WELCOME TO KINGSBRIDGE GYM CLUB PRIVACY & GDPR POLICY.
Below you will find our policies regarding any personal information that you may supply to us through this web site, email, direct face to face or telephone contact or obtained as part of our membership program. Where Kingsbridge Gym Club is required to process relevant personal data we shall take all reasonable steps to do so in accordance with this Policy.
PRIVACY POLICY
We acknowledge and agree that any personal data of yours that we handle will be processed in accordance with all applicable data protection laws in force from time to time. Currently, the Data Protection Act 1998 applies. With effect from 25 May 2018, the General Data Protection Regulations (“GDPR”) will come into force, which will change the law.
Our goal is to protect your privacy and the information that you submit to us through various channels (Face to Face, Email, Website, Phone Conversation).
Kingsbridge Gym Club operates this web site and its business operations from the club office, The Loft, Unit 7, Station Yard, Kingsbridge TQ7 1ES. All matters pertaining to this web site and business are governed and interpreted in accordance with the laws of England and Wales and any dispute arising hereunder shall be subject to the exclusive jurisdiction of the English Courts.
By accessing this web site or contacting us directly via the various channels listed above, you indicate your acceptance of this Privacy Policy and the Terms of Use posted on this site.
This web site is not directed to children under the age of sixteen and we do not knowingly collect personal information from children under the age of sixteen on the site. If we become aware that we have inadvertently received personal information from a visitor under the age of sixteen on the site, we will delete the information from our records.
Information we collect and how we use it
Personal Information – You may choose to provide personal information to Kingsbridge
Gym Club via various channels. Here are some of the ways you may provide the
information and the types of information you may submit. We also tell you how
we may use the information.
The information about you we may collect, hold and process is set out below:
· Name
· Contact information including postal address, email address and telephone number
Where we collect this data from:
Get In Touch – Email – If you email us through the “Get In Touch” link on this site, we ask you for information such as your name and email address, so we can respond to your questions, queries and comments. You may choose to provide additional information as well.
· Get In Touch – Phone
· Get In Touch – Email
· Get In Touch - Form
· Telephone Conversation – inbound/outbound
· Face to Face conversation
What we do with the information we gather
We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:
· Internal record keeping
· We may use the information to improve our products and services
· We may periodically send promotional marketing emails about new classes, services or other information which we think you may find interesting using the email address which you have provided.
Security
We are committed to ensuring that your information is secure. In order to
prevent unauthorised access or disclosure, we have put in place suitable
physical, electronic and managerial procedures to safeguard and secure the
information we collect online.
Internet Protocol Address
We collect an Internet Protocol address from all visitors to our site. We use
your IP address to help us administer our site. Your IP address is also used to
help identify you when you visit our site.
How we use cookies
A cookie is a small file which asks permission to be placed on your computer’s
hard drive. Once you agree, the file is added and the cookie helps analyse web
traffic or lets you know when you visit a particular site. Cookies allow web
applications to respond to you as an individual. The web application can tailor
its operations to your needs, likes and dislikes by gathering and remembering
information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps
us analyse data about webpage traffic and improve our website in order to
tailor it to customer needs. We only use this information for statistical
analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website by enabling us to
monitor which pages you find useful and which you do not. A cookie in no way
gives us access to your computer or any information about you, other than the
data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically
accept cookies, but you can usually modify your browser setting to decline
cookies if you prefer. This may prevent you from taking full advantage of the
website.
Links to other websites
Our website may contain links to other websites of interest. However, once you
have used these links to leave our site, you should note that we do not have
any control over that other website. Therefore, we cannot be responsible for
the protection and privacy of any information which you provide whilst visiting
such sites and such sites are not governed by this privacy statement. You
should exercise caution and look at the privacy statement applicable to the
website in question.
Information We Share
We do not sell or otherwise disclose personal information about our visitors
(by all channels), except as described here. We may share information provided
by our visitors to this site with service providers we have retained to perform
services on our behalf. These service providers are restricted from using or
disclosing the information except as necessary to perform services on our
behalf or to comply with legal requirements. In addition, we may disclose
information about you (i) if we are required to do so by law or legal process,
(ii) to law enforcement authorities or other government officials, or (iii)
when we believe disclosure is necessary or appropriate to prevent physical harm
or financial loss or in connection with an investigation of suspected or actual
illegal activity.
We reserve the right to transfer any information we have about you in the event
we sell or transfer all or a portion of our business or assets. Should such a
sale or transfer occur, we will use reasonable efforts to direct the transferee
to use personal information you have provided through this web site in a manner
that is consistent with this Privacy Policy.
How We Protect Personal Information
We maintain administrative, technical and physical safeguards to protect
against unauthorized disclosure, use, alteration or destruction of the personal
information you provide on this web site. We use secure socket layer (SSL)
technology to help keep the personal information you provide on this site
secure.
How we hold the information
All the personal data we have is stored on our database in the UK.
Disclosure of your information
Your personal information and related information will be kept on Kingsbridge
Gym Club servers only. All servers will be located inside the European
Economic Area (EEA). Personal data shall not be transferred to a country
or territory outside the EEA unless that country or territory ensures an
adequate level of protection or the appropriate safeguards are in place for
your rights and freedoms. Before such a transfer takes place outside of
the EEA, we will provide you with further information concerning this.
Other trusted third parties that we may share your data with are as follows: Class
Manager, legal advisors and other companies for the purpose of undertaking our membership
program.
Your rights
You currently have the right at any time to ask for a copy of the information
about you that we hold.
Retention of your data
Your data will be retained for no longer than is necessary and in accordance
with our Data Retention Policy.
Withdrawal of consent
If you have provided us with your consent to process your data, for the purpose
of using our services, you have the right to withdraw this at any time.
In order to do so you should contact us by emailing [email protected]
Controlling your personal information
You may choose to restrict the collection or use of your personal information in the following ways:
· whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes
· if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at [email protected]
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.
If you believe that any information we are holding on you is incorrect or incomplete, please email us as soon as possible at the above addresses. We will promptly correct any information found to be incorrect.
Concerns
If you have a concern about the way we are collecting or using your personal
data, you should raise your concern with us in the first instance or directly
with the Information Commissioner's Office at https://ico.org.uk/concerns
Contact
If you have any questions or comments about this Privacy Policy please address
any questions, comments and requests regarding our data processing practices to
Dena Stafford, [email protected]
Updates to Our Privacy Policy
This Privacy Policy may be updated periodically and without prior notice to you
to reflect changes in our information practices. We will post a notice on this
web site to notify you of any significant changes to our Privacy Policy and
indicate when it was most recently updated.
Kingsbridge Gym Club (KGC) is a not-for-profit charity and is exempt from registering with the Information Commissioner's Office (ICO).
General Statement
Kingsbridge Gym Club is required to process relevant personal data regarding employees, volunteers, customers (parents), students and suppliers as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.
We recognize that the GDPR will help us move towards the highest standards of operations in protecting our data subjects' data.
We are committed to:
· ensuring that we comply with the eight data protection principles, as listed below
· meeting our legal obligations as laid down by the Data Protection Act 1998
· ensuring that data is collected and used fairly and lawfully
· processing personal data only in order to meet our operational needs or fulfil legal requirements
· taking steps to ensure that personal data is up to date and accurate
· establishing appropriate retention periods for personal data
· ensuring that data subjects' rights can be appropriately exercised
· providing adequate security measures to protect personal data
· ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
· ensuring that all employees are made aware of good practice in data protection
· providing adequate training for all employees responsible for personal data
· ensuring that everyone handling personal data knows where to find further guidance
· ensuring that queries about data protection, internal and external to the organisation, are dealt with effectively and promptly
· regularly reviewing data protection procedures and guidelines within the organisation
GDPR & DATA PROTECTION POLICY
Data Protection Controller
Kingsbridge Gym Club has appointed Dena Stafford as the Data Protection Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the Data Protection Act 1998. The Freedom of Information Act 2000 and the Protection of Freedoms Act 2012 are also relevant to parts of this policy. Highjam recognises The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) adopted 27 April 2016, the two-year transition period and the application date of 25 May 2018 and is actively working towards compliance with that directive.
The Principles
KGC shall, so far as is reasonably practicable, comply with the Data Protection Principles (the Principles) contained in the Data Protection Act to ensure all data is:
1. Fairly and lawfully processed
2. Processed for a lawful purpose
3. Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Accurate and up to date
5. Not kept for longer than necessary
6. Processed in accordance with the data subject's rights
7. Secure
8. Not transferred to other countries without adequate protection
Definitions
· A Data Controller is a natural or legal person or organisation which determines the purposes and means of processing personal data
· A Data Processor is a natural or legal person or organisation which processes personal data on behalf of a controller
· A Data Subject: An individual who is the subject of personal data
Data Controller
· KGC – for employee, member and student data held on online databases
Data Processor:
· Class Manager – KGC booking system for customers, student and employees
· Brightpay – Internal employee payroll details
· KGC OneDrive Shared (via password protected files/servers) – when processing personal data on behalf of the controller
Data Subject:
· KGC employees
· KGC members
· KGC students
Personal Data
Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment such as the member of staff’s name and address and details for payment of salary. Personal data may also include sensitive personal data as defined in the Act.
Processing of Personal Data
Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will not be disclosed to third parties with appropriate consent.
KGC processes some personal data for direct marketing. Data subjects have the right to request an opt-out from these activities, which must be respected.
Sensitive Personal Data
KGC may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender and criminal records and proceedings.
Rights of Access to Information
Data subjects have the right of access to information held by KGC, subject to the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to the DPC. KGC will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 14 days for access to records and 7 days to provide a reply to an access to information request. The information will be imparted to the data subject as soon as is reasonably possible after it has come to KGC's attention and in compliance with the relevant Acts.
Exemptions
Certain data is exempted from the provisions of the Data Protection Act which includes the following:-
· National security and the prevention or detection of crime
· The assessment of any tax or duty
· Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon KGC, including Safeguarding and prevention of terrorism and radicalisation
The above are examples only of some of the exemptions under the Act. Any further information on exemptions should be sought from the DPC.
Accuracy
KGC will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.
Enforcement
If an individual believes that KGC has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the employee should utilise KGC’s grievance procedure and should also notify the DPC.
Data Security
KGC will take appropriate technical and organisational steps to ensure the security of personal data. All employees will be made aware of this policy and their duties under the Act. KGC and therefore all staff are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.
An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and be encrypted when transported offsite. Other personal data may be held for marketing purposes and therefore have a lower requirement for data security.
External Processors
KGC must ensure that data processed by external processors (for example, service providers, Cloud services including storage, websites etc.) is processed in compliance with this policy and the relevant legislation.
Secure Destruction
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.
Retention of Data
KGC may retain data for differing periods of time for different purposes as required by statute, members or best practices; individual departments incorporate these retention times into the processes. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data.
Data Security Breach Reporting
Confirmed or suspected data security breaches should be reported promptly to Dena Stafford via [email protected]. The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.
Once a data breach has been reported, an initial assessment will be made to establish the severity of the breach and who the lead responsible officer should be to lead the data breach management plan. This plan will involve the following four elements and will be conducted in accordance with the guidelines for Data Security Breaches by the Information Commissioner:
A. Containment and Recovery
B. Assessment of Risks
C. Consideration of Further Notification
D. Evaluation and Response