Action Breaks Silence may be referred to as “ABS”
Action Breaks Silence may be referred to as “us” or “our” or “we”
“Client(s)” refer to schools and venues or staff
“You” or “Your” refers to the “client”
The new General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. This new EU Directive has been put into place in order to protect your personal data and privacy.
Action Breaks Silence are committed to protecting the privacy of our users and clients. The Privacy (GDPR) Policy is intended to inform clients on how we gather, define and utilise information (as detailed below). It applies to information collected by us or provided by the client, whether at one of our dojos, over our website or in any other way (such as over the telephone). It is also intended to assist clients in making informed decisions when using our website and/or services.
Action Breaks Silence are the controllers of the personal information provided by our clients and staff for the purposes of the GDPR.
In summary, the Action Breaks Silence policy states that for all our current clients and/or potential clients, most of whom will have made enquiries with us, we will:
- securely keep all relevant contact details of students and/or their parents/guardians, schools/venues and staff
- never sell data or mailing lists to 3rd parties
- use data only to relay ABS related information (as outlined in the Full Policy Statement below), updates and reports as well as for invoicing purposes
Information on our website and/or social media has either been supplied by the owner with a request to publish or is information already in the public domain.
Full Policy Statement for Action Breaks Silence
Data Protection Code of Practice:
Our data protection code of practice lays out our procedures that ensure Action Breaks Silence comply with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
When clients or potential clients take up contact with Action Breaks Silence they may provide us with personal information such as name, address, phone numbers, email address, child(ren) name and date of birth, doctor’s name and phone number (in case of emergencies) and any medical or health information relevant to participating in martial arts sports. Clients may provide us with information via a number of ways:
- By corresponding with us via email, in which case we may retain the content of email messages together with our email address and client responses
- By applying for you or your child(ren) to enrol in our courses, filling in/uploading our booking forms or applying for a job vacancy with us
- Through any preferences and areas of interests as advised by the client
- By information provided via the client’s phone or when the client/client’s child(ren) attend any of our classes/venues
- By providing personal data about other named applicants. Clients must have their authority to provide their personal data to us and share this data protection statement with them beforehand together with details of what the client has agreed on their behalf.
In summary what data do we store:
- Current clients’ and/or potential clients’ (most of whom will have made enquiries with us) relevant information such as karate student’s full name, karate student’s date of birth (age), full name of parent or guardian of karate student, email, phone number, home address, school/dojo/venue phone number and address as well as name of personal contacts at these venues, staff phone number and home address as well as email.
- Notes of conversations via email (email communications) or phone
- Any correspondence relating to Action Breaks Silence, between clients and staff
- Recording staff working hours
- Please note: WE DO NOT STORE PAYMENT DETAILS of clients such as card or bank details
- To relay Action Breaks Silence related information and marketing, updates and reports as well as for invoicing purposes
- To keep clients up to date with important changes to Action Breaks Silence
- To administer and provide products and services clients request or have an interest in
- To communicate with clients in the event that any products or services requested are unavailable
- To answer client or staff queries
- Communication with staff
- For record keeping purposes
- For profiling purposes to enable us to personalise and/or tailor any marketing communications that clients may consent to receive from us
- To release information to regulatory or law enforcement agencies, if we are required to do so
We may process certain sensitive personal data (known as special category data in the GDPR) where clients include it in information they send to us e.g. if information is included about your/your child(ren)’s health/medical history in booking/enrolment requests. We have processes in place to limit our use and disclosure of such sensitive data other than where permitted by law.
The legal basis for processing personal data
Under GDPR, the main grounds that we rely upon in order to process personal data are the following:
- Necessary for compliance with a legal obligation – we are subject to certain legal requirements which may require us to process client information. We may also be obliged by law to disclose client information to a regulatory body or law enforcement agency;
- Necessary for the purposes of legitimate interests – we will need to process client data for the purposes of our legitimate interests, provided we have established that those interests are not overridden by client rights and freedoms, including client rights to have information protected. Our legitimate interests include responding to requests and enquiries from clients, fulfilling enrolment/bookings, optimising our website and clients’ experience, informing clients about our products and services and ensuring that our operations are conducted in an appropriate and efficient manner.
Disclosure of information/Consent:
- In some circumstances, we may ask client consent to process data in a particular way in order to provide clients with outstanding related services. If this need arises, we will always ask clients for consent prior to sharing any personal data.
- Disclosure will take place on a “need to know” basis (only that information that the recipient needs to know will be disclosed).
How we may share data:
In certain circumstances there may be a need to share data with other parties. Details of these parties are set out below along with the reasons for sharing it:
- Trusted third parties: in order to provide certain services there will be the need to share data with third party service providers such as IT infrastructure companies and email logistics providers. We will not share data with any third party where it is not necessary to do so to provide a service to our clients; nor will we sell data;
- Regulatory and law enforcement agencies. As noted above, if we receive a request from a regulatory body or law enforcement agency and if permitted under GDPR and other laws we may disclose certain personal data with the new owner(s) of the business or company and their advisors;
- New business owners. If Action Breaks Silence merges with or is acquired by another business or company, we will share personal data with the new owners of the business or company and their advisors. In this event, clients will be sent notice via email.
We will only hold client or staff data for as long as is necessary for the purpose(s) for which we have collected it.
The criteria that we will use to determine retention periods will be determined by the nature of the data and the purposes for which it is kept e.g. if we receive the data through an enrolment entry, we will retain data for as long as is necessary to administer the enrolment. If we receive data for job applications, we will retain data for as long as is necessary to process the application and maintain application statistics. We will not directly market applicants for longer than three (3) years unless they consent to receive direct marketing by opting in again before the expiry of the three (3) year period. In certain circumstances, once we have deleted or anonymised client/applicant data, we may need to retain parts of it, for example an email address, in order to comply with our obligations under the GDPR or other legislation, or for fraud detection purposes.
- All data will be retained for the appropriate lengths of time in compliance with all applicable legal, regulatory and contractual requirements.
All hard copy data will be destroyed by shredding and soft copies permanently deleted.
Access to records or data:
Clients have the right of access to the data that we hold about them. Parents may access their child’s records (if this is in the child’s best interest and not contrary to a competent child’s wishes). Formal applications for access must be in writing to our office email: firstname.lastname@example.org
Any requests made in accordance with the above will be free of charge.
- Please note: We will require evidence of the client’s identity before we are able to act on the client’s request.
- Please also note that we are unable to comply with requests that relate to information or data of others without their consent.
Correction or completion of data:
If information we hold about clients is not accurate, out of date or incomplete and requires amendment or correction, the client has the right to have the data rectified, updated or completed. The client can let us know by contacting us via email email@example.com
Right of Erasure:
In certain circumstances the client has the right to request that the data we hold about them is erased e.g. if the data is no longer necessary for the purposes for which it was collected or processed.
Agreement to hold data/right to object or cancel:
If clients do not wish personal data that we hold about them to be disclosed or used in the way that is set out in this policy and code of practice, please discuss the matter with our office. Clients have the right to object or withdraw their consent, however this may affect our ability to provide the client with the best service.
Clients may withdraw their consent at any time by emailing firstname.lastname@example.org
Security of information:
We take the security of information and data seriously. When clients submit data to us, we use industry standard Secure Sockets Layer (SSL) encryption technology to guard the data.
We have security procedures in place to protect our paper based systems and computerised databases from loss and misuse, and only allow access to them when it is absolutely necessary to do so, and then under strict guidelines as to what use may be made of the personal data contained within them.
Email content & attachments:
- Contents of email communication and any attachments are confidential to the named recipient(s).
- Email may be corrupted, intercepted or amended and so we do not accept any liability for the contents received unless they are the same as sent by Action Breaks Silence.
Information found on our WEBSITE:
Information on our website and/or social media has either been supplied by the owner with a request to publish or with prior consent of the client or is information already in the public domain.
If clients are unhappy about the way we use the data, clients may contact us via email (email@example.com). Clients are also entitled to lodge a complaint with the UK Information Commissioner’s Office using any of the below contact methods:
Telephone: 030 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF