At Lampton Leisure, we take seriously our responsibility to protect your personal data and we ensure that respecting privacy is at the heart of all that we do. We fully adhere to the requirements set out in the General Data Protection Regulation (GDPR) and other data protection laws.
When you share your personal data with us through our website, online apps and other channels, we take steps to keep your personal data safe and secure and make sure it is processed in a fair, transparent and lawful way.
We work in partnership with the London Borough of Hounslow, and together we have robust policies, procedures and systems in place, and our data protection training and cyber security training is mandatory for all our staff. These controls help us to ensure that we consider the privacy and security implications of all our business activities when designing and delivering our services.We have a dedicated Data Protection Officer (DPO), Cyber Security Manager and Senior Information Risk Officer (SIRO) that oversee our approach to privacy, security and data protection. Our DPO can be contacted by e-mailing InformationGovernance@hounslow.gov.uk.
Like all organisations who collect and use personal data, Lampton Leisure must apply the seven GDPR principles. These principles are:
Personal data must be processed in a lawful, fair and transparent manner.
This means when we collect and use personal data, we must identify the lawful basis for doing so, we must make sure we are not doing anything with that personal data in breach of any other laws. We must handle the personal data in ways the person (data subject) would reasonably expect or must explain why we have done any unexpected processing. We must be clear, open and honest about how and why we use personal data.
Personal data must be collected for specific, explicit and legitimate purposes and not used in a manner that is incompatible with those purposes.
This means when we collect personal data, we must be clear with the person about why we need it and what we will do with it. We may only process the personal data for a new purpose if that purpose is compatible with our original purpose, or we get the data subjects consent or we have a clear obligation set out in law.
Personal data must be adequate, relevant and limited to what is necessary.
This means we must only collect and use personal data that is necessary for the stated purpose or purposes. We must make sure the personal data is sufficient for fulfilling those purposes. We must review the personal data that we hold and delete anything we no longer need.
Personal data must be accurate, and where necessary kept up to date.
This means that we must take reasonable steps to keep the personal data that we collect, and process correct and up to date. From time to time we will review the personal data we hold, and we may contact you to make sure the personal data we have about you is correct and does not contain any errors. We must make sure that we comply with your right to rectification of your personal data.
Personal data must be kept in a format which allows identification of the person for no longer than is necessary and for the purposes for which it is used.
This means we must always know what personal data we hold. We must be able to justify how long we keep personal data, and we may not keep that personal data for longer than is necessary. We must regularly review personal data and erase it or anonymise it when it is no longer needed.
Personal data must be used in a manner that is compatible with appropriate security measures in place to protect that data.
This means that our policies, procedures, processes, systems and practices must be adequate and ensure that personal data is always protected from unlawful access and kept secure.
Personal data must be handled in compliance with the GDPR.
This means we must take responsibility for complying with the GDPR. We must keep records of the steps we have taken to comply with the GDPR. We must make sure that our organisational and technical control measures, such as our policies, procedures, processes systems and training are available and are fit for purpose in compliance with the GDPR. We must ensure that we review and update our control measures at appropriate intervals.
We collect a range of personal data and the type depends on the service that you have requested from us.
The personal data we currently collect are:
We operate several leisure facilities in Hounslow and provide services for our customers, in the centres, online and by telephone.
Your personal data may be collected when you register your interest with us and use our website or online apps, you will be asked for your personal data to enable us to process your request.If you cease to use our services, we will remove your contact details after 2 years.
Should you choose to become a member, we will collect personal data about you and if appropriate your family to enable us to set up your membership and deliver services to you. This could be online, face to face in one of our centres or over the phone.
Once your membership ceases, we will remove your bank details from our system, membership records will remain while you continue to use our facilities. We will retain transaction records for up to 7 years for activity and usage reporting.
Completing health questionnaires (Physical activity readiness questionnaires PARQ)We will want to ensure that you exercise safely. When you join you may be asked to complete a health questionnaire.
Booking classes and activities
If you book to attend a class or take part in one of our activities, you will be asked for personal data to help us deliver the service to you.
If you visit one of our centres, we will record the fact that you have attended, and your image maybe captured on our CCTV that is place to detect and prevent crime. This also helps us to better understand how we are performing and help us to continuously improve our services to our customers.Attendance may also be recorded if you use your membership card to enter through the turnstile.
If you, or your child is registered with our swim school programme, our swimming teachers may record information about your/their progress.
If you have used any of our you may be asked to fill in a feedback form, we use this information to respond to your comments directly and to help to improve our services.
We retain customer feedback data for up to 2 years. We do not limit the duration of anonymised customer feedback.
In order to ensure the safety of our staff and customers, we operate CCTV systems in our centres. These systems are used to detect and prevent crime or to monitor the safety of swimmers.
CCTV recordings are retained for a period of up to a month before deletion and may be held for longer if required as evidence in legal proceedings.
Before we process your personal data, we must review the purposes of our processing and have a valid lawful basis for processing your data. The GDPR provides six lawful bases for processing (consent, contract, legal obligation, vital interest, public task and legitimate interests and we rely on five of these lawful bases for our processing:
Offering real choice and control
This means when you have explicitly told us that we may collect and use your personal data, such as by asking us to add you to one of our mailing lists that offer information about our products, services. We will offer you the chance to opt in or out of receiving this type of information.
Performance and compliance with the contract
The means we may collect, use and process your personal data where it is necessary for the performance of a contract, such as a membership or class booking or in order to take steps at your request before entering a contract with you to:
Processing is necessary for compliance with a common law or statutory obligationThis means we may process personal data to comply with law, for example to respond to a claim under insurance law.
Processing is necessary in order to protect the vital interests of the data subject or another natural person
This means we may collect, use and process personal data to protect your vital interests or the vital interests of another person, for example by contacting the relevant authorities if we believe an individual is likely to come to immediate harm.
Processing is necessary for the purposes of the legitimate interestsThis means we must consider the most appropriate basis for processing your personal data in pursuit of our legitimate interests. We must take extra care in our responsibility to consider and protect your rights and interests. We rely on the three – part test:
At Lampton Leisure, our legitimate interests are:
In pursuit of these interests we may:
Our staff, suppliers and subcontractors will have access to your personal data for the purpose(s) it was collected. We will only disclose the minimum amount of personal data in order to provide the service that you require.
We have implemented data processing policies and we check that our suppliers and contractors have control measures to ensure that your personal data is kept safe and your rights observed while the data is in their care.
We may use the services of third-party data processors to deliver our services for example to host our website, to process direct debit payments or send emails on our behalf.
In order to process payments, we may pass your payment details to the Bank
Some of our services, such as our online booking app are provided by a third-party software company.Lampton Leisure operate our leisure centres on behalf of the local authority London Borough of Hounslow.
At the end of our contract, in order to ensure continuity of service, it may be necessary to pass your data on to the London Borough of Hounslow, or another company that they select to run the facility. Where we do so, you will always be informed that the operation of the service is changing hands.In the unlikely event that Lampton Leisure were sold to a third party, details of our customers would be passed on to that third party as a part of the sale of the business.
Lampton Leisure have implemented a range of technical and organisational control measures to ensure that your personal data is properly protected at all times. Our IT systems are hosted in secure data centres with access controls to restrict access to authorised personnel.
All the personal data that we collect, and hold is kept in accordance with our data retention policies. These policies are guided by the legal and regulatory frameworks that we are subject to in proving our services and helps us to ensure that we do not keep personal data for longer than is necessary and for the purpose(s) it was collected for.
The GDPR legislation provides you with a number of rights in relation to your personal data, including your right to access your personal data and ask us to correct any mistakes and delete and restrict the use of your personal data. You also have the right to object to us using your personal data, to ask us to transfer the personal data you provided to us, to ask us to withdraw your permission to use your personal data. See your right in detail below (certain exemptions apply and you can contact our DPO for more information InformationGovernance@hounslow.gov.uk)
You have the right to be informed about how we collect and use of your personal data.
You have the right to access and receive a copy of your personal data, and other supplementary information. This right of access is commonly referred to a subject access request, data subject access request or ‘SAR’.
You have the right to ask that inaccurate personal data about you rectified or completed if incomplete. You can make the request verbally or in writing.
You have the right to ask that your personal data is erased. This right is commonly known as ‘the right to be forgotten’.
You have the right to object to the processing of your personal data in certain circumstances. These circumstances include:
When the person the personal data is about contests the accuracy of their personal data and we are in the process of validating the accuracy of that personal data
In an event that the personal data has been unlawfully processed and when the person the personal data is about opposes erasure and requests restriction instead
When we no longer need the personal data and the person the data is about needs us to keep it for a legal claim
When the person the personal data is about objects to us processing their personal data under grounds set out in Article 21(1) of the GDPR (Right to object) and we are considering whether our grounds for our legitimate interest overrides that of the person.
You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable way. You also have the right to request that we transmit this data directly to another controller.
You have the right to object to us processing your personal data in certain circumstances, including your right to request that we stop using your personal data for direct marketing purposes.
You are not required to pay any charge for exercising your rights. Please contact our data protection officer at InformationGovernance@hounslow.gov.uk if you wish to make a request.
If you have any questions, comments, complaints and suggestions about this privacy notice and you can contact our customer relations team at firstname.lastname@example.org
If you are dissatisfied with the way we have handled your personal data, you can make a complaint to our customer relations team by e-mail email@example.com or complete our online form and you can find more information about our complaint and comments policies https://www.hounslow.gov.uk/info/20158/customer_services/1402/make_a_complaint_or_comment/2
You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your personal data.
In addition, regardless of whether you make a complaint under our complaints policies and procedures you have the right to complain to the ICO if you are unhappy with how we have used your data.
Information Commissioner’s OfficeWycliffe HouseWater LaneWilmslowCheshireSK9 5AFHelpline number: 0303 123 1113ICO website: https://www.ico.org.uk
Where we provide links to websites of other organisations this privacy notice does not cover how that organisation processes personal data. We encourage you to read the privacy notices on the other websites you visit.