Data Protection GDPR Policy group exercise
As a self-employed group exercise instructor, I am fully committed to complying with the General Data Protection
Regulation (GDPR). The GDPR applies to all organisations and sole traders that process data relating to their employees,
as well as to others including customers, contractors and clients. It sets out principles which should be followed by
those who process data; it gives new and extended rights to those whose data is being processed.
To this end, I endorse fully and adhere to the six principles of data protection, as set out in Article 5 of the GDPR.
1. Data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6. Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
These principles must be followed at all times when processing or using personal information. Therefore,
through appropriate management and application of processes and controls I will:
- observe the conditions regarding the collection and use of information including the giving of consent
- meet the legal obligations to specify the purposes for which information is used
- collect and process appropriate information only to the extent that it is needed to fulfil my operational need
- ensure the quality of information
- ensure that the information is held for no longer than is necessary
- ensure that the rights of people about whom information is held can be fully exercised under the GDPR (i.e. the right to be informed that processing is being undertaken, to access one’s personal information; to prevent processing in certain circumstances, and to correct, rectify, block or erase information that is regarded as incorrect)
- take appropriate security measures to safeguard personal information
- publicise and abide by individuals' right to appeal or complain to the supervisory authority (the Information Commissioner's Office (ICO)) in the event that agreement cannot be reached in a dispute regarding data protection
- ensure that personal information is not shared or transferred abroad without prior written consent
I will ensure:
- data is kept securely
- information is not disclosed either orally or in writing or via Web pages or by any other means, accidentally or otherwise, to any unauthorised third party.
GDPR sets a high standard for consent and requires a positive opt-in. Neither pre-ticked boxes nor any other method of
default consent is allowed. As required by the GDPR, I take a "granular" approach, i.e. I ask for separate consent
for separate items and will not use vague or blanket requests for consent. As well as keeping evidence of any consent,
I ensure that people can easily withdraw consent (and tell them how this can be done).
Note that the GDPR provides for special protection for children’s personal
data and I comply with the requirement to obtain parental or guardian consent for any data processing activity involving
anyone under the age of 13.
This policy sets out my commitment to protecting personal data and how that
commitment is implemented in respect of the collection and use of personal data.
GDPR Data Processing
Lawful basis for collecting, storing and processing data
Special Category Data
Lawful basis detail
Action taken to inform data subjects

Participant (13 and over)
The individual has consented to receiving updates about a class/es and for their personal data to be stored so that as a teacher I can stay informed about any health or wider needs that participants have that I need to consider whilst delivering the class/es.
are provided with a ‘Participants privacy notice’
Contact ceased 6 months after individual has stopped attending the class/es. All personal data not linked to financial records deleted/destroyed at this point.

Participant (12 and under)
The individual’s parent or guardian has consented to receiving updates about a class/es and for their child’s personal data to be stored so that as a teacher I can stay informed about any health or wider needs that participants have that I need to consider whilst delivering the class/es.
Parent/guardian provided with a ‘Participants privacy notice’
Contact ceased 6 months after individual has stopped attending the class/es. All personal data not linked to financial records deleted/destroyed at this point.