Margam Park Adventure are committed to protecting and respecting your privacy.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
Data controller – A controller determines the purposes and means of processing personal data.
Data processor – A processor is responsible for processing personal data on behalf of a controller.
Data subject – Natural person
Categories of data: Personal data and special categories of personal data
Personal data – The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier (as explained in Article 6 of GDPR). For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
2. Who are we?
Margam Park Adventure is the data controller. This means we decide how your personal data is processed and for what purposes. Our contact details are: 07825446846 or email@example.com
3. The purpose(s) of processing your personal data
We may collect the following data from you:
• Information you give us. You may give us information about you by filling in forms on our site www.margamparkadventure.co.uk or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you submit a contact us / booking form via our website.
• Information we collect about you. With regard to each of your visits to our site we may automatically collect the following information:
• technical information, including the Internet Protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
• information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
• Information we receive about you from other sources. We work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, social media networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them. We may also obtain information about you from publicly available sources e.g. company websites, to contact you in a professional capacity about our services (eg direct marketing about our team building days)
• Information we ask from you. To process your enquiry or booking, we will ask you for additional information including your full name, address, e-mail address and phone number. Before participating in one of our events, we ask all participants to complete a consent and medical form (or parental consent form for children under 18 years old who are participating), which asks for information about you or your child including: parent or participant’s name, your contact details, your child’s name (if relevant), emergency contact name, emergency contact phone number, dietary requirements, information about medical conditions we need to be aware of that may affect participation, and photograph consent. We may take photographs or video of people attending our events, we seek consent either verbally or on a consent form. If we need to process a refund, we will ask you for your bank or card details.
We use your personal data for the following purposes:
• To process customer enquiries;
• To process customer bookings and contracts;
• To process payments and refunds;
• To maintain our own accounts and records;
• To inform individuals of news, events, blog posts or activities;
• To make improvements to our site;
• To better understand our customers and their behaviours and needs to inform the review and development of our services and to inform our marketing activities;
• Photographs and video are used within our marketing materials online and offline to showcase our services;
• To put measures in place to ensure we can meet participant’s needs and requirements;
• To provide information to the emergency services in case of a medical emergency.
4. The categories of personal data concerned
With reference to the categories of personal data described in the definitions section, we process the following categories of your data:
• Personal data. The personal data you give us may include: your name, home address, personal email address, personal phone number, your child’s name, your child’s age, photographs and video, your bank details or debit/credit card information, your IP address and cookies. In addition, we may receive information such as your demographics information, interests, and how you interact online. This information is amalgamated and anonymised by the networks that provide it to us. Information we obtain from publicly available sources may include your job title and organisation and work contact details (e.g. phone number and email address)
• Special categories of data. We will ask participants for health information (this will be about you or child, whoever is the participant) – we ask for information about any disability, medical condition, allergy or food allergy, intolerance or requirement that may affect participation.
5. What is our legal basis for processing your personal data?
(a) Personal data (article 6 of GDPR)
Our lawful basis for processing your general personal data:
• Consent of the data subject:
• To make improvements to our site: cookie consent statement and privacy statement on website
• To process customer enquiries: consent statement on website enquiry form
• To put measures in place to ensure we can meet participant’s needs and requirements: consent statement and button on Parental Medical and Consent Form and consent statement and button on Participant Medical and Consent form.
• To provide information to the emergency services in case of a medical emergency: consent statement and button on Parental Medical and Consent Form and consent statement and button on Participant Medical and Consent Form
• Photographs and video are used within our marketing materials online and offline to showcase our services: photo consent requested verbally or on the Medical and Consent Form (participants and parental forms) and details provided about how to withdraw consent. On the electronic consent forms, opt-in preferences only (i.e. boxes aren’t pre-filled)
• To inform individuals of news, events, blog posts or activities: privacy consent statement provided on all relevant forms and where relevant, boxes with opt-in preferences and ability to change preferences.
• Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contract:
• To process customer bookings and contracts: additional customer details are requested in order to confirm booking contract, customers made aware this information is needed in order to process a booking
• To process payments and refunds: payment is needed to fulfil the service and to create a contract.
• To maintain our own accounts and records: customer contract details needed for our records and accounts so that we meet regulatory requirements (e.g. with HMRC)
• Processing necessary for the purposes of the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject
• Business to business (B2B) or organisation direct marketing activities: a Legitimate Interests Assessment (LIA) has been carried out for this purpose. Data is obtained from publicly available sources (websites, social media), individuals are only contacted if we believe they have a genuine interest and need for our services, and individuals are given opportunities to opt-out (e.g. unsubscribe from emails, verbally during a phone call) and details are recorded on a secure database.
(b) Special categories of personal data (article 9 of GDPR)
Our lawful basis for processing your special categories of data:
• Explicit consent of the data subject:
• To put measures in place to ensure we can meet participant’s needs and requirements: consent statement and button on Parental Medical and Consent form and consent statement and button on Participant Medical and Consent form.
• To provide information to the emergency services in case of a medical emergency: consent statement and button on Parental Medical and Consent form and consent statement and button on Participant Medical and Consent form
For your information, more information on lawful processing can be found on the ICO website.
6. Sharing your personal data
Your personal data will be treated as strictly confidential, and will be shared only with Margam Park Adventure Instructors and companies or individuals contracted to deliver services for Margam Park Adventure. Important exceptions – we will share your data where we have a legal obligation to do so or in the event of a medical emergency. We have addressed this on our Medical and Consent Form within the consent statement; and in the case of an individual posting content on our site where a third party claims this constitutes a violation of their intellectual property rights or of their right to privacy, we have the right to disclose your identity to them as per our terms of website use policy.
7. How long do we keep your personal data?
We keep your personal data for no longer than reasonably necessary and we only retain your data for the following purposes and use the following criteria to determine how long to retain your personal data:
• Data provided on Medical and Consent forms is kept for three years after an event
• Incident and accident reporting forms and corresponding Medical and Consent Forms are kept for three years after the event and the accident
• Invoices and contracts are kept for at least 5 years to meet HMRC’s requirements; and will be deleted/destroyed after 6 years
8. Providing us with your personal data
We require your personal data as it is a requirement necessary to enter into a contract.
Exception: – you are under no obligation to provide us with your data when you browse our site. You can change your cookie settings, but please note that this disrupt some functions of our website and may affect your experience of using our site.
9. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
• The right to request a copy of the personal data which we hold about you;
• The right to request that we correct any personal data if it is found to be inaccurate or out of date;
• The right to request your personal data is erased where it is no longer necessary to retain such data (please refer to section 7);
• The right to withdraw your consent to the processing at any time;
• The right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable i.e. where the processing is based on consent or is necessary for the performance of a contract with the data subject and where the data controller processes the data by automated means);
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
• The right to object to the processing of personal data, (where applicable i.e. where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics).
10. Transfer of Data Abroad
We do not transfer personal data outside the EEA, except where we use online platforms that have servers based outside of the EEA.
Any online platforms used are checked for GDPR compliance, which includes ensuring that they have appropriate safeguards in place if their servers are based outside of the EEA.
11. Further processing
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice and Policy, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
13. How to make a complaint
To exercise all relevant rights, queries or complaints please in the first instance contact us via telephone 07825446846 or via email firstname.lastname@example.org
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.