The purpose of this data privacy statement is to demonstrate the commitment of Brigid Aitken t/a Thornhall Chalet to upholding the data protection interests, rights and freedoms of my customers, employees and any other data subjects whose personal data we process.
The scope of this statement extends to our obligations under the Data Protection Act 2018, which includes the General Data Protection Regulation (GDPR). It covers all processing carried out by Thornhall Chalet for Brigid Aitken as a data controller. It also covers activities related to Pilates, Yoga and NIA classes run by Brigid Aitken. For the avoidance of doubt, it does not cover processing for which Thornhall Chalet is acting as a data processor to another data controller unless stated otherwise. One example of this would be our use of card payment systems, where the card payment service provider is the data controller and Thornhall Chalet is the data processor operating under the instructions of the card payment service provider.
For customers of Thornhall Chalet, this statement should be read in conjunction with our Terms & Conditions of business.
Data protection principles
When processing personal data, Thornhall Chalet and Brigid Aitken will uphold the rights and freedoms of data subjects by adhering to the following principles:
Personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
As a data subject of Thornhall Chalet, the GDPR gives you the following rights:
You also have the right to lodge a complaint about our processing of your personal data with the Information Commissioner’s Office (ICO) at www.ico.org.uk.
To exercise your rights as a data subject you should contact me at email@example.com. It will be necessary for me to ask you to identify yourself and the nature of your request before I can deal with your enquiry. All requests related to your rights as a data subject are known as Subject Access Requests (SARs) and I will only deal with them in writing by post or by email. I will not be able to engage in this by telephone.
Article 4 of the GDPR defines “personal data” as,
“Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Thornhall Chalet processes personal data about individuals in the following categories:
Pilates, Yoga and NIA activities process personal data about individuals in the following categories:
The personal data processed in each case is specified by a Privacy Notice at the point of data capture in the case of data supplied directly by the data subject (Article 13) or within 28 days of the use of the personal data if supplied indirectly, not by the data subject but by a third party (Article 14).
Items of personal data processed are (per category):
Thornhall Chalet uses third party service partners (“data processors” or “joint data controllers”) to assist in the processing of personal data. As the data controller, Thornhall Chalet discloses certain items of personal data to these data processors. Each of these third parties is bound by contract to process personal data only in the way specified by the data controller and to support the data controller in upholding the rights and freedoms of you as a data subject.
These data processors are located within the EEA and operate in accordance with the GDPR.
Thornhall Chalet retains personal data only for as long as the purpose of processing demands (limitation principle). It is then deleted or destroyed in accordance with the Data Retention & Disposal Policy. Thornhall Chalet retains all customer and transaction detail for accounting purposes for a period of 6 years following the conclusion of the financial year in which the transaction occurred. All data is then securely destroyed using shredding for paper records and secure deletion for electronic records.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited by GDPR.
This prohibition is lifted only if one of the following applies:
Thornhall Chalet does not process any special categories of sensitive data.
Pilates, Yoga and NIA classes have an insurance requirement for a basic medical questionnaire to be completed before the classes can start. You will be asked before collection to provide explicit consent for this special category personal data to be collected and stored safely. The data items requested will be made clear to you before collection.
Processing unseen by the data subject, including tracking
To raise a report of a data breach involving processing related to Thornhall Chalet please contact me at firstname.lastname@example.org.
Brigid Aitken, t/a Thornhall Chalet
Dyke by Forres
Changes to this statement will be made and published on the website at www.thornhall.co.uk.
Effective from date: 14/4/2019