General Data Protection Regulation (GDPR) Privacy Notice

I issue this privacy notice in the interests of transparency over how I use (“process”) the personal data that I collect from clients (“you”). Personal data for these purposes means any information relating to an identified or identifiable person. 

“Sensitive personal data” means personal data consisting of information as to –

  1. the racial or ethnic origin of the individual,
  2. their religious or philosophical beliefs,
  3. their physical or mental health or condition,
  4. their sexual life,
  5. the commission or alleged commission by them of any offence,
  6. any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings,
  7. genetic data

Data Controller

For data protection purposes the “data controller” means the person or organisation who determines the purposes for which and the manner in which any personal data are processed. The data controller is Swesh Personal Training.

Purpose of processing the data

It is necessary for me to process personal data of clients for the following reasons: 

  1. I will need the information in order to identify the individual for the purposes of invoicing and/or collecting payments;
  2. I will need to maintain that information for the purposes of ensuring the health and safety of individuals on my premises.

The legal basis for processing the personal data of clients is that: 

  1. Processing the personal data is necessary for performing a contract for invoicing and taking payments.
  2. Processing is necessary to comply with a legal obligation as I am obliged to inform certain agencies (e.g. HMRC) of my client base.
  3. Processing the data is necessary to protect the vital interests of an individual (for example, I am responsible for the health and safety of clients when they are on my premises and so it is necessary to process data relating to those individuals for that reason); and/or
  4. Processing the data is necessary for the purposes of my “legitimate interests” as the data controller (except where such interests are overridden by the interests, rights or freedoms of the individual).

My “legitimate interests” for these purposes are: 

  1. the need to gather data for the purposes of safeguarding the health and safety of clients.
  2. the need to process employee data for the purposes of direct marketing (you have the right to object to direct marketing).

I may from time to time process sensitive personal data, for example medical records or other information relating to the health and well-being of an individual. In that case I will either obtain the explicit consent of the individual to the processing of such data. There is no legal requirement for you to provide sensitive data to me but it is in your personal interest to do so if it may impact upon your health and safety.

Recipients of personal data

Your personal data may be received by the following categories of people: 

  1. My professional advisers
  2. Register of Exercise Professionals (REPs), current insurance broker. 

I do not envisage that your data would be transferred to a third country. If I perceive the need to do that, I would discuss that with you and explain the legal basis for the transfer of the data at that stage. 

Duration of storage of personal data

I will keep personal data for no longer than is strictly necessary, having regard to the original purpose for which the data was processed. 

Your rights in relation to your personal data

The right to be forgotten. You have the right to request that your personal data is deleted if:

  a) it is no longer necessary for me to store that data having regard to the purposes for which it was originally collected; or
  b) in circumstances where I rely solely on your consent to process the data (and have no other legal basis for processing the data), you withdraw your consent to the data being processed; or
  c) you object to the processing of the data for good reasons which are not overridden by another compelling reason for me to retain the data; or
  d) the data was unlawfully processed; or
  e) the data needs to be deleted to comply with a legal obligation.

However, I can refuse to comply with a request to delete your personal data where I process that data:

  a) to exercise the right of freedom of expression and information;
  b) to comply with a legal obligation or the performance of a public interest task or exercise of official authority;
  c) for public health purposes in the public interest;
  d) for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
  e) the exercise or defence of legal claims.

The right to data portability. You have the right to receive the personal data which you have provided to me, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided where: 

  a) the processing is based on consent or on a contract; and
  b) the processing is carried out by automated means.

Note that this right only applies if the processing is carried out by “automated means” which means it will not apply to most paper-based data.

The right to withdraw consent. Where I process your personal data in reliance on your consent to that processing, you have the right to withdraw that consent at any time. You may do this in writing via email to: Sweshpt@hotmail.co.uk

The right to object to processing. Where I process your personal data for the performance of a legal task or in view of my legitimate interests you have the right to object on “grounds relating to your particular situation”. If you wish to object to the processing of your personal data you should do so in writing stating the reasons for your objection. Where you exercise your right to object, I must stop processing the personal data unless: 

  • I can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or 
  • the processing is for the establishment, exercise or defence of legal claims.

The right of subject access. So that you are aware of the personal data I hold on you, you have the right to request access to that data. This is sometimes referred to as making a “subject access request”. 

The right to rectification. If any of the personal data I hold on you is inaccurate or incomplete, you have the right to have any errors rectified. Where I do not take action in response to a request for rectification you have the right to complain about that to the Information Commissioner’s Office.  

The right to restrict processing. In certain prescribed circumstances, such as where you have contested the accuracy of the personal data I hold on you, you have the right to block or suppress the further processing of your personal data.

Rights related to automated decision making and profiling. The GDPR defines “profiling” as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict: 

  • economic situation; 
  • health; 
  • personal preferences; 
  • reliability; 
  • behaviour; 
  • location; or 
  • movement 

You have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or a similarly significant effect on you. However, that right does not apply where the decision is necessary for purposes of the performance of a contract between you and me.

Complaints

Where you take the view that your personal data are processed in a way that does not comply with the GDPR, you have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then inform you of the progress and outcome of your complaint. The supervisory authority in the UK is the ICO.

GET IN TOUCH

Call 07815 921523

Swesh Studio
2nd Floor Andrew House

Kidderminster
DY10 1AQ