This Privacy Notice relates to personal data processed and stored by Surrey Sports Park. Surrey Sports Park is a wholly owned subsidiary of the University of Surrey, which runs the sports facilities for students, staff and public members. We are registered as a data controller with the Information Commissioner’s Office and are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. We have a named Data Protection Officer, Frances Teding Van Berkhout, who can be contacted via dataenquiries@surrey.ac.uk
This Privacy Notice is designed to protect you, our users by informing you how personal data is collected, how we look after that data and with whom we share it. Surrey Sports Park and the University of Surrey are committed to complying with the General Data Protection Regulation (GDPR).
WHAT PERSONAL DATA DO WE COLLECT AND WHY?
What personal data we collect from you depends on what you are doing when you visit us. For members we need to collect more personal data than for people who make the occasional visit.
PERSONAL DATA THAT WE COLLECT
- When you join us we will collect your name, date of birth, contact information and a limited amount of heath information.
- Your University student contact information including: current university card number, URN, student postal address, mobile and home number, student email address, DoB, gender, nationality, Emergency Contact name and number, Department code, Course name, University Status (eg, Current, Graduated etc) where you have consented to the University providing this to us.
- If you are not a member and make a booking here then we will need to collect your name, postal address, email address, date of birth and either a mobile or landline number.
- For all members and non-members bookings, individuals will be assigned a unique identifier which is used across our booking system to allow us to manage your use of our facilities.
- If you contact us by email, via the website, in person or by telephone we may keep a record of your contact information and enquiry and may subsequently use your contact details to respond to your enquiry.
- If you pay for your membership via Direct Debit we will collect your name, your bank’s name, account number and sort code details.
- We may also need to process your own / your child’s / family member’s personal data to protect your vital interests, for example, where we may have reason to believe that you or another person may suffer harm.
- When you sign up for any camps or courses using our platform Active Network, we collect your name, gender, DoB, Email and phone number. We also collect your child’s name, gender, dob, email, home number and address. This information used for registers and for marketing future camps/courses
- Surrey Sports Park uses Eventbrite to allow our customers to register/purchase tickets to a number of events. This includes events run by our franchises, Team Surrey or any other event that is run by Surrey Sports Park. We may collect your name, email address, postal address and payment method in order to process your order and provide you with tickets to events. This data may be used for future marketing.
WHY DO WE COLLECT AND PROCESS YOUR PERSONAL DATA?
We collect and process your data for the following purposes:
USE OF OUR FACILITIES
- We use your personal data so that you can use our facilities and for us to keep records of the process.
- We process your personal data if you have a contract with us. The most common form is when you have a membership with us to allow us to meet the terms of the contract that exists between us. This will include us collecting direct debit payments if you pay via this method.
- We are required by legal obligation to keep information about accidents which may occur at Surrey Sports Park and this will include personal data.
DETAILS OF YOUR TRANSACTIONS
- We collect data for any transactions you carry out through our website and directly on our premises so that we can administer the services you have with us. Please note that we never store your payment card details on our website or in our database.
BANKING
- If you pay for your membership through a Direct Debit mandate we need to store your bank account number, sort code, bank name and account name this data is hosted within the University of Surrey’s Azure cloud tenant.
- We process payment card (credit card or debit card) information at the time we take payment. This data is not stored on our system (XN Leisure). When you pay via a Direct Debit we share this data with a third party (Bottomline) to process your payment on our behalf. The data shared with Bottomline includes; member name, BACS reference number, member number, account number, sort code, name on account and bank name.
CUSTOMER FEEDBACK & SURVEYS/RESEARCH
- We will record customer comments about how we are performing.
- We will process the information that you provide with your consent when you take part in a survey or research. These surveys enable us to provide you with a better service.
YOUR COMMUNICATIONS PREFERENCES
- We keep a record of any permissions and preferences you give us about what types of
communication you are happy to receive from us.
HOW DO WE LOOK AFTER YOUR PERSONAL DATA?
- We maintain our systems in a secure environment, limiting access to your personal data to
those who need it to provide our services to you.
- We will contact you according to your preferences.
- We will update your personal data or preferences promptly when you ask us to.
- We will let you see what personal data we hold about you when you request it.
- We will never sell your personal data to a third party.
- We will ensure that all personal data is held within the EEA (European Economic Area).
RETENTION AND STORAGE
- We keep your personal data in line with our retention schedule. We only keep data for as long as we need to be able to.
- The data that Surrey Sports Park hold is hosted within the University of Surrey’s Azure cloud tenant.
SERVICES PROVIDED BY CONTRACTED THIRD PARTIES
We share your personal data externally with the following third parties;
- Our parent company, the University of Surrey
- We use the University of Surrey to process Direct Debit payments. This uses
external systems to allow Direct Debit payments to be validated and submitted –
these are provided by Bottomline and BACS
- We use the University of Surrey access control system to limit access to various parts
of our site (e.g. the swimming pool) to those members and guests who are eligible to
use the facility. Where access is granted we send your name, email, member identifier, member card number and membership type to the University to enable this to be implemented.
- We use the University of Surrey to invoice to individuals and to make payments to individuals who are suppliers of ours.
- The University of Surrey Students Union. For our members who have a
University of Surrey Student membership, we will provide a list of members to the Students
Union to ensure that all students taking part in Team Surrey activities have a Surrey Sports
Park membership
- XN Leisure – to support our Leisure Management System (LMS). There will be
times when they have access to the system for upgrades, enhancements and problem
resolution. Access to the LMS is controlled by us and changes are
monitored.
- MailChimp to send emails to our members and guests. You can withdraw consent
for us to send you marketing emails at any point. Access to the data held in MailChimp is
restricted to only those who need use it as part of their job.
- 4Global to allow us to manage the members and guest data. Access to the data held in 4Global is restricted to only those who need to use it as part of their job.
- Cascade 3d to support our reporting software. There will be times when they have access to our system for upgrades, enhancements and problem resolution. Access to the reporting software is controlled by us and changes are monitored. This data is held in the University of Surrey Azure cloud tenant.
- University of Surrey IT department – to support any IT related issues that you may have with your account
- HubSpot
- HubSpot CRM to manage the information we hold on you
- HubSpot Marketing to send marketing and service emails / surveys to our members and guests, where you have given us your consent to do so. You can withdraw consent at any point.
- HubSpot Service to assist you with any issues you have at Surrey Sports Park, including online enquiries, membership queries, etc
- Access to the data held in HubSpot is restricted to only those who need use it as part of their job.
MARKETING PARTNERS
- We will never sell or give your personal data to any third party for marketing or other purposes. Subject to your consent we may send you information we think you may be interested in receiving.
HOW DO WE USE YOUR PERSONAL DATA?
- We use your personal data to help us provide and improve our services for you. We may use your personal data in the following ways
- to provide you with any services that you have purchased
- to check your identity
- to validate your eligibility for memberships and activities
- to check that our copy of your personal data is correct
- to enable payment to be made
- to let you know about any changes to an existing booking
- to provide marketing communications, subject to your consent
- for research and analysis so we can develop and improve our services for your benefit
- to meet any legal obligations
- To enable you to take part in any of our promotional activities
KEEPING YOU INFORMED
- There are some communications that we will need to send to you as part of our service to you. Without these we would not be able to provide you with our services – examples of these include changes to passwords, confirmation of bookings, changes to opening hours, notification of major events that may impact you visiting us and notices about any direct debit payments.
- For all other communications with ourselves you can choose if you want to receive them. All of our emails allow you to unsubscribe from any email sent by us to that email address. You can also opt out by contacting us directly either via email, phone and when visiting us. Details are provided in the contacts section.
YOUR RIGHTS TO MANAGE YOUR PERSONAL DATA
As an individual whose data we process (a data subject), you have certain rights in relation to the processing.
You have the right to:
- Withdraw your consent in circumstances where we are processing your personal data on that basis;
- Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing;
- Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete;
- Have your data erased by us, although in certain circumstances we may not be able to do this, for example, where we must comply with a legal obligation or in managing your health and social care;
- Restrict the processing of your personal data in certain ways;
- Obtain your personal data for reuse;
- Object to certain processing of your personal data.
To exercise any of these rights, please contact: dataenquiries@surrey.ac.uk.
If you have any concerns about the way that we have handled your personal data please contact us as we would like to have the opportunity to resolve your concerns. If you’re still unhappy, you have the right to lodge a complaint with the Information Commissioner’s Office. Please see their website at: https://ico.org.uk/make-a-complaint/.
Hydrow
SSP have a Hydrow machine in their gym. Hydrow stores data in the US. Please see Hydrow’s privacy policy for more details.
