PRIVACY POLICY

Information about Plymouth Active

In this privacy policy ‘we’, ‘us’ or ‘our’ means Plymouth Active. We are registered with Companies House and are a not-for-profit Company (Company Number: 13749536) operating in the sports and leisure sector in Hounslow. Under the General Data Protection Regulation (GDPR) our Company is identified as a Data ‘Controller’, and as such we have a responsibility to provide information about how we collect, use and protect personal data. This Privacy Policy is our way of providing this type of information. “‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Information Commissioner’s Office, 2020).

Our Commitment

At Plymouth Active, we take seriously our responsibility to protect your personal data and we ensure that respecting privacy is at the heart of all that we do. We fully adhere to the requirements set out in the General Data Protection Regulation (GDPR) and other data protection laws.

When you share your personal data with us through our website, online apps and other channels, we take steps to keep your personal data safe and secure and make sure it is processed in a fair, transparent and lawful way.

We work in partnership with the Plymouth Council, and together we have robust policies, procedures and systems in place, and our data protection training and cyber security training is mandatory for all our staff. These controls help us to ensure that we consider the privacy and security implications of all our business activities when designing and delivering our services.
We have a dedicated Data Protection Officer (DPO), Cyber Security Manager and Senior Information Risk Officer (SIRO) that oversee our approach to privacy, security and data protection. Our DPO can be contacted by e-mailing us.

GDPR Principles

Like all organisations who collect and use personal data, Plymouth Active must apply the seven GDPR principles. These principles are:

Lawfulness, fairness and transparency

Personal data must be processed in a lawful, fair and transparent manner.

This means when we collect and use personal data, we must identify the lawful basis for doing so, we must make sure we are not doing anything with that personal data in breach of any other laws. We must handle the personal data in ways the person (data subject) would reasonably expect or must explain why we have done any unexpected processing. We must be clear, open and honest about how and why we use personal data.

Purpose limitation

Personal data must be collected for specific, explicit and legitimate purposes and not used in a manner that is incompatible with those purposes.

This means when we collect personal data, we must be clear with the person about why we need it and what we will do with it. We may only process the personal data for a new purpose if that purpose is compatible with our original purpose, or we get the data subject’s consent, or we have a clear obligation set out in law.

Data minimisation

Personal data must be adequate, relevant and limited to what is necessary.

This means we must only collect and use personal data that is necessary for the stated purpose or purposes. We must make sure the personal data is sufficient for fulfilling those purposes. We must review the personal data that we hold and delete anything we no longer need.

Accuracy

Personal data must be accurate, and where necessary kept up to date.

This means that we must take reasonable steps to keep the personal data that we collect and process correct and up to date. From time to time we will review the personal data we hold, and we may contact you to make sure the personal data we have about you is correct and does not contain any errors. We must make sure that we comply with your right to rectification of your personal data.

Storage limitation

Personal data must be kept in a format which allows identification of the person for no longer than is necessary and for the purposes for which it is used.

This means we must always know what personal data we hold. We must be able to justify how long we keep personal data, and we may not keep that personal data for longer than is necessary. We must regularly review personal data and erase it or anonymise it when it is no longer needed.

Integrity and confidentiality

Personal data must be used in a manner that is compatible with appropriate security measures in place to protect that data.

This means that our policies, procedures, processes, systems and practices must be adequate and ensure that personal data is always protected from unlawful access and kept secure.

Accountability

Personal data must be handled in compliance with the GDPR.

This means we must take responsibility for complying with the GDPR. We must keep records of the steps we have taken to comply with the GDPR. We must make sure that our organisational and technical control measures, such as our policies, procedures, processes, systems and training, are available and are fit for purpose in compliance with the GDPR. We must ensure that we review and update our control measures at appropriate intervals.

The type of personal data we collect

We collect a range of personal data and the type depends on the service that you have requested from us.

The personal data we currently collect are:

  • Contact information, such as your name, username, address, e-mail address and phone numbers
  • Identity information, such as your age, date of birth
  • Financial information, such as bank details and details about your payments
  • Details about any contact we have had with you, such as any compliments, complaints or incidents
  • Details about your preferences in receiving marketing and communications from us or from our third parties either by post, by phone, through social media, by e-mail and by text
  • Technical information about how you use our website, apps or other technology, including IP addresses or other device information.

We do not collect the following Special Categories of Personal Data about you, unless it is volunteered by you, for example in connection with your use of personal training programmes and services:

  • Personal data about racial or ethnic origin
  • Personal data about political opinions
  • Personal data about religious or philosophical beliefs
  • Personal data about trade union membership
  • Personal data about sex life and/or sexual orientation
  • Personal data about genetic and/or biometric data

How we get your personal data and why we have it

We operate several leisure facilities in Plymouth and provide services for our customers, in the centres, online and by telephone.

Your personal data may be collected when you register your interest with us and use our website or online apps; you will be asked for your personal data to enable us to process your request.
If you cease to use our services, we will remove your contact details after 2 years.

Becoming a member

Should you choose to become a member, we will collect personal data about you and if appropriate your family to enable us to set up your membership and deliver services to you. This could be online, face to face in one of our centres or over the phone.

Once your membership ceases, we will remove your bank details from our system; membership records will remain while you continue to use our facilities. We will retain transaction records for up to 7 years for activity and usage reporting.

Completing health questionnaires (Physical activity readiness questionnaires PARQ)
We will want to ensure that you exercise safely. When you join you may be asked to complete a health questionnaire.

Booking classes and activities

If you book to attend a class or take part in one of our activities, you will be asked for personal data to help us deliver the service to you.

Visiting our centres

If you visit one of our centres, we will record the fact that you have attended, and your image may be captured on our CCTV, which is in place to detect and prevent crime. This also helps us to better understand how we are performing and helps us to continuously improve our services to our customers.
Attendance may also be recorded if you use your membership card to enter through the turnstile.

Participating in our Swim School

If you, or your child is registered with our swim school programme, our swimming teachers may record information about your/their progress.

Completing customer satisfaction Surveys

If you have used any of our you may be asked to fill in a feedback form. We use this information to respond to your comments directly and to help improve our services.

We retain customer feedback data for up to 2 years. We do not limit the duration of anonymised customer feedback.

CCTV

In order to ensure the safety of our staff and customers, we operate CCTV systems in our centres. These systems are used to detect and prevent crime or to monitor the safety of swimmers.

CCTV recordings are retained for a period of up to a month before deletion and may be held for longer if required as evidence in legal proceedings.

 

Lawful basis

Before we process your personal data, we must review the purposes of our processing and have a valid lawful basis for processing your data. The GDPR provides six lawful bases for processing (consent, contract, legal obligation, vital interest, public task and legitimate interests), and we rely on five of these lawful bases for our processing:

Consent

Offering real choice and control

This means when you have explicitly told us that we may collect and use your personal data, such as by asking us to add you to one of our mailing lists that offer information about our products, services. We will offer you the chance to opt in or out of receiving this type of information.

Contract

Performance and compliance with the contract

This means we may collect, use and process your personal data where it is necessary for the performance of a contract, such as a membership or class booking, or in order to take steps at your request before entering a contract with you to:

  • Deliver services that you have requested
  • Validate your bank and payment details
  • Take a payment via direct debit or by your payment card
  • Send you confirmation of bookings etc.
  • Notify you when your membership is up for renewal

Legal obligation

Processing is necessary for compliance with a common law or statutory obligation
This means we may process personal data to comply with law, for example to respond to a claim under insurance law.

Vital interests

Processing is necessary in order to protect the vital interests of the data subject or another natural person

This means we may collect, use and process personal data to protect your vital interests or the vital interests of another person, for example by contacting the relevant authorities if we believe an individual is likely to come to immediate harm.

Legitimate interests

Processing is necessary for the purposes of the legitimate interests
This means we must consider the most appropriate basis for processing your personal data in pursuit of our legitimate interests. We must take extra care in our responsibility to consider and protect your rights and interests. We rely on the three-part test:

  • We must identify the legitimate interest
  • We must show that our processing of personal data is necessary to achieve that interest
  • We must balance the need for personal data processing against the person’s interests, rights and freedoms

At Plymouth Active, our legitimate interests are:

  • Operating our business effectively and efficiently
  • Marketing our services to potential customers
  • Ensuring the safety and security of our staff and customers
  • Informing our local authority partners about the performance of our services

In pursuit of these interests we may:

  • Ask you to give feedback on your use of our services
  • Provide reports on visitor numbers to our partners (this type of information will always be anonymised)
  • Operate CCTV cameras to detect and prevent crime
  • Monitor the safety of swimmers in our pools
  • Where we are obligated by law, we may need to disclose data to relevant authorities such as the police.

Sharing personal data

Our staff, suppliers and subcontractors will have access to your personal data for the purpose(s) it was collected. We will only disclose the minimum amount of personal data in order to provide the service that you require.

We have implemented data processing policies and we check that our suppliers and contractors have control measures to ensure that your personal data is kept safe and your rights observed while the data is in their care.

We may use the services of third-party data processors to deliver our services for example to host our website, to process direct debit payments or send emails on our behalf.

In order to process payments, we may pass your payment details to the Bank.

Some of our services, such as our online booking app are provided by a third-party software company.
Plymouth Active operate our leisure centres on behalf of the local authority Plymouth Council.

At the end of our contract, in order to ensure continuity of service, it may be necessary to pass your data on to Plymouth Council, or another company that they select to run the facility. Where we do so, you will always be informed that the operation of the service is changing hands.
In the unlikely event that Plymouth Active were sold to a third party, details of our customers would be passed on to that third party as a part of the sale of the business.

How we look after your personal data

Plymouth Active have implemented a range of technical and organisational control measures to ensure that your personal data is properly protected at all times. Our IT systems are hosted in secure data centres with access controls to restrict access to authorised personnel.

How long do we keep your personal data

All the personal data that we collect and hold is kept in accordance with our data retention policies. These policies are guided by the legal and regulatory frameworks that we are subject to in providing our services and help us to ensure that we do not keep personal data for longer than is necessary and for the purpose(s) it was collected for.

Your rights

The GDPR legislation provides you with a number of rights in relation to your personal data, including your right to access your personal data and ask us to correct any mistakes and delete and restrict the use of your personal data. You also have the right to object to us using your personal data, to ask us to transfer the personal data you provided to us, and to withdraw your permission to use your personal data. See your rights in detail below (certain exemptions apply and you can contact our DPO for more information).

Please click here for a download of the subject access request form.

Right to be informed

You have the right to be informed about how we collect and use your personal data.

Right of access

You have the right to access and receive a copy of your personal data, and other supplementary information. This right of access is commonly referred to as a subject access request, data subject access request or ‘SAR’.

Right to rectification

You have the right to ask that inaccurate personal data about you is rectified, or completed if incomplete. You can make the request verbally or in writing.

Right to erasure or rectification

You have the right to ask that your personal data is erased. This right is commonly known as ‘the right to be forgotten’.

Right to restrict processing

You have the right to object to the processing of your personal data in certain circumstances. These circumstances include:

When the person the personal data is about contests the accuracy of their personal data and we are in the process of validating the accuracy of that personal data

In an event that the personal data has been unlawfully processed and when the person the personal data is about opposes erasure and requests restriction instead

When we no longer need the personal data and the person the data is about needs us to keep it for a legal claim

When the person the personal data is about objects to us processing their personal data under grounds set out in Article 21(1) of the GDPR (Right to object) and we are considering whether our grounds for our legitimate interest overrides that of the person.

Right to data portability

You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable way. You also have the right to request that we transmit this data directly to another controller.

Right to object

You have the right to object to us processing your personal data in certain circumstances, including your right to request that we stop using your personal data for direct marketing purposes.

You are not required to pay any charge for exercising your rights. Please contact our data protection officer if you wish to make a request.

Your feedback and your right to complain

If you have any questions, comments, complaints or suggestions about this privacy notice, you can contact our customer relations team using our contact page.

If you are dissatisfied with the way we have handled your personal data, you can make a complaint to our customer relations team or complete our online form. You can also find more information about our complaint and comments policies by contacting us.

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your personal data.

In addition, regardless of whether you make a complaint under our complaints policies and procedures you have the right to complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Links

Where we provide links to websites of other organisations this privacy notice does not cover how that organisation processes personal data. We encourage you to read the privacy notices on the other websites you visit.

 
