ABOUT THIS POLICY
During the course of providing services, Sussex Fitness will process personal data (which may be held on paper, electronically, or otherwise) about customers using our services, and about users on our website, and we recognise the need to treat this data in an appropriate and lawful manner, in accordance with the Data Protection Act 1998 (DPA). The purpose of this policy is to make customers and others aware of how we will handle their personal data.
This policy does not form any part of the contract between us and our customers, and we may amend this policy from time to time.
By visiting www.sussexfitness.co.uk (“website”), enquiring about our services or placing orders for goods or services on our website, customers, potential customers and website users are accepting and consenting to the practices described in this policy.
DATA PROTECTION PRINCIPLES
We will comply with the eight data protection principles in the DPA, which say that personal data must be:
(a) Processed fairly and lawfully.
(b) Processed for limited purposes and in an appropriate way.
(c) Adequate, relevant and not excessive for the purpose.
(e) Not kept longer than necessary for the purpose.
(f) Processed in line with individuals’ rights.
(h) Not transferred to people or organisations situated in countries without adequate protection.
“Personal data” means recorded information we hold about customers, prospective customers or users of our website, from which they can be identified. It may include contact details, other personal information, medical history and details, photographs, expressions of opinion, or indications as to our intentions about customers. “Processing” means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.
WHAT INFORMATION WE COLLECT
We may collect the following information:
(a) Information that is provided on forms filled in by customers or prospective customers, or that is provided by corresponding with us by phone, email or otherwise. This information may include names, addresses, e-mail addresses and phone numbers, dates of birth, medical history and dietary information;
(b) Information that is provided when users of our website register to use our site or order any goods or services on our website; and
(c) Technical information which is automatically collected when customers or prospective customers visit our website, including Internet protocol (IP) address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and information regarding the visit to our website including the date and time and length of time spent viewing the website or particular pages.
FAIR AND LAWFUL PROCESSING
We will usually only process personal data where customers, prospective customers or users of our website have given their consent or where the processing is necessary to comply with our legal obligations. In other cases, processing may be necessary for the protection of our legitimate interests or the legitimate interests of others. The full list of conditions is set out in the DPA.
By visiting our website, enquiring about our goods or services or placing orders for our goods or services, customers, prospective customers and website users are accepting and consenting to the practices described in this policy.
We will only process “sensitive personal data” (which includes data about ethnic origin, political opinions, religious or similar beliefs) where a further condition is also met. Usually this will mean that the customer has given their explicit consent, or that the processing is legally required. The full list of conditions is set out in the DPA.
HOW WE ARE LIKELY TO USE PERSONAL DATA
We will process data about customers for legal, administrative and management purposes and to enable us to meet our legal obligations.
We will also process data to provide customers or prospective customers with information about other goods and services we offer that are similar to those already purchased or enquired about, as well as about changes to our services.
We will use technical information collected from our website to ensure that content from our website is presented in the most effective manner for users’ computers, to administer our website and for internal operations (including data analysis, testing and research), to allow website users to participate in interactive services on our website, to keep our website safe and secure, and to measure or understand the effectiveness of any advertising contained on our website and to deliver relevant advertising to website users.
We may process sensitive personal data relating to customers, as appropriate:
(a) information about a customer’s health for the purposes of providing our services, or for the purposes of providing emergency medical treatment. This may involve disclosing sensitive personal data to medical professionals; and
(b) in order to comply with legal requirements and obligations to third parties.
We may combine information that we receive from third parties with information which customers, prospective customers or website users give to us or that we collect about them, and use such combined information for the purposes set out above.
The data that we collect from, or are given by, customers, prospective customers or website users may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the provision of support services.
PROVIDING INFORMATION TO THIRD PARTIES
We will not disclose personal data about any customer, prospective customer or website user to a third party unless:
(a) the personal data is being disclosed to a business partner, supplier or sub-contractor for the purpose of performing our obligations under any agreement with our customers;
(b) we have the consent of the customer, prospective customer or website user;
(c) we are satisfied that the third party is legally entitled to the data; or
(d) we sell or buy any business or assets, in which case we may disclose personal data to the prospective seller or buyer of such business or assets.
Where we do disclose personal data to a third party, we will have regard to the eight data protection principles.
We may share technical information that we collect on our website with analytics and search engine providers that assist us in the improvement and optimisation of our website.
(a) only process personal data for the specific purpose or purposes detailed in this policy or otherwise notified to customers, prospective customers and website users or for any other purposes specifically permitted by the DPA;
(b) only process personal data to the extent that it is necessary for the specific purposes detailed in this policy or otherwise notified to the relevant customers, prospective customers and website users;
(c) keep the personal data we store accurate and up to date. Data that is inaccurate or out of date will be destroyed;
(d) not keep personal data for longer than is necessary for the purpose. This means that data will be destroyed or erased from our systems when it is no longer required; and
(e) ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
DATA SUBJECT’S RIGHTS
Customers, prospective customers and website users have the right to:
(a) Request access to any personal data we hold about them.
(b) Prevent the processing of their data for direct-marketing purposes.
(c) Ask to have inaccurate data held about them amended.
(d) Prevent processing that is likely to cause unwarranted substantial damage or distress to them or anyone else.
(e) Object to any decision that significantly affects them being taken solely by a computer or other automated process.
SUBJECT ACCESS REQUESTS
If a customer, prospective customer or website user wishes to know what personal data we hold about them, they must make a subject access request in accordance with the terms of the DPA in writing to firstname.lastname@example.org, with an accompanying fee of £20.
Customers should notify us if their personal details change or if they become aware of any inaccuracies in the personal data we hold about them.
Customers can request that their details be deleted at any time via email (email@example.com).
COOKIES ON OUR WEBSITE