How CSSC handles personal information
This policy covers any personal information captured on the Active Wellbeing website and how it is processed and stored. In this policy we refer to Civil Service Sports Council as the data processor as Active Wellbeing is a Civil Service Sports Council initiative.
We are committed to good information handling principles and the privacy and confidentiality of any personal information we deal with.
The terms “you” and “your” mean any visitors and users of this Site and individuals who otherwise interact with us in connection with our services.
What is personal information?
When we use the term “Personal information”, we mean the same as “personal data”. Personal data is defined in data privacy laws applicable in your country. It includes any information relating to an identified or identifiable natural person. This means any individual who can be identified directly or indirectly by reference to an identifier such as name, identification number, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Put simply, this includes data which either by itself or with other data held by us or available to us, can be used to identify you.
The categories of personal information we collect
If making a pledge, the following personal information is collected from you:
- your full name, e-mail address, employer/business department, region and your written pledge.
If ordering a workplace resources pack, the following additional information is collected from you:
- your telephone number.
If you communicate with us by email over the internet, you should be aware that the internet may not be secure and that your message may pass through several different countries en route to us. We comply with data privacy laws in relation to security, but cannot accept responsibility for unauthorised access to your information that is outside our control. Further information regarding our approach to the security of personal information is included in the section below on Security of personal information.
The purposes for which we use personal information
We will only use your personal information for the purposes that you would reasonably anticipate or that we state when we collect it and, where necessary, for which you have given us your consent.
The legal basis for our use and other processing of your personal information under data privacy laws
We are required to indicate our processing activities with your personal information and the legal basis for those activities (see the table below). The legal basis includes handling your personal information:
- for our legitimate commercial interests to deliver our services to you provided these are not overridden by your interests and fundamental rights and freedoms. You can contact us to ask us for more information on the specific interests and how we balance those to ensure privacy is respected;
- for processing which is necessary for compliance with our legal obligations laid down by European Union law (where relevant) and by national laws in all of our countries;
- with your consent. This means your freely given, specific, informed and unambiguous consent, which may be collected from you at the time at which it is requested, including in relation to any direct marketing communications (see Keeping you informed).
You should be aware that you are entitled under data privacy law to withdraw your consent, where that has been given, at any time. You can withdraw your consent by contacting us on firstname.lastname@example.org or by using the unsubscribe link on communications you receive.
You should be aware that if you do this and if there is no alternative lawful reason for us to rely on to justify the relevant use or other processing of your personal information, this may affect our ability to provide our services.
Keeping you informed
We will keep your name, address and contact details (including telephone numbers and email addresses) on our databases and (unless you have opted-out of this at the point at which we first collected your details from you) we may from time to time use that information to make you aware of our own same or similar products and sports events and leisure services which may be of interest to you. We may contact you in writing, by telephone or email. If at any time you decide that you do not want your contact details used for these purposes, please contact us on email@example.com
Disclosure of your Personal Information to other third parties
CSSC may share personal information with third parties under these circumstances:
- If downloading a digital resource pack, 18a Productions will use this for data reporting on behalf of CSSC.
- With IT support and web developers 18a Productions, and with service providers conducting satisfaction surveys, such as Survey Monkey;
- To our partner CSEP (Civil Service Employee Policy); this includes government departments for evaluation, but no personal data is passed;
- To comply with legal and regulatory requirements, for the administration of justice, to protect vital interests, to protect the security or integrity of our databases or this Site, to take precautions against legal liability;
- Where appropriate, before disclosing personal information to a third party, we require the third party to take adequate precautions to protect that data and to comply with applicable privacy laws.
Retention of your personal information
We keep your personal information for no longer than is necessary to fulfil the purposes for which it was collected as described above or in another privacy notice provided to you, taking into account the requirements from the following criteria:
- any laws or regulations that we are required to follow;
- whether we are in a legal or other type of dispute with each other or any third party;
- the type of information that we hold about you;
- whether you are still a member of our services;
- retention in case of queries. We will retain it for a reasonable period (up to 2 years) in case of queries from you and for the purposes of analysis and research; and
- retention in case of claims. We will retain it for the period in which you might legally bring claims against us (in the UK this means we will retain it for 6 years).
If you would like further information about our data retention practices please contact us (see Contact us below).
Security of personal information
We endeavour to use appropriate technical and physical security measures to protect personal information which is transmitted, stored or otherwise processed from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access, whenever this is collected in connection with our services.
On our Site, these measures include computer safeguards and secured files and facilities. We have received ISO 27001 accreditation for compliance with best practice in information security management. Our service providers are also selected carefully and required to use appropriate protective measures.
In particular, we endeavour to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) pseudonymisation (such as where data is separated from direct identifiers so that linkage to an identity is not possible without additional information that is held separately) and encryption, (b) ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process your personal information, (c) ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) ensuring a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.
If there is a breach of security involving your personal information which we are concerned will involve risks to you, we shall, without undue delay, work to mitigate those risks and contact you and/or the data privacy supervisory authority in accordance with applicable laws.
You have various rights under data privacy laws. These may include (as relevant) the right to:
- access information held about you. You must make your request in writing and provide us with enough information to permit us to identify your personal information. In certain circumstances under the privacy laws, we may not be required to provide all the details of personal data held;
- amend and rectify personal information that is inaccurate and notify any third party recipients of the necessary changes;
- request restriction of information processing concerning you or to object to processing of your personal information;
- request the erasure of your personal information where it is no longer necessary for us to retain it;
- request data portability, including obtaining personal information in a commonly used machine readable format in certain circumstances, such as where our processing of it is based on consent;
- object to automated decision making, including profiling (if any), that has a legal or significant effect on you as an individual, and object to marketing; and
- withdraw your consent to any processing for which you have previously given that consent, without affecting the lawfulness of any processing based on your consent prior to its withdrawal.
Please see the contact details in the Contact us section below if you wish to exercise any rights. We endeavour to acknowledge requests within two working days and to provide the appropriate response and information promptly and within the relevant statutory timescale (usually one month).
Links to other websites and providing information to third parties
Your right to lodge complaints with the data privacy supervisory authority in your country
You can contact us directly if you have any concerns or complaints regarding how your personal information is handled. We take privacy seriously and will respond promptly. You can submit complaints to firstname.lastname@example.org
In addition to any other administrative or judicial remedy you might have, you have the right to lodge a complaint with the relevant data protection supervisory authority if you consider that we have infringed applicable data privacy laws when processing your personal information. The data privacy regulator in the UK is the Information Commissioner’s Office. Their site, https://ico.org.uk/, includes current contact details and explains how to lodge a complaint in writing or by telephone to their contact centre.
If you wish to provide comments, update any of your preferences or exercise any of your rights you can:
- email email@example.com
- call 01494 888 444 between 9am and 5pm Mon – Thurs and between 9am and 4:30pm on Friday;
- contact our Data Protection Officer if you have any queries regarding our data protection practices by email to firstname.lastname@example.org.
- Please send any Subject Access Requests to email@example.com.