ADFITNESS DATA PROTECTION POLICY
- Policy prepared by: Chris Adams
- Policy became operational on: 23 May 18
Adfitness needs to gather and use certain information about individuals which can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures Adfitness:
- Complies with data protection law and follows good practice.
- Protects the rights of customers, suppliers and partners.
- Is open about how it stores and processes individuals’ data.
- Protects itself from the risks of a data breach.
Data protection law
The Data Protection Act describes how organisations – including Adfitness – must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The Data Protection Act is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully.
- Be obtained only for specific, lawful purposes.
- Be adequate, relevant and not excessive.
- Be accurate and kept up to date.
- Not be held for any longer than necessary.
- Be processed in accordance with the rights of data subjects.
- Be protected in appropriate ways.
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.
PEOPLE, RISKS & RESPONSIBILITIES
This policy applies to:
- All personnel of Adfitness
- All contractors, suppliers and other people working on behalf of Adfitness.
Personal Data means any information capable of identifying an individual.
This can include:
(I hold the following information to facilitate the delivery of "Personal Training" and "Neurokinetic Therapy". This information will be regarded as "Client Data".)
- Date Of Birth & Age
- Email Address
- Contact Number
- Medical History
- Injury History
- Personal Training Record
- Neurokinetic Therapy Movement Assessment
- Photographs & Video Footage relating to training & treatments
Adfitness does not retain financial information.
Information related to enquiries will be regarded as "Enquiry Data". Enquiries may only be discussed via "Email" or "Telephone". "Telephone" conversations are not recorded. Enquiry information will be held for 180 days and then deleted, including contact information.
Enquiries made via "Facebook" will be redirected to "Email". For conversations via "Facebook", "Facebook" is the "Data Controller" and Adfitness is the "Data Processor".
Client information collected via the Website Intake Form (www.adfitness.biz/intakeform) is held securely on iLateral Web Servers and accessed only by Adfitness.
In this case "iLateral" is a Data Controller and "Adfitness" is a Data Controller and Data Processor.
iLateral Web GDPR compliance information can be found here.
Name: Chris Adams, Data Protection Officer
Postal Address: 9 Winsbury Way, Bradley Stoke, Bristol, BS32 9BF
Email Address: email@example.com
Telephone Number: 07707242926
It is very important that the information we hold about you is accurate and kept up to date. Please let us know if at any time your personal information changes by emailing us at "firstname.lastname@example.org".
LEGAL RIGHT TO RETAIN RECORDS
The legal requirement to retain "Records" for a certain period relates to the legal period for bringing civil claims under either Personal Injury law or Contract law as defined by the Limitation Act 1980 and The Limitation (Northern Ireland) Order 1989. An individual has three years to bring a personal injury claim (with some exceptions) and six years if they wish to bring a claim under contract law. Therefore, "Records" must be retained at least until the limitation period has expired.
- Adults: 6 years after the date of the last entry, or 3 years after death if earlier.
- "Records" relating to children and young people (16 years on admission): retain until the patient's 25th birthday, or 26th if the young person was 17 at the conclusion of treatment, or 3 years after death.
Photographs and video footage may be requested to be deleted and shall not be deemed part of the "Record". Photographs and video footage may be deleted by Adfitness, the "Data Controller" and "Data Processor", if deemed no longer required.
This information is available by a "Right To Access" request (see "Right To Access").
Data Protection Risks
This policy helps to protect Adfitness from security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Everyone who works for Adfitness has some responsibility for ensuring data is collected, stored and handled appropriately. All personal data must be handled and processed in line with this policy and data protection principles.
- Data is held only for use by Chris Adams, the Data Controller and Data Processor.
- Data is kept secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data will not be disclosed to unauthorised people, either within the company or externally.
- Information may only be shared, where necessary, with other related Health or Medical Professionals, and only with the Client's explicit signed permission.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- Employees should request help from their management if they are unsure about any aspect of data protection.
The following rules describe how and where data should be safely stored.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked, fire-proofed drawer or filing cabinet.
- Adfitness should make sure paper and printouts are not left where unauthorised people could see them.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared.
- If data is stored on removable media, these should be kept locked away securely when not in use.
- Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing service. Backups are made via "Dropbox" and "iCloud". In this instance "Dropbox" and "iCloud" are the Data Controller and Adfitness is the "Data Processor".
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently and those backups should be tested regularly, in line with the company’s standard backup procedures.
- All servers and computers containing data should be protected by approved security software and a firewall.
Personal data is of no value to Adfitness unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, Adfitness should ensure the screens of their devices are always locked when unattended. Information processing devices should be locked away securely when not in use.
- Personal data should not be shared informally.
- Data must be encrypted before being transferred electronically.
- Personal data should never be transferred outside of the EEA.
The law requires Adfitness to take reasonable steps to ensure that data is kept accurate and up to date. It is very important that the information we hold about you is accurate and kept up to date. Please let us know if at any time your personal information changes by emailing us at "email@example.com".
- Data will be held in as few places as necessary.
- Data should be updated as inaccuracies are discovered.
RIGHT TO ACCESS REQUESTS
All individuals who are the subject of personal data held by Adfitness are entitled to:
- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations.
If an individual contacts the company requesting this information, this is called a Subject Access Request. These requests should be made in writing or by email to Adfitness (contact details are available on the company website). Adfitness will aim to provide the relevant data within 14 days.
Note: Adfitness must verify the identification of anyone making such a request before any information is made available.
RIGHT TO BE FORGOTTEN
Under data protection laws you have rights in relation to your personal data that include the right to request access, correction, erasure, restriction, transfer, to object to processing, to portability of data and (where the lawful ground of processing is consent) to withdraw consent.
You can see more about these rights at:
Requests can be made to firstname.lastname@example.org.
PLEASE NOTE. The legal requirement to retain "Records" for a certain period relates to the legal period for bringing civil claims under either Personal Injury law or Contract law as defined by the Limitation Act 1980 and The Limitation (Northern Ireland) Order 1989.
This supersedes the GDPR "Right To Be Forgotten" as information may be required for legal purposes.
The Right To Be Forgotten with regard to marketing can be exercised at any time, as can the right to have images, videos and non-statutory information deleted.
Disclosing Data for other Reasons
In certain circumstances the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, Adfitness will disclose requested data after gaining verification that the request is legitimate.
Adfitness aims to ensure that individuals are aware that their data is being processed and that they understand:
- How the data is being used.
- How to exercise their rights.