Privacy Notice

Cardiff Metropolitan Sports Facilities (Cardiff Met Sport) is part of Cardiff Metropolitan University.

The following Privacy Notice describes how your data is managed by Cardiff Met Sport in accordance with data protection legislation - the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18).

Cardiff Metropolitan University is the Data Controller and is committed to protecting the rights of individuals in line with the UK GDPR and the DPA18. Its Privacy Statement can be found here.

Data Protection Contact

Cardiff Metropolitan University's Information and Data Compliance Officer can be contacted via the following routes (if you have any further queries regarding the processing of your data): or


By means of this notice, Cardiff Met Sport wishes to notify you of the following:

  • The personal data and special category data it collects;
  • Why this data is collected and processed;
  • Who has access to this data including who Cardiff Met Sport shares the data with;
  • The legal basis for processing personal and special category data;
  • Technical and organisational measures to ensure personal data remains secure;
  • Retention periods; and
  • General information.

Personal Data Collected

  • Address
  • Date of Birth
  • Email Address(es)
  • Emergency Contact Information
  • GP Surgery
  • Membership ID(s)
  • Name(s)
  • TelephoneNumber(s)

Special Category Data Collected

(Please note: Special category data is personal data that needs more protection because it is sensitive)

  • Detailed Medical Information (for Physiotherapy and Massage Sessions only)

What Cardiff Met Sport uses your Personal Data for

Cardiff Met Sport processes personal information to provide you with its services; Junior Sports Programmes, membership (both internally and externally), and facility bookings.

Sharing Information with Other Organisations

Administering Appointments and Bookings

Cardiff Met Sport uses a booking system hosted by a third-party company, Gladstone. Any personal data processed by Gladstone is done so in accordance with the requirements of the DPA18 as well as the University's policies and procedures. For further information on how Gladstone may process your data, please visit

Cardiff Met Sport will not share your data with any third party unless there is a reason permitted by law.​

Cardiff Metropolitan University's Legal Basis for Processing Your Personal Data

In order to process your personal and special category data, Cardiff Met Sport must ensure that it is compliant with one of the 'Lawful Bases' for processing under Article 6 and Article 9 of the UK GDPR. This means that it must have a lawful reason for using/storing personal information for the purposes outlined in the "What Cardiff Met Sport uses your Personal Data for" section of this notice.

Article 6.1(f) - Legitimate Interests

Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the data subject is a child.

Article 9(a) - Explicit Consent

The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.

Article 9(h) - Health or Social Care

Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.

Security of Processing

As the Controller, Cardiff Metropolitan University has implemented technical and organisational measures to ensure personal data processed remains secure, however absolute security cannot be guaranteed. Should you have a concern about a method of data transmission, the University will take reasonable steps to provide an alternate method. For more information about IT security at Cardiff Metropolitan University, and keeping your data safe, please click here.

Retention of Personal Data

The retention period(s) for your data may vary in line with legislative or financial requirements. However, no personal data will be kept for any longer than is entirely necessary and will be securely destroyed in accordance with Cardiff Metropolitan University's Records Management Policy.

Individual Rights

The lawful basis for processing can affect which Rights are available to individuals. Using Legitimate Interests as the lawful basis for processing, your Individual Rights include:

  • The Right to Access
  • The Right to Rectification
  • The Right to Erasure
  • The Right to Object
  • The Rights Related to Automated-Decision Making inc. Profiling

Using Consent/Explicit Consent as the lawful basis for processing, your Individual Rights include:

  • The Right to Access
  • The Right to Rectification
  • The Right to Erasure
  • The Right to Portability
  • The Right to Withdraw Consent

For more information about these Rights, please click here.


Cardiff Metropolitan University has a Data Protection Policy, which can be found here.

If you wish to make a complaint about the way your personal data has been processed you can find details of how to do so here.

If this process does not resolve your issue, or if you wish to take your complaint further, you have the right to contact the Information Commissioner. The contact details are:

Information Commissioner's Office - Wales
2nd Floor, Churchill House
Churchill Way
CF10 2HH

Telephone: 0330 414 6421