Knox - Johnston Sports Centre
Privacy Policy




Welcome to The Knox – Johnston Sports Centre Privacy Notice.

The Knox – Johnston Sports Centre (KJSC) respects your privacy and is committed to protecting its members’ and visitors’ personal data, and ensuring that we adhere to all relevant UK Data Protection legislation at all times. 


This privacy notice will help explain how and why we collect, use and look after your personal data, outline your privacy rights and also provide details of how to contact us should you have any questions or concerns. 


At the KJSC we will always ensure that we: 

    • Process your personal data lawfully, fairly and in a transparent manner. 
    • Collect your personal data for a specified and clear purpose. 
    • Only collect what is needed and relevant for us to provide our services to you. 
    • Make sure that any personal data is accurate and kept up to date. 
    • Only keep your personal data for as long as we actually need it. 
    • Keep your personal data secure. 

This Privacy Notice was last updated on 3rd July 2023. 


Important information about who we are 

 

Who are you? The KJSC is located in central Berkhamsted and is managed by Berkhamsted School Enterprises Limited, part of the Berkhamsted Schools Group Limited. 


Are you registered with the ICO? Yes, we take our data protection obligations very seriously and our registration number (Berkhamsted Schools Group Limited) is ZA080432 – you can see our entry on the ICO’s Register here. 


Do you have someone who I can contact about any Data Protection queries or concerns? Yes, Berkhamsted Schools Group Limited have a dedicated Data Protection Advisor who can be contacted at dataprotection@berkhamsted.com; they are always happy to help with any queries or concerns, so do get in touch with them if you need their help, or have any feedback or suggestions on how we can improve the information we provide. 


What personal data we collect and when and why we use it 

 

How and when do you collect my personal data? We collect personal data in a number of ways, including in person when you make a booking at the KJSC, when you call to make an enquiry, via email, via our website, attend a training course at the KJSC, or book classes via our new booking app provided by ClubRight. 


What is the lawful basis for you collecting and using my personal data? There are a number bases that we will use to collect and process your personal data, but rest assured we always ensure that we have a lawful basis to do so, and will only collect the personal data actually required for any particular purpose. We will also ensure we undertake a careful assessment of your rights, and the impact of any processing should we rely on a legitimate interest. 

Our main processing activities and the lawful basis for our processing can be found below: 

    • Responding to enquiries – Legitimate Interest or Performance of a Contract. 
    • Setting up and managing your membershipPerformance of a Contract. 
    • Marketing Consent  and please be aware that you are able to withdraw consent and unsubscribe from any marketing emails at any time. 
    • Processing of health data (if provided) The processing of health data has greater restrictions, and should you provide us with health/medical data this will be on the basis of informed and freely given consent.  
    • Use of CCTV in and round the KJSC Legal Obligation to ensure public safety and crime prevention. 
    • Events and training courses - Legitimate Interest or Performance of a Contract. 


We must stress again that should any processing of personal data be on the basis of consent, then this can be withdrawn at any time. Should you wish to withdraw consent for marketing emails please use the “unsubscribe” link which can be found at the bottom of all our marketing emails. 


For any other objections to processing of your personal data, or to withdraw your consent for any other activities (aside from marketing), please contact our Data Protection Advisor at dataprotection@berkhamsted.com who will be happy to help. 


What personal data will I be asked to provide the KJSC? In managing enquiries, applications, memberships and running training courses at the KJSC, we may process the following types of personal data. 


    • Identity data including first name, maiden name, last name, username or similar identifier, marital status, title, family and lifestyle information, health data (subject to obtaining any specific consent from you), date of birth, job title/organisation, your image (photo/CCTV) and gender. 
    • Contact data including address, billing address, emergency contact details, email address and telephone numbers. 
    • Financial data including your bank account and payment card details. 
    • Transaction data including details about payments and classes booked at the KJSC. 
    • Profile data including your username and password, classes booked by you, your interests, preferences, courses attended, feedback and any survey responses. 
    • Usage data including information about how and when you use the facilities at the KJSC. 
    • Marketing and communications data including your preferences for receiving marketing from us, and your communication/contact preferences. 


How do you use my personal data? We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances: 

    • Where we need to manage your application and membership with the KJSC. 
    • Where it is necessary for our legitimate interests (or those of a third-party) and we have carefully considered the processing and ensured that any such processing does not unduly affect and impact your fundamental data protection rights. 
    • Where we need to comply with a legal or regulatory obligation. 

It is also important that the personal data we hold about you is accurate and up to date, so please do keep us informed if your personal data changes during your relationship with us. 


Does the KJSC carry our “profiling”? 

 

Do the KJSC undertake “profiling”? During your membership and use of our facilities we will hopefully get to know you better, and gain an understanding of how and when you use our facilities. However, the UK GDPR details an obligation we have to let you know if we undertake what they refer to as “Automated individual decision-making, including profiling. 

This term covers any profiling by purely automated means without any meaningful human intervention which has a legal or similarly significant impact on you as an individual, an example could be a decision made about a job offer purely by automated means without any human involvement. We can confirm that there is no such processing or “profiling” undertaken by the KJSC. 


How we protect and store your personal data 

 

How do you ensure the security of your systems and protect my personal data? We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way. Such technical measures include the use of complex passwords, Two Factor Authentication (2FA) and encryption of data at rest and in transit when deemed appropriate. In addition, we limit access to your personal data to only those who require access to manage your enquiry, booking or membership with us. 

 

What other measures do you take to protect my personal data? We ensure that we use appropriate systems and suppliers to store your personal data and we have appropriate access control measures in place. In addition all colleagues at the KJSC undertake mandatory data protection and information security training. 

Where is my personal data stored and is it transferred outside of the UK? The KJSC uses systems, such as ClubRight where personal data is stored in the “Cloud”, so your personal data is not held on systems solely located within the KJSC. 


We ensure that any transfers of personal data outside of the UK to such systems are protected by appropriate safeguards, such as the use of Standard Contractual Clauses (SCCs), formal adequacy decisions, and International Data Transfer Agreements (IDTAs). The contracts we have with companies such as ClubRight, who provide our booking system, ensure these same obligations and safeguards are in place to protect your personal data whenever such transfers take place. 


How long do you keep personal data? We ensure that we only keep your personal data for as long as is reasonably required, and in line with best practice. 

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

Sharing your personal data 

 

Do you share my personal data outside of the Berkhamsted Schools Group? Yes, as with most sports centres the KJSC relies on a number of systems provided by third-parties, including our core booking system (ClubRight) to process your personal data and deliver our services to you, so to do this we need to enter and manage your personal data using these external systems. 

However, we always ensure that we use appropriate systems and suppliers, and have in place contracts with these third-parties to protect your personal data that they process on our behalf to deliver our services to you. 


We require all third-parties we work with to respect the security of your personal data and we do not allow them to use your personal data for their own purposes, and only permit them to process your personal data for specified purposes, and in accordance with our specific instructions. 


Do you sell my personal data? No, we will never sell your personal data or share your personal data with companies outside of the Berkhamsted Schools Group for any other purpose, unless there is a clear purpose that we have informed you of, or a legal obligation for us to do so. 

Your Data Protection rights 

 

What are my data protection rights and how can I exercise them? The UK GDPR and the Data Protection Act (2018) have strengthened the rights that individuals have over their personal data and which we have detailed below. 

    • The right to be informed – This Privacy Notice is part of how we explain how and why we process your personal data and ensure transparency. 
    • The right of access – You have a right to access copies of your personal data that we hold for you. 
    • The right to rectification – If the personal data we hold for you is wrong please let us know and we will ensure this is rectified as soon as possible. 
    • The right to erasure The right to have your personal data deleted in some specific circumstances. 
    • The right to restrict processing You are able to restrict the processing of your personal data in certain instances. 
    • The right to data portability – In certain circumstances we are obligated to transfer your personal data to another organisation. 
    • The right to objectThere are certain circumstances where you are able to object to us processing your personal data. 


We should stress that he above rights are not always applicable or absolute, so if you have any queries regarding your particular rights please do contact our Data Protection Advisor at dataprotection@berkhamsted.com who will be more than happy to help. 


We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.  

We may also contact you to ask you for further information in relation to your request to help speed up our response, and ensure we are clear how we can help with your request and get it right first time. 


How long will you take to respond to a request? We try to respond to all legitimate requests within one month and without undue delay. Occasionally it may take us longer than a month if your request is particularly complex, or you have made a number of requests. In this case, we will always notify you before a month has elapsed, and keep you updated on our progress. 


How to contact us 

 

At the KJSC we will always try our best to resolve any issues you may have relating to the service we provide, and of course how we collect and use your personal data. If you have any concerns or queries you can always contact our Data Protection Advisor at dataprotection@berkhamsted.com who is always happy to help. 

 

If you need to write to our Data Protection Advisor, please contact them by writing to them at Berkhamsted Schools Group Limited, 131 High Street, Berkhamsted, HP4 2DJ. You can also call them during office hours on (01442) 358000. 


You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues by visiting their website (Make a complaint | ICO); you can also call them on (0303) 123 1113. 


We would, however, appreciate the chance to deal with your concerns before you approach the ICO, who also advise individuals to contact the data controller (i.e. the KJSC) in first instance, so please do contact us as we would appreciate the opportunity to put things right if we can. 


Changes to this Privacy Notice 

 

This version of The Knox – Johnston Sports Centre Privacy Notice was last updated on the 3rd July 2023.