Crossfit Llanelli is strongly committed to the security and protection of members’ personal information and we do our utmost at all times to ensure privacy. We take the security and privacy of our customers very seriously. We strive to conform to the UK and European Data Protection laws. We do not share any information with third parties, nor do we collect or retain any information other than that necessary for us to provide our services to you.
We will uphold the 6 principles for data processing: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Storage limitation; Integrity & confidentiality (security), and Accountability. This policy aims to cover these principles.
There are two important roles regarding data use. These are:
Data Controllers – a person who (either alone, jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is to be processed.
Data Processors – in relation to personal data, means any person (other than an employee of a data controller) who processes the data on behalf of the data controller. (“Processing”, in relation to information/data, means obtaining, recording or holding the information/data or carrying out any operation or set of operations on it, including: organisation, adaptation or alteration of the information/data; retrieval, consultation or use of the information/data; disclosure of the information/data by transmission, dissemination or otherwise making available; or alignment, combination, blocking, erasure or destruction of the information/data.)
Under these definitions, Crossfit Llanelli is a data controller, and GoTeamUp and Go Cardless are both data controllers and processors. GoTeamUp and Go Cardless have their own procedures for their responsibilities.
What data do we collect?
If you email us or sign up for a service, or you contact us via our form, Crossfit Llanelli may obtain the following information: Name, Email Address, Address, and Phone Number.
How do we obtain your data?
You directly supply Crossfit Llanelli with any data we collect. This is collected and processed when you register online and place an order for any of our products and services, voluntarily complete a customer survey or provide feedback on any of our products/services, or use/view our website via your internet browser’s cookies.
Crossfit Llanelli may also receive your data indirectly from Go Cardless when a service is purchased. This includes Name, Email address, Address and service purchased.
How do we use this data?
We use members’ personal information only as necessary for us to provide our services to you. We do not share any information with unrelated third parties nor do we collect or retain any information other than is required for the provision of our products or services. Information collected during the online registration process is stored securely. Information collected will be securely destroyed if it is no longer required by Crossfit Llanelli. Members may request details of personal information, which we hold under the Data Protection Act 1998 and General Data Protection Regulation 2016 (GDPR). A small fee may be payable, but is not usually charged. Copies of this information can be obtained by writing to us at email@example.com. If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect. We request all members check their details for accuracy annually and make any necessary changes. This includes re-completion of our waiver if any information has been changed on GoTeamUp. We will email reminders for this. Please note in order to receive emails from us, you need to ‘opt in’ and complete an email verification to confirm your consent in order for us to comply with legal requirements. We require this to allow us to communicate with members effectively.
The data we collect is necessary to process your order, manage your account and email you as part of our update service. When your order is processed by our payment provider, Go Cardless, it may send your data to (and also use the resulting information from) credit reference agencies in order to prevent fraudulent purchases.
We will not share your data outside of our organisation otherwise.
How do we store your data?
Crossfit Llanelli securely stores your data electronically.
Your data will be kept for a period of 1 year. Once this time period has expired, we will contact you to ask if you wish to remain on our database. If you ask to be removed, we will delete your data manually unless you have an ongoing service with us, in which case we will email you to ask you to review and update your details as outlined above. Data will be amended each year at the end of the Financial Year, or when document reviews are scheduled.
Alternatively you may email us at any time at firstname.lastname@example.org and ask us to delete your data.
Security of information
Personal information collected by Crossfit Llanelli and our website crossfit-llanelli.co.uk is stored in secure operating environments that are not available to the public. Security measures include strong, multiple password protected systems and 2-step authentication processes.
We will protect your personal information no matter where we process or store your data.
We perform compliance checks with iZettle annually to ensure we are PCI DSS compliant for our use of GoTeamUp POS and iZettle for card payments. As part of this we annually ensure staff, where relevant, complete the iZettle training modules for Managers in the PCI Manager portal, and have tailored their template Security Policy for our business. In line with the requirements of this review:
New network devices (that access POS) are configured by changing all default passwords, installing anti-virus software (usually McAfee) and activating the firewall. McAfee tests daily for anomalies.
Wi-Fi password changed from default
Only necessary software installed
Security patches checked weekly automatically
Any suspicious behaviour on system monitored and reported as necessary
PAN Finder being trialled for added security
Crossfit Llanelli would like to send you information about products and services of ours that we think you might like. If you have agreed to receive marketing, you may always opt out at a later date. You have a right at any time to stop us from contacting you for marketing purposes. Please email us at email@example.com to action this.
What are your data protection rights?
Crossfit Llanelli want to make sure you are fully aware of your data protection rights. As such, every user is entitled to the following:
The right to access – You have the right to request copies of your personal information from Crossfit Llanelli. We may charge you a small fee for this service.
The right to rectification – You have the right to request correction of any information you believe to be inaccurate, and completion of any information you believe to be incomplete.
The right to be informed – we cover this by the information included in this policy.
The right to erasure – You have the right to request that we erase your personal information under certain conditions.
The right to restrict processing – You have the right to request the restriction of processing of your personal data, under certain conditions.
The right to object to processing – You have the right to object to the processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that Crossfit Llanelli transfers the data that we have collected to another organization, or directly to you, under certain conditions.
Rights relating to automated decision making including profiling – You have the right to challenge and request a review of the processing provisions if you believe the rules are not being followed.
If you make a request, we have one month to respond. To exercise any of these rights please email us at firstname.lastname@example.org or write to us at: Unit 8.4 Trostre Industrial Estate, South Ave, Llanelli, SA14 9UU. Any requests for personal information go straight to the Data Protection Officer for action under ERM028b Subject Access Request Procedure.
Data Protection Officer for Crossfit Llanelli:
Privacy policies of other websites:
Please note that Crossfit Llanelli does provide links to other sites via our website, Facebook and Instagram accounts. Once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information that you provide whilst visiting such sites, which are not governed by this statement. You should exercise caution and look at the privacy statement applicable to the website in question. We also have no responsibility for the content of the linked website(s).
Where we engage third party contractors (e.g. coaches, presenters) to perform services for us, those third party contractors may be required to handle your personal information. Under these circumstances, those third party contractors must safeguard this information and must only use it for the purposes for which it was supplied, although we are not responsible for ensuring this. Other than the above, we will not disclose your personal information without your consent unless disclosure is either necessary to prevent a threat to life or health, authorised or required by law, reasonably necessary to enforce the law or necessary to investigate a suspected unlawful activity.
GoTeamUp / Go Cardless
Crossfit Llanelli makes use of third-party software to manage client payments, bookings and membership, provided by GoTeamUp. GoTeamUp has their own privacy and data security policy with regard to client information. You can access this information on their website.
CCTV is in operation at Crossfit Llanelli. Signs are displayed to make all visitors and members aware of this in the reception area. There are currently 2 cameras in operation, one monitoring the ‘Cwtch’ upstairs coffee area and the other monitoring the gym floor.
The Data Protection Officer has shared this policy with all staff members, so everyone is aware of our requirements under the Data Protection Act, General Data Protection Regulation and other relevant legislation. All staff have been made aware of how to handle personal data (in this case not to share with anyone at any time unless required to by law), and that it is a criminal offence to do so.
There are various contacts available on Crossfit Llanelli’s website, any of which can be used as an access point to information and complaints in relation to our CCTV.
We have utilised Appendix 2 from the CCTV Code of Practice (published June 2013, last updated Oct 2014) to ensure our compliance with CCTV requirements. This can be found at the end of this policy, entitled “CCTV checklist”.
Changes to our Policy:
From time to time, it may be necessary for us to review and revise this Policy. We reserve the right to change our Policy at any time and should this occur, the amendment will be posted on our website and will be effective immediately. This policy was last reviewed 23/07/2020.
Our business Terms and Conditions are also available on our website which outline how we use personal information. This is freely available information so anyone visiting our website can access it.
Should you wish to report a complaint, or you feel that we have not addressed your concern in an appropriate manner, you may contact the Information Commissioner’s Office.
Notification has been submitted to the Information Commissioner and the next renewal date recorded: Registration ZA620996, made 15/12/2019. Renewal date 14/12/2020.
Named individual responsible for the operation of the system: Emma Lewis
The problem we are trying to address has been clearly defined and installing cameras identified as the best solution. This decision is reviewed on a regular basis:
The CCTV is for capturing thefts and any incidents, and to back up staff if needed when working alone with a client. Reviewed annually for effectiveness.
A system has been chosen which produces clear images, which law enforcement bodies (i.e. the police) can use to identify crime. These can easily be taken from the system when required.
Cameras have been sited so that they provide clear images and cover the biggest areas possible. They have been positioned to avoid capturing the images of people not visiting the premises.
As mentioned in the policy text, there are visible signs showing that CCTV is in operation.
Images are securely stored on the CCTV server and only authorised staff have access to them. They will not be shared with any third party with the exception of law enforcement bodies.
The recorded images are wiped monthly. This is automatically actioned by the system. From past events this has been shown to be just enough for incidents to come to light (e.g. thefts). Any shorter and these incidents risk being missed.
The potential impact on individuals’ privacy has been identified when taking into account the use of the system. Cameras are sited to film only that which would be in plain sight, and the monitor location has also been chosen bearing this in mind.
Crossfit Llanelli knows how to respond to individuals making requests for copies of their own images, and to seek advice from the Information Commissioner as soon as such a request is made. Firstly, an offer for them to come and view the footage would be made, then a copy supplied if still requested. A third party company (by means of a secrecy contract) would be used to blur out the faces of others if deemed necessary. Staff have been made aware it is a criminal offence to misuse CCTV footage.
Regular checks are carried out to ensure the system is working properly and produces high quality images. Spiderwebs are cleaned off the external camera monthly, or more frequently if required and a signed record of this is kept. Viewing monitor is switched on at the start of each day to ensure the cameras are online and working properly. The date and time stamp is checked at least twice a year (accounting for daylight savings’ time) and the system is reviewed annually for effectiveness. Monitor is kept in a secure location away from public view.
In the future we plan to explore the Surveillance Camera Commissioner’s Third Party Certification Scheme to evidence good practice.