Data Protection Policy

This Data Protection policy will lay out the procedures undertaken by HYBH Sports Therapy to ensure that HYBH Sports Therapy is compliant with relevant data protection legislation. It has been written in accordance with the information provided by the Information Commissioner’s office prior to the release of the GDPR.

ESTABLISHING A LAWFUL BASIS FOR HANDLING DATA
In accordance with Article 5 (2), This policy will document the ‘lawful basis’ by HYBH Sports Therapy to handle data. This ‘lawful basis’ is set out in Article 6 of GDPR. The lawful basis may be as follows:
Where express consent has been given.
HYBH Sports Therapy utilises a mailing list in order to communicate lesson or treatment availability. Express consent must be provided in order to be added to such a mailing list.
No credit card data is stored as all purchases are paid for via BACS.

Legitimate Interests
Data may be collected for legitimate interests such as marketing purposes. This may include the marketing of events.

Legal Obligations
As a service providing manual therapy, a medical form is filled out and signed by any client. This will collect and store data and is documented only in paper form. These files and kept under lock and key.

CONSENT REVIEWS
Any mailing lists have an express option to ‘opt out’ every 3 months.

GATHERING DATA FOR CONTRACTUAL PURPOSES
In accordance with S6 s(1) b attending a course will require the collection of data to enable contractual obligations to be fulfilled. This is a necessary procedure and only minimal data will be collected to enable this to take place appropriately. Such data will include:
Email addresses
Home/business address
Telephone number
The above specified information enables appropriate invoicing to take place. Data will be stored for accountancy purposes only GDPR compliant software. At no point, will data be passed on to any other organisation.

LEGAL OBLIGATIONS AND THE COLLECTION OF DATA

In accordance with S6 (1) (C) HYBH Sports Therapy will collect relevant data when acting in conjunction with another course provider. This section also applies to the collection of data from prospective employees and contractors to enable HMRC obligations to be fulfilled appropriately.

SAFEGUARDING PRIVACY

HYBH Sports Therapy will ensure privacy by engaging fully with the right to be informed. Privacy notices will include the following: The purpose of processing the data How long the data will be held for Who it will be shared with This privacy information will be served at the time of data collection in the following foreseeable situations Purchasing a event via the website

Privacy notices

Will be tailored for to suit the purposes of collection but will include in accordance with the guidelines provided by the Information Commissioner’s Office The contact details of HYBH Sports Therapy the name and contact details of the relevant representative The purpose of the processing The lawful basis of the processing The legitimate interests for the processing The categories of personal data obtained The retention period of the personal data Details of the contractual obligations Details of transfers of the personal data to any third countries or international organisations The right to withdraw consent The right to lodge a complaint with a supervisory authority This content will be contained in ‘just in time notices’ prior to online website purchases or telephone/email purchases.

ENSURING RIGHT OF ACCESS TO PERSONAL DATA

HYBH Sports Therapy will allow a right of access to both personal data and supplementary information free of charge. Any requests for information will be provided within one month of receiving the request. Where requests are complex and numerous the provision of data will be provided within a two-month period. Where requests are excessive and repetitive and administration fee of £50 will be charged to cover the administrative costs involved. Responses will be provided in an electronic format

ENSURING RIGHT TO RECTIFICATION

HYBH Sports Therapy recognises that an individual has the right to have inaccurate personal data rectified or completed if incomplete. Requests for rectification can be made either verbally or in writing HYBH Sports Therapy will ensure that rectification will occur within one month of the request being made ENSURING RIGHT TO ERASURE

Data erase

HYBH Sports Therapy recognises the rights of individuals to have their personal data erased. A request for erasure may be made either verbally or in writing HYBH Sports Therapy will respond to the request within one month of it being erased, this time will be extended to two months where the request is complex Where data is being processed by HYBH Sports Therapy and a request for erasure is made, the processing of the data will cease

RIGHTS RELATED TO AUTOMATED DECISION MAKING INCLUDING PROFILING

Online purchasing is a form of automated decision making as acceptance onto a course occurs at the point of the online purchase. Data will be gathered as a result of this process to enable the fulfilment of the contractual obligation. The extent of information collected will be communicated in an appropriate privacy statement. HYBH Sports Therapy does not engage in automated profiling marketing systems. Automated decision-making systems are only used to enable a sale of a course or event

ENSURING ACCOUNTABILITY AND GOVERNANCE

In accordance with Article 5 (2) HYBH Sports Therapy ensures accountability and governance through the following procedures: Regular internal audits Appropriate staff training Maintenance of relevant processing documentation Appointment of a Data Protection Officer: Mr Stephen King

DATA PROTECTION IMPACT ASSESSMENTS

A data protection impact assessment will be carried out where processing is likely to result in a high risk to individual’s interests. This is likely to be where special category information is collected.

SECURITY

HYBH Sports Therapy ensures that all data will be processed and stored securely to meet with GDPR requirements

PERSONAL DATA BREACHES

HYBH Sports Therapy will report any personal data breaches that risk rights and freedoms of a data subject to the relevant parties involved. All breaches of data will be recorded.