GDPR

Booking a lesson on ice or online:

The purposes of the processing: To be able to identify and contact the customer to update them on lesson booking specifics or feedback.

What kind of data you process: Customers name, childs name, address, e-mail, telephone number(s).

Who has access to it: Paul Crocker.

Any third parties (and where they are located) that have access: David Smith of Guardian ITC – 71-75 Shelton Street, London, WC2H 9JQ (Web host provider)

What you’re doing to protect the data (e.g. encryption): Data stored in a password protected database on a secure server. Stored on my phone behind a passcode and face ID for the app.

When you plan to erase it (if possible):

Data held for around 2-3 years before being deleted as a past booking.

 

Buying a virtual product:

The purposes of the processing: To be able to identify and contact the customer to update them on order processing specifics or feedback.

What kind of data you process: Customers name, address, e-mail, telephone number(s), social media user names.

Who has access to it: Paul Crocker.

Any third parties (and where they are located) that have access: David Smith of Guardian ITC – 71-75 Shelton Street, London, WC2H 9JQ (Web host provider)

What you’re doing to protect the data (e.g. encryption): Data stored in a password protected database on a secure server. Stored on my phone behind a passcode and face ID for the app.

When you plan to erase it (if possible):

Data held for around 2-3 years before being deleted as a past booking.

 

Joining my mailing list:

The purposes of the processing:

To update interested people on my latest services, offers, and projects.

What kind of data you process: name, e-mail address.

Who has access to it: Paul Crocker

Any third parties (and where they are located) that have access: Send in Blue mailing list company

What you’re doing to protect the data (e.g. encryption): Data held on database for send in blue protected by password, on my website also protected by password.

When you plan to erase it (if possible): Data held for around 2-3 years before being deleted as a past booking.

 

Paying over the phone/by text:

The purposes of the processing: To process payment for a service or product

What kind of data you process: name, address, card number, expiry date, security code, bacs details including account number, bank name, sort code and name on account.

Who has access to it: Paul Crocker

Any third parties (and where they are located) that have access:

What you’re doing to protect the data (e.g. encryption): Shredding after use or deleting digitally after use.

When you plan to erase it (if possible): Immediately after use.

 

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

 

Processing data

 

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:

      1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
      2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
      3. processing is necessary for compliance with a legal obligation to which the controller is subject;
      4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
      5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
      6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

  1. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
  2. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
      1. Union law; or
      2. Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. 4The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

  1. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
    1. any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
    2. the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
    3. the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
    4. the possible consequences of the intended further processing for data subjects;
    5. the existence of appropriate safeguards, which may include encryption or pseudonymisation.

 

 

Consent

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Conditions applicable to child’s consent in relation to information society services

  1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
    Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
  2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.