Data Protection (GDPR)
Last reviewed: 29/03/23 Next review: 29/03/24
Elisha Waldron is committed to ensuring the data processed by Leesh Fitness remains safe and secure. This policy has been written in line with legislative change, including both the Data Protection Act (1998) and the EU’s General Data Protection Regulation (GDPR). While Leesh Fitness avoids sharing data with third parties at most times, some data is shared in accordance with my business practices. Data will only ever be shared with a third party with the consent of the data subject, and only if Leesh Fitness is satisfied that the third party’s Data Protection policy is GDPR compliant.
The following policy is based on the below principles:
The GDPR includes the following rights for individuals:
– the right to be informed
– the right of access
– the right to rectification
– the right to erasure
– the right to restrict processing
– the right to data portability
– the right to object
– the right not to be subject to automated decision-making including profiling
You may contact Leesh Fitness at any time with any queries/requests about the data I hold. Leesh Fitness will respond to a GDPR request without undue delay and within one month of receipt.
Leesh Fitness is committed to providing fair and understandable privacy policies in relation to personal data. Leesh Fitness will, at all times, keep data in secure locations (including, but not limited to, encrypted and access-restricted files) and not retain data unnecessarily or past the retention length as set out in this policy.
Participants and Customers
How Leesh Fitness collects personal data
Leesh Fitness customers and participants supply their personal data when signing up for/booking onto classes through my booking site. A waiver will also be signed via my website for all new participants. Personal data may also come to us unsolicited via enquiries through the website and generic email account.
Why Leesh Fitness collects personal data
To attend any Leesh Fitness class, participants must agree to some processing of their personal data. Class participant safety is my priority, therefore information about participants must be collected in order to create registers and accurate participant records. This information is also used to provide and recommend appropriate classes to participants and to help me, as an instructor, provide modifications where necessary. As a physical activity provider, it is essential that this data is provided should a participant have any medical/disability needs. This allows Leesh Fitness to incorporate participants safely into classes.
The data I collect
Personal data and some special category data. It is essential to Leesh Fitness’s primary function (providing classes to participants) that this is provided, and that Leesh Fitness is allowed to process and store the following:
Participant Personal Data:
– Full Name
– Date of Birth
– Home Address
– Permission to participate in classes (where necessary by Dr)
Participant Special Category Data:
– Medical Information/History
– Disability Information
– Emergency Name
– Emergency Contact Number(s)
Storage/Retention of data
Data received through booking is uploaded onto Bookwhen’s database software. Leesh Fitness also keeps a database of all data from booking, which is stored in encrypted files on office-based hardware and backed up regularly to an encrypted cloud-based server. Access to these files is restricted through password protection and only available to Elisha Waldron. Registers and emergency contact lists created from participant data are stored in encrypted files on office-based hardware and backed up regularly to an encrypted cloud-based server. Access to these files is restricted through password protection and only available to Elisha Waldron. Hard copies of registers, waivers and emergency contact details are rarely used; however, they are only authorised by Elisha Waldron and remain on my person in a secure file. When they are no longer in use, have been updated to the office hardware, or are out-dated, they are destroyed thoroughly.
Standard retention policy
Standard retention (without the data subject’s right to access, rectification and erasure etc.) is TWO YEARS post final attendance.
Exceptions to policy
– First Aid records are kept for 21 years due to legal obligation
– Photo consent may be kept indefinitely
– Unsolicited enquiries that do not turn into bookings with current classes are deleted after they have been dealt with.
Leesh Fitness does not actively share data with third parties; however, there are certain instances where sharing information is crucial to our business processes.
Bookwhen: Leesh Fitness uses a UK-based company ‘Leesh Fitness’ to manage participants’ data, send emails, take payments, create bookings and registers. Leesh Fitness is satisfied that their GDPR regulations are thorough, and the information stored on Bookwhen is secure.
NHS Test and Trace: Participants’ names and contact numbers may have to be shared with the NHS Test and Trace service in the event of a positive COVID-19 case within a class.
Photos/Videos of Participants
Leesh Fitness often uses footage/photos from classes and events for marketing purposes in social media, print media and on the website. Participants may choose not to be depicted. If Leesh Fitness allows, some attendees at events may film/take photos for their own personal use. These photos are not to be shared on social media if they feature another person without that person’s permission.
Leesh Fitness regularly shares photos/videos of students in class and at events through platforms including Instagram, Facebook, and email. There may be times when I share names, but only with the explicit consent of the participant(s).
If Leesh Fitness experiences a data breach of any kind, we will inform all the victims of the data breach as soon as possible. Leesh Fitness will store and record all data breaches.