- The Directors of The SCI (Alex Shoebridge and Martin Shyvers) are committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the “rights and freedoms” of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR).
- Compliance with the GDPR is described by this policy and other relevant policies such as the Information Security Policy along with connected processes and procedures.
- The GDPR and this policy apply to all personal data processing functions, including those performed on customers’, clients’, employees’, suppliers’ and partners’ personal data, and any other personal data the Company processes from any source.
- The Directors are responsible for reviewing the register of processing annually in the light of any changes to our activities (as determined by changes to the data inventory register and the management review) and to any additional requirements identified by means of data protection impact assessments.
- This policy applies to all employees and self-employed Personal Trainers working at The SCI. Any breach of the GDPR will be dealt with under our disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
- Partners and any third parties working with or for the Company, and who have or may have access to personal data, will be expected to have read and understood, and to comply with, this policy. No third party may access personal data held by the Company without having first entered into a data confidentiality agreement which imposes on the third party obligations no less onerous than those to which we are committed, and which gives the Company the right to audit compliance with the agreement.
Data subjects’ rights
- Data subjects have the following rights regarding data processing, and the data that is recorded about them:
- To make subject access requests regarding the nature of information held and to whom it has been disclosed.
- To prevent processing likely to cause damage or distress.
- To prevent processing for purposes of direct marketing.
- To be informed about the mechanics of any automated decision-taking process that will significantly affect them.
- To not have significant decisions that will affect them taken solely by an automated process.
- To sue for compensation if they suffer damage by any contravention of the GDPR.
- To take action to rectify, block, erase (including the right to be forgotten) or destroy inaccurate data.
- To request the supervisory authority to assess whether any provision of the GDPR has been contravened.
- To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
- To object to any automated profiling that is occurring without consent.
The SCI ensures that data subjects may exercise these rights:
- Data subjects may make data access requests as described in the Subject Access Request Procedure; this procedure also describes how the Company will ensure that its response to the data access request complies with the requirements of the GDPR.
- Data subjects have the right to complain to the Company about the processing of their personal data, the handling of a request from a data subject and appeals from a data subject on how complaints have been handled, in line with the Complaints Procedure.
- The Company understands ‘consent’ to mean that it has been explicitly and freely given, and is a specific, informed and unambiguous indication of the data subject’s wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.
- The Company understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.
- There must be some active communication between the parties to demonstrate active consent. Consent cannot be inferred from non-response to a communication. The Controller must be able to demonstrate that consent was obtained for the processing operation.
- For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.
- In most instances, consent to process personal and sensitive data is obtained routinely by the Company using standard consent documents, e.g. when a new client signs a contract, or during induction for participants on programmes.