General Data Protection Regulation Policy
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Act Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018.
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, that individuals’ data is not processed without their knowledge, and that it is only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. Pilates Through Life is committed to protecting the rights and freedoms of individuals with respect to the processing of clients’ personal data.
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
GDPR includes 7 rights for individuals:
1) The right to be informed
Pilates Through Life needs to know clients’ names, addresses, telephone numbers and email addresses, along with relevant medical history for the treatment or activity they are involved in, for the safety and interest of the client. This information is confidential and will not be shared with any external companies for marketing purposes.
2) The right of access
At any point an individual can make a request relating to their data and Pilates Through Life will need to provide a response (within 1 month). Pilates Through Life can refuse a request if we have a lawful obligation to retain data, but we will inform the individual of the reasons for the rejection.
3) The right to erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, Pilates Through Life has a legal duty to keep client details for 7 years. Data is archived securely and removed after the legal retention period.
4) The right to restrict processing
Clients can object to Pilates Through Life processing their data. This means that records can be stored but must not be used in any way, for example for communication purposes.
5) The right to data sharing
Pilates Through Life requires data to be shared with our online booking system (team-up). These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
6) The right to object
Clients can object to their data being used for certain activities like marketing or research.
7) The right not to be subject to automated decision-making including profiling.
Automated decisions and profiling are used by marketing-based organisations. Pilates Through Life does not use personal data for such purposes.
Storage and use of personal information
All paper copies of client records are kept in a locked filing cabinet in our studio. The information provided on registration forms is entered onto our secure, password-protected database with “Team up”, who have their own policies and procedures in place in relation to GDPR. Members of staff can have access to these files, but information taken from the files about individual clients is confidential and, apart from archiving, these records remain on site at all times. These records are removed after the legal retention period.
All office computers are securely protected, with passwords required for access. Any portable data storage used to store personal data, e.g. USB memory sticks, cameras and iPads, is password protected and/or stored in a locked filing cabinet.
GDPR means that Inline Health must:
* Manage and process personal data properly
* Protect the individual’s rights to privacy
* Provide an individual with access to all personal information held on them
This Policy was adapted in May 2018.
Policy review date: May 2019