based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you as is appropriate in the circumstances.

DATA SHARING

We may have to share your data with third parties, including third-party service providers and other entities in the group. We require third parties to respect the security of Your data and to treat it in accordance with the law.

Why might the Club share your personal information with third parties?

We will share Your personal information with third parties where required by law, where it is necessary to administer the working relationship with You or where we have another legitimate interest in doing so.

Which third-party service providers process my personal information?

Who we share your data with

For us to deliver our services we will also share your data as required with the following categories of recipients:

• our current database management system
• banking services to process direct debits and make refunds to you (as applicable)
• our insurance underwriter (if applicable)

We will also share your data if:

• we are legally required to do so, for example, by law, by a court or the Charity Commission;
• to enforce or apply the terms and conditions of your contract with us;
• to protect you; for example, by sharing information with the police;
• it is necessary to protect our or others’ rights, property or safety;
• we transfer the management of the Club, in which case we may disclose your personal data to the prospective buyer so they may continue the service in the same way.

We will never share your data with any other organisation to use for their own purposes.

How do we protect your data?

We protect against unauthorised access to your personal data and prevent it from being lost, accidentally destroyed, misused, or disclosed by ensuring all IT storage is password protected (updated every 3 months or as and when staffing changes) and only accessible to senior management; all paperwork is stored within a locked filing cabinet.

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

When might you share my personal information with other entities in the group?

By taking out a membership, filling in a contact form on our website or using a mobile app we provide to you, you agree and accept that we may gather, process, store and/or use the personal data submitted in accordance with the terms set below.

If you are under the age of 16, the Club will not collect or process your details unless we have also received the consent of an adult who has parental responsibility for you.

You have the right to withdraw your consent at any time unless by doing so you prevent us from delivering the service set out in your membership agreement. To withdraw consent for the storage and processing of your data, please write to Sigourney Gates, Director, Breedon Priory Health Club, Green Lane, Wilson, Derbyshire DE73 8LG.

Identity and contact details of the data processor

Personal data collected by us and stored via our website or mobile app is processed on our behalf by ClubWise Software Ltd, 6 Tower Court, Horns Lane, Princes Risborough, Bucks, HP27 0AJ. Company Reg: 3843268.

Marketing

We may send you marketing information by e-mail or SMS about products and services which we believe may be of interest to you. However, we will only do so with your prior consent and will always provide the ability to review, change your preferences or unsubscribe with immediate effect. You can also make your request via email to sblunt@breedonprioryhealthclub.co.uk.

We will share Your personal information with other entities in our group as part of our contract with our CCTV system; this would be for the requirement of maintenance to these systems. Where applicable we are able to use images from CCTV for investigations, but their viewing is limited to group senior management.

What about other third parties?

We may share Your personal information with other third parties, for example in the context of the possible sale or restructuring of the business.

In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share Your personal data with the other parties if and to the extent required under the terms of the transaction.

We may also need to share Your personal information with a regulator or to otherwise comply with the law.

Cookies

A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer browser from a website’s computer and is stored on your device’s hard drive in the form of a text file.

How does the club use cookies?

Cookies are used to control an online session and provide security such as a time-out function. We only issue session specific cookies which store no personal or transactional data.

Third Party Cookies: The club may use Google Analytics for SEO purposes and to improve their online marketing efforts. For a detailed explanation of how Google Analytics cookies work please visit: https://developers.google.com/analytics/resources/concepts/gaConceptsCookies

Other web sites

Our web site may contain links to other web sites which are outside our control and are not covered by this Privacy Policy. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy policy, which may differ from ours.

DATA RETENTION

How long will you use my information for?

We will only retain Your data for as long as you are a member. On termination of your membership, we will instruct the designated processor to store your personal data for a maximum period of 7 years for the purposes of responding to you in the event of any future indemnity claim that may arise. In the case of an incident having occurred whilst you are a member, we will store your personal data for a maximum period of up to 25 years for indemnity and insurance purposes.

After this period, your personal data will be anonymised to prevent you from being identified from the information we hold. The anonymised data may be used for business analysis purposes after you are no longer a member.

RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION

Your duty to inform us of changes

It is important that the personal information we hold about You is accurate and current. Please keep us informed if Your personal information changes during your working relationship with us.

Your rights in connection with personal information

Under certain circumstances, by law You have the right to:

• Request access to Your personal information (commonly known as a “data subject access request”). This enables You to receive a copy of the personal information we hold about You and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about You. This enables You to have any incomplete or inaccurate information we hold about You corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove Your personal information where You have exercised Your right to object to processing (see below).
• Object to processing of Your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about Your particular situation which makes You want to object to processing on this ground. You also have the right to object where we are processing Your personal information for direct marketing purposes.
• Request the restriction of processing of Your personal information. This enables you, as is appropriate, to ask us to suspend the processing of personal information about You for example if You want us to establish its accuracy or the reason for processing it.
• Request the transfer of Your personal information to another party.

If You want to review, verify, correct or request erasure of Your personal information, object to the processing of Your personal data, or request that we transfer a copy of Your personal information to another party, please write to Sigourney Gates, Director, Breedon Priory Health Club, Green Lane, Wilson, Derbyshire DE73 8LG.

Note that if we refuse a request from you under rights of access, we will provide you with a reason as to why.

If a data breach occurs which compromises your personal data, you have a right to be informed within 72 hours of us first becoming aware of the breach.

No fee usually required

We reserve the right to charge a fee in the event of complex, trivial and/or repetitive access requests.

What we may need from You

We may need to request specific information from You to help us confirm your identity and ensure Your right to access the information (or to exercise any of Your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

RIGHT TO WITHDRAW CONSENT

In the limited circumstances where You may have provided Your consent to the collection, processing and transfer of Your personal information for a specific purpose, You have the right to withdraw Your consent for that specific processing at any time. To withdraw Your consent, please write to Sigourney Gates, Director, Breedon Priory Health Club, Green Lane, Wilson, Derbyshire DE73 8LG. Once we have received notification that You have withdrawn Your consent, we will no longer process Your information for the purpose or purposes You originally agreed to, unless we have another legitimate basis for doing so in law.

If you wish to exercise any of these rights at any time or if you have any questions, comments or concerns about this privacy notice, or how we handle your data, please contact us.

If you continue to have concerns about the way your data is handled and remain dissatisfied after raising your concern with us, you have the right to complain to the Information Commissioner’s Office (ICO). The ICO can be contacted at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or ico.org.uk/

CHANGES TO THIS PRIVACY NOTICE

We reserve the right to update this privacy notice at any time, and we will provide You with a new privacy notice when we make any substantial updates. We may also notify You in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy notice, please write to Sigourney Gates, Director, Breedon Priory Health Club, Green Lane, Wilson, Derbyshire DE73 8LG.

I/We acknowledge that on the date shown below, I/We received a copy of the Club’s Privacy Notice and that I have read and understood it.

Signature: ________________________________________________

Date: __________________

Name (in capitals): _____________________________________________________________________