This privacy notice is for York Sport users. It sets out the ways in which York Sport gathers, uses, stores and shares your data. It also sets out how long we keep your data and what rights you have in relation to your data under the General Data Protection Regulation (GDPR).
For the purposes of this privacy notice, University of York is the Data Controller as defined in the General Data Protection Regulation (GDPR). We are registered with the Information Commissioner’s Office and our entry can be found here. Our registration number is: Z4855807.
WHERE DO WE GET YOUR DATA FROM?
Most of the data we hold comes directly from our users. In some cases, such as training courses, data may be shared with us by a third party. We do not buy data from any source.
WHAT DATA DO WE HAVE?
Personal data including name, date of birth, home address, email address, language, gender, phone number, photo, emergency contact details, financial information, any medical information given to us by you, proof of eligibility for price concessions by age, corporate employer or student status.
WHAT IS OUR LEGAL BASIS FOR PROCESSING YOUR DATA?
York Sport needs to collect and retain certain types of data, in various formats, about its members. Typically, data will be processed on the following grounds:
- contractual requirement or to take steps to enter into a contract with you e.g. to deliver membership benefits and sports services;
- because it is necessary for our or a third party’s legitimate interests e.g. to make you aware of relevant opportunities or for membership retention purposes;
- because you have given us your consent.
HOW DO WE USE YOUR DATA?
York Sport may process your personal data for the following purposes:
- to process your membership application;
- to manage your membership;
- to manage bookings;
- to communicate with you e.g. to tell you about scheduled or unscheduled closures, cancellations or other service disruptions;
- to enable us to provide appropriate support in the event of an emergency and notify next of kin;
- to send you marketing communications where consent has been given.
WHO DO WE SHARE YOUR DATA WITH?
York Sport is a subsidiary company of the University of York and may share information with relevant parts of the University e.g. finance and health and safety. More details about the University’s privacy measures can be found here.
In addition, the University may share customer data (e.g. name, email address, date of birth, language, gender, picture, phone number, home address) with Technogym U.K. Ltd to allow sign-in on fitness suite equipment, record workout activity and integrate with the York Sport Wellness smartphone app.
HOW DO WE KEEP YOUR DATA SECURE?
Both York Sport and the University take information security extremely seriously and have implemented appropriate technical and organisational measures to protect personal data and special category data. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability. For further information, see https://www.york.ac.uk/it-services/security/.
Data is shared with Technogym under a GDPR compliant contract that sets out appropriate security arrangements.
HOW DO WE TRANSFER YOUR DATA SAFELY INTERNATIONALLY?
In certain circumstances, it is necessary to transfer your Personal Data (including Special Category Data) outside the European Economic Area. In respect of such transfers, the University will comply with our obligations under Data Protection Law and ensure an adequate level of protection for all transferred data.
HOW LONG WILL WE KEEP YOUR DATA?
Except in specific cases, this section sets out our guidelines for retaining specific types of data:
- Personal customer data: Personal data will be held for as long as the individual is an active paying customer or member of York Sport plus 1 year.
- Personal potential customer data (enquiries): Personal data of potential customers to York Sport (supplied by the individual while making an enquiry about, or trialling our services) will be kept for 1 month.
- Health and Safety: Records of incidents/accidents occurring on our premises are passed on to our parent organisation The University of York’s Health and Safety department, who retain records in accordance with their policies.
- Financial information: this information is passed on to our parent organisation The University of York’s Finance department, who retain records for 7 years, in accordance with University policy.
For some of York Sport’s services the retention policy detailed above could potentially act against the best interests of users. Therefore the following exceptions have been made:
Customers of our swimming lessons and related activities are likely to return after a longer period once they have stopped using the service. In the interest of making the process of returning to York Sport swimming as easy as possible for these individuals, a longer retention period of 2 years after they cease using the service is in place.
WHAT RIGHTS DO YOU HAVE IN RELATION TO YOUR DATA?
Under the General Data Protection Regulation, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. You can verify or correct your information at any time by emailing firstname.lastname@example.org. You can also email email@example.com to update your marketing practices at any time. For all other requests, see https://www.york.ac.uk/records-management/generaldataprotectionregulation/individualsrights/.
QUESTIONS OR CONCERNS
If you have any questions about this privacy notice or concerns about how your data is being processed, please contact York Sport at firstname.lastname@example.org. You can also contact the University of York’s Data Protection Officer at email@example.com.
RIGHT TO COMPLAIN
If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see www.ico.org.uk/concerns.