GDPR

At The Fifth Dimension, we have taken steps to ensure that we have done everything possible to be GDPR compliant in preparation for the deadline.

As your Health Club we need you to ‘opt-in’ so that we can keep you up to date with our latest news, club updates and class changes etc. We hope you're still interested in hearing from us as we'd like to stay in touch - but as with any communication we send you, you can unsubscribe at any time.

Your data privacy and security are important to us; therefore, we have updated our privacy policy to make it even more transparent. As a business, we are required to make sure that any information we hold that allows us to identify an individual is safe.

We have put together an FAQ document that hopefully helps to explain the obligations you have under GDPR. We'd appreciate it if you would take a minute and have a look at the information.


If you have any queries - simply contact us on 01453 769120 or email info@fifthdimension.org.uk

Thank you.


PRIVACY POLICY

This Privacy Policy explains how and why The Fifth Dimension Health Club (TFD) collects and
uses personal information, and what we do to ensure it is kept private and secure.


This Policy sets out the following:


1. About TFD and DFC (and how to contact us)
2. Our relationship to our data processor
3. What information we collect
4. Why we need your information
5. How we use your information
6. Website visitors and cookies
7. Other recipients of information
8. Communications
9. Storing your data
10. Keeping your data safe
11. Your rights
12. Updates to this Policy

 

1. About TFD and DFC (and how to contact us)


The Fifth Dimension Community Leisure (TFD) is a not-for-profit health club providing exercise
and wellbeing to the local community, selling memberships either as a yearly payment or monthly
direct debit. It is incorporated in England and Wales with number 07721540. Our registered office
is at Ebley Wharf Mill, Ebley, Stroud, Gloucestershire, GL54SR. Debit Finance Collections PLC
(DFC) is a company incorporated in England and Wales with number 03422873. Its registered
office is at 16 Davy Avenue, Knowlhill, Milton Keynes, Buckinghamshire, MK5 8PL.


You can contact our Data Protection Officer with questions about this Policy or your personal
data by writing to our office address (above, marking your letter for the attention of Mr Tom
Bragagnolo), telephoning 01453 769120 or emailing info@fifthdimension.org.uk. You can also
visit DFC's website at www.debitfinance.co.uk.


For the purposes of data protection law we will be a controller of your personal information in
some situations (this means we make decisions about how and why your information is used, and
have a duty to ensure your rights are protected). In other situations we will be a processor of your
information (meaning we have no control of your information and only act on the instructions of
your Service Provider).


DFC are registered with the UK Information Commissioner’s Office under controller number:
Z504594X.


2. Our relationship to our data processor


DFC collect and process payments on behalf of TFD (the “Service Provider”).


In order to subscribe for the gym membership (the Service Provider’s services), you may be asked to
visit an online portal and provide certain information, including contact details, payment
information and other information. DFC operate and administer this portal (and collect
information from you) on behalf of TFD (the Service Provider).

3. What information we collect


We may collect some or all of the following information on individuals who use our services:

 

  • personal details (such as your name, address, date of birth, telephone number and email)
  • financial information (such as bank account details)

We will also store information about your payment history, including missed payments and
unpaid debts. If you telephone us we may record that conversation for training or security
purposes or in order to establish, defend or conduct a legal claim. We will also keep a record of
correspondence (including emails and letters) between us and you.


4. Why we need your information


We will only use your information with your consent, or because we need to use the information:

  • to enter into, or perform, a contract with you
  • to comply with a legal duty
  • for our own (or a third party’s) lawful interests, provided your rights don’t override these (this includes operating our business, and recovering unpaid debts)

In any event, your information will only be used for the purpose(s) it was collected for (or another
closely related purpose, such as keeping records where necessary).


5. How we use your information


We use different types of information for different purposes. These are described below.


Identifying information and contact details


We collect basic information (such as your name and date of birth) in order to enable us to
identify you and for us and the DFC (Data Processor) to provide you with services. We also
collect contact details so that we and the DFC (Data Processor) can contact you.


Health data and other sensitive information


In some cases TFD may request sensitive personal information (such as medical history or
ethnicity). If you have any questions or concerns about your sensitive information, you should
contact us directly.


Financial information


TFD and DFC use your financial information to collect and process payments, and will act as a
data controller in respect of this information.


If you fail to pay sums which are due (for example a subscription fee), TFD will instruct DFC to
recover the debt. In these situations we may use your information (including contact details, and
information about your payment history and dealings with us) in connection with debt recovery or
assignment. If this does occur, either we or the debt collection agency will contact you and let you
know. We may also share relevant information with DFC, HM Courts and Tribunals Service and
our professional advisers.


6. Website visitors and cookies


Visitors to our website


We don’t normally collect or process personal information about visitors to our website unless
they choose to provide information. We may collect non-personal information about visitors to our
website as this helps us optimise and improve the website. This information might include your
internet protocol address, the browser being used to connect to our site, the device (e.g. its
operating system) and the connection type (e.g. the Internet service provider used). However,
none of this information will directly identify you.


Other websites


Our website may include hyperlinks to other websites. We are not responsible for the content or
functionality of any of those external websites. If an external website requests personal
information from you, the information you provide will not be covered by this Policy. We suggest
you read the privacy policy of any website before providing any personal information.


Google Analytics Cookies


We also use Google Analytics to track usage of our website and collect details of repeat visits.
These cookies do not collect any personal information about you. Google Analytics Privacy.


The cookies will identify your browser, the times and dates that you interacted with our site and
the marketing materials or referring pages that led you to our website. We use this information to
compile reports (e.g. regarding the number of visitors to the site, where visitors have come to the
site from and the pages they visited) and to help us improve the website. This information is
anonymous and will not identify you.


7. Other recipients of information


We respect the privacy of your information and will never sell or trade your personal data.
We will share information with DFC (our Data Processor) because this is necessary in order for
them to contract with you and for us to provide you with services (please see paragraphs 2 and 3
above for further details). If you have questions regarding TFD’s use of your data, you should
contact us directly.


8. Communications


We may contact you by email, telephone or post with updates or information about your account
with us, notifications regarding your payments and also with updates for classes, opening times
and events, and updates to our terms of business or this Policy.


Marketing communications


We do send marketing emails, which contain information about The Fifth Dimension and our
services, to members we think might be interested in them. If you receive such an email, it could
be because you are an existing client or have enquired about our services.


If you receive marketing communications from us, you can change how you hear from us or
unsubscribe at any time. You can do this by writing to The Fifth Dimension
Community Leisure Ltd, Ebley Wharf Mill, Ebley, Stroud, Glos, GL54SR,
emailing info@fifthdimension.org.uk or calling 01453 769120.


If you have received a marketing communication in error and wish to complain then please
contact info@fifthdimension.org.uk.


9. Storing your data


We only store personal information for as long as required in order to fulfil the purpose it was
collected for (or for a related compatible purpose, such as keeping a record of a transaction).


We regularly review what data we have and delete that which is no longer necessary. You also
have a right to request that your data be deleted (the right to be forgotten); please see paragraph
11 for further details.


The Direct Debit Guarantee


The Direct Debit Scheme provides customers who pay by Direct Debit with a guarantee to
protect against payment errors. The guarantee is not time limited and covers any payments you
make to us. In order to ensure you are able to exercise your rights under the guarantee, we keep
records of Direct Debit instructions and payments on file.


This information is not retained for a fixed period, and instead we keep it on file until we are
satisfied that there is no longer a reasonable prospect you might make a guarantee claim. Once
you cease using our services, we will restrict the use of this information so that it is securely
stored and only accessed in the event of such a claim.


International Transfers


We normally only store personal information within the European Economic Area (EEA). If one of
our subcontractors (such as a payment processor) needs to transfer it outside of the EEA then
we will take steps to make sure adequate levels of privacy protection, in line with UK data
protection law, are in place. These safeguards will usually be contractual and/or the result of a
European Union decision which allows the transfer (such as a US organisation which is certified
under the EU-US Privacy Shield framework).


Incorrect information


If you believe that any information we are holding on you is incorrect or incomplete, please write
to The Fifth Dimension, Ebley Wharf Mill, Ebley, Stroud, Glos, GL54SR, or
email info@fifthdimension.org.uk.


10. Keeping your data safe


We employ a variety of physical and technical measures to keep your personal data safe and to
prevent unauthorised access to, or use or disclosure of it. Electronic data and databases are
stored on secure computer systems and we control who has access to them (using both physical
and electronic means). Our staff receive data protection training and we have a set of detailed
data protection procedures which personnel are required to follow when handling personal data.


DFC's online portal complies with the Payment Card Industry Data Security Standard (PCI-DSS),
and we do not store card information. Any payment information you provide will be sent to us via
a secure connection. However, we cannot absolutely guarantee the security of the internet or
external networks or your own device; accordingly, any online communications (e.g. information
provided by email or through our website) are at your own risk.


11. Your rights


We want to ensure you remain in control of your personal information. Part of this is making sure
you understand your legal rights, which are as follows:

 

  • the right to confirmation as to whether or not we have your information and, if we do, to obtain a copy of the personal data;
  • (from 25 May 2018) the right to have certain information provided to you in a portable electronic format, or transmitted to another data controller, where technically feasible;
  • the right to have inaccurate data rectified;
  • where personal data is processed on the basis of your consent, the right to withdraw that consent;
  • the right to object to your data being used for marketing or for legitimate interests purposes;
  • the right to restrict how your personal information is used; and
  • the right to be forgotten, which allows you to have your data erased in certain circumstances (though this is not an absolute right and may not apply if we need to continue using the information for a lawful reason).

If you would like further information on your rights or wish to exercise them, please write to Mr
Thomas Bragagnolo, The Fifth Dimension Community Leisure Ltd, Ebley Wharf Mill, Ebley,
Stroud, Glos, GL54SR, or email info@fifthdimension.org.uk, making sure that you state your
request clearly.


Please keep in mind that there are exceptions to the rights above and, though we will always try
to respond to your satisfaction, there may be situations where we are unable to do so (for
example, because the information no longer exists or there is an exception which applies to your
request).


If you are not happy with our response, or you believe that your data protection or privacy rights
have been infringed, you should contact the UK Information Commissioner’s Office, which
oversees data protection compliance in the UK. Details of how to do this can be found
at www.ico.org.uk.


12. Updates to this Policy


TFD may update this Policy at any time. When we do, we will post a notification on the main
page of our website and revise the updated date at the bottom of this page. We encourage users to
frequently check this page for any changes to stay informed about how we are helping to protect
the personal information we collect.

This policy was last updated on 18 May 2018.

 


FAQ

EU General Data Protection Regulation (“GDPR”) – FAQs External Version – 1st May 2018.
This document is a broad overview of the GDPR and does not provide legal advice.


Introduction
This set of FAQs highlights the key themes of the General Data Protection Regulation (“GDPR”) to help our customers understand the new legal framework for protecting personal data in the European Union (“EU”). It describes the key requirements of the GDPR as well as Fifth Dimension’s approach to them.


What is the GDPR?
In spring 2016, a new legal framework for collecting and processing personal data was adopted in the EU – the GDPR – which will enter into force on 25 May 2018. It introduces new and enhanced data protection requirements for companies.


Who does the GDPR apply to?
The GDPR applies to all companies operating in the European Economic Area (“EEA”: EU countries plus Iceland, Liechtenstein and Norway) that process personal data of people based in the EEA. It also applies to non-EEA based companies offering goods or services to people based in the EEA and to those who monitor the behaviour of people based in the EEA.


Key Changes
What are the key changes under the GDPR?
The GDPR introduces several key changes to how companies can collect, use, share, store and transfer personal data.


For instance:

  • Definitions. The definitions of personal data and sensitive data have been expanded.
  • Consent. The conditions for obtaining a valid agreement by a person to use his/her personal data are more rigorous.
  • Individuals’ Rights. It will be easier for people to ask an organization for access to their data, to correct it, move it or erase it.
  • Transparency. Individuals must receive detailed information about how their data will be collected, used, shared, transferred and retained.
  • Privacy by Design. Companies must embed privacy into the design of their products and services throughout the whole product development lifecycle.
  • Accountability. Companies must document their data processing activities, data flows and compliance as well as their risk and impact assessments. In some cases, they have to appoint a data protection officer.
  • Processors and Sub-Processors. Data processors have direct obligations and liabilities under the GDPR, and must be authorized by the data controller to use sub-processors.
  • Data Transfers. Companies must implement a valid data transfer mechanism to transfer personal data outside of the EEA.
  • Contracts. Contracts must include mandatory provisions and clarify roles and responsibilities of each party handling personal data.
  • Data breach. Companies are required to notify data breaches to supervisory authorities within 72 hours of awareness and, in some cases, to affected individuals.
  • Sanctions. If companies don’t meet the obligations of the GDPR, they will face fines of up to 4% of their global annual turnover or EUR 20 million, whichever is higher.

Consent
What is a valid consent under the GDPR?
To comply with the GDPR requirements, consent (or agreement by the person whose data is being used) must meet strict requirements. It must be:

 

  • Clear, affirmative and unambiguous. The individual must provide consent by way of a clear and affirmative action, such as ticking a box when registering for a service or tapping an “I Agree” button when using a mobile application.
  • Informed. The individual must be aware of who is collecting the data and the purposes of the processing.
  • Clear and plain language. Consent needs to be separate and not be hidden within the terms of a privacy notice or terms of use.
  • Specific. Consent should be specific to the processing activity. Where there are multiple processing activities, consent may have to be given for each purpose.
  • Freely given. Individuals must have a genuine free choice and must be able to refuse or withdraw consent at any time without detriment.

Individuals’ Rights
What kind of requests might we receive from individuals under the GDPR?
Under the GDPR, people have enhanced rights about how their personal data is handled. Specifically, they have the right to:

  • Access the personal data held about them.
  • Object to certain types of processing, such as receiving marketing communications.
  • Request correction and deletion of their personal data.
  • Request the transfer of their personal data in a machine readable format to another company (data portability).

They are entitled to make these requests free of charge and the data controller must respond to the requests within one month, subject to various considerations before responding.

Transparency
What are the transparency requirements under the GDPR?
People must receive detailed information relating to the processing of their personal data. This is the responsibility of the data controller and companies usually inform individuals about how their personal data is processed via a privacy notice. The GDPR increases the amount of information that needs to be provided. It also requires providing information in a concise (e.g., a layered privacy notice), easily accessible (e.g., via a prominent link on a website) form using clear and plain language.


Accountability

What does Accountability mean under the GDPR?
It means that companies need to comply with the GDPR requirements and be able to demonstrate
compliance. Practically, there are many ways to demonstrate compliance, including:

  • Adopting data protection policies
  • Maintaining records of processing
  • Appointing a data protection officer
  • Conducting a data protection impact assessment for high risk activities
  • Consulting with supervisory authorities if needed.

Data Transfers
What is the Fifth Dimension’s approach to the GDPR data transfer rules?
The GDPR continues to restrict transfers of personal data outside of the EEA unless the third country has obtained an “adequacy decision” from the EU Commission or the receiving entity has a valid data transfer mechanism in place.


Contracts
Why do we need to update contracts?
The GDPR requires mandatory provisions to be included in contracts with customers. It also requires contractual parties to clarify their respective roles and responsibilities when handling personal data.


Data Breach
What is the new Data Breach notification obligation?

Data controllers are required to notify a breach of personal data to the lead supervisory authority within 72 hours of awareness, unless the breach is not likely to create risks for the people whose data has been breached. In addition, the personal data breach must be communicated to the affected individuals without undue delay where the breach is likely to create a high risk for them.


Data processors must communicate any breach to the data controller without undue delay, and must assist the data controller in complying with its notification obligations.


The Fifth Dimension Community Leisure and the GDPR