ZAPilates General Data Protection Policy
Introduction
As a business, it is necessary for ZAPilates to collect, store and process personal data about our customers, suppliers, instructors and other third parties whom we engage to provide services for us or with whom we do business.
With the introduction of the General Data Protection Regulation 2016 (GDPR), the way personal data is kept and used by businesses has become more regulated. This policy sets out how we will process personal data that we collect from, or that is provided by, data subjects and others on their behalf.
This policy will help us to comply with our legal obligations and enable individuals about whom we hold data to have confidence in us. It is important that you read this policy carefully to ensure you comply with it.
Data protection contact
Zoe McCready has ultimate responsibility for ensuring compliance with our data protection obligations. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to her.
Responsibility for data protection
A data controller is responsible for establishing practices and policies in line with the GDPR and any other laws governing data protection. It is important that together we do more than just say that we are complying with data protection laws, but that we are also able to demonstrate compliance. We do this principally by:
▪ implementing processes and policies that enable us to comply with data protection laws, such as not collecting more personal data than we need, providing comprehensive, clear and transparent privacy notices, and creating and improving security features on an ongoing basis;
▪ undertaking data protection impact assessments, where appropriate, when using new technologies where the processing is likely to result in a high risk to the rights and freedoms of data subjects;
▪ undertaking periodic internal audits of personal data held by us; and
▪ training instructors and appropriate connected persons.
How should personal data be processed?
Any personal data that we process must:
▪ be processed fairly, lawfully and in a transparent manner;
▪ be processed ONLY for specified, explicit and legitimate purposes;
▪ be relevant and limited to what is necessary to collect and process;
▪ be accurate and kept up to date, ensuring, where reasonably possible, that inaccurate personal data is erased or rectified without delay;
▪ not be kept for any longer than is necessary to fulfil the purpose or purposes for which it was collected; and
▪ be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Lawfulness, fairness and transparency
The GDPR is not intended to prevent the processing of personal data; rather, the GDPR aims to ensure that it is done fairly and lawfully to protect the rights of the data subject.
For personal data to be processed lawfully, it must be processed for one of the specific reasons set out in the GDPR.
The following are some of the reasons provided by the GDPR which we will rely on as a business to process personal data:
Processing is necessary:
▪ for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
▪ for compliance with a legal obligation to which we are subject; and/or
▪ for the purposes of our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In addition to the legal reasons set out above, we can also process a data subject’s personal data where they have given consent to the processing for one or more specified purposes, provided that the consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes. A data subject will have the right to withdraw any consent given.
For special categories of personal data to be processed lawfully, there are additional conditions which must be met, in addition to satisfying one of the above reasons for processing personal data. Sensitive personal data must also be processed in accordance with one of the following legal grounds set out in the GDPR:
▪ the data subject has given explicit consent to the processing of that personal data for one or more specified purposes;
▪ the processing is necessary for carrying out obligations under employment law, social security or social protection law, or a collective agreement;
▪ the processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
▪ the processing relates to personal data which has been made public by the data subject;
▪ the processing is necessary for establishing or defending legal claims; and/or
▪ the processing is necessary for reasons of substantial public interest, in accordance with UK or EU law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
Keeping personal data secure
When we process personal data, we must do our best to ensure that it remains secure and is protected against unauthorised or unlawful processing and accidental loss, destruction or damage.
This should be done by:
▪ Ensuring ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data;
▪ Facilitating regular testing, assessing and evaluating of the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, it is the responsibility of each Data Controller to take into account the risks that are presented by processing, in particular, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Cupboards should be kept locked if they hold personal data or confidential information of any kind. Data users must ensure that individual monitors do not show personal data or confidential information to passers-by and that they log off from Gymcatch (or any future booking system) when it is left unattended.
You should take steps to minimise the risk of theft, loss, destruction, damage or unauthorised use of personal data or other confidential information. Such steps could include:
▪ taking only the personal data that we need to take and keeping it secure;
▪ ensuring that bags or cases containing paper records are not left visible in your car or left unattended for longer than is necessary. If it is unavoidable to leave paper records in your car (e.g. whilst filling up with petrol) they must be locked in the boot of your car;
▪ ensuring that paper records are not carried ‘loosely’ but instead kept in a file or folder.
You should give express permission before allowing any team member to take personal data off site other than to the office address.
Personal data breach
A personal data breach may not be evident straightaway. However, there may be indicators of a personal data breach, system compromise, unauthorised activity, or signs of misuse. A personal data breach can happen in many ways, including:
▪ loss of a mobile device or hard copy file which contains personal data (e.g. leaving it on a train);
▪ theft of a mobile device or hard copy file which contains personal data (e.g. stolen from a car or a house);
▪ human error (e.g. an administrator sending an email containing personal data to the wrong person or the accidental alteration or deletion of personal data);
▪ inappropriate security permissions allowing unauthorised use (e.g. allowing an unauthorised third party to access secure areas of the setting);
▪ excessive or unusual log-in and system activity, in particular from any active user accounts;
▪ unusual remote access activity;
▪ the presence of any spoof wireless (Wi-Fi) networks visible or accessible from our environment;
▪ equipment failure;
▪ hardware or software keyloggers found connected to or installed on our systems;
▪ unforeseen circumstances such as a fire or flood; or
▪ ‘blagging’ offences where information is obtained from us by a third party deceiving us.
As soon as you become aware of any personal data breach or are unsure if a personal data breach has occurred, whether by you or someone else, you should contact Zoe immediately.
Erasing or destroying personal data
Paper records that contain personal data must be shredded and disposed of securely. Paper records containing personal data must not be disposed of in any other way.
For electronically stored data, there is a significant difference between deleting personal data irretrievably, archiving it in a structured, retrievable manner or retaining it as random data in an unemptied electronic wastebasket. Personal data that is archived, for example, is subject to the same data protection rules as ‘live’ personal data.
When deleting electronic data, all possible steps should be taken to put the data in question beyond use. Where it is impossible to delete data from the electronic ether altogether, personal data will only be deemed to be deleted if we have no intention of using or accessing the personal data again.
Transferring data to third parties
No data is to be transferred.
Notifying data subjects
As a data controller, you are required to provide information to data subjects about the personal data we collect about them on request. Such notices will provide information about:
▪ the purpose and the legal basis for processing their personal data;
▪ whether the collected personal data will be disclosed to any third parties;
▪ whether the personal data will be transferred to any other country and, if so, what safeguards will be put in place;
▪ how long we will process the personal data for or, if that is not possible, the criteria we will use to determine that period;
▪ how the data subject can obtain a copy of the personal data held about them;
▪ details of their rights, including how to make a complaint;
▪ if the personal data has to be provided to comply with a law or a contract, the possible consequences of failing to provide the data;
▪ the existence and details of any automated decision making.
If we have received personal data about a data subject from other sources, we will also provide the data subject with the following information:
▪ the type of personal data we have received; and
▪ the source of the data and whether it came from a publicly accessible source (e.g. a website).
Rights of data subjects
If we process personal data, the data subjects will have the right to:
▪ request access to any data we hold about them;
▪ have any inaccurate personal data about them corrected and incomplete personal data completed;
▪ object to us processing their personal data for our legitimate interests. We can refuse this request if our legitimate interests outweigh those of the data subject or if we need to continue processing for the establishment or defence of legal claims;
▪ ask us to destroy personal data about them. We can refuse this request if the personal data is still necessary in relation to the purposes for which it was being processed and there is a legal ground for us to continue processing;
▪ ask us to restrict processing of their personal data to merely storing it. This can only be requested if the accuracy of the personal data has been contested and this is being verified, or if we no longer require the personal data but the data subject needs it to establish or defend a legal claim, or if the data subject has objected to the processing of personal data and we are deciding whether our legitimate interests override theirs, or if our processing is unlawful.
If a data subject exercises these rights and we have disclosed the personal data in question to a third party, we will do our best to ensure that the third party complies with the wishes of the data subject.
Subject access requests
Data subjects who wish to request information that is held about them must do so in writing. This must be provided within 48 hours. No requests from other sources will be accepted.
Personal data breach response plan
In the event of a personal data breach, we must take quick action to stop the breach from continuing and, in certain circumstances, must report the breach within 72 hours of it occurring. Therefore, if you become aware of any personal data breach or are unsure if a personal data breach has occurred, whether by you or someone else, you should contact Zoe immediately.
Once a personal data breach or a potential personal data breach has been reported, this will involve:
▪ investigating the personal data breach to determine the nature and cause of the breach and the extent of the damage or harm that could result from it;
▪ implementing the necessary steps to stop the data breach from continuing or recurring and limiting the harm to data subjects as a result of the breach;
▪ assessing whether there is an obligation to notify other parties, in particular, the Information Commissioner’s Office (ICO) and the affected data subjects and, if so, making those notifications. If a notification to the ICO is required, this will normally need to be done within 72 hours of you becoming aware of the personal data breach and therefore it is essential that you report it immediately;
▪ recording the personal data breach and the steps taken.
Terms
Data subject means a living individual about whom we hold personal data.
Personal data means data relating to a data subject who can be identified (directly or indirectly) from that data (or from that data and other information in our possession or available to us). Personal data can be factual (e.g. a name, address or date of birth) or it can be an opinion about that data subject, their actions and behaviour. It can also include an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic (e.g. DNA or RNA), mental, economic, cultural or social identity of that individual.
Data controller means the person who determines the purpose and manner for which any personal data is processed.
Data users are those of our Instructors, Administrators and Suppliers and other persons connected with our business whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures.
Data processors means any person that processes personal data. Teachers and Administrators are data processors.
Processing is a term used to describe what we do with the data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring (or disclosing) personal data to third parties.
Special categories of personal data is a term used to describe sensitive personal data such as information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, genetic data and biometric data where processed to uniquely identify a person or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions.
Copyright © 2023 ZAPilates Ltd - All Rights Reserved.
Registered Office: 11 Auckland Road, Caterham, England, CR3 5TU
Registered in England: Company No. 14380682
Registered VAT No. 424747976