Data Protection & Privacy Statement

  1. Purpose of the statement
  2. Scope of the statement
  3. Data protection principles
  4. Data subject rights
  5. Personal data collected
  6. Uses of personal data
  7. Disclosures of personal data
  8. Retention & deletion of personal data
  9. Processing of sensitive data and vulnerable users
  10. Processing unseen by the data subject, including tracking
  11. Contact details
  12. Changes to this statement

Purpose of the statement

The purpose of this data privacy statement is to demonstrate the commitment of Brigid Aitken t/a Thornhall Chalet to upholding the data protection interests, rights and freedoms of my customers, employees and any other data subjects whose personal data we process.

Scope of the statement

The scope of this statement extends to our obligations under the Data Protection Act 2018, which includes the General Data Protection Regulation (GDPR). It covers all processing carried out by Thornhall Chalet for Brigid Aitken as a data controller. It also covers activities related to Pilates, Yoga and NIA classes run by Brigid Aitken. For the avoidance of doubt, it does not cover processing for which Thornhall Chalet is acting as a data processor to another data controller unless stated otherwise. One example of this would be our use of card payment systems, where the card payment service provider is the data controller and Thornhall Chalet is the data processor operating under the instructions of the card payment service provider.

For customers of Thornhall Chalet, this statement should be read in conjunction with our Terms & Conditions of business.

For users of the Thornhall Chalet website, this document should be read in conjunction with the website Terms of Use document.

Data protection principles

When processing personal data, Thornhall Chalet and Brigid Aitken will uphold the rights and freedoms of data subjects by adhering to the following principles:

Personal data shall be:

Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

Data subject rights

As a data subject of Thornhall Chalet, GDPR gives you the following rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure (the right to be forgotten)
  • The right to restriction of processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

You also have the right to lodge a complaint about our processing of your personal data with the Information Commissioner’s Office (ICO): www.ico.org.uk

To exercise your rights as a data subject you should contact me at info@thornhall.co.uk. It will be necessary for me to ask you to identify yourself and the nature of your request before I can deal with your enquiry. All requests related to your rights as a data subject are known as Subject Access Requests (SARs) and I will only deal with them in writing by post or by email. I will not be able to engage in this by telephone.

Personal data collected

Article 4 of the GDPR defines “personal data” as,

“Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

Thornhall Chalet processes personal data about individuals in the following categories:

  • Prospective Customer
  • Existing Customer
  • Lapsed Customer
  • Contractor

Pilates, Yoga and NIA activities process personal data about individuals in the following categories:

  • Prospective Customer
  • Existing Customer
  • Lapsed Customer

The personal data processed in each case is specified by a Privacy Notice at the point of data capture in the case of data supplied directly by the data subject (Article 13) or within 28 days of the use of the personal data if supplied indirectly, not by the data subject but by a third party (Article 14).

Items of personal data processed are (per category):

Thornhall Chalet

  • Customer: Identity information (name); contact information (address, telephone number, place of work, email address); online chat transcripts; transaction history.
  • Lapsed customer: Name, email address, address, telephone number, transaction history.
  • Contractor: Name, email address, address, telephone number, transaction history.
  • Data derived from the consumer’s use of the organisation’s services, websites and applications.
  • Data derived from the consumer’s use of the internet and devices and any payment services.

Pilates, Yoga and NIA

  • Customer: Identity information (name); contact information (address, telephone number, mobile number, email address); transaction history; special category medical data (as recorded in a medical questionnaire required for insurance purposes).
  • Lapsed Customer: Name, email address, address, telephone number, transaction history; special category medical data (as recorded in a medical questionnaire required for insurance purposes).

Uses of personal data

Thornhall Chalet

  1. Providing primary services as a holiday accommodation service provider.
  2. Enhancing the services provided.
  3. Facilitating an online session on the website at www.thornhall.co.uk

Pilates, Yoga and NIA

  1. Providing exercise classes and tuition.
  2. Administering exercise classes and tuition.
  3. Maintaining records for insurance purposes.

Disclosures of personal data

Thornhall Chalet uses third party service partners (“data processors” or “joint data controllers”) to assist in the processing of personal data. As the data controller, Thornhall Chalet discloses certain items of personal data to these data processors. Each of these third parties is bound by contract to process personal data only in the way specified by the data controller and to support the data controller in upholding the rights and freedoms of you as a data subject.

These data processors are located within the EEA and operate in accordance with the GDPR.

  1. Website Hosting System: Allstrat Ltd with Heart Internet as a sub processor.
  2. Email Processor 1: Allstrat Ltd with Heart Internet as a sub processor.
  3. Email Processor 2: BT
  4. Online Booking Service: Freetobook (as a joint data controller)
  5. Online Payments Processor: Paypal (as a data controller in their own right)
  6. Online Booking Agents: AirBnB and VisitScotland

Retention & deletion of personal data

Thornhall Chalet retains personal data only for as long as the purpose of processing demands (limitation principle). It is then deleted or destroyed in accordance with the Data Retention & Disposal Policy. Thornhall Chalet retains all customer and transaction detail for accounting purposes for a period of 6 years following the conclusion of the financial year in which the transaction occurred. All data is then securely destroyed using shredding for paper records and secure deletion for electronic records.

Processing of sensitive data and vulnerable users

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited by GDPR.

This prohibition does not apply if one of the following applies:

  • The data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subjects;
  • Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
  • Processing relates to personal data which are manifestly made public by the data subject;
  • Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
  • Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
  • Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which should be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Thornhall Chalet does not process any special categories of sensitive data.

Pilates, Yoga and NIA classes have an insurance requirement for a basic medical questionnaire to be completed before the classes can start. You will be asked before collection to provide explicit consent for this special category personal data to be collected and stored safely. The data items requested will be made clear to you before collection.

Processing unseen by the data subject, including tracking

The website at Thornhall Chalet uses cookies. Some of these cookies are essential for the operation of the website. You are able to choose to disable the analytics (tracking) cookies on the website if you so wish by clicking on the “C” icon displayed at the bottom right of the website page and following the instructions.

Reporting A Data Breach

To raise a report of a data breach involving processing related to Thornhall Chalet please contact me at info@thornhall.co.uk.

Contact details

Brigid Aitken, t/a Thornhall Chalet

Thornhall Chalet
Dyke by Forres
IV36

Changes to the Data Privacy Statement

Changes to this statement will be made and published on the website at www.thornhall.co.uk.

Effective from date: 14/4/2019