Data Privacy Policy

This policy applies to DCS HEALTH and FITNESS & THE HEALTHY GRUB CLUB

1. WHY is a Data Privacy Policy needed?

Because it’s the law – in the UK, the law requires organisations which handle personal data to do so in accordance with data protection principles and to let individuals know what personal information they collect, how it is used, who it is shared with, the steps taken to secure and protect the personal data, what their rights are under data protection law and what to do if they have questions or concerns.

2. WHO is “I”?

Darren Steward, trading as DCS Health and Fitness and the Healthy Grub Club, is the data controller (referred to as “I”, “Me” or “My” in this Policy). This means I decide how your personal data is processed and for what purposes.


3. WHAT is personal data?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the GDPR). Some personal data falls into the category of Sensitive Personal Data and has more stringent rules governing its use; medical information is categorised as sensitive personal data and, as such, I hold a small amount of sensitive personal data. The GDPR covers not only My clients but My business contacts. GDPR does not differentiate between private individuals and businesses – if the data held enables an individual to be identified, then GDPR applies.

4. HOW do I process your personal data?

I comply with My obligations under GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. I do not use any form of automated decision making when processing personal data.


5. WHY do I process your personal data?

I may use your personal data for any of the following purposes (or as otherwise notified to you from time to time):

  • to deal with your request or enquiry via any of my platforms (email, social media, website, telephone, in person, etc.);
  • to process, administer and take deposits/payment for your appointment(s) and/or product purchase(s);
  • to send you appointment reminder texts/emails before your appointment;
  • to contact you in the rare circumstances of a change to your appointment;
  • to keep records of the treatments you have had, any allergies or medical conditions you may have which may impact on treatments;
  • to inform you of news, events and activities which I believe may be of interest to you;
  • to improve My services and products, including by customer survey, and to ensure that content from the website and social media is presented in the most effective manner for you and for your computer (or other devices);
  • for internal record keeping, business administration, business development and research (including anonymised personal information for future statistical analysis) and for the administration of My websites and social media;
  • to comply with legal, regulatory and other good governance obligations (including in connection with a court order, government investigation or when otherwise required by law).

This list is not intended to be exhaustive and may be updated from time to time as business needs and legal requirements dictate.

5. WHAT is the legal basis for processing your personal data?

I process medical information, and keep you informed about news, events and activities, with your consent. I process all other personal data because I have a contractual obligation to or because I am required to do so by law or because it is in My legitimate interests.

6. SHARING your personal data

Your personal data will be treated as strictly confidential. I will not individually share your personal data with any third parties without your consent EXCEPT:

  • With the companies/individuals who provide administrative support to My business;
  • With the emergency services in case of an emergency;
  • With My insurers and advisers (and any of My suppliers if relevant) in the event of a claim against Me;
  • With any other organisation or entity, if I am required by law to do so.

However, I use a number of third-party organisations and applications in order to manage My business, i.e. Mailchimp for most of My bulk e-mails and Box.com for cloud storage of My appointment book, client records, accounting records, etc. Technically, this means I am sharing some of your personal data with them. You can find details of their privacy policies at:

Mailchimp – mailchimp.com/legal/privacy/
Box – box.com/en-gb/legal/privacypolicy

Again, technically, this may mean that your personal data is being transferred outside of the European Economic Area (“EEA”) as, for example, the servers used by Mailchimp and Box are physically located in the USA; both Box and Mailchimp participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework.

If you choose to interact with Me via social media or participate in Zoom meetings, your personal data will be processed in accordance with their privacy policies. You may find details at:

Facebook – facebook.com/about/privacy/
Twitter – twitter.com/en/privacy
Instagram – help.instagram.com/519522125107875?helpref=page_content
Zoom – zoom.us/privacy

You should be aware that when you participate in a Zoom workout, other participants will see your Zoom ID and also see you if you choose to switch your video feed on.

7. HOW long do I keep your personal data?

This will depend on the reason the personal data is being held.

Personal data relating to treatments you have had and/or products you bought will be retained for a minimum of 7 years or such longer period as the information may be necessary to defend a claim of latent damage under My insurance policies (currently a maximum of 15 years).

Any personal data contained in My accounting records will be retained for not more than 7 years.

Personal data used to record attendance at meetings, events and activities organised by Me will be held for not more than 2 years except where I am required to hold it for longer by My insurers.

Depending on the content, a photograph may be considered personal data. I take photos at My events and activities and may use them on My websites, in social media and in newsletters – those images will be retained indefinitely.

‘Year’ refers to My accounting year which runs from 6 April to 5 April.

8. YOUR rights.

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request a copy of your personal data which I hold about you;
  • The right to request that I correct any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for Me to retain such data;
  • The right to withdraw your consent to the processing at any time;
  • The right to request that I provide you with your personal data and, where possible, to transmit that data directly to another data controller (known as the right to data portability), where applicable;
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data (where applicable);
  • The right to lodge a complaint with the Information Commissioner’s Office.

9. FURTHER processing.

If I wish to use your personal data for a new purpose, not covered by this Data Privacy Policy, then I will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, I will seek your prior consent to the new processing.

10. HOW to make a complaint

To exercise all relevant rights, or for queries or complaints, please in the first instance contact Me at gdpr@dcshealthandfitness.co.uk. If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioner’s Office.

11. UPDATES to My Data Privacy Policy.

This Data Privacy Policy was last updated on 30 March 2020. Any changes I make to My Data Privacy Policy will be shown on My website (dcshealthandfitness.co.uk) and, where appropriate, notified to you by email.