Privacy Notice
1. INTRODUCTION
We, Greenwich Leisure Limited are “controllers” of the information which we collect from or about you – “Personal Data”. As controllers, we are responsible for the security and processing of your Personal Data. This Privacy Notice explains why and how we process your data.
The word ‘process’ covers most things that can be done with personal data, including collection, storage and destruction of that data.
GLL also trades under the name of “Better”, “GLL (Trading) Limited, “North Country Leisure” (NCL) and “Gosling Leisure Limited”.
GLL is a charitable social enterprise and registered society under the Co-operative & Community Benefit and Societies Act 2014 registration no. 27793R and our contact details are:
Address:
Registered Head office:
Middlegate House, The Royal Arsenal, London, SE18 6SX
Email:
privacy@GLL.ORG
Our Data Protection Officer (DPO) is Mr Philip Donnay who you can contact at the above registered address or through privacy@gll.org if you have any queries about this notice or anything related to data protection.
You have certain rights in relation to your personal data including the right to object to processing of your data in certain circumstances. All of these rights are set out in Section 12 of this privacy notice.
2. YOUR PERSONAL DATA
‘Personal data’ is any information that relates to a living, identifiable person. This data can include your name, contact details, and other information we gather as part of our relationship with you.
It can also include ‘special categories’ of data, which is information about a person’s race or ethnic origin, religious, political or other beliefs, physical or mental health, trade union membership, genetic or biometric data, sex life or sexual orientation. The collection and use of these types of data is subject to strict controls. Similarly, information about criminal convictions and offences is also limited in the way it can be processed.
We are committed to protecting your personal data, whether it falls into ‘special categories’ or not, and we only process data if we need to for a specific purpose, as explained below.
We collect your personal data mostly through our contact with you, and the data is usually provided by you, but in some instances we may receive data about you from other people/organisations. We will explain when this might happen in this Notice.
3. DATA, WHY IT WILL BE PROCESSED AND OUR LEGAL BASIS FOR PROCESSING
Personal Data Description
Processing reason
Legal Condition or Basis for processing
Customer’s (or prospective customer’s) name, address, email address, telephone number(s), date of birth, age, bank details, credit card information, Customer, membership or library number, customer account no. photographic images, telephone recordings, marketing preferences, details of financial transactions, goods or services provided/activities undertaken, location, date and time of visits, disability status or special needs information, family structure and lifestyle, social circumstances, forces number (for funded sessions), prison number (in relation to prison library service only) concessionary information (to receive concessionary benefits), school and class details (for library school sessions only) and reading preferences (library customers only).
Name, address, email, telephone number bank details of a Guarantor/Parent/Carer of a child customer/member.
Supplier’s name and contact details, bank details and supplier account number details of financial transact ions and goods or services purchased
Proof of identity documents (Hirers of some venues/facilities only)
Provision of services or facilities under a contract; keeping and updating of records and details associated with that contract; Membership and bookings administration and service updates; general correspondence connected with the services being provided; dealing with complaints or queries.
Protection of the business from financial risk; provision of applicable discounts and benefits; keeping of mandatory financial records
In respect of recorded telephone calls, for training and development of staff; for case management of complaints and escalations; for the purpose of identifying the caller
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Art 6 (1) b)
Processing is necessary for compliance with a legal obligation to which the controller is subject (for example, contractual obligations, or financial and auditing regulations)
Art 6 (1) c)
Processing is necessary for the purposes of our legitimate interests -in providing services including customer service, protecting the business and maintaining and providing a secure environment
Art 6 (1) f)
Processing is necessary for the purposes of our legitimate interests - training development and quality purposes
Art 6 (1) f)
Personal appearance and behaviour (all customers and users of and other visitors to a facility)
Collection and monitoring of CCTV images for the purpose of security, the prevention and detection of crime; protection of assets and property; to assist with parking control (in some instances); to facilitate the investigation of incidents
Monitor staff when carrying out work duties; to facilitate in the management and support of staff
Maintaining and providing a secure environment
Art 6 (1) f)
Processing is necessary for the purposes of our legitimate interests - protection and management of business risks and the legitimate interests of third parties
Art 6 (1) f)
Visitors and contractors on work visits
Collection of name, company and car registration number (where relevant/needed) for recording presence and attendance in the building and issuing of contractor permits to work.
Processing is necessary for the purposes of our legitimate interests – maintaining proper record of maintenance/repair workers attending site, and for maintaining record of visitors on site in case of an emergency evacuation
Art 6 (1) f)
Attainment/Progression/Goals – in relation to children and adults attending lessons (e.g. swimming lessons) and gym members with personalised training programmes
To track progression and achievement of those taking lessons in various sports, to ensure their progression onto the next level making lessons relevant productive and value for money for the customer; to ensure appropriate levels of skills in each class
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Art 6 (1) b)
Next of kin/emergency contacts
(in relation to customers, and workers including volunteers)
To contact NOK or parent in an emergency or in the case of injury illness or death
Processing is necessary for the purposes of our legitimate interests – we need to be able to get in touch with someone who may be able to help in the event of you becoming ill or injured, or in any other kind of emergency
Art 6 (1) f)
Personal details, contact information, occupation and job location
of individuals who have suffered injury or illness or been involved in an incident at one of our venues (all affected customers or visitors);
witness contact details
To keep report on and submit required records of incidents accidents and near misses.
Processing is necessary for compliance with a legal obligation to which GLL is subject (e.g. HSE legal obligations of reporting)
Art 6 (1) c)
Processing is necessary for the purposes of our legitimate interests – to investigate facts around incidents and accidents and ensure compliance and improvements. For providing relevant information to our insurers.
Art 6 (1) f)
Gender, Parental Responsibility, GP Details, Safeguarding Referral Info (Family Structure, Key Agencies, Referrer, School Name, Contacts At Social Services And Police, details of witnesses), Medicine Administration, , Diet, Language, Toilet Routine, Sleep Pattern, Looked After Child Status,
Identification Of Need,
Progress Made, Lone Parent Status, Age Of Parent, Employment Status
Pregnancy Status, LSOA Area, Disability, Special Needs, Parent Smoker, Asylum Seeker, Refugee, Education Details, Employment Details
Health Visitor Info, Family Members names, Referral Actions, Adult Collecting, NI Number (For Together For Twos) as relevant and required in relation to children attending child care facilities, crèches, children’s centres or other child related activities
For the tracking of ability of children in Childcare settings, and for the purpose of monitoring the progress in targeted cohorts
To work in partnership to identify vulnerable families including those identified by health, social care, schools and local PVIs, Children's Centre local priority groups and families in need With partners, agree an engagement plan to ensure that services and resources are targeted to address the family's needs To track these children to ensure they and their families are engaged in Children's Centre services to meet identified needs
To do an eligibility check
Monitoring purposes, and to provide anonymised feedback to the commissioning partners
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Art 6 (1) b)
Car registration, name and company name in relation to visiting contractors and workmen
To maintain accurate records of persons present in the building in case of evacuation; to keep accurate logs of maintenance visits.
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Art 6 (1) b)
Processing is necessary for compliance with a legal obligation to which GLL is subject (e.g. HSE legal obligations of reporting)
Art 6 (1) c)
Name, Address, email address, phone number, sporting achievements, bank details, club membership,
Names, Images, sporting achievements
To process application, and if granted, process the payment of a GLL Sports Foundation Award
To keep the athlete updated on future award related information and to promote of GSF and GLL Better
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Art 6 (1) b)
Legitimate interest of updating athletes on potential future financial and ongoing support and upcoming events of interest and to promote the awards programme and availability of funding to future generations
Art 6 (1) f)
Consequence of not providing the above data:
GLL will be unable to enter into a contract with you for the provision of services or facilities
Name, email address, gender, phone number, preferred method of contact and marketing preferences
For receiving promotions and marketing, including newsletters, bulletins and mailouts.
For entering into a prize draw or competition
Consent – you have given consent to the processing of your personal data for one or more specific purpose
Art 6 (1) a)
Fitness Goals and fitness and activity interests, attainment and progression (all customers taking up membership)
To provide a relevant and effective personalised fitness programmes and advice; motivational feedback and promote a sense of achievement; to ensure marketing and promotional information provided is relevant to your interests.
Consent – you have given consent to the processing of your personal data for one or more specific purpose
Art 6 (1) a)
Name, contact details, event details and services required
To pass to our preferred suppliers of event services for the Customer to contract with if they wish
Consent – you have given consent to the processing of your personal data for one or more specific purpose
Art 6 (1) a)
Photograph, location, name
Publicity, competition result, promotion to be published in hard format or online or on social media
Consent – you have given consent to the processing of your personal data for one or more specific purpose
Art 6 (1) a)
You may withdraw your consent to the processing of the personal data in this section at any time. Please see s12.
Special Category Data
Processing
Legal Condition or Basis for processing – Article 9 condition required
Medical history and accident/injury details
To keep report on and submit required records of incidents accidents and near misses.
Processing is necessary for compliance with a legal obligation to which GLL is subject (e.g. HSE legal obligations of reporting)
Art 6 (1) c)
Processing is necessary for the purposes of our legitimate interests – to investigate facts around incidents and accidents and ensure compliance and improvements. For providing relevant information to our insurers and for the welfare of our customers.
Art 6 (1) f)
Explicit consent will be requested
Art 9 (2) a): and/or
Art 9 (2) c) processing is necessary to protect the vital interests of the data subject
Medical History
Allergy Information
To work in partnership to identify vulnerable families including those identified by health, social care, schools and local PVIs, Children's Centre local priority groups and families in need With partners, agree an engagement plan to ensure that services and resources are targeted to address the family's needs
Monitoring purposes, and to provide anonymised feedback to the commissioning partners
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Art 6 (1) b)
Explicit consent will be requested
Art 9 (2) a): and/or
Art 9 (2) c) processing is necessary to protect the vital interests of the data subject
Biometric data – facial images (customers in some facilities)
used to uniquely identify an individual upon entry into our premises or facilities
Processing is necessary for the purposes of the legitimate interests pursued by the GLL – to provide quick, safe and efficient controlled access to our facilities
Art 6 (1) f)
Explicit consent will be requested
Art 9 (2) a)
Health information (if relevant and necessary) of individuals who have suffered injury or illness or been involved in an incident at one of our venues;
Health information / status prior to exercising
To keep report on and submit required records of incidents accidents and near misses.
To provide information to emergency services if involved
Processing is necessary for compliance with a legal obligation to which GLL is subject (e.g. HSE legal obligations of reporting)
Art 6 (1) c)
Processing is necessary for the purposes of our legitimate interests – to investigate facts around incidents and accidents and ensure compliance and improvements. For providing relevant information to our insurers and to provide safe professional exercise guidance and programming.
Art 6 (1) f)
Processing is necessary in order to protect the vital interests of the data subject or of another natural person
Art 6 (1) d)
Explicit consent will be requested
Art 9 (2) a)
If consent is refused or withdrawn, we will be unable to provide the contracted services
Art 7 (4)
Physical or mental health details
for example, anthropometric data, relevant medical history and assessment notes
To safely provide, and allow participation in, health related schemes or services, including but not limited to cardiac rehab, weight management, use of some fitness facilities and Spa Treatments
Consent
The data subject has given consent to the processing of his or her personal data for one or more specific purposes
Art 6 (1) a)
Explicit consent will be requested
Art 9 (2) a)
If consent is refused or withdrawn, we will be unable to provide the contracted services
Art 7 (4)
Offences and alleged offences
criminal proceedings, outcomes and sentences - in relation to prospective and current and workers (including volunteers)
For the purpose of meeting safeguarding obligations
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Art 6 (1) b)
Processing is necessary in order to protect the vital interests of the data subject or of another natural person
Art 6 (1) d)
Processing shall be carried out as authorised by the Police Act 1997 and the Rehabilitation of Offenders Act 1974 as amended
Art 9 (2) (b)/Art 10
Ethnicity of individuals applying for membership
We collect ethnicity information to provide summarised and anonymised demographic information to our clients, the local authorities and to provide more focussed services to our customers and communities
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Art 6 (1) e)
Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
Art 9 (2) g)
as clarified in DPA 2018 Schedule 1, Part 2, Para 8 – ‘Equality of opportunity or treatment.’
4. COOKIES
GLL’s websites collect and use cookies as set out below. None of the cookies collect or store personally identifiable information. Please note - if you use your browser settings to block the cookies you may not be to access all or parts of our website.
Essential Cookies
For the full functional use of our websites we use essential cookies to
1. record the user's permission (if given) to allow cookies
2. record whether the user has seen the pop-up inviting them to take our customer survey
Performance Cookies
For Web statistic analysis – to track usage patterns and deliver customised content to our users
Usage Cookies
The following cookies are used to report on the interactions on the GLL websites but are not readable by GLL.
_ga _gad _gat
Targeting Cookies
The following cookies are used to enable us to send you promotional and marketing information that your data suggests may be of interest to you (profiling). They are not readable by GLL
doubleclick.net
adservice.google.com
rfihub.com
5. DATA RECEIVED FROM THIRD PARTIES
Data and from whom/where
Processing
Legal Condition or Basis for processing
Data
Name, Address, Contact details (telephone number(s)), date of birth, bank details, photographic images, marketing preferences, details of financial transactions, goods or services provided, family lifestyle and social circumstances,
From a leisure provider where its contract is ending and GLL is taking over the management of that service; or from third parties (agents) selling memberships on our behalf;
Provision of services or facilities under a contract; keeping and updating of records and details associated with that contract;
Membership and bookings administration and service updates;
Protection the business from financial risk; provision of applicable discounts and benefits;
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Art 6 (1) b)
Processing is necessary for the purposes of our legitimate interests - in providing services including customer service, protecting the business and maintaining and providing a secure environment
Art 6 (1) f)
Data
Customers’ Racial or ethnic origin; Religious or other beliefs of a similar nature
From
a leisure provider where its contract is ending and GLL is taking over the management of that service; or from third parties (agents) selling memberships on our behalf
In the capture of photographic images; in the registration for activities or services available for people of a specific race or ethnic origin;
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Art 6 (1) b)
Processing is necessary for the purposes of our legitimate interests - in providing services including customer service
Art 6 (1) f)
Data
Customers’ Physical or mental health details
From
Referrers or relevant health/social care professionals for example, GPs and software providers of health monitoring partners – example of data - anthropometric data, lifestyle data (incl but not limited to smoking, sleep information) relevant medical history and assessment notes
To safely provide, and allow participation in, health related schemes or services, including but not limited to cardiac rehab, weight management, use of some fitness facilities
Consent
The data subject has given consent to the processing of his or her personal data for one or more specific purposes
Art 6 (1) a)
As this is special category data, explicit consent will be requested
Art 9 (2) a)
If consent is refused or withdrawn, we will be unable to provide the health service Art 7 (4)
Where we receive such personal data as set out above, the planned processing and legal condition or basis for processing will be as set out above. We shall also within a reasonable time period after obtaining the personal data, but at the latest within one month, notify you from which source the data originates, and whether it came from a publicly accessible source. One received, all other provisions of this privacy notice will also apply to this received personal data.
Data
Next of kin/emergency contacts
For customers From
a leisure provider where its contract is ending and GLL is taking over the management of that service
To contact NOK or parent in an emergency or in the case of injury illness or death
Processing is necessary for the purposes of our legitimate interests – we need to be able to get in touch with someone who may be able to help in the event of you becoming ill or injured, or in any other kind of emergency
6. WHO WE MAY SHARE YOUR DATA WITH
Data that we may share
With whom we will or may share it
Data relating to customers suppliers and visitors (as relevant)
Professional advisors and consultants; Suppliers and service providers; Debt collection and tracing agencies; Business associates and contractors; Credit reference agencies; Financial organisations; Auditors; Health authorities; Health and social welfare organisations; Survey and research organisations
All customers’ personal data
With our clients (often the local authority which owns the venue or facility) as they are the joint controller of the data. This may be during the contract or at the end of the contract, or on their instruction and with notice to the customer, to the incoming new service provider.
With a third party purchaser / organisation / individual when selling or transferring part of our business.
All customer and supplier/contractor personal data
With our software and storage provider of corporate information Insite Limited Company Number 02899725 and our processor for collecting or making payments via BACS/AUDISS - Bottomline Technologies Ltd Co. Number 08098450 or any future temporary or permanent alternative service providers
With staff and workers in other relevant internal departments or sections within GLL group of companies
Any other agencies engaged by GLL
With third party suppliers who are engaged for the secure destruction of confidential waste (e.g. shredding services)
When an individual has been on our premises in person, with the NHS Test and Trace service in relation to public health measures concerning the Covid-19 pandemic and any other similar events (contact details only)
Leisure Customers
With our third party provider of software and storage of customer personal data Legend Club Management Systems (UK) Limited Reg No. 04014581 or any future temporary or permanent alternative service provider
Customers purchasing courses for themselves or children
With our third party provider of software of customer personal data CAP2 SOLUTIONS LTD registration number 7067120 and storage company Rackspace registration number 03897010 or any future temporary or permanent alternative service providers
Library Customers
With our third party provider of software and storage of customer personal data Capita Business Services Ltd, trading as Capita Software Services – company number 02299747 or any future temporary or permanent alternative service provider
Children’s Centre customers
With the third party provider of software of customer personal data Collate Systems Limited registration number 09182558 or any future temporary or permanent alternative service provider
All Customers and others who contact our Customer Experience Team either by phone or online using the “contact us” form.
With our third party provider of helpdesk software and storage of customer data by Zendesk Inc. of 1019 Market St. San Francisco, CA 94103 or any future temporary or permanent alternative service provider
All Customers and others who contact our Customer Experience Team by phone
With our third party provider of telephone calls and telephone call management system British Telecommunications plc
Registered in England no: 1800000 or any future temporary or permanent alternative service provider
Customers applying for membership or courses online
With our third party provider of software and storage of customer personal data Itineris Limited Co. number 4285360 or any future temporary or permanent alternative service provider
Corporate Customers joining through the corporate online joining platform – name, type of membership, centre location, approval status and membership number
With the corporate customer’s employer for the purposes of validating the application for corporate membership. No special category data is shared.
Individuals joining the sports foundation
With our third party providers of software and storage of customer personal data Empower Inc Limited co. number 05363658 or any future temporary or permanent alternative service provider. Your name, sport and the funding amount will be shared with our sport partners (organisations that operate within the sports industry and have knowledge of athletes at a competitive level including but not limited to Sports Aid, the National Governing Bodies and the British Olympic Association).
Customers using football bookings at certain facilities
Our Agent, Recreational Sporting Limited registered in England & Wales Reg No. 12921560 or any future temporary or permanent alternative service provider
Spa Customers
With our third party provider of software and storage of customer personal data Booker Inc of 165 Broadway, Suite 702, New York, NY 10006 U.S. or any future temporary or permanent alternative service provider
Golfing customers
With our third party provider of software and storage of customer personal data ESP Leisure Ltd (Company Reg No: 2550976) or any future temporary or permanent alternative service provider
Customers who purchase tickets for events
With our third party contractors (ticketing agents) who process the data for ticket sales and production:
1. Spektrix Ltd. Reg No: 6220078 data hosted by Pulsant Limited co. no. : 03625971
2. Advanced Computer Software Group Limited reg. No. 05965280
3. Tickets.Com Limited Reg No 02309315
4. See Group Limited Reg No. 6348619
or any future temporary or permanent alternative service providers
Customers of our bowling services
With our third party providers of software Meriq AB, a company registered in Sweden under number SE556627391701 and processing of customer personal data by Amazon Web Services in Europe, and by Bowling Vision Ltd, Company number: 6031508 in the U.S. or any future temporary or permanent alternative service providers
Fitness customers using the Technogym application
With Technogym UK Limited registration number 2782468 who process the data using sub-processors
1. AMAZON WEB SERVICES, Inc. - 410 Terry Avenue North, Seattle, WA 98109-5210 (server hosting as a cloud provider) storing in EU (Dublin) Region
2. SENDGRID Inc., Biedrichstrasse 8 D-61200 Woelfersheim/Frankfurt, Germany (email cloud provider) storing in EU and US
3. GOOGLE INC., 1600 Amphitheatre Parkway, Mountain View, California 94043 USA storing in EU (Belgium) region - some services are supported with resources located in the USA
4. TomWare S.c.a.r.l. - via L.B. Alberti, 21/A - 48124 – Ravenna storing in EU (Italy)
or any future temporary or permanent alternative service providers
Students of our London Leisure College
With our third party provider of software and storage of customer data Accessplanit Limited registration number 07083596 or any future temporary or permanent alternative service provider
Customers of our Healthwise Service
With our third party providers of software and storage of customer personal data
i. Ethical Technology Limited company no. 2208123 and Rackspace
ii. KI Performance Lifestyle Limited company number 06738270
or any future temporary or permanent alternative service providers
Customers who are booking social events at one of our venues (e.g. weddings, parties etc)
With our preferred suppliers of event services at the customer’s request
Visitors to and users of Better website
Data is collected on our behalf by Morse Digital Co. No. OC368394 and then forwarded to one of our third party processors - Insite or Legend - or any future temporary or permanent alternative service provider - depending on the nature of the data.
Customers and users of Nursery services/facilities
With our third party providers of software Parenta Group Limited . Co No 05249690 or any future temporary or permanent alternative service provider
Customers’ contact details who have opted in for marketing purposes
This is processed by a third party contractor Dotdigital Group PLC Reg. No 06289659 or any future temporary or permanent alternative service provider
Individuals who have suffered injury or illness or been involved in an incident at one of our venues
With our third party provider of software for our web based incident reporting system - Acclaim Safety Systems Ltd reg 03923418 and their data storage provider - UK Fast reg no. 03845616 or any future temporary or permanent alternative service providers
Facial images and associated data for facial recognition technology (FRT) and customer membership numbers
With our third party provider of software and data storage for our facial recognition function and for inspection to compute licence fee to
CCTech Ltd, Company No. 11800859, company Reg. No. 09343422 or any future temporary or permanent alternative service provider
Customers’ relevant medical information. For example an assessment report or onward referral
Where required we may share details regarding outcomes of health intervention with a GP or the medical professional who made the referral.
Were a medical risk present we may contact GP to share information.
If an onward referral is required we may with consent make a referral (including relevant medical data) to a health team.
Targeting Cookies
Access is provided to : Doubleclick.net, Adservice.google.com & Rfihub.com for marketing and profiling purposes – e.g. sending you promotional or marketing information that your data suggests may be of interest to you. They do not contain any personally identifiable information.
7. TRANSFER OF DATA OUTSIDE OF THE EU – STATEMENT
GLL generally does not share or transfer any customer visitor or supplier personal data outside of the EEA. However some software providers are located, or store customer data, in the U.S. In such instances, the EU-US Privacy Shield is engaged. The European Commission has decided this provision ensures adequate protection to allow personal data to be transferred to the United States.
GLL will not share, disclose or transfer your personal data outside the EEA or the US without ensuring the relevant contract includes the standard data protection clauses adopted by the European Commission; in this way, GLL is providing adequate safeguards for the transfer of this data outside of the EEA.
Our software provider Zendesk Inc uses data storage centres some of which are located in the Asia Pacific region.
8. HOW WE STORE YOUR DATA
Data
How it is stored
Paper / hard copy personal data
In an appropriately secure manner and location with appropriately controlled access
Electronic personal data
On an appropriately secure server with appropriately controlled access or in a cloud storage facility within the UK managed by an approved third party contractor.
9. DATA RETENTION
Data
Retention Principle
All personal data
Data is processed and stored only as long as it is needed for the purpose for which it was collected, subject to the following overriding principles:
1. where legal obligations require us to keep the information for longer or for a specified period
2. until the expiry of any limitation period in relation to potential claims against GLL
3. until the expiry of a reasonable period of time in relation to potential complaints or claims against GLL
GLL has set out an internal protocol in relation to retention periods which takes account of the obligation to keep data only for as long as it is needed as well as all statutory or other legal obligations regarding the retention of such records.
10. RIGHTS OF THE DATA SUBJECT
You have the following rights in respect of your data:
1. The right to be informed about who is controlling your data, how, and for what purpose they intend to process the data, with whom they may share the data, and for how long they will keep the data. Full information is at :
RIGHT TO BE INFORMED
All of these are summarised within this Privacy Notice and full details are available on the ICO website here:
RIGHT TO BE INFORMED
2. The right of access – you have the right to receive confirmation that your data is being processed. You also have the right to access your personal data in order to verify the lawfulness of the processing. Further information is available here :
RIGHT OF ACCESS
You can contact us at privacy@gll.org to request access to your data.
Further information on how and when we must respond and handle requests and when we may charge a fee are set out here :
RIGHT OF ACCESS
3. The right to rectification – you can ask for inaccurate or incomplete personal data to be rectified. Full details are here:
RIGHT TO RECTIFICATION
Further information on how quickly we will meet your request, or the occasions on which we may decline to meet your request can be found here.
RIGHT TO RECTIFICATION
If we decline to meet your request, we will explain why, and remind you of your right to complain to the Information Commissioner’s Office or ultimately seek a judicial remedy.
4. The right to erasure or the right to be forgotten – you can ask for your personal data to be deleted or removed in specific circumstances. Full details on these circumstances can be found here:
RIGHT TO ERASURE
We will deal with requests for erasure in accordance with the provisions set out here:
RIGHT TO ERASURE
We will only store and process data that is specifically required for genuine and proper business reasons and for the protection of our business from financial risk and only for the appropriate length of time.
5. The right to restrict processing – you can ask us to “block” or suppress the processing of your personal data circumstances. Full details about those circumstances can be found here:
RIGHT TO RESTRICT PROCESSING
We will restrict processing of your personal data as requested unless we cannot or choose not to for the permitted reasons which are set out here:
RIGHT TO RESTRICT PROCESSING
Otherwise, we will retain just enough information about you to ensure that the restriction is respected in future.
6. The right to data portability – this allows you to obtain and re-use certain elements of your personal data for your own purposes across different services; it allows you to move copy or transfer your data easily from one IT environment to another in a safe and secure way, without hindering its usability. Full details are available here:
RIGHT TO DATA PORTABILITY
How quickly and in what format we will provide your data will be governed by the details here:
RIGHT TO DATA PORTABILITY
If we are going to decline your request, we will within one month of the request explain to you why not and will inform you of your right to complain to the Information Commissioner’s Office, and your right to a judicial remedy.
7. The right to object – you have the right to object to certain types of processing, or processing for specific reasons. The details are set out here:
RIGHT TO OBJECT
i. processing based on “legitimate interests” or “the performance of a task in the public interest/exercise of official authority (including profiling) on grounds relating to your particular situation;
ii. to direct marketing (including profiling);
iii. and to processing for purposes of scientific/historical research and statistics on grounds relating to your particular situation;
We will comply with your request to stop processing your data in accordance with the requirements and provisions set out here:
i. if you notify us of the grounds of objection specific to your situation we will stop processing the personal data unless:
a. we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
b. the processing is for the establishment, exercise or defence of legal claims.
ii. We will, without delay and free of charge, stop processing personal data for direct marketing purposes as soon as we receive an objection.
iii. if you notify us of the grounds of objection specific to your situation we will stop processing the personal data unless we are conducting research where the processing of personal data is necessary for the performance of a public interest task.
8. Rights in relation to automated decision making and profiling – you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects, or which similarly significantly affects you. Full details can be found here:
RIGHTS RE AUTOMATED DECISIONS
We use or may use in the future automated decision making in the form of Facial Recognition Software for controlling access to our facilities and services. We will comply with the requirements set out here:
RIGHTS RE AUTOMATED DECISIONS
We may profile personal data and sometimes special category data for the purposes of marketing and promotion where individuals have opted into receiving this. You can ask for us to stop sending you marketing information by contacting privacy@gll.org
11. WITHDRAWING CONSENT
For personal data where we are relying upon your consent as the legal basis for processing (please refer to section 3. Above) you may withdraw your consent at any time by altering your preferences in your online portal, or by notifying us at privacy@gll.org.
12. MAKING A COMPLAINT
If you feel you have a complaint regarding the processing of your personal data, please contact the Data Protection Officer at privacy@gll.org.
13. HOW TO CONTACT GLL’S DATA PROTECTION OFFICER
If you wish to contact GLL’s Data Protection Officer, please write to the address or the email at the top of this privacy notice.
14. IF YOU STILL HAVE A CONCERN REGARDING YOUR PERSONAL DATA
You may report your concern to the Information Commissioner’s Office – contact details may be found on the ICO website https://ico.org.uk/for-organisations.