Version 1 (May 2018)
Please read this policy carefully, as it contains important information about what information we collect, how and why we do so, how we process and protect this data after collection, your rights in relation to your personal data and how to contact us and / or the appropriate external authorities in the event that you wish to report a concern about the way in which we process your data.
At Storm Fitness Academy we are committed to providing quality fitness education and training and we want to have your trust and confidence in the way that we deal with your information.
To comply with UK laws, we have to manage your personal information fairly, lawfully and transparently. This means you will know how we intend to use your information before we use it so you can decide whether you want to give us your information or not.
All our employees are responsible for maintaining customer confidentiality. We provide training and education to all our employees and we regularly review our policies and procedures. Our aim is that you have confidence in Storm Fitness Academy and feel comfortable about giving us your information. We believe that looking after your information is a key part of our relationship.
What data do we collect?
Through our day-to-day business interactions with customers we may, where applicable, collect and process the following personal and / or sensitive data:
- Your name
- Your data of birth
- Your gender
- Your specific learning requirements
- Your contact details (phone numbers, postal address(es) and email address(es))
- Your job title
- Your personal or company credit card / billing information
- Information about how you have engaged with our website (e.g. which web pages you visited, your IP address and the device you used)
How do we collect this data?
It is important for individuals undertaking Storm Fitness Academy qualifications and / or accessing other Storm Fitness Academy services to know that certain elements of their personal data (e.g. name and date of birth) will typically need to be shared with us to deliver the relevant service. Similarly, members of staff at organisations that receive products and / or services from us may have their name and contact details shared with us by their employer.
Wherever personal information is shared with us by anyone other than the person whose information we are collecting (the “data subject”), it is the responsibility of the third party to ensure that the data subject is fully aware that their information will be shared with us and has provided their consent for this to happen prior to their information being shared. An example would be an employer ensuring that a member of staff has consented to their personal information being shared with us during their enrolment process.
If you make an enquiry with regard to one of our products or services we will use your personal information to respond. This is to make sure we provide the best possible service to you. If you change your mind at any time and would prefer for us to us no longer contact you then just let us know and we will delete your contact information as requested.
When you enrol onto a course or workshop with Storm Fitness Academy, you’ll be asked to provide an up to date photograph of yourself and a copy of your driving license or passport. This is used for identification purposes so that we can identify you when attend your course, and assist us in preventing identity fraud.
Disabilities, learning difficulties, injuries and illnesses
During enrolment you will also be asked if you have any disabilities, learning difficulties, injuries or illnesses. This information is initially used by us to ensure that we provide the correct support that you need during your training. We may also share this information with the awarding body to ensure that the support we offer meets their regulatory requirements.
Registration with the awarding body
Upon enrolment we will also ask for your full name, address, date of birth and ethnicity. This information will be passed to the awarding body and used to process your certificate and for equal opportunities monitoring purposes.
Marketing and promotion
We’ll offer you an opportunity to receive direct marketing and promotional information. We value our relationship, so we do our best to send you only information we think may be of interest to you personally. We’ll do this by post, email, phone or SMS. We’ll only send you information in this way if you have consented to receive it. Don’t worry you can withdraw your consent at any time.
Why do we collect this data and how do we use it?
We collect data in order to fulfil a variety of obligations, and we ensure that those sharing data with us are aware of what information is mandatory and what is optional in order for us to fulfil those different obligations.
Under the terms of the GDPR, we collect and process this data on one or more of the following bases:
- Consent: for example, when you provide us with your email address and formally opt-in to receive marketing communications from us
- Contractual obligations: for example, in order to deliver contracted products and services to our customers, we may use an individual’s personal information to contact them directly
- Legitimate interests: for example, in order to assist with complaints or appeals or to optimise your website experience
- Legal obligations: for example, to assist us and / or law enforcement agencies with fraud investigations
Who do we share your data with?
We take all reasonable steps to ensure that personal data is suitably protected and can only be accessed and processed by those with a legitimate reason to do so. Aside from the applicable Storm Fitness Academy Team, personal data may be shared with the following third parties:
- Our gym partners if you have requested us to do so
- Our service providers (for example, companies that supply and / or host our IT services, our print service supplier and credit reference agencies)
- Our Awarding Organisations
- Consultants and / or professional experts whose remit specifically requires access to personal data
- Law enforcement agencies, in the event that we are required to assist with legal proceedings
How do we protect your data?
We use a combination of organisational and technical methods to protect your data from unauthorised access and / or accidental loss. For example locked filing cabinets, password protected laptops, tablets, and software. Where we use third parties to process personal information, we also require them to adhere to the same levels of security and protection.
Any personal information that you voluntarily post via public platforms (for example, within a Storm Fitness Academy Facebook Group, or Forum) may become accessible to others. We cannot be held responsible for any personal information you have shared in this way, so you are advised to exercise caution when deciding when and where to share your information.
How long do we keep your data for?
We retain data for as long as is required to fulfil our ongoing regulatory, quality assurance and / or legal obligations. For example, assessment data will be retained beyond the end of a contract between us in case it should be required during regulatory audits, complaint handling, appeals and / or legal proceedings.
Please refer to the next section of this Policy and the ‘How to contact us’ section if you feel that we are retaining your data for longer than necessary and wish to exercise your “Right to erasure”.
Where you have opted into marketing communications, please note that you can update your preferences or unsubscribe at any time.
What rights do you have?
The GDPR outlines various rights that a data subject has with regard to their personal data. Please see a summary below:
- The “Right to be informed”: individuals must be made aware of how and why their personal data is collected. In providing the Policy, Storm Fitness Academy meets this requirement
- The “Right of access”: individuals can request access to copies of their personal data in order to verify that it is being processed in a lawful and correct way
- The “Right to rectification”: individuals can request that inaccurate personal data is corrected (or completed if it is incomplete)
- The “Right to erasure”: under certain circumstances, an individual can request that their personal data is deleted (e.g. if they wish to unsubscribe from receiving marketing communications and also have their contact details completely deleted from our systems. This would be possible provided there was no legitimate ongoing reason for us to retain their details)
- The “Right to restrict process”: under certain circumstances an individual can request the suppression of their personal data (e.g. allowing us to continue holding their data, but pausing all processing of that data whilst they seek to verify that it is accurate and / or being processed lawfully)
- The “Right to portability”: under certain circumstances, an individual can request that their personal data is electronically transferred from us to another data controller
- The “Right to object”: under certain circumstances, an individual can object to the way in which their data is being processed (for example, if they believe that we do not have legitimate grounds for collecting and processing certain information about them). If the objection is upheld, we are required to stop processing that information
How to contact us
If you have any queries or concerns about this Policy or wish to exercise your rights, please email us at firstname.lastname@example.org.
How to lodge a complaint
If you believe that your data protection rights may have been breached, you can lodge a formal complaint by contacting us as described above. If you are unhappy with our response, please visit https://ico.org.uk/concerns to access more information about how to escalate your complaint to the Information Commissioner (if you are in the UK) or to your local data protection supervisory authority.
Changes to this Policy
We may update this Policy from time to time, and when doing so we will include a new version number and date so that you can be sure when that version was introduced. Where we believe changes to the Policy are materially significant, we will notify customers of the changes by email.