Promise Pilates & Wellbeing Services
GDPR: DATA PROTECTION PRIVACY POLICY:
As your group exercise instructor, I, Kirsty Green, am committed to protecting your privacy. This privacy policy sets out how I use and protect any information that you give me.
Your personal data:
As an attendee of my group exercise classes & wellbeing services, I collect, store and use personal data that you provide me.
I do this so that I can effectively manage my classes and ensure that as a participant you are kept informed and safe. I use your data to contact you with class updates and wider group exercise related opportunities I think you may be interested in.
I will use your data to keep me informed about your health or wider needs you have that I need to consider whilst delivering your class/es/services.
If you have provided me with emergency contact details I will use this data only when required. Some of the data that I collect from you is ‘specialist category’. This includes (not exhaustively) any data relating to disabilities and health. I collect and use this data to enable me to tailor activities to your needs.
Data collected from casual enquiries via the website or to the contact mobile number will not be stored once the enquiry has been satisfied.
Unless you have given separate written consent, I will cease contact with you, 6 months after you stop attending Promise Pilates class/es or stop receiving wellbeing services.
Your ParQ forms (Physical Activity Readiness Questionnaire) will be kept for a maximum of 3 years in the interest of ‘Lawful Obligation’. At this point it will be destroyed. Any personal data linked to financial records will be kept for a 6-year period, at which point it will be deleted/destroyed. HM Revenue and Customs (HMRC) have the right to inspect financial information relating to the previous 6 years and require all trading entities to keep financial records for this length of time.
I will not share your personal data. All data you provide to me is stored on a password protected device and/or locked away. The only exception to this rule is when I carry paper copies of your personal data (ParQ forms) to the class/es/services that you attend. I must do this so that I have your health needs and emergency contact details to hand should they be required.
You may request details of personal data which I hold about you or withdraw your consent at any time.
You can contact me on 07791010426 or email info@promisepilates.co.uk
If you have any concerns about my information rights practices you can raise them here www.ico.org.uk/concerns or by calling 03031231113.
Detailed Breakdown of obligations:
As a self-employed group exercise instructor, I am fully committed to complying with the General Data Protection Regulation (GDPR). The GDPR applies to all organisations and sole traders that process data, relating in this case to class attendees and wellbeing clients. It sets out principles which should be followed by those who process data; it gives new and extended rights to those whose data is being processed.
To this end, I endorse fully and adhere to the six principles of data protection, as set out in Article 5 of the GDPR.
1. Data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6. Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
These principles must be followed at all times when processing or using personal information. Therefore, through appropriate management and application of processes and controls I will:
• observe the conditions regarding the collection and use of information including the giving of consent
• meet the legal obligations to specify the purposes for which information is used
• collect and process appropriate information only to the extent that it is needed to fulfil my operational needs
• ensure the quality of information used
• ensure that the information is held for no longer than is necessary
• ensure that the rights of people about whom information is held can be fully exercised under the GDPR (i.e. the right to be informed that processing is being undertaken, to access one’s personal information; to prevent processing in certain circumstances, and to correct, rectify, block or erase information that is regarded as incorrect)
• take appropriate security measures to safeguard personal information
• publicise and abide by individuals’ right to appeal or complain to the supervisory authority (the Information Commissioner’s Office (ICO)) in the event that agreement cannot be reached in a dispute regarding data protection
• ensure that personal information is not shared or transferred abroad without prior written consent
Data Security:
I will ensure that:
• personal data is kept securely
• personal information is not disclosed either orally or in writing or via Web pages or by any other means, accidentally or otherwise, to any unauthorised third party.
Subject Consent:
The GDPR sets a high standard for consent and requires a positive opt-in. Neither pre-ticked boxes nor any other method of default consent are allowed. As required by the GDPR, I ask for separate consent for separate items and will not use vague or blanket requests for consent. As well as keeping evidence of any consent, I ensure that people can easily withdraw consent (and tell them how this can be done).
GDPR Data Processing Outline:
Data subject: Participant (13 and over)
Lawful basis for collecting, storing and processing data: Individual Consent
Special Category Data: Health
Lawful basis detail:
The individual has consented to receiving updates about a class/es and wellbeing services and for their personal data to be stored so that as a teacher I can stay informed about any health or wider needs that participants have that I need to consider whilst delivering the class/es.
Action taken to inform data subjects:
Individuals are provided with a ‘Welcome Pack’ when using Promise Pilates & Wellbeing Services, which includes a copy of the Client Agreement Form, within which I outline my privacy policy commitment and a notice to view this detailed copy by visiting www.promisepilates.co.uk or by requesting a paper copy.
Data Management:
Contact will cease 6 months after participants have stopped attending the class/es/using the wellbeing services (unless a written request is made to continue to be contacted/informed). Personal data on ParQ forms will be kept as a ‘Lawful Obligation’ for a maximum of 3 years, at which point it will be deleted/destroyed.
All personal data linked to financial records will be kept for 6 years, at which point it will be deleted/destroyed.
Conclusion:
This policy sets out my commitment to protecting personal data and how that commitment is implemented in respect of the collection and use of personal data.
Kirsty Green.