Cardiff City House of Sport and its subsidiaries (“We” and “Us”) respect your privacy and are committed to managing and safeguarding the information you provide to us.
If we are providing services to you direct, then we are the “data controller”. This means that we are responsible for deciding how we hold and use personal information.
THE INFORMATION WE HOLD ABOUT CUSTOMERS
We only hold enough information about our Customers to enable us to carry out services for them. This includes name, address and contact details of our Customers together with information about the property or the work required, together with any additional information that we need to know about which can include pastoral, behavioural or special needs of Customers to ensure that their needs are met and to support the safeguarding of our Customers and our employees and contractors.
If you are participating in one of our community activities then we will only collect enough information to enable you to participate, for example to make sure that it is safe for you to participate, or if we are providing you with life skills we may need to know further information about you so that you can make the most of the experience.
HOW IS INFORMATION COLLECTED?
Information is collected from the following sources:
- when you speak to one of our employees to book the use of our facilities;
- when we speak to you to arrange an appointment or to progress the services that we are providing to you;
- when you submit information to us via our website or by e-mailing us;
- by completing a personal details form because you are interested in receiving a service from us or because you want to participate in one of our activities.
HOW WE WILL USE INFORMATION ABOUT OUR CUSTOMERS
We may use the information that we have about you to:
- provide and plan the services that you have asked us to provide;
- make sure that we are allocating appropriate resources to you to meet your particular requirements – for example if we think that you (or anyone in your group) might need extra care (because of age, health, disability), we may record this;
- help provide and improve our services and products;
- to handle any complaints that you may have about our service;
- help prevent and detect debt, fraud and loss;
- train our staff;
- get in touch with you about the services that we have been asked to provide. That could be by email, phone, text, multimedia message or another form of electronic communication – for example we may send you notification of an appointment by text or phone to confirm an appointment;
- ask for your feedback about the services that we have provided to you;
- to report any safeguarding issues to the relevant authorities.
If you give us information on behalf of someone else, such as someone in your team or league, you are confirming that you have given them the information in this policy, and that they have agreed to you giving us the information.
We may monitor and record any communications we have with you, like phone conversations and emails. This is just to make sure we are providing you and the property owner with a good service and that we are meeting our regulatory and legal responsibilities.
USING PHOTOGRAPHIC AND DIGITAL IMAGES, FILM OR VIDEO FOOTAGE AND DIRECT QUOTES (‘IMAGES’)
In circumstances where we may capture and hold images about you, such images will be held for one of the following purposes:
- To support case studies and/or reports about what we are doing in the community; published externally.
- To support case studies and/or reports about what we are doing in the community; published internally only.
If the data has been collected for purpose (a) it may be used in printed and electronic form and may appear in different publications (including websites, twitter, television and exhibition panels) within the UK.
If the data has been collected for purpose (b) it may be used in printed and electronic form and may appear in internal publications only.
If the data has been collected for either purpose (a) or (b) it will be stored on a secure server in accordance with our Document and Data Retention Policy. All data published internally or externally will be anonymised.
We will take all reasonable measures to ensure the data is used solely for the purposes for which they are intended. If you become aware the data is being used inappropriately, you should inform us immediately.
It may be necessary for us to provide information about you to our Associated Companies, or to regulatory authorities if we are required to do so by law. We will do this:
- to provide you with the services that you have asked us, which might include giving information to members of your family;
- in connection with an agreement with you;
- to help find and prevent debt, fraud or loss;
- for legal or regulatory purposes;
- for any associated legal action;
- as part of government data-sharing initiatives.
We may also pass your information on to organisations that regulate us or who inspect installations for example the Health and Safety Executive.
We shall not share your personal information to third parties for marketing purposes unless you have given your written consent for us to do so.
“Associated Companies” refers to those companies belonging to the same family of companies as us and who benefit from a close relationship, shared systems and shared ownership.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will retain your personal information only for as long as is directed by the relevant Data Controller which is typically the end of our contract. Where we are the Data Controller we shall retain your personal information for as long as required in connection with the services that have been provided to you, and this will usually be as long as any guarantee that has been provided to you.
RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION
If we are acting as a Data Processor you may need to make a request to exercise your Data Subject Rights directly to the Data Controller. However, under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
You also have the right to object where we are processing your personal information for direct marketing purposes;
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing, whose details are provided below.
RIGHT TO WITHDRAW CONSENT
If you have provided consent to us processing your personal information you have the right to withdraw your consent for processing for that purpose at any time.
If you talk to us over the Internet (for example by email or webmail) remember that this form of communication is not always secure. These kinds of messages may go through a number of countries before they are delivered. That is just the nature of the Internet, so we cannot accept responsibility for any unauthorised access or loss of personal information if it is beyond our control. We may use ‘cookies’ to monitor how people use our site. A cookie is a piece of information stored on your computer’s hard drive that records how you have used a website. Our cookies policy tells you more about cookies and how we use them.
DATA PROTECTION OFFICER
If you have any questions about this Customer and Community Privacy Notice or how we handle your personal information, please contact the Data Protection Officer whose details are as follows:
Data Protection Officer
Cardiff City House of Sport
Clos Parc Morgannwg
or email: firstname.lastname@example.org
This policy was last updated on 15 May 2018.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We would, however appreciate the chance to deal with your concerns before you approach the ICO so please consider contacting us in first instance.