tel: 051 390176
Inner visual

This Privacy Policy relates to customer data processed and stored by Tramore Water Centre CLG trading as “Splashworld” and “Target Fitness”.  It includes data captured on our website www.splashworld.ie, our various recording procedures, a CCTV policy, and a summary of you rights.

Tramore Water Centre CLG, is the data controller and is registered with the data commissioner’s office. This Privacy Policy informs customers and users about the collection, use and sharing of personal information we collect on our websites, on our App, at our centre through the various services we offer. This Privacy Policy is designed to protect you, our users by informing you how personal information is collected, how we look after that information and with whom we share it. Splashworld is committed to complying with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) from 25th May 2018. By using our website and our centre's services, you are consenting to us processing your information in the ways stated here.

What information do we collect and why?

The basis on which we collect and process your data is usually through consent.  Sometimes there is a contractual reason such as being able to process a monthly recurring card payment.  Occasionally there may be a legal reason for collecting data, such as for employees or, should you have an accident, we may need to provide details of this to the relevant health and safety authorities. We may also process your data based on our legitimate business interests for example in order to operate and improve our business.

The information we collect may include any of the following:

Any personal details you give us. Information you type into our websites or provide to one of our colleagues such as when you become a member, create your profile, update your member profile, make a booking, sign up for a class or visit our centre. This information may include your personal contact data, fitness-related data which has been obtained in order to create personalised fitness workouts for you or health related data. We use this to provide you with the services you request, tell you about services you are eligible for, to keep in contact with you, manage your account and the services we provide. If you contact us by email, via the website, in person or by telephone we may keep a record of your contact information and enquiry and may subsequently use your contact details to respond to your enquiry.

Information which allows us to recognise you.

Such as a unique ID number helps us identify you.

Details of your transactions.

We collect data for any transactions you carry out through our websites and services, so that we can administer the services you have with us. Please note that we never store your payment details on our website.

Sensitive Health Data

We collect any personal health data you provide to us when registering for membership.  Splashworld will not disclose your personal data to third parties except in exceptional circumstances, for example, if you suffer an injury or experience a medical difficulty on or in the vicinity of the Splashworld. We may ask you for information about your health in order to recommend appropriate exercise regime.

Banking data

We will store your bank account number and sort code data where you have a recurring card payment plan in place.  When the recurring card mandate finishes we will remove this data from our operational systems within 30 working days.

We process bank card information at the time we take payment.  This data is not stored on our systems and is processed on Payment Card Industry Data Security Standard compliant banking systems.

Information about website visits including IP address.

The IP address is your computer’s individual identification number.

We use your IP address to capture information about website visits so we can learn more about how our customers use the website in order to find ways to improve the website and our products and services for your benefit. Please see our Cookie Policy for more information.

Customer feedback

We may record customer comments and surveys about how we are performing. We will only do this on the basis of given consent.

Your communications preferences.

We keep a record of any permissions and preferences you give us about what types of communication you are happy to receive from us.

Data relating to children

Data recorded on children include swimming lessons (booking and level information) and teen gym membership information.

Children aged under 18 years must have a parent or guardian’s consent before providing personal information to us. We do not wish to collect any personal information without this consent.

How do we store and protect your personal information?

These are the basic guidelines we use to look after your personal data.

  • We maintain secure systems to protect your personal information
  • We respect your wishes about how we contact you, whether by post, telephone, email or text message
  • We will update your information or preferences promptly when you ask us to
  • We will respond fully to requests from you to see the information that we hold on you.
  • We will not hold your personal information for longer than is necessary for our legitimate business purposes.
  • We follow strict procedures when storing or handling information that you have given us. Some information is encrypted, such as payment transactions and password.
  • We will never sell your personal information to a third party.

Retention Policy

We retain personal information as long as we consider it useful to contact you, or as needed to comply with our legal obligations.  Where data is not needed for legal or statutory purposes we will delete this information if you request. See the contacts section to request your data to be deleted.

Services provided by contracted third parties

Splashworld may share information with third-party organisations that provide specific services on our behalf which enhance our products and your experience with us. These organisations act as a Data Processor under our instructions. There is a contract in place with each third party which includes strict terms and conditions to protect your privacy. Our current processing partner is Gladstone.

Marketing Partners

Splashworld will never sell your personal information to any third party for marketing or other purposes.

How do we use your information?

We use your information to help us provide and improve our services for you. We may use your information in the following ways.

  • to provide you with any services that you have purchased. check your identity.
  • to check your eligibility where appropriate
  • to update our records with any new information you give us
  • to notify you if we will be unable to provide a service you have booked before
  • to provide marketing communications (if you have given us your permission)
  • for research and analysis so we can develop and improve our services for your benefit
  • to tailor our communications to you to ensure relevance (if you do not want us to do this please contact us using the details below)
  • to comply with legal requirements.
  • To safeguard users of our services

Keeping you updated

There are certain communications we need to send to you so we can provide our services.  We call these service communications and include for example notices about your direct debit payments, change of password, registration confirmations, appointment reminders and waiting list announcements.  We would not be able to provide you with services if we did not send these.

We may from time to time contact you about our services or products we think you might find interesting by email, by post, telephone or SMS, but only if you have given us your permission to do so.

If you do not want us to contact you other than for service emails let us know when you next visit us or contact us using the details below. You may also opt-out of email or any other communications by contacting the Data Protection Officer at info@splashworld.ie, or by letting us know in one of our centres or health service groups.

Your rights to manage your personal data

Accuracy of data

We will always try to ensure the data we hold about you is accurate and relevant.  If you believe the information we hold about you is out of date or incorrect, please tell a member of staff or see the contacting us section below. You will need a form of identification to request any changes.

Seeing your data – subject access request

The Data Protection Act 1998 and the General Data Protection Regulation give you the right to know what personal information we hold about you. This is called a Subject Access Request. If you would like to make a request you should write to the Data Controller – see contacting us section.

Removing your data

If you no longer use our services and products and wish us to delete your personal data we will do this if there are no legal or statutory regulations requiring us to keep this information.   Please write to the Data Controller – see contacting us section.

Restricting processing

You can contact us using the details below to restrict the processing of your data including some processing we do under legitimate business interests.

Complaints about how we manage your data

If you are not happy about the way we manage your data please contact us as quickly as possible by contacting us.  You may also write to the Data Controller – who will investigate your complaint and get back to you as soon as possible.

Data Protection Commissioner’s Office (DPO)

The office of the Data Protection Commissioner is established under the 1988 Data Protection Act.  The Data Protection Amendment Act, 2003, updated the legislation, implementing the provisions of EU Directive 95/46. The Acts set out the general principle that individuals should be in a position to control how data relating to them is used.

The Data Protection Commissioner is responsible for upholding the rights of individuals as set out in the Acts, and enforcing the obligations upon data controllers. The Commissioner is appointed by Government and is independent in the exercise of his or her functions.  Individuals who feel their rights are being infringed can complain to the Commissioner, who will investigate the matter, and take whatever steps may be necessary to resolve it.

More info here: https://www.dataprotection.ie

Links to other websites

Our websites may contain links to and from external websites, advertisers and affiliates. If you follow a link to other sites please note that these will be governed by their own privacy policies. We cannot accept liability for data use on those websites.

Changes to this privacy policy

This policy may be updated from time to time on this page. If you have any questions or comments about our Privacy Policy or how we use your personal information please contact us at info@splashworld.ie

 

Closed Circuit Television Policy

Updated: May 24th, 2018

Introduction

The purpose of this policy is to regulate the use of Closed Circuit Television (CCTV) and its associated technology when monitoring both the internal and external environs of Splashworld premises under the remit of Tramore Water Centre CLG. A copy of this CCTV Policy will be made available on the www.splashworld.ie website, provided to all Splashworld staff, customers and members and a copy will be provided to visitors on request.

Scope

This policy applies to all personnel in and visitors to Splashworld, Railway Squre, Tramore, Co. Waterford. Moreover, it relates directly to the location and use of CCTV, and the monitoring, recording and subsequent use of such recorded material. The CCTV Policy is in place to enable Splashworld to operate the CCTV system within the the centre. This policy prohibits CCTV monitoring based on the characteristics and classifications contained in equality and other related legislation e.g. race, gender, sexual orientation, national origin, disability etc. Furthermore, CCTV monitoring is limited to uses that do not violate the reasonable expectation to privacy as defined by law. The CCTV cameras will be used to: protect the Splashworld buildings and assets, both during and outside of operational hours (the system will be in operation 24 hours a day, every day); promote the health and safety of personnel and visitors; support the Gardaí in a bid to deter and detect crime; and assist identifying, apprehending and prosecuting offenders. The personal data recorded and stored by the CCTV system will be used only for the purposes outlined in this policy document. Collection, storage and use of CCTV footage shall be in compliance with Data Protection legislation.

Data Controller

The data controller in respect of images recorded and stored by the CCTV system at the Splashworld premises. The data processor is also Splashworld. The manager and data protection officer is responsible for monitoring the implementation and compliance of the CCTV policy within Splashworld.

Fair Obtaining

The fair obtaining principles inherent in the Data Protection Acts 1988 and 2003 require that those people whose images may be captured on camera are so informed. Accordingly, the Splashworld Data Protection Officer will provide a copy of this CCTV Policy to staff, customers and , and on request to visitors to Splashworld. Adequate signage will be placed at each location in which CCTV 14 cameras are situated to indicate that CCTV is in operation (locations listed in following section). Signage shall include the name and contact details of the data controller as well as the specific purpose for which the CCTV camera is in place in each location.

Location of Cameras

14 cameras record activities throughout the premises as follows: External Camera looking at front entrance and steps. 2 Reception camera positioned over the changing hall door looking at the Reception desk. 3 cameras looking at the pool area and steps to flumes. 3 cameras in the pool changing hall looking at entrance points and lockers. 1 camera in the studio positioned facing door. 2 cameras in the gym at opposite ends pointing at entrances to either stairwell access. 1 at the top of stairs over the office door looking at people coming up the stairs and entering office/gym 1 on the back stairs looking at pool access and emergency doors.

Operation of the System

The recording system is an Alhua Technology, XVR 16 V1, solution which records video data over TCP/IP networks. The system can only be accessed by authorised personnel from Splashworld and DFS security (Installers of system). A Service Level Agreement has been put in place between Splashworld and DFS which details the terms of the contract including confidentiality agreements, data security and disclosure. The system is housed in the manager’s office room on the first floor to which the manager and facilities managers have access, in addition to DFS. The system can be accessed remotely using a unique password only available to the manager and DFS. Access by DFS is only by request of Splashworld and must be logged. Should the system be accessed or works conducted on it by unauthorised personnel or without Splashworld’s instruction, this will be viewed as extremely serious and will be grounds for automatic termination of the contract. Data Protection, Storage and Retention The data captured from the CCTV cameras is securely stored as electronic data in the manager’s office on the first floor. Typically, this data is recorded on a loop and will be retained for maximum of 30 days. It will be overwritten after that period. However, data may be retained for longer periods where in the opinion of Splashworld the events captured may give rise to court proceedings. The manager’s office is a restricted area. Unauthorised access to that area will not be permitted at any time. Access to the data is restricted to authorised personnel (see list). The area is swipe card secured with only the individuals identified in list having access. The storage devices are password protected. Supervising the access and maintenance of the CCTV system is the responsibility of Splashworld. Unauthorised access will be viewed as a data breach. In such an event, the Splashworld Data Breach Management Policy and Procedure must be followed.

Access Requests

Access to the CCTV system and stored images will be restricted to authorised personnel only (as indicated below). In relevant circumstances, CCTV footage may be accessed: By An Garda Síochána where the Splashworld are required by law to make a report regarding suspected crime; Following a request by An Garda Síochána when a crime or suspected crime has taken place and/or when it is suspected that illegal/anti-social behaviour is taking place on the Splashworld premises; To data subjects (or their legal representatives), pursuant to an access request where the time, date and location of the recordings is furnished to the Splashworld; To individuals (or their legal representatives) subject to a court order; To Splashworld’s insurance company where the insurance company requires the same in order to pursue a claim for damage done to the insured property. Any person whose image has been recorded, has a right to be given a copy of the information recorded, providing that such an image/recording exists (i.e. that it has not been deleted), and provided that an exemption/prohibition does not apply to the release. To exercise that right, a person must make an application in writing to the Splashworld using the Data Access Form found on the website, providing sufficient information to identify themselves, giving a reasonable indication of the time period sought, and identifying the location of the camera. If the person is under eighteen years, the parent or guardian may make an application. The cost for making this application is €6.35 and will be borne by the applicant. Requests must be responded to by Splashworld within 40 days. Access requests can be made to Gaye McAuliffe. When a data access request is received, the relevant footage is copied and a specific retention time is assigned to this copy. In giving a person a copy of his/her data, the data controller may provide a still/series of still pictures, a tape or a disk with relevant images. However, other people's images should be obscured before the data is released. Data will be delivered to the requester ensuring that security measures have been considered and implemented. A log of access to images will be maintained. If the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data.

Providing CCTV Images to An Garda Síochána

With regard to requests from An Garda Síochána to download footage, the Data Protection Commissioner recommends that requests for copies of CCTV footage should only be granted when a formal written (or fax) request is provided to the Splashworld stating that An Garda Síochána is investigating a criminal matter. For practical purposes, and to expedite a request speedily in urgent situations, a verbal request may be sufficient to allow for the release of the footage sought. However, any such verbal request must be followed up with a formal written request. It is up to the Splashworld to be satisfied that there is a genuine investigation underway. For practical purposes, a phone call to the requesting Garda's station may be sufficient, provided that you speak to a member in the District Office, the station sergeant or a higher ranking officer, as all may be assumed to be acting with the authority of a District/Divisional officer in confirming that an investigation is authorised. A log of all An Garda Síochána requests will be maintained by the Splashworld and data processors. Any such requests should be on An Garda Síochána headed paper, quote the details of the CCTV footage required and should also cite the legal basis for the request (i.e. Section 8(b) of the Acts). Prior to the Splashworld issuing any CCTV images to An Garda Síochána, it will be discussed and agreed with the responsible Splashworld staff member. There is a distinction between a request by An Garda Síochána to view CCTV footage and to download copies of CCTV footage. In general, An Garda Síochána making a request to simply view footage on the premises of a data controller or processor would not raise any specific concerns from a data protection perspective.

Review and Approval of the CCTV Policy

This policy will be reviewed and updated regularly to take into account changing Data Protection legislation or guidelines from the Data Protection Commissioner, An Garda Síochána, and relevant bodies.

Appendix: Glossary of Terms

CCTV – Closed-circuit television is the use of video cameras to transmit a signal to a specific place on a limited set of monitors. The images may then be recorded on video tape or DVD or other digital recording mechanism.

The Data Protection Acts – The Data Protection Acts 1988 and 2003 confer rights on individuals as well as responsibilities on those persons handling, processing, managing and controlling personal data. All staff must comply with the provisions of the Data Protection Acts when collecting and storing personal information. This applies to personal information relating both to employees of the organisation and individuals who interact with the organisation.

Data - information in a form that can be processed. It includes automated or electronic data (any information on computer or information recorded with the intention of putting it on computer) and manual data (information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system).

Personal Data – Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Access Request – this is where a person makes a request to the organisation for the disclosure of their personal data under Section 3 and/or section 4 of the Data Protection Acts.

Data Processing - performing any operation or set of operations on data, including: - Obtaining, recording or keeping the data, - Collecting, organising, storing, altering or adapting the data, - Retrieving, consulting or using the data, - Disclosing the data by transmitting, disseminating or otherwise making it available, - Aligning, combining, blocking, erasing or destroying the data.

Data Subject – an individual who is the subject of personal data.

Data Controller - a person who (either alone or with others) controls the contents and use of personal data. Data Processor - a person who processes personal information on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of their employment, for example, this might mean an employee of an organisation to which the data controller out-sources work. The Data Protection Acts place responsibilities on such entities in relation to their processing of the data.