24th May 2018
STATEMENT OF INTENT
SG Pilates is an entity owned by Sue Dawson, whose intention it is to ensure that any data you provide is managed respectfully, kept secure and only used for the lawful purposes for which it has been provided.
Within this policy, we describe instances where SG Pilates is the ‘data controller’ (the organisation who decides what personal information is collected and how it is used), and where we direct or commission the processing of personal information by third parties on our behalf to provide services or improve our offering. This policy will be updated from time to time in line with prevailing legislation.
OUR COMMITMENT TO YOUR PRIVACY
SG Pilates recognises the importance of protecting personal and confidential information in all that we do, and takes care to meet our legal and professional duties. SG Pilates puts in place all reasonable technical, security and procedural controls required to protect your personal information for the whole of its life, in whatever format we hold that information.
HOW THE LAW PROTECTS YOU
Your privacy is protected by law, which says that we can use your personal information only if we have a proper reason to do so. This includes sharing it outside of SG Pilates. The reasons why SG Pilates may process your personal information are:
- To fulfill an explicit or implied contract we have with you (provision of services);
- When it is our legal duty;
- When it is in our legitimate interest; or
- When you consent to it.
At the end of this document is a list of the ways that we may use your personal information, and which of the reasons we rely on to do so. This is also where we tell you what our legitimate interests are.
WHAT TYPES OF PERSONAL INFORMATION DO WE HANDLE?
We process personal information to enable us to run SG Pilates, and to support the provision of services provided by itself and its instructors, as well as to maintain our accounts and promote our products and services.
The types of personal information we (SG Pilates) use include:
- Personal details such as names, addresses, telephone numbers;
- Your relationship to other customers (where they make referrals);
- Details of how you use our website(s), and where you accessed them from;
- Details of how you interact with us on social media;
- Details of when you contact us and when we contact you;
- Details of products and services you have purchased;
- Any consents you have given us in relation to the processing of information;
- Any private disclosures, personal background and health information that you choose to share with us in the context of applying for or joining in with our classes, via telephone, in personal discussion or other written means.
WHERE & HOW WE COLLECT PERSONAL INFORMATION
We may collect your personal information from the following sources.
Personal information you give to us:
- When you contact SG Pilates by any means or send us an enquiry;
- When you contact the instructor directly;
- During classes, & in the course of providing our services;
- In customer surveys or any other research activity we may conduct with you;
- When you use our services, arrange or attend classes and workshops, both face-to-face and online;
- When you update the information held with us;
- When you request deletion of your personal information, in which case only the deletion request will be kept;
Personal information gathered from our website:
- We collect personal information when you use or access our website(s) including via cookies. Cookies are small files, which ask permission to be placed on your computer’s hard drive so that we can analyse web traffic to our site. Through this we can see which of our website’s pages are being viewed and are of interest. Most web browsers automatically accept cookies but you can modify your setting to decline them if you prefer. If you choose to do this you may find you cannot make full use of our website.
When you contact us via our website, phone or email, we may collect your:
- Email Address;
- Telephone Number;
- Any information you choose to supply regarding the purpose of your enquiry.
We collect personal information when we receive incoming telephone calls:
Calls to mobile phones go directly to the handset owner (instructor) who will receive any voicemails or caller information personally.
We collect personal information when we receive electronic mail and messaging communications including contact via the website(s):
All incoming emails sent to ‘email@example.com’ are received by Sue Dawson, as well as being stored on the email server until such time as this is deleted. This email account is not accessed by any other person and has a unique username and password required to access it.
For online communications, personal information may be collected via chat/messenger services such as Skype or FB Messenger. This information may be noted in line with our policy on session notes (below).
We collect personal information verbally:
Information may be taken verbally either face-to-face or online, for example at one of our classes, or within a group setting. This includes during classes, meetings and workshops.
Verbal information may be noted for the purposes of executing our legitimate interest. For example, during classes, meetings and workshops instructors may make notes, which they deem appropriate to provide the service and for their own legitimate interest.
You may be asked to sign a clause that you have understood your rights within GDPR when you first register for classes with us. In such cases, this form will be kept for lawful purposes.
Face-to-Face meetings, classes and workshops: Some services from time to time include a video recording or photographic record of the session either as part of the service or for use in marketing of SG Pilates. Your consent will be taken upon enrolment.
We collect personal information from third parties:
- Details of your payments from payment service providers, i.e. our bank;
- Details obtained from social media.
IF YOU CHOOSE NOT TO GIVE PERSONAL INFORMATION
We may need to collect personal information by law, or under the terms of a contract we have with you, either implied or explicitly stated.
If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot provide you with services or products you have opted in for or purchased and may result in annulment of any contracts without a refund. We will notify you if your choice not to give personal information to us would result in a delay or prevent us from meeting our obligations.
Any personal information that is optional will be clearly marked at the point of collection. This does not apply to the content of classes and workshops.
WHO WE SHARE YOUR PERSONAL INFORMATION WITH
Your personal information will only be shared with third party organisations when required (for example for legal organisations or regulatory requirements, in respect of the products and/or services you request), as well as to fulfil a contract we have with you. Information is shared minimally on a need-to-know basis.
These types of organisations include:
- SG Pilates member instructors including temporary instructors who are responsible for fulfilment of a contract with you.
- The centre where classes are held
- HM Revenue & Customs, our regulators and other authorities, including fraud and crime prevention agencies (where required by permitted law).
We may share your personal information for these reasons:
- Registering you into classes
- Contacting you to amend class timings
- Contacting you to collect payments;
- Legal and regulatory compliance;
- Preventing or detecting financial crime;
- Maintaining accountancy records;
- Complaints handling;
- Improving customer service;
- Referring you to other service or product providers with your explicit written consent.
Certain services are provided by third party organisations who collect and use personal information in order to provide those services to you. They are known as ‘joint data controllers’ under data protection law. This means that they have a separate responsibility to protect your personal information and will keep you informed about how your personal information will be used.
In the course of usual business, we may use other third party organisations known as ‘data processors’ under the data protection law to support the essential delivery of services. These organisations process your personal information on our behalf.
These types of organisations are used in order to enable us to run SG Pilates efficiently, and they may include some or all the below:
- Marketing agencies;
- CRM systems providers;
- Online accountancy programmes;
- Payment processors;
- Sale carts;
- Webinar platforms;
- Survey systems;
- Facebook applications;
- Content management systems;
- Viral sharing applications;
- Autoresponder and email signup services;
- SMTP services;
- Membership site services;
- Community forums;
- Communications services;
- Third party white label software access;
- FTP services;
- Web hosting services;
- Calendar, Booking & Scheduling Systems.
We only use data processors who are themselves fully compliant with GDPR regulations and seek to receive written assurances from such service providers that they are fully GDPR compliant.
Business or practice premises may operate CCTV surveillance for the purposes of security, and we will seek to confirm that they will handle this information in a compliant and lawful way.
SG Pilates will never share or sell your personal information to external companies for their own marketing purposes.
We may use your personal information to tell you about relevant products or services offered by SG Pilates, our instructors or partners (including providers of services via an affiliate arrangement), as well as to make non-affiliated recommendations that we believe are relevant to you. This is what we mean by ‘marketing’.
We can only use your personal information to send you marketing messages if we either have your consent or a ‘legitimate interest’. Legitimate interest is when we have a business reason to use your information for marketing purposes (which will not unfairly go against your rights and freedoms). In other words, we will not market to you based on legitimate interest if you have told us that you do not want to receive such marketing.
We have a legitimate interest to:
- Send you marketing messages by post, email or social media about products and services that are similar to those which you have already purchased from us (if you have provided us with relevant contact detail(s));
- Contact you to welcome you as a new client, and offer you relevant services;
- Contact you if you decide to leave or cease to be a customer of ours, or if you have reached the end of the agreed contract;
- Send you our newsletter;
- Invite you to take part in additional or complementary services;
- Invite you to make referrals;
- Invite you to leave us feedback, reviews or testimonials;
We will ask for your explicit consent to send any other marketing emails. You can withdraw your consent or ask us to stop sending you any marketing messages at any time. If you want to do so, please contact us by:
- Following the unsubscribe link on the relevant email;
- Emailing firstname.lastname@example.org
Please note that if you tell us that you no longer wish to receive marketing from us, you will still receive essential service information from us, such as details of changes to the product or services you have from us and updates to this privacy notice.
YOUR RIGHTS UNDER GDPR FOR INDIVIDUALS
In order to exercise your rights under data protection law, where there is any doubt, we will need to verify your identity for your security, in order to communicate with you about your personal information.
You can contact us by emailing email@example.com
How to get a copy of your personal information
You can request a copy of your personal information, as well as why we have that personal information, who has access to that personal information and where we got that personal information from at any time. Such requests must be made in writing to the above email. Once we have received your request we will respond within 30 days.
Letting us know if your personal information needs updating
You have the ‘right to rectification’ and to question any information we hold on you that you think is wrong, out of date or incomplete. If you do, we will take reasonable steps to check its accuracy and correct it. If you need to update your contact details and/or the details of others, for example, if you pay for other people, or on behalf of the company you represent, you can also do so by contacting the above email.
If you want us to stop using your personal information
You have the ‘right to object’ to the use of your personal information, or to ask us to delete, remove or stop using your information if there is no need for us to keep it. This is known as the ‘right to object’ and the ‘right to erasure’ (or ‘right to be forgotten’).
You also have the ‘right to restrict processing’. We may be able to restrict processing of your personal information so that it can only be used for certain things, such as legal claims or to exercise legal rights. In this situation, we would not use or share your information in other ways while it is restricted.
You can ask us to restrict the use of your personal information if:
- It is not accurate;
- It has been used unlawfully but you don’t want us to delete it;
- It is not relevant any more, but you want us to keep it for use in legal claims; or
- You have already asked us to stop using your personal information but you are waiting for us to access your request and confirm whether we are permitted to continue using the personal information under data protection law.
If you want to object to how we use your personal information, or ask us to restrict how we use it, please contact us using the details above. If you want us to erase your personal information, for example, if you feel that we should no longer be using your personal information, or that we are illegally using your data, you can request that we erase the personal information we hold on you. You can also do this by contacting us using the details above.
When we receive your request, we will confirm whether the personal information has been deleted or tell you the reason why it cannot be deleted. This may include requesting further proof of your identity. There may be legal reasons why we need to keep your personal information or part thereof.
Your right to portability (obtaining your information in a portable format):
You have the ‘right of access’ and to get copies of your personal information from us in a format that can be easily re-used (the ‘right to data portability’). You can also ask us to pass on your personal information to other organisations. To request this, please contact us using the details above.
Your right to complain:
If you are not satisfied with our response or believe that we are not processing your personal information in accordance with the law, you can complain to the Information Commissioner’s Office (ICO) by emailing firstname.lastname@example.org or telephoning 0303 123 1113. Additional contact methods are available on their website: https://ico.org.uk/global/contact-us
Your right not to be subject to automated decision-making including profiling
We will not use your personal information for automated decision-making or profiling purposes.
CHANGES TO THIS POLICY
IF YOU CONTACT US
When you contact us or your instructor, we/he/she will need to verify your identity for security reasons. Verifying identity is an important way of safeguarding against criminal activities including the prevention of illicit access to your information.
If we/they are unable to validate your identity, we may ask you to provide further evidence so that your information can be accessed.
FREEDOM OF INFORMATION
SG Pilates and its instructors are not governed by the Freedom of Information Act.
LINKS TO OTHER WEBSITES
Our website may contain links to other websites of interest. However, once you use these links please be aware that you have left our website and we do not have any control over other websites.
Below is a list of the ways that we may use your personal information, and which of the reasons we rely on to do so. This is also where we tell you what our legitimate interests are.
| What we use your personal information for | Our Reason(s) for processing | Our Legitimate Interest (where applicable) |