Climb Newcastle Privacy Notice
At Climb Newcastle Ltd (registered company number 06106416) we are committed to protecting your privacy. At all times we aim to respect any personal information you share with us, or that we receive from others, and keep it safe.
This Privacy Notice sets out our data processing practices and your rights and options regarding the ways in which your personal information is used and collected at our centres (Climb Newcastle @ The Pool and The Valley Climbing Centre) or on our websites (climbnewcastle.com and climbvalley.com).
Contents of this policy:
- How we collect personal information about you
- What personal information do we use?
- How and why will we use your personal information?
- Lawful bases
- Communications for marketing/ fundraising
- Children’s personal information
- How long do we keep your personal information?
- Will we share your personal information?
- Security/ storage of and access to your personal information
- International Data Transfers
- Exercising your Rights
- Changes to this Notice
- Links and third parties
- How to contact Climb Newcastle
(a) When you give it to us directly:
- For example, personal information that you submit through our website by registering as a user of our facilities, making a booking or signing up for our email newsletter; or personal information that you give to us when you communicate with us by email or telephone.
(b) When we obtain it indirectly:
- For example, your personal information may be shared with us by third parties including, for example, the Association of Climbing Walls (Britain) Limited (“ABC”), an organisation established to promote safe management practices in climbing walls, of which we are a member. We will notify you if and when we receive personal information about you and tell you how and why we intend to use that personal information.
(c) When it is available publicly:
- Your personal information may be available to us from external publicly available sources. For example, depending on your privacy settings for social media services, we may access information from those accounts or services (for example when you choose to interact with us via Facebook or Instagram.
(d) When you visit our website:
- When you visit our website, we automatically collect technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.
In general, we may combine your personal information from these different sources set out in (a)-(d) above, for the purposes set out in this Notice.
We may collect, store and otherwise process the following kinds of personal information:
- your name and contact details including postal address, telephone number, email address and emergency contact details;
- your date of birth;
- financial information, such as credit/ debit card details, for example if you sign up to our monthly subscription service.
- technical information when you visit our websites;
- details of your qualifications/ experience;
and/ or any other personal information which we obtain as per section 1.
Do we process special categories of data?
The EU General Data Protection Regulation (“GDPR”) recognises certain categories of personal information as sensitive and therefore requiring more protection, for example information about your health, ethnicity and religious beliefs.
In certain situations, we may collect and/or use these special categories of data (for example, information on climbers’ medical conditions relevant to their use of our facilities). We will only process these special categories of data if there is a valid reason for doing so and where the GDPR allows us to do so.
Your personal information, however provided to us, will be used for the purposes specified in this Notice. In particular, we may use your personal information:
- to register you as a user of our centres;
- to allow you to make a booking to use our facilities;
- to otherwise provide you with services, products or information you have requested; to provide further information about our work, services or activities (where you have provided your consent to receive such information through our e-mail newsletter);
- to assist you with certification schemes, such as NICAS;
- to display competition results;
- to answer your questions/ requests and communicate with you in general;
- to allow you to apply for a job or volunteer role with us;
- to keep our facilities safe and secure;
- to run/administer the activities of our centres, including our website;
- to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering);
- for the prevention of fraud or misuse of services; and/or
- for the establishment, defence and/ or enforcement of legal claims.
The GDPR requires us to rely on one or more lawful bases to use your personal information. We consider the grounds listed below to be relevant:
- Where you have provided your consent for us to use your personal information in a certain way (for example, we may ask for your consent to use your personal information to send you email newsletters, or to collect special categories of your personal information. Special categories of personal information are explained in paragraph 2 above).
- Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services).
- Where necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract (for example, to provide you access to our facilities as a registered user).
- Where it is in your/someone else’s vital interests (for example, in case of medical emergency suffered by a climber).
- Where there is a legitimate interest in us doing so. The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights as an individual).
In broad terms, our “legitimate interests” means the interests of running Climb Newcastle as a commercial entity and ensuring the best possible user experience.
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and on your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
We may use your contact details to provide you with information about our work, events, services and/or activities which we consider may be of interest to you if you have consented to receiving our e-mail newsletter.
You can opt out of receiving emails from us at any time by clicking the “unsubscribe” link at the bottom of our emails.
When we process children’s personal information, where required we will not do so without their consent or, where required, the consent of a parent / guardian. In particular, registration must be carried out by a child’s parent / guardian. We will always have in place appropriate safeguards to ensure that children’s personal information is handled with due care.
In general, we are required to hold on to personal information from our registration form for six years after you have last used our facilities (for example seven years after collection if only visiting once), or in the case of children’s personal information, until three years after their 18th birthday. This is to meet specifically with the business need for the establishment, defence and/ or enforcement of legal claims. In the case of users completing paper registration forms (prior to October 2017) it may be impractical to destroy forms on the day that this period has expired, however after this period, any personal data held will be destroyed in a timely and secure manner.
However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see Section 11 below), we will remove it from our records at the relevant time.
If you request to receive no further contact from us, we may keep some basic information about you on our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.
We do not share, sell or rent your personal information to third parties for any marketing purposes.
However, we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Notice. For example, to awarding bodies such as Mountain Training.
We reserve the right to disclose your personal information to third parties: in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the (prospective) seller or buyer of such business or assets;
- if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
- if we are under any legal or regulatory duty to do so; and/or
- to protect the rights, property or safety of the centre, its personnel, users, visitors or others.
We are committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information.
Your personal information is only accessible by appropriately trained staff, volunteers and contractors, and stored on secure servers which have features to prevent unauthorised access.
Paper forms are locked in a secure storage room.
Given that we are a UK-based organisation, we will normally only transfer your personal information within the European Economic Area (“EEA”), where all countries have the same level of data protection law as under the GDPR.
Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure – however, once we have received your personal information, we will use strict procedures and security features to try and prevent unauthorised access.
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing or fundraising purposes or to unsubscribe from our email list at any time. You also have the following rights:
- Right of access – you can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply.
- Right of erasure – at your request we will delete your personal information from our records as far as we are required to do so (see the notes in section 7 regarding retention of registration data). In many cases we would propose to suppress further communications with you, rather than delete it.
- Right of rectification – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate/up to date.
- Right to restrict processing – you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
- Right to object – you have the right to object to processing where we are (i) processing your personal information on the basis of the legitimate interests basis (see paragraph 4), (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.
- Right to data portability – to the extent required by the GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact, and in either case we are processing using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format.
- Rights related to automated decision-making – you have the right not to be subject to a decision based solely on automated processing of your personal information which produces legal or similarly significant effects on you, unless such a decision (i) is necessary to enter into/perform a contract between you and us/another organisation; (ii) is authorised by EU or Member State law to which Climb Newcastle is subject (as long as that law offers you sufficient protection); or (iii) is based on your explicit consent.
Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us using the details in paragraph 14 below.
We encourage you to raise any concerns or complaints you have about the way we use your personal information by contacting us using the details provided in paragraph 14 below. You are further entitled to make a complaint to the Information Commissioner’s Office. For further information on how to exercise this right, please contact us using the details below.
We may update this Notice from time to time. We will notify you of significant changes by contacting you directly where reasonably possible for us to do so and by placing an update notice on our website. This Notice was last updated on 24th May 2018.
We link our website directly to other sites. This Notice does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.
Please let us know if you have any questions or concerns about this Notice or about the way in which Climb Newcastle processes your personal information by contacting us at the channels below. Please ask for / mark messages for the attention of Climb Newcastle's company directors.
Telephone: 0191 276 2174
Post: Climb Newcastle, Shipley Place, Byker, Newcastle Upon Tyne. NE6 2DQ