About this Policy
Protecting your personal information is extremely important to Julie’s Swim School (“the Company”, “we” or “our”). This policy explains when and why we collect personal information about our employees and clients, how we use it, how we keep it secure and your rights in relation to it.
What is Personal Information?
The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person (a “data subject”). When we talk about personal information we mean information about an individual that can identify them, such as their name, address, email, telephone number and bank details. A “data subject” can be a customer, employee, business contact or supplier. Any reference to “information” or “data” in this policy is a reference to personal information about a living individual. We may collect, use and store your personal data as described in this policy.
How do we collect information about you?
Depending on which ‘data subject’ category you are in the Company may collect personal information from you in various ways; directly from you when you contact us by phone, via our contact us form on our website, via messenger, our Facebook page, other social media or email to make an enquiry. If you are applying for a job the Company will also collect personal information from your CV or the application form. We may also receive information if you have been introduced by another person such as a friend or relative
What information do we collect
If you are a client (potential or existing) we may ask for the following personal information about you; name & address, contact details such as email address and phone numbers, bank details, children’s names and dates of birth, details of medical and/or additional needs. We may also seek to take and hold visual images. If you are an employee, as well as your personal data, we may collect and hold and process the following data; NI numbers, health records (details of sick leave, medical conditions, disabilities, prescribed medication), employment records (interview notes, CVs, application forms, performance reviews, remuneration details including salaries, pay increases etc., records of disciplinary matters including reports and warnings, details of grievances including notes from interviews, procedures followed and outcomes).
Children We are keen to protect the privacy of children under age 13 (this is the age proposed in the Data Protection Bill under which children cannot provide their own consent to the use of personal data). We will use the parent or guardian’s email address to send the parent or guardian notifications about our privacy practices, communications about the swim school timetable or about other features of the swim school and for such features as described in this policy.
What do we use your information for?
Clients We use your details to help us provide the best possible swimming lessons for you/your child. We also use it to contact you about bookings, send you up to date information on classes, details on upcoming intensive course and additional course and information on items for sale which may interest you. We will also send you newsletters from time to time, conduct online surveys and/or run competitions. Your bank details may be needed to collect payments or process refunds. Visual images may be used for training purposes or on our website or for social media or advertising purposes.
Employees All of the data held for existing employees is used to process all aspects of your employment; · Personal data, NI numbers and bank details are required for the processing of your salary; · Employment records, such as assessments and performance reviews are used to promote your career development; · Records of disciplinary matters are held as the data may be necessary for the defence of legal claim.
Using your information in accordance with Data Protection laws Data protection laws require us to meet certain conditions before we are allowed to use your personal information in the way we describe in this policy. To use your personal information, we will rely on the following conditions, depending on the activities we are carrying out; Providing our contracts and services to you: We will process your personal information to carry out our responsibilities resulting from any agreements you’ve entered into with us and to provide you with the information, products and services you’ve asked from us which may include online services. Complying with applicable laws: We may process your personal information to comply with any legal obligation we are subject to. Legitimate interests: To use your personal data for any other purpose described in this policy, we’ll rely on a condition known as “legitimate interests”. It’s in our legitimate interests to collect your personal data as it provides us with the information we need to deliver our services to you more effectively. We may use your information to; · Carry out market research and product development, which can include creating customer demographics and/or profiling. We may sometimes work with carefully selected third parties to do this, for example using advertising services provided by organisations such as Google or Facebook and may share data with them, which could be combined with the information they hold about you. · Continue to send marketing information, via email only, to customers who purchased a service or product before 25th May 2018 and did not opt-out, until such time as they have reviewed their marketing preferences (which can be done at any time). · Develop and test the effectiveness of marketing activities. · Develop, test and manage our brands, products and services. · Study and also manage how our customers use products and services from us · Manage risk for us and our customers. This requires us to carry out an assessment of our interests in using your personal data against the interests you have a citizen and the rights you have under data protection laws. The outcome of this assessment will determine whether we can use your personal data in the ways described in this policy, except in relation to marketing, where we will always rely on your consent. ·
Consent: We may provide you with marketing information about our services or products where you have provided your consent for us to do so. You may opt out of marketing at any time by emailing us at Alternatively, you can use the Contact Us section of our website. You can also manage your marketing preferences on our customer portal. ·
Special Category (Sensitive) Data: Where you have consented, we will process any medical, health and additional needs information you have provided and any other sensitive information obtained from a third party (e.g. your GP or other medical professional), solely for the purposes of allowing us to offer the best service
Where your Data is held The data we collect from you is stored at a destination inside the European Economic Area (“EEA”). We’ll take all reasonably necessary steps to make sure that your data is treated securely and in accordance with this policy. We will only transfer your data to a recipient outside the EEA where we are permitted to do so by law, for instance, where the transfer is; · based on standard data protection clauses adopted or approved by the European Commission · to a territory that is deemed adequate by the European Commission, or · where the recipient is subject to an approved certification mechanism and the personal information is subject to appropriate safeguards, etc. Unfortunately, sending information via email is not completely secure; anything you send is done so at your own risk. Once received, we will secure your information in accordance with our security procedures and controls.
Do we share your information with any third parties? No, we do not share, rent or sell your information with any third parties, with the following exceptions; · Where we use third party providers for services such as payroll and pension for employees and only the relevant information required for them to deliver the service is disclosed; · We were compelled to by any legal authority · The business was sold to a new owner along with our pool rights and/or customer details
How long do we keep your information? We shall not keep your personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held and processed. We will review your personal data every year to establish whether we are still entitled to process it. If we decide that we are not entitled to do so, we will stop processing your personal data and securely destroy all personal data once we no longer need it. Data Security We have implemented generally accepted standards of technology and operational security in order to protect all our data subjects’ personal data from loss, misuse of unauthorised alteration or destruction. There are times when personal data is held, accessed and processed via an app on mobile phones or tablets specifically “SwimBiz” - provided by Thinksmart Software. All teachers will meet the following conditions; · A strong and secure password is required to log into the account on the device where the data is stored. · Under no circumstances should any passwords be written down or shared · Internet security software from a reputable supplier must be installed (and enabled) on the device. · All users are required to log out after each use and the password must not be saved on the device Data Breach and Response Plan If any breach, or potential breach, of personal data occurs, then the response plan must be followed immediately. Personal data breaches can include; · Access by an unauthorised third party · Deliberate or accidental action (or inaction) by the Company or those organisations who process personal data on behalf of the Company · Sending personal data to an incorrect recipient · Computing devices containing personal data being lost or stolen · Alteration of personal data without permission; and · Loss of availability of personal data When an incident takes place, Julie Simonelli must be informed promptly. Julie Simonelli will establish whether, in their view, a personal data breach has occurred. If it is deemed that a breach has occurred then the likelihood and severity of the resulting risk to peoples’ rights and freedoms should be established. If it is unlikely that there is a risk to data subjects’ rights and freedoms then the Company will not be required to report the data breach. If it is likely that there is a risk to data subjects’ rights and freedoms then the Company will notify the Information Commissioner’s Office (“ICO”). The ICO should be notified of a personal data breach within 72 hours of becoming aware of it even if all details have not been obtained. Further information can be submitted as soon as possible. The following information will be given to the ICO; · A description of the nature of the personal data breach including, where possible, the approximate number of individuals concerned and the approximate number of personal data records concerned. · A description of the likely consequences of the personal data breach; and · A description of the measure taken, or proposed to be taken, to deal with the personal data breach. The Company will inform, without undue delay, the affected individuals about the personal data breach when it is likely to result in a high risk to their rights and freedoms. Advice will also be provided to help the affected individuals protect themselves from the effects of the personal data breach. The nature of the breach will be described in clear and plain language including the following; · The name and contact details of someone from the Company from whom more information can be obtained. · A description of the likely consequences of the data breach; and · A description of the measures taken, or proposed to be taken, to deal with the data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects. Your rights You have rights under the GDPR; a) To access your personal data b) To be provided with information about how your personal data is processed c) To have your personal data corrected d) To have your personal data erased in certain circumstances e) To object or restrict how your data is processed; and f) To have your data transferred to yourself or another organisation in certain circumstances. If you have any questions regarding our data processing practices or wish to exercise any of your rights, including changing your marketing preferences, please contact Julie Simonelli using the contact details set out below.
How you can access and update your information The accuracy of your information is important to us. If you change email address or if any of the other information we hold is inaccurate or out of date, please contact us using the details shown at the end of this document. You have the right to ask for a copy of the information the Swim School holds about you. Such requests (SAR) should be direct to Julie Simonelli, using the contact details at the end of this document. We do not charge a fee for the handling of a SAR, however, we reserve the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject and for requests that are unfounded or excessive.
Review of this policy We will keep this policy under regular review and reserve the right to amend this policy from time to time without prior notice. You are advised to check our website www.juliesswimschool.com regularly for any amendments (but amendments will not be made retrospectively). This Policy aims to ensure compliance with the General Data Protection Regulation (GDPR) when dealing with your personal data. Further details on the GDPR can be found at the website for the Information Commissioner (www.ico.gov.uk). For the purposes of the GDPR we will be the “controller” of all personal data we hold about you. This policy was last updated in May 2018.
Our contact details Julie Simonelli 37 Balmoral Road Ash Vale Surrey GU12 5BB