1. Definitions used in this document, unless the context requires otherwise

We, us, our, the Controller means Fit Kidz

Original Agreement means the agreement for the supply of services between you the customer and us and any subsequent amendments

GDPR means the General Data Protection Regulations or equivalent UK legislation

2. Our obligation as Data Controller

2.1 We will treat the personal data as Confidential Information and process it only for the purposes of supplying services and not for any other purpose

2.2 Other than as directed in writing by us, we will not:

a) make or share copies of the personal data;
b) store the personal data on any unsecure device or electronic medium;
c) send or otherwise disclose the personal data to any other party.

2.3 We acknowledge that, in respect of personal data obtained directly from our customers, we will be acting in our own right as Data Controller and we will be responsible under GDPR for how we use it. In particular:

a) we will be responsible for informing data subjects of our identity as Data Controller and of the nature and purpose of the processing in line with Article 13 of GDPR;
b) we will be responsible for implementing appropriate technical and organisational measures as required by GDPR to protect the rights of data subjects;
c) we will be responsible for responding to requests from data subjects in exercising their rights of access and rectification in line with GDPR.

3. Standard Data Controller clauses

These clauses are required by GDPR and will apply to any situation in which we are acting as Data Controller

a) ensure that all our employees, agents and sub-contractors processing the data are subject to a duty of confidence;
b) implement appropriate technical and organizational measures to ensure the security of processing taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
c) do everything necessary in providing subject access and allowing data subjects to exercise their rights under the GDPR;
d) do everything necessary in meeting our obligations under GDPR in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;

4. Our Privacy Notice to you

We process personal data relating to our customers and all our employees, agents and sub-contractors to manage the contracts between all parties. We are required under GDPR to tell all parties about how and why we use it.

What information do we collect?

We collect and process a range of information which includes:

• name, address and contact details, including email address and telephone number;
• the terms and conditions of contracts with us including fees;
• details of professional and industry qualifications as well as insurance cover;
• details of bank accounts and payment history;
• information about criminal records;
• details of appointments and attendance;
• details of any complaints or disputes and related correspondence.

We store this information on paper records and on our IT systems which are hosted in the European Economic Area (EEA).

Why do we process your personal data?

We process your data on the basis of the contract we have with you, to meet our legal obligations under safeguarding and health and safety legislation and in line with our business interests.

Who has access to your data?

Your information may be shared internally, with our employees, agents, sub-contractors and third parties to the extent that access to the data is necessary for performance of their roles or services and subject to appropriate safeguards.

How do we protect data?

We take the security of your data very seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees, agents and sub-contractors in the performance of their duties.

Where we engage third parties to process personal data on our behalf, we do so, on the basis of written instructions, or under a duty of confidentiality and they are obliged to implement appropriate technical and organisational measures to ensure the security of data.

How long do we keep data?

The majority of the data that we collect, we will hold for the duration of your contract with us unless it was collected for a single purpose or it has expired. After your contract ends, we will retain your data for six years from the end of the tax year in which it ends and then the records will be destroyed. Our tax year runs April through to March.

As a data subject, you have a number of rights. You can:

• access and obtain a copy of your data on request;
• request us to change incorrect or incomplete data;
• request us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
• object to the processing of your data where we are relying on our legitimate interests as the legal ground for processing.

Please contact us immediately should you wish to activate any of your rights.

If you believe that we have not complied with your data protection rights, you can complain to the Information Commissioner. ICO Helpline: 0303 123113