How CSSC handles personal data
We are committed to good information handling principles and the privacy and confidentiality of any personal information we deal with including that of Site visitors and persons we deal with otherwise (see above).
What is personal information?
“Personal Information” has the same meaning as personal data. Personal data is defined in data privacy laws applicable in your country. It includes any information relating to an identified or identifiable natural person. This means any individual who can be identified directly or indirectly by reference to an identifier such as name, identification number, location data, online identifiers (for example, IP addresses – if they can be used to identify you) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Put simply, this includes data which either by itself or with other data held by us or available to us, can be used to identify you.
Personal information also includes special or sensitive categories of personal data. This is data about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation.
The categories of personal information we may collect
Personal information collected from you or relevant third party sources may include the following:
We may combine or supplement this information with other information that we hold about you if you are a CSSC member, or have made inquiries of us before or from third party sources. We may also obtain information from publicly available sources such as the electoral roll, or other third parties who have a legitimate basis on which to pass on your information.
If you communicate with us by email over the internet you should be aware that the internet may not be secure and that your email may pass through several different countries en route to us. Please do not email us with confidential or sensitive information such as your credit card details. We comply with data privacy laws in relation to security, but cannot accept responsibility for unauthorized access to your information that is outside our control. Further information regarding our approach to the security of personal information is included in the section below on Security of personal information.
Third party’s personal information
If you give us personal information about another person, in doing so you confirm that they have given you their prior permission to provide it to us and for us to be able to process their personal data (including any sensitive personal data).
You must also ensure this and other relevant privacy policies are brought to their attention so they can review how their personal information may be used.
The purposes for which we use personal information
We will only use your personal information for the purposes that you would reasonably anticipate or that we state when we collect it and, where necessary, for which you have given us your consent.
Some of these purposes may include the following:
The legal basis for our use and other processing of your personal information under applicable data privacy laws
We have described above the purposes for which we may use and otherwise process your personal information in connection with the Site or for our business purposes. We are required by law to indicate to you the legal basis for this use and other processing. This will include (as relevant):
Your consent may also be a lawful reason for processing your personal information in certain cases. This means your freely given, specific, informed and unambiguous consent which may be collected from you at the time at which it is requested including in relation to any direct marketing communications, see Keeping you informed below.
You should be aware that you are entitled under applicable data privacy law to withdraw your consent, where that has been given, at any time. You should be aware that if you do this and if there is no alternative lawful reason for us to rely on to justify the relevant use or other processing of your personal information, this may affect our ability to provide our services.
Keeping you informed
We will keep your name, address and contact details (including telephone numbers and email addresses) on our databases and (unless you have opted-out of this at the point at which we first collected your details from you) we may from time to time use that information to make you aware of our own same or similar products and sports, events and leisure services which may be of interest to you. We may contact you in writing, by telephone or email. If at any time you decide that you do not want your contact details used for these purposes, please contact us.
If you have provided your consent, CSSC may also disclose personal data to other group companies who may contact you by email or text, where you have indicated that this is your preferred contact method, about sports, events and leisure activities administered or arranged by CSSC.
If you are a member of MySavings+:
Disclosure of your Personal Information to third parties
CSSC may share personal information under these limited circumstances:
Where appropriate, before disclosing personal information to a third party, we contractually require the third party to take adequate precautions to protect that data and to comply with applicable privacy laws.
Retention of your personal information
We keep your personal information for no longer than is necessary to fulfil the purposes for which it was collected as described above.
The criteria we use to determine data retention periods for personal information include the following:
If you would like further information about our data retention practices please contact us (see Contact us below).
Security of Personal Information
We endeavour to use appropriate technical and physical security measures to protect personal information which is transmitted, stored or otherwise processed from accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access, in connection with our Site. These measures include computer safeguards and secured files and facilities. We have received ISO 27001 accreditation for compliance with best practice in information security management. Our service providers are also selected carefully and required to use appropriate protective measures.
In particular, we endeavour to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) pseudonymisation (such as where data is separated from direct identifiers so that linkage to an identity is not possible without additional information that is held separately) and encryption, (b) ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process your personal information, (c) ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) ensuring a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.
You have various rights under data privacy laws. These may include (as relevant) the right to:
Please be aware that some of these rights will only become relevant when changes to data privacy laws come into force in May 2018.
Please see the contact details in the Contact us section below if you wish to exercise any rights. We endeavour to acknowledge requests within 48 hours and full information will be sent promptly and within the relevant statutory timescale.
Links to other websites
Due to the global nature of the internet and many businesses, it may be that your personal information will from time to time be transferred to, or accessed by, parties located in other countries, including outside the European Economic Area (“EEA”). These other countries will either have different data protection laws than your country of residence or they may not have data protection laws. They may not be deemed by the European Commission as providing adequate protection for Personal Information.
Where such processing may occur outside of the EEA, steps will be taken to put in place safeguards (including around security) to protect your Personal Information when it is in these other countries and ensure there is adequate and appropriate protection for any personal data outside the EEA. This includes use of European Model Clause contracts. You can find out what these are here: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm. If you have any questions please contact us (see Contact Us below).
Your right to lodge complaints with the data privacy supervisory authority in your country
In addition to any other administrative or judicial remedy you might have, you have the right to lodge a complaint with the relevant data protection supervisory authority if you consider that we have infringed applicable data privacy laws when processing your personal information. The data privacy regulator’s details in the UK are as follows: Information Commissioner’s Office and their site is: https://ico.org.uk/ which includes current contact details.
If you wish to provide comments or exercise any of your rights you can: