Search Events

Privacy Policy

Privacy Policy

Privacy Notice

1. INTRODUCTION

We, Greenwich Leisure Limited are “controllers” of the information which we collect from or about you – “Personal Data”. As controllers, we are responsible for the security and processing of your Personal Data. This Privacy Notice explains why and how we process your data.

The word ‘process’ covers most things that can be done with personal data, including collection, storage and destruction of that data.

GLL also trades under the name of “Better”, “GLL (Trading) Limited, “North Country Leisure” (NCL) and “Gosling Leisure Limited”.

GLL is a charitable social enterprise and registered society under the Co-operative & Community Benefit and Societies Act 2014 registration no. 27793R and our contact details are:

Address:    

Registered Head office:
Middlegate House, The Royal Arsenal, London, SE18 6SX

Email:

privacy@GLL.ORG

 
Our Data Protection Officer (DPO) is Mr Philip Donnay who you can contact at the above registered address or through privacy@gll.org if you have any queries about this notice or anything related to data protection.

You have certain rights in relation to your personal data including the right to object to processing of your data in certain circumstances. All of these rights are set out in Section 12 of this privacy notice.

2. YOUR PERSONAL DATA

‘Personal data’ is any information that relates to a living, identifiable person. This data can include your name, contact details, and other information we gather as part of our relationship with you.

It can also include ‘special categories’ of data, which is information about a person’s race or ethnic origin, religious, political or other beliefs, physical or mental health, trade union membership, genetic or biometric data, sex life or sexual orientation. The collection and use of these types of data is subject to strict controls. Similarly, information about criminal convictions and offences is also limited in the way it can be processed.

We are committed to protecting your personal data, whether it falls into ‘special categories’ or not, and we only process data if we need to for a specific purpose, as explained below.

We collect your personal data mostly through our contact with you, and the data is usually provided by you, but in some instances we may receive data about you from other people/organisations. We will explain when this might happen in this Notice.

3. DATA, WHY IT WILL BE PROCESSED AND OUR LEGAL BASIS FOR PROCESSING

Personal Data Description

Processing reason

Legal Condition or Basis for processing

Customer’s (or prospective customer’s) name, address, email address, telephone number(s), date of birth, age, bank details, credit card information, Customer, membership or library number, customer account no.  photographic images, telephone recordings, marketing preferences, details of financial transactions, goods or services provided/activities undertaken, location, date and time of visits, disability status or special needs information, family structure and lifestyle, social circumstances, forces number (for funded sessions), prison number (in relation to prison library service only) concessionary information (to receive concessionary benefits), school and class details (for library school sessions only) and reading preferences (library customers only).

Name, address, email, telephone number bank details of a Guarantor/Parent/Carer of a child customer/member.

Supplier’s name and contact details, bank details and supplier account number details of financial transact ions and goods or services purchased

Proof of identity documents (Hirers of some venues/facilities only)

Provision of services or facilities under a contract; keeping and updating of records and details associated with that contract; Membership and bookings administration and service updates; general correspondence connected with the services being provided; dealing with complaints or queries.

 

 

Protection of the business from financial risk; provision of applicable discounts and benefits; keeping of mandatory financial records

 

In respect of recorded telephone calls, for training and development of staff; for case management of complaints and escalations; for the purpose of identifying the caller

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Art 6 (1) b)

 

Processing is necessary for compliance with a legal obligation to which the controller is subject (for example, contractual obligations, or financial and auditing regulations)

Art 6 (1) c)

 

 

Processing is necessary for the purposes of our legitimate interests -in providing services including customer service, protecting the business and maintaining and providing a secure environment

Art 6 (1) f)

 

Processing is necessary for the purposes of our legitimate interests - training development and quality purposes

Art 6 (1) f)

Personal appearance and behaviour (all customers and users of and other visitors to a facility)

Collection and monitoring of CCTV images for the purpose of security, the prevention and detection of crime; protection of assets and property; to assist with parking control (in some instances); to facilitate the investigation of incidents

Monitor staff when carrying out work duties; to facilitate in the management and support of staff

Maintaining and providing a secure environment

Art 6 (1) f)

Processing is necessary for the purposes of our legitimate interests - protection and management of business risks and the legitimate interests of third parties

Art 6 (1) f)

Visitors and contractors on work visits

Collection of name, company and car registration number (where relevant/needed) for recording presence and attendance in the building and issuing of contractor permits to work.

Processing is necessary for the purposes of our legitimate interests – maintaining proper record of maintenance/repair workers attending site, and for maintaining record of visitors on site in case of an emergency evacuation

Art 6 (1) f)

Attainment/Progression/Goals – in relation to children and adults attending lessons (e.g. swimming lessons) and gym members with personalised training programmes

To track progression and achievement of those taking lessons in various sports, to ensure their progression onto the next level making lessons relevant productive and value for money for the customer; to ensure appropriate levels of skills in each class

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Art 6 (1) b)

Next of kin/emergency contacts

(in relation to customers, and workers including volunteers)

To contact NOK or parent in an emergency or in the case of injury illness or death

Processing is necessary for the purposes of our legitimate interests – we need to be able to get in touch with someone who may be able to help in the event of you becoming ill or injured, or in any other kind of emergency

Art 6 (1) f)

Personal details, contact information, occupation and job location

of individuals who have suffered injury or illness or been involved in an incident at one of our venues (all affected customers or visitors);

witness contact details

 

To keep report on and submit required records of incidents accidents and near misses.

Processing is necessary for compliance with a legal obligation to which GLL is subject (e.g. HSE legal obligations of reporting)

Art 6 (1) c)

Processing is necessary for the purposes of our legitimate interests – to investigate facts around incidents and accidents and ensure compliance and improvements. For providing relevant information to our insurers.

Art 6 (1) f) 

Gender, Parental Responsibility, GP Details, Safeguarding Referral Info (Family Structure, Key Agencies, Referrer, School Name, Contacts At Social Services And Police, details of witnesses), Medicine Administration, , Diet, Language, Toilet Routine, Sleep Pattern, Looked After Child Status,

Identification Of Need,

Progress Made, Lone Parent Status, Age Of Parent, Employment Status

Pregnancy Status, LSOA Area, Disability, Special Needs, Parent Smoker, Asylum Seeker, Refugee, Education Details, Employment Details

Health Visitor Info, Family Members names, Referral Actions, Adult Collecting, NI Number (For Together For Twos) as relevant and required in relation to children attending child care facilities, crèches, children’s centres or other child related activities

For the tracking of ability of children in Childcare settings, and for the purpose of monitoring the progress in targeted cohorts

 

To work in partnership to identify vulnerable families including those identified by health, social care, schools and local PVIs, Children's Centre local priority groups and families in need  With partners, agree an engagement plan to ensure that services and resources are targeted to address the family's needs  To track these children to ensure they and their families are engaged in Children's Centre services to meet identified needs

 

To do an eligibility check 

 

Monitoring purposes, and to provide anonymised feedback to the commissioning partners

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Art 6 (1) b)

 

Car registration, name and company  name in relation to visiting contractors and workmen

To maintain accurate records of persons present in the building in case of evacuation; to keep accurate logs of maintenance visits.

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Art 6 (1) b)

Processing is necessary for compliance with a legal obligation to which GLL is subject (e.g. HSE legal obligations of reporting)

Art 6 (1) c)

Name, Address, email address, phone number, sporting achievements, bank details, club membership,

Names, Images, sporting achievements

To process application, and if granted, process the payment of a GLL Sports Foundation Award

To keep the athlete updated on future award related information and to promote  of GSF and GLL Better

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Art 6 (1) b)

Legitimate interest of updating athletes on potential future financial and ongoing support and upcoming events of interest and to promote the awards programme and availability of funding to future generations

Art 6 (1) f)

Consequence of not providing the above data:

GLL will be unable to enter into a contract with you for the provision of services or facilities

Name, email address, gender, phone number, preferred method of contact and marketing preferences

For receiving promotions and marketing, including newsletters, bulletins and mailouts.

For entering into a prize draw or competition

Consent – you have given consent to the processing of your personal data for one or more specific purpose

Art 6 (1) a)

Fitness Goals and fitness and activity interests, attainment and progression (all customers taking up membership)

To provide a relevant and effective personalised fitness programmes and advice; motivational feedback and promote a sense of achievement; to ensure marketing and promotional information provided is relevant to your interests.

Consent – you have given consent to the processing of your personal data for one or more specific purpose

Art 6 (1) a)

Name, contact details, event details and services required

To pass to our preferred suppliers of event services for the Customer to contract with if they wish

Consent – you have given consent to the processing of your personal data for one or more specific purpose

Art 6 (1) a)

Photograph, location, name

Publicity, competition result, promotion to be published in hard format or online or on social media

Consent – you have given consent to the processing of your personal data for one or more specific purpose

Art 6 (1) a)

You may withdraw your consent to the processing of the personal data in this section at any time. Please see s12.

 

 

Special Category Data                          

Processing

Legal Condition or Basis for processing – Article 9 condition required

Medical history and accident/injury details

To keep report on and submit required records of incidents accidents and near misses.

Processing is necessary for compliance with a legal obligation to which GLL is subject (e.g. HSE legal obligations of reporting)

Art 6 (1) c)

Processing is necessary for the purposes of our legitimate interests – to investigate facts around incidents and accidents and ensure compliance and improvements. For providing relevant information to our insurers and for the welfare of our customers.

Art 6 (1) f) 

 

Explicit consent will be requested

Art 9 (2) a): and/or

Art 9 (2) c) processing is necessary to protect the vital interests of the data subject

Medical History

Allergy Information

 

To work in partnership to identify vulnerable families including those identified by health, social care, schools and local PVIs, Children's Centre local priority groups and families in need  With partners, agree an engagement plan to ensure that services and resources are targeted to address the family's needs 

 

Monitoring purposes, and to provide anonymised feedback to the commissioning partners

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Art 6 (1) b)

 

Explicit consent will be requested

Art 9 (2) a): and/or

 

Art 9 (2) c) processing is necessary to protect the vital interests of the data subject

Biometric data – facial images (customers in some facilities)

 

 

 

 

 

 

 

 

used to uniquely identify an individual upon entry into our premises or facilities

Processing is necessary for the purposes of the legitimate interests pursued by the GLL – to provide quick, safe and efficient controlled access to our facilities

Art 6 (1) f)

 

Explicit consent will be requested

Art 9 (2) a)

 

 

Health information (if relevant and necessary) of individuals who have suffered injury or illness or been involved in an incident at one of our venues;

 

Health information / status prior to exercising

To keep report on and submit required records of incidents accidents and near misses.

 

 

To provide information to emergency services if involved

 

 

Processing is necessary for compliance with a legal obligation to which GLL is subject (e.g. HSE legal obligations of reporting)

Art 6 (1) c)

Processing is necessary for the purposes of our legitimate interests – to investigate facts around incidents and accidents and ensure compliance and improvements. For providing relevant information to our insurers and to provide safe professional exercise guidance and programming.

Art 6 (1) f) 

Processing is necessary in order to protect the vital interests of the data subject or of another natural person

Art 6 (1) d) 

Explicit consent will be requested

Art 9 (2) a)

If consent is refused or withdrawn, we will be unable to provide the contracted services

Art 7 (4)

Physical or mental health details

for example, anthropometric data, relevant medical history and assessment notes

To safely provide, and allow participation in, health related schemes or services, including but not limited to cardiac rehab, weight management, use of some fitness facilities and Spa Treatments

Consent

The data subject has given consent to the processing of his or her personal data for one or more specific purposes

Art 6 (1) a)

Explicit consent will be requested

Art 9 (2) a)

If consent is refused or withdrawn, we will be unable to provide the contracted services

Art 7 (4)

Offences and alleged offences

criminal proceedings, outcomes and sentences - in relation to prospective and current and workers (including volunteers)

 

For the purpose of meeting safeguarding obligations

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Art 6 (1) b)

Processing is necessary in order to protect the vital interests of the data subject or of another natural person

Art 6 (1) d)

Processing shall be carried out as authorised by the Police Act 1997 and the Rehabilitation of Offenders Act 1974 as amended

Art 9 (2) (b)/Art 10

Ethnicity of individuals applying for membership

We collect ethnicity information to provide summarised and anonymised demographic information to our clients, the local authorities and to provide more focussed services to our customers and communities

 

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Art 6 (1) e)

 

Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Art 9 (2) g)

as clarified in DPA 2018 Schedule 1, Part 2, Para 8 – ‘Equality of opportunity or treatment.’

 

4. COOKIES

GLL’s websites collect and use cookies as set out below. None of the cookies collect or store personally identifiable information. Please note - if you use your browser settings to block the cookies you may not be to access all or parts of our website.

Essential Cookies

For the full functional use of our websites we use essential cookies to
1. record the user's permission (if given) to allow cookies
2. record whether the user has seen the pop-up inviting them to take our customer survey

Performance Cookies

For Web statistic analysis – to track usage patterns and deliver customised content to our users

Usage Cookies

The following cookies are used to report on the interactions on the GLL websites but are not readable by GLL.

_ga       _gad     _gat

Targeting Cookies

The following cookies are used to enable us to send you promotional and marketing information that your data suggests may be of interest to you (profiling). They are not readable by GLL
doubleclick.net
adservice.google.com
rfihub.com

5. DATA RECEIVED FROM THIRD PARTIES

Data and from whom/where

Processing

Legal Condition or Basis for processing

Data

Name, Address, Contact details (telephone number(s)), date of birth, bank details, photographic images, marketing preferences, details of financial transactions, goods or services provided, family lifestyle and social circumstances,

From a leisure provider where its contract is ending and GLL is taking over the management of that service; or from third parties (agents) selling memberships on our behalf;

Provision of services or facilities under a contract; keeping and updating of records and details associated with that contract;

Membership and bookings administration and service updates;

Protection the business from financial risk; provision of applicable discounts and benefits;

 

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Art 6 (1) b)

 

Processing is necessary for the purposes of our legitimate interests - in providing services including customer service, protecting the business and maintaining and providing a secure environment

Art 6 (1) f)

Data

Customers’ Racial or ethnic origin; Religious or other beliefs of a similar nature

From

a leisure provider where its contract is ending and GLL is taking over the management of that service; or from third parties (agents) selling memberships on our behalf

In the capture of photographic images; in the registration for activities or services available for people of a specific race or ethnic origin;

 

 

 

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Art 6 (1) b)

 

Processing is necessary for the purposes of our legitimate interests - in providing services including customer service

Art 6 (1) f)

Data

Customers’ Physical or mental health details

From

Referrers or relevant health/social care professionals for example, GPs and software providers of health monitoring partners – example of data -  anthropometric data, lifestyle data (incl but not limited to smoking, sleep information) relevant medical history and assessment notes 

To safely provide, and allow participation in, health related schemes or services, including but not limited to cardiac rehab, weight management, use of some fitness facilities

Consent

The data subject has given consent to the processing of his or her personal data for one or more specific purposes

Art 6 (1) a)

As this is special category data, explicit consent will be requested

Art 9 (2) a)

If consent is refused or withdrawn, we will be unable to provide the health service Art 7 (4)

Where we receive such personal data as set out above, the planned processing and legal condition or basis for processing will be as set out above. We shall also within a reasonable time period after obtaining the personal data, but at the latest within one month, notify you from which source the data originates, and whether it came from a publicly accessible source. One received, all other provisions of this privacy notice will also apply to this received personal data.

 

Data

Next of kin/emergency contacts

For customers From

a leisure provider where its contract is ending and GLL is taking over the management of that service

To contact NOK or parent in an emergency or in the case of injury illness or death

Processing is necessary for the purposes of our legitimate interests – we need to be able to get in touch with someone who may be able to help in the event of you becoming ill or injured, or in any other kind of emergency

6. WHO WE MAY SHARE YOUR DATA WITH

Data that we may share

With whom we will or may share it

Data relating to customers suppliers and visitors (as relevant)

Professional advisors and consultants; Suppliers and service providers; Debt collection and tracing agencies; Business associates and contractors; Credit reference agencies; Financial organisations; Auditors; Health authorities; Health and social welfare organisations; Survey and research organisations

All customers’ personal data

With our clients (often the local authority which owns the venue or facility) as they are the joint controller of the data. This may be during the contract or at the end of the contract, or on their instruction and with notice to the customer, to the incoming new service provider.

With a third party purchaser / organisation / individual when selling or transferring part of our business.

 

All customer and supplier/contractor personal data

With our software and storage provider of corporate information Insite Limited Company Number 02899725 and our processor for collecting or making payments via BACS/AUDISS - Bottomline Technologies Ltd Co. Number 08098450 or any future temporary or permanent alternative service providers

With staff and workers in other relevant internal departments or sections within GLL group of companies

Any other agencies engaged by GLL

With third party suppliers who are engaged for the secure destruction of confidential waste (e.g. shredding services)

When an individual has been on our premises in person, with the NHS Test and Trace service in relation to public health measures concerning the Covid-19 pandemic and any other similar events (contact details only)

Leisure Customers

 

With our third party provider of software and storage of customer personal data Legend Club Management Systems (UK) Limited Reg No. 04014581 or any future temporary or permanent alternative service provider

Customers purchasing courses for themselves or children

 

With our third party provider of software of customer personal data CAP2 SOLUTIONS LTD registration number 7067120 and storage company Rackspace registration number 03897010 or any future temporary or permanent alternative service providers

Library Customers

 

With our third party provider of software and storage of customer personal data Capita Business Services Ltd, trading as Capita Software Services – company number 02299747 or any future temporary or permanent alternative service provider

Children’s Centre customers

With the third party provider of software of customer personal data Collate Systems Limited registration number 09182558 or any future temporary or permanent alternative service provider

All Customers and others who contact our Customer Experience Team either by phone or online using the “contact us” form.

With our third party provider of helpdesk software and storage of customer data by Zendesk Inc. of 1019 Market St. San Francisco, CA 94103 or any future temporary or permanent alternative service provider

All Customers and others who contact our Customer Experience Team by phone

With our third party provider of telephone calls and telephone call management system British Telecommunications plc

Registered in England no: 1800000 or any future temporary or permanent alternative service provider

 

Customers applying for membership or courses online

With our third party provider of software and storage of customer personal data Itineris Limited Co. number 4285360 or any future temporary or permanent alternative service provider

Corporate Customers joining through the corporate online joining platform – name, type of membership, centre location, approval status and membership number

With the corporate customer’s employer for the purposes of validating the application for corporate membership. No special category data is shared.

Individuals joining the sports foundation

With our third party providers of software and storage of customer personal data Empower Inc Limited co. number 05363658 or any future temporary or permanent alternative service provider. Your name, sport and the funding amount will be shared with our sport partners (organisations that operate within the sports industry and have knowledge of athletes at a competitive level including but not limited to Sports Aid, the National Governing Bodies and the British Olympic Association).

Customers using football bookings at certain facilities

Our Agent, Recreational Sporting  Limited registered in England & Wales Reg No. 12921560 or any future temporary or permanent alternative service provider

Spa Customers

With our third party provider of software and storage of customer personal data Booker Inc of 165 Broadway, Suite 702, New York, NY 10006 U.S. or any future temporary or permanent alternative service provider

Golfing customers

With our third party provider of software and storage of customer personal data ESP Leisure Ltd (Company Reg No: 2550976) or any future temporary or permanent alternative service provider

Customers who purchase tickets for events

With our third party contractors (ticketing agents) who process the data for ticket sales and production:

1.    Spektrix Ltd. Reg No: 6220078 data hosted by Pulsant Limited co. no. : 03625971

2.    Advanced Computer Software Group Limited reg. No. 05965280

3.    Tickets.Com Limited  Reg No 02309315

4.    See Group Limited Reg No. 6348619

or any future temporary or permanent alternative service providers

Customers of our bowling services

With our third party providers of software Meriq AB, a company registered in Sweden under number SE556627391701 and processing of customer personal data by Amazon Web Services in Europe, and by Bowling Vision Ltd, Company number: 6031508 in the U.S. or any future temporary or permanent alternative service providers

Fitness customers using the Technogym application

With Technogym UK Limited registration number 2782468 who process the data using sub-processors

1.    AMAZON WEB SERVICES, Inc. - 410 Terry Avenue North, Seattle, WA 98109-5210 (server hosting as a cloud provider) storing in EU (Dublin) Region

2.    SENDGRID Inc., Biedrichstrasse 8  D-61200 Woelfersheim/Frankfurt, Germany (email cloud provider) storing in EU and US

3.    GOOGLE INC., 1600 Amphitheatre Parkway, Mountain View, California 94043 USA storing in EU (Belgium)  region - some services are supported with resources located in the USA

4.    TomWare S.c.a.r.l. - via L.B. Alberti, 21/A - 48124 – Ravenna storing in EU (Italy)

or any future temporary or permanent alternative service providers

Students of our London Leisure College

With our third party provider of software and storage of customer data Accessplanit Limited registration number 07083596 or any future temporary or permanent alternative service provider

Customers of our Healthwise Service

With our third party providers of software and storage of customer personal data

i.      Ethical Technology Limited company no. 2208123 and Rackspace

ii.     KI Performance Lifestyle Limited company number 06738270

or any future temporary or permanent alternative service providers

Customers who are booking social events at one of our venues (e.g. weddings, parties etc)

With our preferred suppliers of event services at the customer’s request

Visitors to and users of Better website

Data is collected on our behalf by Morse Digital Co. No. OC368394 and then forwarded to one of our third party processors - Insite or Legend - or any future temporary or permanent alternative service provider - depending on the nature of the data.

Customers and users of Nursery services/facilities

With our third party providers of software Parenta Group Limited . Co No 05249690 or any future temporary or permanent alternative service provider

Customers’ contact details who have opted in for marketing purposes

This is processed by a third party contractor Dotdigital Group PLC Reg. No 06289659 or any future temporary or permanent alternative service provider

Individuals who have suffered injury or illness or been involved in an incident at one of our venues

With our third party provider of software for our web based incident reporting system - Acclaim Safety Systems Ltd reg 03923418 and their data storage provider - UK Fast reg no. 03845616 or any future temporary or permanent alternative service providers

 

 

Facial images and associated data for facial recognition technology (FRT) and customer membership numbers

With our third party provider of software and data storage for our facial recognition function and for inspection to compute licence fee to

CCTech Ltd, Company No. 11800859, company Reg. No.  09343422  or any future temporary or permanent alternative service provider

Customers’ relevant medical information. For example an assessment report or onward referral

Where required we may share details regarding outcomes of health intervention with a GP or the medical professional who made the referral.

Were a medical risk present we may contact GP to share information.

If an onward referral is required we may with consent make a referral (including relevant medical data) to a health team.

Targeting Cookies

Access is provided to : Doubleclick.net, Adservice.google.com & Rfihub.com for marketing and profiling purposes – e.g. sending you promotional or marketing information that your data suggests may be of interest to you. They do not contain any personally identifiable information.

7. TRANSFER OF DATA OUTSIDE OF THE EU – STATEMENT

GLL generally does not share or transfer any customer visitor or supplier personal data outside of the EEA. However some software providers are located, or store customer data, in the U.S. In such instances, the EU-US Privacy Shield is engaged. The European Commission has decided this provision ensures adequate protection to allow personal data to be transferred to the United States.

GLL will not share, disclose or transfer your personal data outside the EEA or the US without ensuring the relevant contract includes the standard data protection clauses adopted by the European Commission; in this way, GLL is providing adequate safeguards for the transfer of this data outside of the EEA.

Our software provider Zendesk Inc uses data storage centres some of which are located in the Asia Pacific region.

8. HOW WE STORE YOUR DATA

Data

How it is stored

Paper / hard copy personal data

In an appropriately secure manner and location with appropriately controlled access

Electronic personal data

On an appropriately secure server with appropriately controlled access or in a cloud storage facility within the UK managed by an approved third party contractor.

9. DATA RETENTION

Data

Retention Principle

All personal data

Data is processed and stored only as long as it is needed for the purpose for which it was collected, subject to the following overriding principles:

1.   where legal obligations require us to keep the information for longer or for a specified period

2.   until the expiry of any limitation period in relation to potential claims against GLL

3.   until the expiry of a reasonable period of time in relation to potential complaints or claims against GLL

 

GLL has set out an internal protocol in relation to retention periods which takes account of the obligation to keep data only for as long as it is needed as well as all statutory or other legal obligations regarding the retention of such records.

10. RIGHTS OF THE DATA SUBJECT

You have the following rights in respect of your data:

1.   The right to be informed about who is controlling your data, how, and for what purpose they intend to process the data, with whom they may share the data, and for how long they will keep the data. Full information is at :

RIGHT TO BE INFORMED

All of these are summarised within this Privacy Notice and full details are available on the ICO website here:

RIGHT TO BE INFORMED

2.   The right of access – you have the right to receive confirmation that your data is being processed. You also have the right to access your personal data in order to verify the lawfulness of the processing. Further information is available here :

RIGHT OF ACCESS

You can contact us at privacy@gll.org to request access to your data.

 

Further information on how and when we must respond and handle requests and when we may charge a fee are set out here :

RIGHT OF ACCESS

3.   The right to rectification – you can ask for inaccurate or incomplete personal data to be rectified. Full details are here:

RIGHT TO RECTIFICATION

Further information on how quickly we will meet your request, or the occasions on which we may decline to meet your request can be found here.

RIGHT TO RECTIFICATION

If we decline to meet your request, we will explain why, and remind you of your right to complain to the Information Commissioner’s Office or ultimately seek a judicial remedy.

4.   The right to erasure or the right to be forgotten – you can ask for your personal data to be deleted or removed in specific circumstances. Full details on these circumstances can be found here:

RIGHT TO ERASURE

We will deal with requests for erasure in accordance with the provisions set out here:

RIGHT TO ERASURE

We will only store and process data that is specifically required for genuine and proper business reasons and for the protection of our business from financial risk and only for the appropriate length of time.

5.   The right to restrict processing – you can ask us to “block” or suppress the processing of your personal data circumstances. Full details about those circumstances can be found here:

RIGHT TO RESTRICT PROCESSING

We will restrict processing of your personal data as requested unless we cannot or choose not to for the permitted reasons which are set out here:

RIGHT TO RESTRICT PROCESSING

Otherwise, we will retain just enough information about you to ensure that the restriction is respected in future.

6.   The right to data portability – this allows you to obtain and re-use certain elements of your personal data for your own purposes across different services; it allows you to move copy or transfer your data easily from one IT environment to another in a safe and secure way, without hindering its usability. Full details are available here:

RIGHT TO DATA PORTABILITY

How quickly and in what format we will provide your data will be governed by the details here:

RIGHT TO DATA PORTABILITY

If we are going to decline your request, we will within one month of the request explain to you why not and will inform you of your right to complain to the Information Commissioner’s Office, and your right to a judicial remedy.

7.   The right to object – you have the right to object to certain types of processing, or processing for specific reasons. The details are set out here:

RIGHT TO OBJECT

           i.       processing based on “legitimate interests” or “the performance of a task in the public interest/exercise of official authority (including profiling) on grounds relating to your particular situation;

 

          ii.       to direct marketing (including profiling);

 

         iii.       and to processing for purposes of scientific/historical research and statistics on grounds relating to your particular situation;

We will comply with your request to stop processing your data in accordance with the requirements and provisions set out here:

 

 

  i.       if you notify us of the grounds of objection specific to your situation we will stop processing the personal data unless:

a.   we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or

b.   the processing is for the establishment, exercise or defence of legal claims.

 ii.       We will, without delay and free of charge, stop processing personal data for direct marketing purposes as soon as we receive an objection.

iii.       if you notify us of the grounds of objection specific to your situation we will stop processing the personal data unless we are conducting research where the processing of personal data is necessary for the performance of a public interest task.

8.   Rights in relation to automated decision making and profiling – you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects, or which similarly significantly affects you. Full details can be found here:

RIGHTS RE AUTOMATED DECISIONS

We use or may use in the future automated decision making in the form of Facial Recognition Software for controlling access to our facilities and services. We will comply with the requirements set out here:

RIGHTS RE AUTOMATED DECISIONS

We may profile personal data and sometimes special category data for the purposes of marketing and promotion where individuals have opted into receiving this. You can ask for us to stop sending you marketing information by contacting privacy@gll.org

11. WITHDRAWING CONSENT

For personal data where we are relying upon your consent as the legal basis for processing (please refer to section 3. Above) you may withdraw your consent at any time by altering your preferences in your online portal, or by notifying us at privacy@gll.org.

12. MAKING A COMPLAINT

If you feel you have a complaint regarding the processing of your personal data, please contact the Data Protection Officer at privacy@gll.org.

13. HOW TO CONTACT GLL’S DATA PROTECTION OFFICER

If you wish to contact GLL’s Data Protection Officer, please write to the address or the email at the top of this privacy notice.

14. IF YOU STILL HAVE A CONCERN REGARDING YOUR PERSONAL DATA

You may report your concern to the Information Commissioner’s Office – contact details may be found on the ICO website https://ico.org.uk/for-organisations.