Cardiff Metropolitan Sports Facilities (Cardiff Met Sport) is part of Cardiff Metropolitan
University.
The following Privacy Notice describes how your data is managed by Cardiff Met Sport in
accordance with data protection legislation - the UK General Data Protection Regulation (GDPR) and the Data
Protection Act 2018 (DPA18).
Cardiff Metropolitan University is the Data Controller and is committed to protecting the
rights of individuals in line with the UK GDPR and the DPA18. Its Privacy Statement can be found here.
Data Protection Contact
Cardiff Metropolitan University's Information and Data Compliance Officer can be contacted
via the following routes (if you have any further queries regarding the processing of your data):
Email:SWeaver@cardiffmet.ac.uk
or dataprotection@cardiffmet.ac.uk.
Overview
By means of this notice, Cardiff Met Sport wishes to notify you of the following:
- The personal data and special category data it collects;
- Why this data is collected and processed;
- Who has access to this data including who Cardiff Met Sport shares the data with;
- The legal basis for processing personal and special category data;
- Technical and organisational measures to ensure personal data remains secure;
- Retention periods; and
- General information.
Personal Data Collected
- Address
- Date of Birth
- Email Address(es)
- Emergency Contact Information
- GP Surgery
- Membership ID(s)
- Name(s)
- TelephoneNumber(s)
Special Category Data Collected
(Please note: Special category data is personal
data that needs more protection because it is sensitive)
- Detailed Medical Information (for Physiotherapy and Massage Sessions only)
What Cardiff Met Sport uses your Personal Data for
Cardiff Met Sport processes personal information to provide you with its services;
Junior Sports Programmes, membership (both internally and externally), and facility bookings.
Sharing Information with Other Organisations
Administering Appointments and Bookings
Cardiff Met Sport uses a booking system hosted by a third-party company, Gladstone. Any
personal data processed by Gladstone is done so in accordance with the requirements of the DPA18 as well as the
University's policies and procedures. For further information on how Gladstone may process your data, please
visit https://offers.gladstonesoftware.co.uk/privacypolicy.
Cardiff Met Sport will not share your data with any third party unless there is a reason permitted by law.
Cardiff Metropolitan University's Legal Basis for Processing Your Personal Data
In order to process your personal and special category data, Cardiff Met Sport must ensure that
it is compliant with one of the 'Lawful Bases' for processing under Article 6 and Article 9 of the UK GDPR.
This means that it must have a lawful reason for using/storing personal information for the purposes outlined in the
"What Cardiff Met Sport uses your Personal Data for" section of this notice.
Article 6.1(f) - Legitimate
Interests
Processing is necessary for the purposes of the legitimate interests pursued
by the Controller or by a third party except where such interests are overridden by the interests or fundamental
rights and freedoms of the Data Subject which require protection of personal data, in particular where the data
subject is a child.
Article 9(a) - Explicit
Consent
The data subject has given explicit consent to the processing of those
personal data for one or more specified purposes, except where Union or Member State law provide that the
prohibition referred to in paragraph 1 may not be lifted by the data subject.
Article 9(h) - Health or Social
Care
Processing is necessary for the purposes of preventive or occupational
medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health
or social care or treatment or the management of health or social care systems and services on the basis of
Union or Member State law or pursuant to contract with a health professional and subject to the conditions and
safeguards referred to in paragraph 3.
Security of Processing
As the Controller, Cardiff Metropolitan University has implemented technical and organisational
measures to ensure personal data processed remains secure, however absolute security cannot be guaranteed. Should
you have a concern about a method of data transmission, the University will take reasonable steps to provide an
alternate method. For more information about IT security at Cardiff Metropolitan University, and keeping your data
safe, please click here.
Retention of Personal Data
The retention period(s) for your data may vary in line with legislative or financial
requirements. However, no personal data will be kept for any longer than is entirely necessary and will be securely
destroyed in accordance with Cardiff Metropolitan University's Records Management
Policy.
Individual Rights
The lawful basis for processing can affect which Rights are available to individuals. Using
Legitimate Interests as the lawful basis for processing, your Individual Rights include:
- The Right to Access
- The Right to Rectification
- The Right to Erasure
- The Right to Object
- The Rights Related to Automated-Decision Making inc. Profiling
Using Consent/Explicit Consent as the lawful basis for processing, your Individual Rights
include:
- The Right to Access
- The Right to Rectification
- The Right to Erasure
- The Right to Portability
- The Right to Withdraw Consent
For more information about these Rights, please click here.
General
Cardiff Metropolitan University has a Data Protection Policy, which can be found here.
If you wish to make a complaint about the way your personal data has been processed you can
find details of how to do so here.
If this process does not resolve your issue, or if you wish to take your complaint further, you
have the right to contact the Information Commissioner. The contact details are:
Information Commissioner's Office - Wales
2nd Floor, Churchill House
Churchill
Way
Cardiff
CF10 2HH
Telephone: 0330 414 6421
Email: www.ico.org.uk