Bristol Co-operative Gym is a co-operative society registered with the FCA (registration number 4395).
In order to provide our services, we collect, store and use personal information about our users, members and coaches. By using any of our services you agree to be bound by the policies set out in this privacy notice. We are registered with the ICO and take our legal and ethical responsibilities towards this information very seriously.
This policy lays out how we deal with the information we hold. If you have any questions about it, please e-mail us.
Who is responsible for this policy?
Guy Lochhead is the appointed Data Protection Officer for the gym, and is responsible for making sure that the gym complies with this policy and with the legal requirements for data protection. He can be contacted via e-mail.
All staff, members and volunteers who collect or process personal information should be aware of this policy and make sure that they follow it.
What does this policy cover?
This policy covers two categories of information that we hold about people:
- Personal data is any information relating to an identifiable person who can be directly or indirectly identified.
- Sensitive personal data is information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
What are the principles behind this policy?
- We process information for specific, legitimate and lawful purposes.
- We are explicit and transparent with people about what information we collect, and how we process it.
- We protect people’s rights over their information.
- We collect information that is adequate, relevant and limited to what is necessary for the specified purposes.
- We make sure that all the information we hold is accurate and up to date.
- We only keep information for as long as it is needed for the specified purpose.
- We ensure appropriate physical and electronic security of all personal information, including protection against unauthorised use, and accidental loss or damage.
- We do not share people’s information without their explicit permission, except with the third parties used in the running of our business (payment processors, accountancy, marketing automation). We never share information with people or organisations in countries without adequate protection.
- We make it easy for people to access and update their information, and to ask us to delete or stop processing their information.
Why do we process information?
We collect and process your information (such as name, contact information, bank account and payment information and information relating to health conditions and usage) in order to deliver health and fitness activities and information to our members and users; process payments and other financial transactions; maintain financial records; recruit and manage coaches and other staff; and to inform members and users about products and services we offer.
We process this information under the basis of legitimate interest, in a way you could reasonably expect following a recent enquiry, purchase, session registration, or referral from someone you know, in order for us to provide the services specified above.
We may wish to take photos or videos for marketing purposes. In this case, we will collect and process this information under the basis of Consent. Anyone in the photo/video will be asked for their consent to be photographed / filmed, and for this information to be used for the purposes of marketing.
What information do we hold?
We keep a list of all the types of information we hold about people, including the source of that information, how and where we store it, who we share it with, what we do with it and how long we keep it for.
How do we keep this information secure?
We will not share your data with any third party other than those utilised to service our business. External partners may be utilised to perform tasks including but not limited to: processing payments, making bookings, marketing, accounting and account management. All of our partners comply with high levels of confidentiality and best practice in privacy and security standards in line with the General Data Protection Regulation 2018.
We use appropriate security measures to maintain the confidentiality, integrity and availability of the information we hold. We do this by:
- Analysing the risks of our processing, and using this to inform our security measures;
- Following our information security policy, which is regularly reviewed;
- Using basic technical security measures such as encryption;
- Backing up our information systems so that we can restore access if there is a breach;
- Regularly testing and reviewing our information security measures.
How can people find out what information we hold about them?
Anyone can make a subject access request for free, either verbally or in writing, to access a copy of the information we hold about them. We will respond to these requests within a month.
What happens if there is a security breach?
If anyone within the gym thinks that a data breach may have happened, they should inform the Data Protection Officer as soon as possible. If the Data Protection Officer believes that a breach has happened, they should inform the Information Commissioner’s Office and the people involved as soon as possible, and within three days at most.
This policy was adopted on 25th May 2018.
This policy will be reviewed annually within a week of our AGM.
Any questions about this policy should be sent to Guy Lochhead via firstname.lastname@example.org.