GDPR Data Protection
W3 Club Limited (“we”, “our”, “us”, “the company”) collects, receives and uses the Personal Data of customers, employees, workers and other third parties in the course of our business. We are committed to being transparent about how we collect and use Personal Data, and to meeting our data protection obligations.
Regardless of whose data we collect or where it is stored, we recognise the importance of managing Personal Data in a responsible and sensitive manner, with appropriate safeguards, and in accordance with the laws relating to data protection and privacy.
We all have a responsibility for data protection, as set out under the General Data Protection Regulation (GDPR). This policy outlines our commitment to data protection and your obligations in relation to Personal Data. It outlines what we expect from you in order that we comply with the law and do the right thing in relation to data protection.
We have appointed Charlotte Oza as our Data Protection Officer (DPO). The DPO’s role is to inform and advise us on our data protection obligations. If you are unable to find answers to any questions you have relating to this Data Protection Policy from the guidance on Connect or from your line manager, or if you have any concerns that this Data Protection Policy is not being or has not been followed, please contact the DPO.
Data Controller: the person or Company that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. W3 Club Limited is the Data Controller of all Personal Data relating to customers, employees, workers and others used in our business.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data.
Data Protection Officer (DPO): a person required to be appointed in specific circumstances under the GDPR. They have responsibility for overseeing data protection compliance in an organisation.
General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the GDPR.
ICO: the Information Commissioner’s Office, the UK’s supervisory authority in relation to Personal Data.
Personal Data: any information that relates to a person who can be identified from that information. Personal Data includes Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any actions in relation to the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms, so that the person to whom the data relates cannot be identified without the use of additional information, which is meant to be kept separately and securely.
What are the key principles we have to follow?
We will process Personal Data in accordance with the following data protection principles:
- we process Personal Data lawfully, fairly and in a transparent manner
- we collect Personal Data only for specified, explicit and legitimate purposes
- we process Personal Data only where it is adequate, relevant and limited to what is necessary for the purposes of processing
- we keep accurate Personal Data and take all reasonable steps to ensure that inaccurate Personal Data is rectified or deleted without delay
- we keep Personal Data only for as long as is necessary for the purpose for which we process it
- we adopt appropriate measures to make sure that Personal Data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
How do we use Personal Data?
We will only collect and use Personal Data fairly and lawfully and for specified permitted purposes.
The key permitted purposes most relevant to our business are:
- where the Processing is necessary for the performance of a contract with the Data Subject
- pursuing our legitimate business interests, except where those interests are overridden because the Processing prejudices the interests or fundamental rights and freedoms of the Data Subject
- meeting our legal compliance obligations
We cannot use Personal Data for new, different or incompatible purposes from those disclosed when the Personal Data was obtained unless we have informed the Data Subject of the new purpose and, where necessary, they have consented to that new purpose.
You may only Process Personal Data when necessary to perform your job duties. You cannot Process Personal Data for any reason unrelated to your job duties.
What rights do customers have in relation to their Personal Data?
Our customers and others whose Personal Data we collect and use have a number of rights when it comes to how we handle their Personal Data.
These include rights to:
- receive certain information about our processing activities
- request access to their Personal Data that we hold
- prevent our use of their Personal Data for direct marketing purposes
- ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data
- restrict processing in specific circumstances
- challenge processing which has been justified on the basis of our legitimate interests
- prevent processing that is likely to cause damage or distress to the Data Subject or anyone else
- be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms
- make a complaint to the Information Commissioner’s Office (the ICO), the UK supervisory authority in relation to Personal Data
- in limited circumstances, receive or ask for their Personal Data to be transferred to a third party.
It is important that we verify the identity of an individual requesting data under any of the rights listed above. Do not allow third parties to persuade you to disclose Personal Data to them without being sure that they are the person to whom the Personal Data relates or, if they are making the request on behalf of someone else, without checking that the person to whom the Personal Data relates has consented to the disclosure.
If you receive any Data Subject request from a customer, please forward it immediately to the club’s Member Services Manager.
What are your rights in relation to Personal Data?
As an employee, worker or contractor, you have various rights in relation to the Personal Data that we collect, receive and use about you.
You can find out more about your rights in relation to your Personal Data, and about how we collect and use that Personal Data, in the Data Privacy Notice for Employees, Workers and Contractors which is available on our intranet site.
How do we look after data?
Personal Data must be protected using appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage. As a business, we maintain safeguards to protect Personal Data appropriate to our size and scope of business and the level of risk to the data.
We are all responsible for protecting the Personal Data we hold and use. You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction.
You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
- confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it
- integrity means that Personal Data is accurate and suitable for the purpose for which it is processed
- availability means that authorised users are able to access the Personal Data when they need it for authorised purposes
You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the GDPR and relevant standards to protect Personal Data.
Can we share Personal Data with third parties?
Generally no, we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
You may only share the Personal Data we hold with another employee, agent or representative of W3 Club if they have a job-related need to know the information.
You may only share the Personal Data we hold with third parties, such as our approved third party service providers, if:
- they have a need to know the information for the purposes of providing contracted services to us
- the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place
- a fully executed written contract that contains GDPR approved third party clauses has been obtained
There are additional stringent requirements that must be met before Personal Data can be transferred to a country outside the European Economic Area, or viewed or accessed from a country outside the European Economic Area.
Do not transfer Personal Data to any third party outside the European Economic Area without the prior approval of the DPO.
How long should we keep data, and where should it be stored?
We have retention policies and procedures in place to ensure Personal Data is stored appropriately, outlining how long we should keep it and letting you know when it should be deleted.
There is some data we need to keep to comply with legal obligations or for other legitimate reasons. To make sure you know how to handle data correctly, you should read and follow any Data Retention Standard Operating Procedure in force from time to time, which can be found on our Intranet site.
What happens if there is a breach of the Personal Data?
The GDPR requires Data Controllers to notify any Personal Data Breach to the ICO and, in certain circumstances, the Data Subject.
We have put in place procedures to deal with any suspected Personal Data Breach and will notify the ICO and any affected Data Subjects where we are legally required to do so.
If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact your line manager, the IT team (if relevant) and the legal department, who will be able to advise on next steps. It is very important that you do this without delay, so that steps can be taken to stop the situation worsening and to deal with any adverse consequences. You should keep all evidence relating to the potential Personal Data Breach.
What support will you give me in relation to GDPR?
We will provide you with training in GDPR and how we expect you to look after our customers’ data. This will be through line manager briefings and also a mandatory e-learning course.
We will also regularly test and audit our systems and processes to make sure they remain compliant.
You will also find guides to help you in the Data Protection section on our intranet site, including a Do’s and Don’ts guide, a GDPR and Data Protection Frequently Asked Questions document, and a Data Retention Standard Operating Procedure setting out how long to retain particular documents containing Personal Data.
What about direct marketing to our customers?
We are subject to certain rules and privacy laws when marketing to our customers. For example, a Data Subject’s prior consent is required for electronic direct marketing (including marketing by email or text). There is a limited exception for existing customers (known as “soft opt in”) which allows us to send marketing texts or emails if we have obtained contact details in the course of a sale to that person, we are marketing similar products or services, and we gave the person an opportunity to opt out of marketing when we first collected their details and continue to give that option in every subsequent message.
We use this “soft opt in” to enable us to send marketing communications to our customers, and filter those communications through a centrally managed “suppression list” that stops them going to people who have asked not to receive them. All electronic marketing communications include an “opt out” or “unsubscribe” link enabling a customer to opt out of future marketing communications.
A Data Subject’s objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
This policy is non-contractual, which means it’s not part of your formal terms and conditions of employment with us, and from time to time we might review and amend it. If we do, we’ll tell you about the change.
If you have any questions, please contact your line manager.