Protecting your personal
information is extremely important to Julie’s Swim School (“the Company”, “we”
or “our”). This policy explains when and
why we collect personal information about our employees and clients, how we use
it, how we keep it secure and your rights in relation to it.
is Personal Information?
The GDPR defines ‘personal
data’ as any information relating to an identified or identifiable natural
person (a “data subject”). When we talk
about personal information we mean information about an individual that can
identify them, such as their name, address, email, telephone number and bank
details. A “data subject” can be a
customer, employee, business contact or supplier. Any reference to “information” or “data” in
this policy is a reference to personal information about a living individual.
We may collect, use and
store your personal data as described in this policy.
do we collect information about you?
Depending on which ‘data
subject’ category you are in the Company may collect personal information from
you in various ways; directly
from you when you contact us by phone, via our contact us form on our website,
via messenger, our Facebook page, other social media or email to make an
you are applying for a job the Company will also collect personal information
from your CV or the application form. We
may also receive information if you have been introduced by another person such
as a friend or relative
information do we collect
If you are a
client (potential or existing) we may ask for the following personal
information about you; name
& address, contact
details such as email address and phone numbers, bank
names and dates of birth, details
of medical and/or additional needs. We
may also seek to take and hold visual images. If you are an employee, as
well as your personal data, we may collect and hold and process the following
records (details of sick leave, medical conditions, disabilities, prescribed
records (interview notes, CVs, application forms, performance reviews,
remuneration details including salaries, pay increases etc., records of
disciplinary matters including reports and warnings, details of grievances
including notes from interviews, procedures followed and outcomes).
We are keen to protect the
privacy of children under age 13 (this is the age proposed in the Data
Protection Bill under which children cannot provide their own consent to the
use of personal data).
We will use the parent or
guardian’s email address to send the parent or guardian notifications about our
privacy practices, communications about the swim school timetable or about
other features of the swim school and for such features as described in this
do we use your information for?
We use your details to
help us provide the best possible swimming lessons for you/your child. We
also use it to contact you about bookings, send you up to date information on
classes, details on upcoming intensive course and additional course and
information on items for sale which may interest you. We
will also send you newsletters from time to time, conduct online surveys and/or
run competitions. Your
bank details may be needed to collect payments or process refunds. Visual
images may be used for training purposes or on our website or for social media
or advertising purposes.
All of the data held for
existing employees is used to process all aspects of your employment;
data, NI numbers and bank details are required for the processing of your
records, such as assessments and performance reviews are used to promote your
of disciplinary matters are held as the data may be necessary for the defence
of legal claim.
your information in accordance with Data Protection laws
Data protection laws
require us to meet certain conditions before we are allowed to use your
personal information in the way we describe in this policy. To use your personal information, we will
rely on the following conditions, depending on the activities we are carrying
Providing our contracts
and services to you: We will process
your personal information to carry out our responsibilities resulting from any
agreements you’ve entered into with us and to provide you with the information,
products and services you’ve asked from us which may include online services.
Complying with applicable
laws: We may process your personal
information to comply with any legal obligation we are subject to.
Legitimate interests: To use your personal data for any other
purpose described in this policy, we’ll rely on a condition known as
“legitimate interests”. It’s in our
legitimate interests to collect your personal data as it provides us with the
information we need to deliver our services to you more effectively. We may use your information to;
Carry out market research and product development, which can
include creating customer demographics and/or profiling. We may sometimes work
with carefully selected third parties to do this, for example using advertising
services provided by organisations such as Google or Facebook and may share
data with them, which could be combined with the information they hold about
Continue to send marketing information, via email only, to
customers who purchased a service or product before 25th May 2018 and did not
opt-out, until such time as they have reviewed their marketing preferences
(which can be done at any time).
Develop and test the effectiveness of marketing activities.
Develop, test and manage our brands, products and services.
Study and also manage how our customers use products and services
Manage risk for us and our customers.
requires us to carry out an assessment of our interests in using your personal
data against the interests you have a citizen and the rights you have under
data protection laws.
outcome of this assessment will determine whether we can use your personal data
in the ways described in this policy, except in relation to marketing, where we
will always rely on your consent.
Consent: We may provide you with marketing information
about our services or products where you have provided your consent for us to
do so. You may opt out of marketing at
any time by emailing us at Alternatively, you can use the Contact
Us section of our website. You
can also manage your marketing preferences on our customer portal.
Category (Sensitive) Data: Where
you have consented, we will process any medical, health and additional needs
information you have provided and any other sensitive information obtained from
a third party (e.g. your GP or other medical professional), solely for the
purposes of allowing us to offer the best service
Where your Data is held
The data we collect from
you is stored at a destination inside the European Economic Area (“EEA”). We’ll take all reasonably necessary steps to
make sure that your data is treated securely and in accordance with this
We will only transfer your
data to a recipient outside the EEA where we are permitted to do so by law, for
instance, where the transfer is;
on standard data protection clauses adopted or approved by the European Commission
a territory that is deemed adequate by the European Commission, or
the recipient is subject to an approved certification mechanism and the
personal information is subject to appropriate safeguards, etc.
information via email is not completely secure; anything you send is done so at
your own risk. Once received, we will
secure your information in accordance with our security procedures and
we share your information with any third parties?
No, we do not share, rent
or sell your information with any third parties, with the following exceptions;
we use third party providers for services such as payroll and pension for
employees and only the relevant information required for them to deliver the
service is disclosed;
were compelled to by any legal authority
business was sold to a new owner along with our pool rights and/or customer
long do we keep your information?
We shall not keep your
personal data for any longer than is necessary in light of the purpose or
purposes for which that personal data was originally collected, held and
processed. We will review your personal
data every year to establish whether we are still entitled to process it. If we decide that we are not entitled to do
so, we will stop processing your personal data and securely destroy all
personal data once we no longer need it.
We have implemented
generally accepted standards of technology and operational security in order to
protect all our data subjects’ personal data from loss, misuse of unauthorised alteration
There are times when
personal data is held, accessed and processed via an app on mobile phones or
tablets specifically “SwimBiz” - provided by Thinksmart Software. All teachers will meet the following
strong and secure password is required to log into the account on the device
where the data is stored.
no circumstances should any passwords be written down or shared
security software from a reputable supplier must be installed (and enabled) on
users are required to log out after each use and the password must not be saved
on the device
Breach and Response Plan
If any breach, or
potential breach, of personal data occurs, then the response plan must be
Personal data breaches can
by an unauthorised third party
or accidental action (or inaction) by the Company or those organisations who
process personal data on behalf of the Company
personal data to an incorrect recipient
devices containing personal data being lost or stolen
of personal data without permission; and
of availability of personal data
When an incident takes
place, Julie Simonelli must be informed promptly. Julie Simonelli will establish whether, in
their view, a personal data breach has occurred.
If it is deemed that a
breach has occurred then the likelihood and severity of the resulting risk to
peoples’ rights and freedoms should be established. If it is unlikely that there is a risk to
data subjects’ rights and freedoms then the Company will not be required to
report the data breach.
If it is likely that there
is a risk to data subjects’ rights and freedoms then the Company will notify
the Information Commissioner’s Office (“ICO”).
The ICO should be notified of a personal data breach within 72 hours of
becoming aware of it even if all details have not been obtained. Further information can be submitted as soon
The following information
will be given to the ICO;
description of the nature of the personal data breach including, where
possible, the approximate number of individuals concerned and the approximate
number of personal data records concerned.
description of the likely consequences of the personal data breach; and
description of the measure taken, or proposed to be taken, to deal with the
personal data breach.
The Company will inform,
without undue delay, the affected individuals about the personal data breach
when it is likely to result in a high risk to their rights and freedoms. Advice will also be provided to help the
affected individuals protect themselves from the effects of the personal data
The nature of the breach
will be described in clear and plain language including the following;
name and contact details of someone from the Company from whom more information
can be obtained.
description of the likely consequences of the data breach; and
description of the measures taken, or proposed to be taken, to deal with the
data breach and including, where appropriate, the measures taken to mitigate
any possible adverse effects.
You have rights under the
access your personal data
b) To be provided with information about
how your personal data is processed
c) To have your personal data corrected
d) To have your personal data erased in
e) To object or restrict how your data is
have your data transferred to yourself or another organisation in certain
If you have any questions
regarding our data processing practices or wish to exercise any of your rights,
including changing your marketing preferences, please contact Julie Simonelli
using the contact details set out below.
you can access and update your information
The accuracy of your
information is important to us. If you
change email address or if any of the other information we hold is inaccurate
or out of date, please contact us using the details shown at the end of this
You have the right to ask
for a copy of the information the Swim School holds about you. Such requests (SAR) should be direct to Julie
Simonelli, using the contact details at the end of this document. We do not charge a fee for the handling of a
SAR, however, we reserve the right to charge reasonable fees for additional
copies of information that has already been supplied to a data subject and for
requests that are unfounded or excessive.
of this policy
We will keep this policy
under regular review and reserve the right to amend this policy from time to
time without prior notice. You are
advised to check our website www.juliesswimschool.com
regularly for any amendments (but amendments will not be made
This Policy aims to ensure
compliance with the General Data Protection Regulation (GDPR) when dealing with
your personal data. Further details on
the GDPR can be found at the website for the Information Commissioner (www.ico.gov.uk).
For the purposes of the GDPR we will be the “controller” of all personal
data we hold about you.
This policy was last
updated in May 2018.
37 Balmoral Road