Privacy Policy

Karen James Yoga – Information Commissioner’s Office (ICO) Registration ZA766474. My website address is: http://www.karenjamesyoga.co.uk

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). This privacy policy sets out how Karen James, the Data Protection Officer (DPO), uses and protects any information you supply when you use this website.

Introduction

Everyone has rights with regard to the way in which their personal data is handled. In order to operate efficiently I need to collate and use information about the people with whom I work. This includes current and past clients, and others with whom I communicate.

I regard the lawful and correct treatment of personal information as integral to successful operation and to maintaining the confidence of the people I work and communicate with. To this end I fully endorse and adhere to the principles of the relevant laws.

Definitions in this Privacy Notice

Data: Information stored electronically, on a computer, server or in certain paper-based filing systems.

Data Controller: Karen James determines the purposes for which, and the manner in which, your Personal Data is processed. The Data Controller has overall responsibility for compliance with the Data Protection Laws. Any questions about the operation of this Notice or any concerns that the Notice has not been followed should be referred to Karen James.

Data Subjects: All living individuals about whom I hold Personal Data. All Data Subjects have legal rights concerning the processing and storage of their personal information.

Personal Data: Information which can be used to directly or indirectly identify a living individual.

Processing: Any activity in which the data is used, including (but not limited to) obtaining, recording, organising, amending, retrieving, using, disclosing, erasing, destroying and/or holding the data. The term “processing” also includes transferring personal data to third parties.

Supervisory Authority: The authorised body which is empowered to govern and manage how the GDPR is implemented and abided by. In the UK the Supervisory Authority is the Information Commissioner’s Office.

Sensitive Personal Data: This includes information about a person’s race, ethnicity, political opinions, convictions, religion, trade union membership, genetics, biometrics, health, and sex life or orientation. Sensitive personal data can only be processed with the express written consent of the person concerned.

Notice Statement

In accordance with the GDPR, anyone processing Personal Data must comply with the six principles of good practice. These provide that Personal Data must be:

  1. used fairly, lawfully and transparently
  2. used for specified, explicit purposes
  3. used in a way that is adequate, relevant and limited to only what is necessary
  4. accurate and, where necessary, kept up to date
  5. kept no longer than necessary
  6. handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, damage or destruction

For Personal Data to be processed lawfully, the basis for the processing must be one of the legal grounds set out in the Enactments. These include, among other things, your written consent to the processing, or that the processing is necessary for the performance of my contract with you.

In the event I collect Personal Data directly from you, this Notice should assist in informing you about:

1.1  The purpose or purposes for which I intend to process your Personal Data.

1.2  The types of third parties, if any, with which I may share or disclose your Personal Data.

1.3  The means with which you can limit my processing and disclosure of your Personal Data.

If I receive Personal Data about you from other sources, I will provide you with this information as soon as possible thereafter.

When sensitive personal data is being processed, additional conditions and securities must be in place to ensure protection.

  2. Processing for Limited Purposes

In the course of my business, I shall process the Personal Data received directly from you (for example, by you completing forms, sending me papers or from you corresponding with me by mail, phone, email or otherwise) and your Personal Data which I receive from any other source.

I shall only process your Personal Data to fulfil and/or enable me to satisfy the terms of my obligations and responsibilities in my role, or for any other specific purposes permitted by the Enactments. Should I deem it necessary to process your Personal Data for purposes outside and/or beyond the reasons for which it was originally collected, I will contact you first to inform you of those purposes and my intent, and may also seek your consent.

  3. Adequate, Relevant and Non-Excessive Processing

I will only collect and process your Personal Data as required to fulfil the specific purpose/s of my contract and agreements with you.

  4. Accurate and Up-to-Date Data

I shall ensure that all Personal Data held is accurate and up to date and will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. If you become aware that any of your Personal Data is inaccurate, you are entitled to contact me and request that your Personal Data is amended. I will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

  5. The Timely Processing of the Data

I will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. Once Personal Data is no longer required, I will take all reasonable steps to destroy or erase it.

  6. Keeping Your Personal Data Secure

I am bound to this privacy policy, procedures and technologies which maintain the security of all your Personal Data from the point of collection to the point of destruction.

I maintain data security by protecting the confidentiality, integrity and availability of your Personal Data, and abide by the following definitions:

6.1  Confidentiality: Ensure that only people authorised to use your Personal Data can access it.

6.2  Integrity: Ensure that your Personal Data is accurate and suitable for the purpose for which it is processed.

6.3  Availability: Have established procedures which mean that only authorised persons are able to access your Personal Data, when they need it for authorised purposes.

I also maintain security procedures which include, but are not limited to:

6.4  Methods of disposal: paper documents containing Personal Data are shredded, and digital storage devices shall be physically destroyed when they are no longer required.

6.5  Locking my PC/electronic device when it is left unattended.

6.6  My computer has appropriate password security, boundary firewalls and effective anti-malware defences.

6.7  One or more of the following measures shall be applied to the Personal Data held: separating the Personal Data, pseudonymisation and/or encoding of the data.

I shall take appropriate security measures against unlawful and/or unauthorised processing of personal data, and against the accidental loss of, or damage to, your Personal Data.

I shall only transfer your Personal Data to a Data Processor (a Data User outside my business) if the Processor agrees to comply with my procedures and policies, or if the Processor puts in place security measures to protect Personal Data which I consider adequate and which are in accordance with the Enactments.

How I Will Use Your Personal Data

I will only collect and process your Personal Data to the extent that it is needed to fulfil my operational and contractual needs or to comply with any legal requirements.

I shall access and use your Personal Data in accordance with your instructions and as is reasonably necessary:

  • to fulfil my contractual obligations and responsibilities to you
  • to provide, maintain and improve my bookkeeping services
  • if I intend to use your Personal Data for the advertising and marketing of my services, I shall seek your separate express consent, and you are entitled to opt out of these services at any time
  • to respond to your requests, queries and problems
  • to inform you about any changes to my services and related notices, such as security and fraud notices.

When I May Share Your Personal Data

There are times when I may need to share your Personal Data. This section discusses how and when I might share your Data.

In the course of fulfilling my role as your wellbeing centre it will be necessary for me to disclose your Personal Data in certain situations:

  • I need to share your Personal Data with certain bodies to fulfil my contract with you, such as HMRC and other governmental and regulatory bodies.
  • I use the following software providers to process electronic data, including personal data: Mind Body Online, Booking Hawk, Apple Cloud, Stripe. These providers state that they are GDPR compliant and/or apply equivalent/adequate safeguards.
  • There may also be situations in which it is necessary for me to disclose your Personal Data to other third parties, which include but are not limited to: HMRC & Companies House.
  • If I am under a duty to disclose or share your Personal Data in order to comply with any legal obligation, lawful requests, court orders and legal process.
  • To enforce or apply any contract or other agreement with
  • To protect my rights, property, or safety and that of others, in the course of investigating and preventing money laundering and fraud.

Your Rights and Requests Concerning Your Personal Data

I will process and manage all your Personal Data in line with your rights; in particular your rights to:

  • request access to any data I hold about you
  • prevent the processing of your Personal Data for direct-marketing purposes, if so instructed
  • ask to have inaccurate Personal Data amended
  • be forgotten, and have all relevant Personal Data erased (subject to my overriding legal obligations)
  • prevent processing which is likely to cause damage or distress to you or anyone else
  • request certain restrictions on the processing of your Personal Data
  • receive a copy of your Personal Data and/or request a transfer of your Personal Data to another party
  • not be subject to automated decision making
  • be notified of a data security breach which affects your rights and freedoms, without undue delay
  • if you have provided your express consent that your Personal Data may be processed for marketing and advertising purposes, you are entitled to withdraw that consent. Such a withdrawal will not affect any processing of the data completed before consent was withdrawn
  • make certain requests to me concerning how your Personal Data is managed.

Access and portability requests

You are entitled to request access to your Personal Data unless providing a copy would adversely affect the rights and freedoms of others.

You can also request information about the different categories and purposes of data processing; recipients or categories of recipients who receive your Personal Data, details on how long your Personal Data is stored for, information on your Personal Data’s source and whether I use automated decision-making.

You also have “Data Portability” rights, which include the right to request that a copy of your Personal Data be sent to you or transmitted to another party.

Correction requests

You are entitled to request I correct or complete your inaccurate or incomplete Personal Data without undue delay and I will update the information and erase or correct any inaccuracies as required.

Erasure requests

You can exercise your “right to be forgotten” and can request that I erase your Personal Data. Once I receive a request I must erase the Personal Data without delay, unless an exception applies that permits me to continue processing your data. Details of such exceptions are contained in the Enactments and include situations where I might need to retain the information to carry out official duties and/or comply with legal obligations and/or for the establishment, exercise or defence of legal claims, or where it is in the public interest to retain your Personal Data.

Restriction requests

You may request that restrictions be applied to the processing of your Personal Data for some specific reasons, such as where you contest the accuracy of the data, the processing is unlawful, or I no longer need to process your Personal Data. You can also request that restrictions be applied if the processing is being done for public interest or third-party reasons.

If such a request is received I can continue to store your Personal Data, but may only process it under certain circumstances, such as: you give consent for me to continue processing your data, I need to establish, exercise, or defend legal claims or I need to protect the rights of another individual or legal entity or for important public interest reasons.

Objection requests

You may also object to your Personal Data being processed under certain circumstances, including for direct marketing purposes and profiling related to direct marketing.

If I receive such an objection I will stop processing your Personal Data unless I can show a compelling legitimate ground for processing your Personal Data which overrides your interests and the basis of your request.

Your Telephone Queries and Requests

When receiving telephone enquiries in which Personal Data is requested, I will only verbally disclose Personal Data held on my systems if I can confirm the caller’s identity, so as to ensure that the data is only given to a person who is entitled to receive it.

I may suggest that a caller put their request in writing to assist in establishing the caller’s identity, and to enable me to clearly record the nature of the request and to assist in further identity checks.

If I have reasonable doubts about the identity of the person making the request, I may request additional information to confirm the caller’s identity.

Your Written Queries and Requests

When responding to written requests, Personal Data will only be disclosed if I can confirm the identity of the sender and/or sufficient supporting evidence establishing their identity is provided by the sender.

Responding to Your Requests

Upon receiving a request from you concerning your Personal Data, I will respond within one month of receiving the request by email (unless you request a response in an alternative format).

If I am unable to immediately comply with your request I will inform you within my response stating whether I need to extend my response time (for up to a maximum of two months), along with an explanation for the delay.

If I do not take any action within one month after receiving your request, you are entitled to request an explanation from me as to why no action was taken and you may make a complaint to the ICO: Information Commissioner’s Office – casework@ico.org.uk

When responding to Personal Data requests I will provide the information free of charge, provided the request is reasonable.

Your Complaints

If you feel that your questions or concerns regarding your Personal Data have not been dealt with adequately, or that your request has not been fulfilled, you may make a complaint directly to the ICO: Information Commissioner’s Office – casework@ico.org.uk

Changes to our Data Protection Policy

I keep this privacy policy under regular review and reserve the right to amend and update the policy as required. Where appropriate, I will notify you of those changes by mail, email and/or by placing an updated version of the policy on this website.

Have access to a FREE 10 minute Yoga Nidra when you sign up to my mailing list