Privacy policy
By participating in this activity, I and other associated parties, agree to Positive Pedals' GDPR Policy and Privacy Notice.
A downloadable copy of the policy can be obtained via the following link:
https://drive.google.com/file/d/1jf4EFU1fRpPDiPm2lePQlW7N22_F46tb/view?usp=drive_link
GDPR (General Data Protection Regulation) and Privacy Notice
1. Introduction, Purpose and Principles
1.1. This policy is the overarching policy for data security and protection for Positive Pedals (hereafter may be referred to as "us", "we", or "our").
1.2. We need to gather, process and use information (‘data’) about persons (‘data subjects’) as part of our activities and services.
1.3. We recognise data protection as a fundamental right and embrace the principles of data protection by design and by default.
1.4. The purpose of this Policy is to support the implementation of the Data Protection Act (2018) (aka GDPR) and all other relevant legislation.
1.5. We uphold the principles in the GDPR as outlined by the Information Commissioner’s Office (A guide to the data protection principles | ICO):
1.5.1.1. Lawfulness, fairness and transparency
1.5.1.2. Purpose limitation
1.5.1.3. Data minimisation
1.5.1.4. Accuracy
1.5.1.5. Storage limitation
1.5.1.6. Integrity and confidentiality (security)
1.5.1.7. Accountability
1.6. Positive Pedals is a ‘data controller’ for the purposes of personal data. This means we determine the purpose and means of the processing of personal data.
1.7. This policy does not form part of the contract of employment or contract for services and can be amended by Positive Pedals at any time. Moreover, the policy is active from the point of usage of services (i.e. this policy may differ from the time when a service was procured to the time it was delivered).
1.8. We will only collect data relevant for the purposes of the activities undertaken (i.e. recruitment/employment data collection processes significantly differ from data collection processes associated with the use of our services).
1.9. It is Positive Pedals intention to be fully compliant with the 2018 Act and GDPR. If any conflict arises between those laws and this policy, Positive Pedals intends to rectify such issues at the earliest opportunity to remain compliant with the 2018 Act and GDPR.
2. Scope and Definitions
2.1. Personal data refers to information which relates to a living person who can be identified from information on its own or when taken together with other information which is likely to come into our possession. It does not include anonymised data.
2.2. Implementation of this policy is the responsibility of all staff, including temporary staff, self-employed personnel, contractors and volunteers; all those carrying out work on behalf of Positive Pedals.
2.3. The usage of ‘staff’ in this policy may refer to employees, contractors, volunteers, trustees or similar; anyone delivering any services, activities or similar on behalf Positive Pedals may be referred to as staff unless specified otherwise.
2.4. This policy also applies to any person(s), who may, for whatever reason, obtain data in relation to data subjects associated with services, activities or similar delivered by Positive Pedals or associated organisations.
2.5. Everyone who works for or on behalf of Positive Pedals (including those volunteering or similar) is responsible for ensuring data is collected, stored and handled appropriately, in line with this policy and relevant legislation. This policy applies to all reasonably relevant persons unless specified otherwise.
2.6. This policy includes in its scope all data which we process either in hardcopy, digital copy or any other formats.
2.7. ‘Processing’ data means any operation which is performed on personal data such as but not limited to:
2.7.1. Collection, recording, organisation, structuring or storage.
2.7.2. Adaption or alteration.
2.7.3. Retrieval, consultation or use.
2.7.4. Disclosure by transmission, dissemination or otherwise making available.
2.7.5. Alignment or combination.
2.7.6. Restriction, destruction or erasure
2.7.7. Any other comparable processes.
2.8. This includes processing personal data which forms part of a filing system, any automated processing or similar processes.
2.9. Personal data might be provided to us by data subjects or someone else (such as a payment provider) or it could be created by us. It could be provided or created during the recruitment process, during a sign-up process to one of our services, during the course of the contract of employment (or services) or after its termination, among other avenues of creation.
2.10. We may collect and use the following types of personal data about data subjects:
2.10.1. Contact details and date of birth.
2.10.2. Emergency contacts information.
2.10.3. Demographic data, including those related to protected characteristics .
2.10.4. Images (i.e. those captured on CCTV, by photograph or video).
2.10.5. Identification documents.
2.10.6. Location tracking or similar information (i.e. during bike hire)
2.10.7. Special category data on participants to ensure project outcomes are being met.
2.10.8. Any other category of personal data which we may need in order to comply with legal, funding, insurance, and/or other relevant operational purposes.
2.11. Positive Pedal’s Board of Trustees acts as the data controller. Contact infopositivepedals@gmail.com if you require further information.
3. User/Data Subject Rights
3.1. Positive Pedals has an obligation to have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of data subjects or someone else) evidence of the breach must be taken and retained. If the breach is likely to result in a risk to the rights and freedoms of individuals then, Positive Pedals must also notify the Information Commissioner’s Office within 72 hours.
3.2. If person(s) or staff become aware of a data breach, they must contact their superior, relevant personnel or the board of trustees immediately and keep any evidence in relation to the breach.
3.3. Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information held about them. This request must be made in writing. We will usually not charge for this and will in most cases aim to do this within 30 days.
3.4. There is no fee for making a SAR. However, if the request is manifestly unfounded or excessive, Positive Pedals may charge a reasonable administrative fee or refuse to respond to the request.
3.5. Data subjects have the right to information about what personal data we process and how we process such data.
3.6. Data subjects can correct any inaccuracies in personal data.
3.7. Data subjects have the right to request Positive Pedals to erase personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected.
3.8. Data subjects have the right to object to data processing where we are relying on a legitimate interest to do so and data subjects think their rights and interests outweigh our own and they wish us to stop.
3.9. Data subjects have the right to object if we process personal data for the purposes of direct marketing.
3.10. Data subjects have the right to be notified of a data security breach concerning their personal data.
3.11. In some situations, we will not rely on consent as a lawful ground to process personal data. If we do however request consent to the processing of personal data for a specific purpose, data subjects have the right not to consent or to withdraw consent later. To withdraw consent, data subjects should contact the data controller.
3.12. Data subjects have the right to complain to the Information Commissioner. Data subjects can do this by contacting the Information Commissioner’s Office directly. Full contact details, including a helpline number, can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on data subjects’ rights and our obligations.
3.13. Data subjects may have additional rights under GDPR or the 2018 Act or legislation superseding them. While Positive Pedals always strives for this policy to be exhaustive, accurate and up-to-date, Positive Pedals acknowledges that certain deficiencies may be present, that this policy may be incomplete or may become outdated due to changes in legislation and/or specific court rulings. If any such matters are found to be present, Positive Pedals invites data subjects, staff, or any other member of the public to aid to improve and rectify such issues at the earliest opportunity.
3.14. If you wish to exercise your rights or have any other queries, please contact us at:
infopositivepedals@gmail.com
4. Website, Web Services, Cookies and Similar
4.1. Introduction:
4.1.1. This section provides a more detailed overview of data collected via our website or other digital services we use. During the use of our website and other digital services (i.e. payment systems) data collection may occur automatically (i.e. via cookies) without users’ explicit content. Explicit consent is sought wherever possible.
4.1.2. The word website refers to our main website or sub-websites created via third party service providers or other digital services we may utilise.
4.1.3. Cookies are files which are downloaded to and stored on your device when you visit a website or utilise one of our other digital services (i.e. booking system). When you visit our webpage, the pages that you see are downloaded to your device. At the same time a cookie is downloaded. Our site sends the cookie and uses the cookie number to recognise you when you return to our webpage or go from page to page. You may also submit additional information to us, for instance when contacting us or when submitting information via submission boxes.
4.1.4. We have no or very limited control over cookies collected via third-party providers (i.e. payment system providers, booking system providers, internet browsers). Such providers have their own policies in place which may differ from the principles in this policy. We will strive to ensure third-party providers will keep data collection to a minimum wherever feasible.
4.2. Information we may collect:
4.2.1. Personal Data: Name, email address, phone number, and any other information you provide, for instance but not limited to when signing up or contacting us.
4.2.2. Usage Data: Information about how you use our website, including pages visited, time spent on the site, and any interactions with our services.
4.2.3. Cookies and Tracking Technologies: Information collected through cookies and other tracking technologies.
4.3. How We Use Your Information:
4.3.1. To Provide Services: To provide and improve our services, including responding to your inquiries and providing support.
4.3.2. Marketing and Communication: To send you promotional emails, newsletters, and other marketing communications.
4.3.3. Analytics: To analyse website usage and improve our services.
4.3.4. Legal Obligations: To comply with legal obligations and protect our and others’ rights, property, or safety.
4.4. Data Sharing and Disclosure
4.4.1. We may share your personal information with third parties as described in the following points:
4.4.2. Service Providers: We may share your information with third-party service providers who perform services on our behalf, such as payment processing or email marketing.
4.4.3. Legal Requirements: We may disclose your information if required by law or to protect our rights, property, or safety.
4.5. How do we protect data?
4.5.1. We take the security of your data seriously. We have internal processes in place to try to ensure your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its staffs in the performance of their duties.
4.5.2. More information regarding our data protection procedures can be found in other parts of this policy.
4.6. Why do we collect personal information?
4.6.1. We collect non-personal and personal information for the following purposes:
4.6.2. To provide and operate our services, including but not limited to this webpage.
4.6.3. To provide our users with ongoing customer assistance and technical support.
4.6.4. To be able to contact our visitors and users with general or personalised service-related notices and promotional messages;
4.6.5. To create aggregated statistical data and other aggregated and/or inferred non-personal information, which we or our business partners may use to provide and improve our respective services;
4.6.6. To comply with any applicable laws and regulations.
4.7. Your Rights
4.7.1. Data subjects rights are outlined in detail in another section of this policy.
5. Positive Pedals Data Protection and Security Procedures
5.1. Positive Pedals pledges to adhere to high levels of data protection and security standards.
5.2. Maintaining data security means guaranteeing the confidentiality, integrity and availability of personal data, which is defined as follows:
5.2.1. Confidentiality means only those who are authorised to use the data can access it.
5.2.2. Integrity means personal data should be accurate and suitable for its intended purpose(s).
5.2.3. Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.
5.3. Security procedures include:
5.3.1. Use of secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind (personal information is always considered confidential). Any breaches, whether observed by members of the public, staff, volunteer, contractors, or other people engaging with Positive Pedals, should be reported to the data protection officer.
5.3.2. Staff are required to regularly clean their computer files, emails and other data systems to wipe data that is no longer required. We recommend staff complete this every three months and at least every six.
5.3.3. We strive to collect the minimum amount of data required to carry out our services and activities and will utilise anonymised data wherever possible. Third-party service providers offering such services should be preferred wherever feasible.
5.3.4. Third party service providers – and their means of data storage - need to be based in GDPR compliant localities.
5.3.5. Automatic data deletions systems should be utilised wherever feasible.
5.3.6. Staff should ensure individual monitors do not show confidential information to passers-by and they log off from their digital devices whenever they are left unattended.
5.3.7. Staff must use secure passwords (i.e. those including special characters, numbers and a mix of capitalised and non-capitalised letters) and should not use the same password across different services.
5.3.8. Positive Pedals recommends the use of password managers to create and safe passwords. Any password manager must be secured by a very secure password, with two factor authentication enabled.
5.3.9. Staff devices are required to be password, pin, gesture, or similarly protected.
5.3.10. Staff shall not - under any circumstances - enter users, staff or any other confidential, private or identifiable information (including organisationally sensitive information) associated with Positive Pedals into large-language models or other artificial intelligence software/providers. Positive Pedals has no agreement in place with such models, software or providers to ensure that such data will be kept secure. Entering such data may expose such data to spheres beyond the control of Positive Pedals or intentions of the user entering such data.
5.3.11. Staff should utilise two-factor authentication whenever possible.
5.3.12. Staff must not share personal data informally.
5.3.13. Staff must keep personal data secure and not share it with unauthorised people.
5.3.14. Staff should not make unnecessary copies of personal data and should keep and dispose of any copies securely.
5.3.15. Staff should encrypt personal data before transferring it electronically to authorised external contacts.
5.3.16. Staff should anonymise data or use separate keys/codes so the data subject cannot be identified.
5.3.17. Never transfer personal data outside the European Economic Area except in compliance with the law and authorisation of the GDPR Lead.
5.3.18. Staff should not leave paper with personal data lying about.
5.3.19. Staff should not take personal data away from organisation’s premises without authorisation from the Data Protection Officer.
5.3.20. Staff should shred and dispose of personal data securely when finished with it.
5.3.21. Staff should ask for help from the Data Protection Officer if unsure about data protection or if staff notice any areas of data protection or security we can improve upon.
5.3.22. Staff must undertake and adhere to all other steps and principles outlined in this policy.
5.4. Users of our services and activities should follow similar safety protocols (i.e. use of unique and secure passwords, two-factor authentication, keeping the sharing of personal information to a minimum).
6. Additional Conditions for Staff, Employees and Related Personnel or Prospective Subjects That May Become Such
6.1. In addition to the sections above, ‘staff’ (please note the far-reaching definition utilised in the first section of this policy), prospective staff (i.e. applicants for vacancies) or comparable subjects, may be subject to more extensive data collection processes.
6.2. The word staff in this section refers to all those outlined in section 2 unless explicitly stated otherwise.
6.3. We have to process personal data in various situations during recruitment, employment (or engagement of contract for services) and following termination of data employment (or engagement). Examples include but are not limited to:
6.3.1. To decide whether to employ (or engage) someone or a contractor.
6.3.2. To decide how much to pay and decide on other terms of contract.
6.3.3. To check data subjects have the legal right to work in the UK.
6.3.4. To carry out the contract between us including where relevant, its termination.
6.3.5. Training and reviewing performance.
6.3.6. To decide whether or not to promote someone.
6.3.7. To decide whether and how to manage performance, absence or conduct.
6.3.8. To carry out a disciplinary or grievance investigation or procedure in relation to data subjects or someone else.
6.3.9. To determine whether we need to make reasonable adjustments to the workplace or role.
6.3.10. To monitor diversity and equal opportunities.
6.3.11. To monitor and protect the health and safety of every data subject.
6.3.12. To pay data subjects and provide pension and other benefits in accordance with their contract or similar agreements.
6.3.13. To pay tax, VAT, National Insurance and other relevant duties.
6.3.14. To provide a reference upon request from another employer.
6.3.15. To monitor compliance by data subjects, us and others with our policies and contractual obligations.
6.3.16. To comply with employment law, immigration law, health and safety law, tax law and other laws which affect Positive Pedals.
6.3.17. To answer questions from insurers in respect of any insurance policies and/or condition which relate to data subjects.
6.3.18. To enable running the business /organisation and plan for the future.
6.3.19. To support the prevention and detection of fraud or other criminal offences.
6.3.20. To defend Positive Pedals in respect of any investigation or litigation and to comply with any court or tribunal orders for disclosure.
6.3.21. For any other reasonable reason which we may notify data subjects of from time to time.
6.4. Where feasible and not in conflict with legal obligations (i.e. Positive Pedals may be obliged to collect certain information via the PVG scheme), data subjects have the right to withhold data outlined in this section of the policy.
6.5. Special category data may be collected from staff. Such data may consist of:
6.5.1. Protected characteristics as defined by the Equality Act 2010.
6.5.2. Trade Union membership.
6.5.3. Health.
6.5.4. Criminal convictions and offences.
6.5.5. Communications undertaken on behalf of Positive Pedals (i.e. those with funders or other relevant organisations or individuals in relation to Positive Pedals). Please note that such communications may contain information (i.e. political beliefs or other opinions) and as such may disclose information data subjects did not intent to disclose. Staff are strongly advised to keep the disclosure of personal or confidential information via Positive Pedals communication channels to a minimum.
6.5.6. Any other information relevant for operational purposes or to adhere to the Equality Act 2010.
6.6. We may also collect and use the following types of personal data about staff:
6.6.1. Recruitment information such as the application form, CV, references, qualifications and membership of any professional bodies and details of any pre-employment assessments.
6.6.2. Contact details and date of birth.
6.6.3. Emergency contacts information.
6.6.4. Marital status and family details.
6.6.5. Information about the contract of employment (or services) including start and end dates of employment, role and location, working hours, details of promotion, salary (including details of previous remuneration), pension, benefits, holiday entitlement, services provided and services received.
6.6.6. Bank details and information in relation to tax status including National Insurance number.
6.6.7. Identification documents including passport and driving licence and information in relation to immigration status and right to work in the UK.
6.6.8. Information relating to disciplinary or grievance investigations and proceedings (whether or not the data subject was the main subject of those proceedings).
6.6.9. Information relating to performance and behaviour at work.
6.6.10. Training records.
6.6.11. Electronic information in relation to use of IT systems/swipe cards/telephone systems.
6.6.12. Images (whether captured on CCTV, by photograph or video).
6.6.13. Special category data on participants to help us ensure project outcomes are being met.
6.6.14. Any other reasonable information we may need to hold of which we may notify data subjects from time to time.
7. We will use collected data for the following. Please note that this list may not be exhaustive:
7.1. Performing the contract of employment (or services) between us.
7.2. Complying with any legal obligation(s).
7.3. Project monitoring and evaluation and ensuring we have contact details of participants and their parents/guardians.
7.4. If it is necessary for legitimate interests (or for the legitimate interests of someone else). However, this can only be done if data subjects’ interests and rights do not override Positive Pedals (or theirs). Data subjects have the right to challenge legitimate interests and request we stop processing their data.
7.5. We can process personal data for these purposes without data subjects’ knowledge or consent. We will not use personal data for an unrelated purpose without telling data subjects about it and the legal basis that we intend to rely on for processing it.
7.6. If data subjects choose not to provide us with certain personal data, they should be aware we may not be able to carry out certain parts of the contract between us. For example, if data subjects do not provide us with bank account details, we may not be able to pay them. It might also stop us from complying with certain legal obligations and duties which we have such as to pay the right amount of tax to HMRC or to make reasonable adjustments in relation to any disability data subjects may suffer from.
7.7. Positive Pedals may share personal data with other organisations, companies, contractors, agents and/or similar to fulfil obligations under contract with data subjects or for legitimate interests. Such interests may include but are not limited to:
7.7.1. Payroll or other HR purposes
7.7.2. Insurance purposes
7.7.3. Disclosure Scotland/PVG checks
7.7.4. Employment Tribunals
7.7.5. Other services which may require services, advice, information or similar from other organisations or individuals.
7.8. We require those companies, organisations, individuals or similar to keep data subjects’ personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process data for the lawful purpose for which it has been shared and in accordance with our instructions.
8. Any deliberate or negligent breach of this policy may result in disciplinary action being taken.
9. It is a criminal offence to conceal or destroy personal data which is part of a subject access request. This conduct could amount to gross misconduct under our disciplinary procedure, which could result in dismissal.
10. The same principles apply to those working in our physical premises and/or other locations (i.e. homeworkers).
11. Other laws and regulations may apply.
A downloadable copy of the policy can be obtained via the following link:
https://drive.google.com/file/d/1jf4EFU1fRpPDiPm2lePQlW7N22_F46tb/view?usp=drive_link
GDPR (General Data Protection Regulation) and Privacy Notice
1. Introduction, Purpose and Principles
1.1. This policy is the overarching policy for data security and protection for Positive Pedals (hereafter may be referred to as "us", "we", or "our").
1.2. We need to gather, process and use information (‘data’) about persons (‘data subjects’) as part of our activities and services.
1.3. We recognise data protection as a fundamental right and embrace the principles of data protection by design and by default.
1.4. The purpose of this Policy is to support the implementation of the Data Protection Act (2018) (aka GDPR) and all other relevant legislation.
1.5. We uphold the principles in the GDPR as outlined by the Information Commissioner’s Office (A guide to the data protection principles | ICO):
1.5.1.1. Lawfulness, fairness and transparency
1.5.1.2. Purpose limitation
1.5.1.3. Data minimisation
1.5.1.4. Accuracy
1.5.1.5. Storage limitation
1.5.1.6. Integrity and confidentiality (security)
1.5.1.7. Accountability
1.6. Positive Pedals is a ‘data controller’ for the purposes of personal data. This means we determine the purpose and means of the processing of personal data.
1.7. This policy does not form part of the contract of employment or contract for services and can be amended by Positive Pedals at any time. Moreover, the policy is active from the point of usage of services (i.e. this policy may differ from the time when a service was procured to the time it was delivered).
1.8. We will only collect data relevant for the purposes of the activities undertaken (i.e. recruitment/employment data collection processes significantly differ from data collection processes associated with the use of our services).
1.9. It is Positive Pedals intention to be fully compliant with the 2018 Act and GDPR. If any conflict arises between those laws and this policy, Positive Pedals intends to rectify such issues at the earliest opportunity to remain compliant with the 2018 Act and GDPR.
2. Scope and Definitions
2.1. Personal data refers to information which relates to a living person who can be identified from information on its own or when taken together with other information which is likely to come into our possession. It does not include anonymised data.
2.2. Implementation of this policy is the responsibility of all staff, including temporary staff, self-employed personnel, contractors and volunteers; all those carrying out work on behalf of Positive Pedals.
2.3. The usage of ‘staff’ in this policy may refer to employees, contractors, volunteers, trustees or similar; anyone delivering any services, activities or similar on behalf Positive Pedals may be referred to as staff unless specified otherwise.
2.4. This policy also applies to any person(s), who may, for whatever reason, obtain data in relation to data subjects associated with services, activities or similar delivered by Positive Pedals or associated organisations.
2.5. Everyone who works for or on behalf of Positive Pedals (including those volunteering or similar) is responsible for ensuring data is collected, stored and handled appropriately, in line with this policy and relevant legislation. This policy applies to all reasonably relevant persons unless specified otherwise.
2.6. This policy includes in its scope all data which we process either in hardcopy, digital copy or any other formats.
2.7. ‘Processing’ data means any operation which is performed on personal data such as but not limited to:
2.7.1. Collection, recording, organisation, structuring or storage.
2.7.2. Adaption or alteration.
2.7.3. Retrieval, consultation or use.
2.7.4. Disclosure by transmission, dissemination or otherwise making available.
2.7.5. Alignment or combination.
2.7.6. Restriction, destruction or erasure
2.7.7. Any other comparable processes.
2.8. This includes processing personal data which forms part of a filing system, any automated processing or similar processes.
2.9. Personal data might be provided to us by data subjects or someone else (such as a payment provider) or it could be created by us. It could be provided or created during the recruitment process, during a sign-up process to one of our services, during the course of the contract of employment (or services) or after its termination, among other avenues of creation.
2.10. We may collect and use the following types of personal data about data subjects:
2.10.1. Contact details and date of birth.
2.10.2. Emergency contacts information.
2.10.3. Demographic data, including those related to protected characteristics .
2.10.4. Images (i.e. those captured on CCTV, by photograph or video).
2.10.5. Identification documents.
2.10.6. Location tracking or similar information (i.e. during bike hire)
2.10.7. Special category data on participants to ensure project outcomes are being met.
2.10.8. Any other category of personal data which we may need in order to comply with legal, funding, insurance, and/or other relevant operational purposes.
2.11. Positive Pedal’s Board of Trustees acts as the data controller. Contact infopositivepedals@gmail.com if you require further information.
3. User/Data Subject Rights
3.1. Positive Pedals has an obligation to have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of data subjects or someone else) evidence of the breach must be taken and retained. If the breach is likely to result in a risk to the rights and freedoms of individuals then, Positive Pedals must also notify the Information Commissioner’s Office within 72 hours.
3.2. If person(s) or staff become aware of a data breach, they must contact their superior, relevant personnel or the board of trustees immediately and keep any evidence in relation to the breach.
3.3. Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information held about them. This request must be made in writing. We will usually not charge for this and will in most cases aim to do this within 30 days.
3.4. There is no fee for making a SAR. However, if the request is manifestly unfounded or excessive, Positive Pedals may charge a reasonable administrative fee or refuse to respond to the request.
3.5. Data subjects have the right to information about what personal data we process and how we process such data.
3.6. Data subjects can correct any inaccuracies in personal data.
3.7. Data subjects have the right to request Positive Pedals to erase personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected.
3.8. Data subjects have the right to object to data processing where we are relying on a legitimate interest to do so and data subjects think their rights and interests outweigh our own and they wish us to stop.
3.9. Data subjects have the right to object if we process personal data for the purposes of direct marketing.
3.10. Data subjects have the right to be notified of a data security breach concerning their personal data.
3.11. In some situations, we will not rely on consent as a lawful ground to process personal data. If we do however request consent to the processing of personal data for a specific purpose, data subjects have the right not to consent or to withdraw consent later. To withdraw consent, data subjects should contact the data controller.
3.12. Data subjects have the right to complain to the Information Commissioner. Data subjects can do this by contacting the Information Commissioner’s Office directly. Full contact details, including a helpline number, can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on data subjects’ rights and our obligations.
3.13. Data subjects may have additional rights under GDPR or the 2018 Act or legislation superseding them. While Positive Pedals always strives for this policy to be exhaustive, accurate and up-to-date, Positive Pedals acknowledges that certain deficiencies may be present, that this policy may be incomplete or may become outdated due to changes in legislation and/or specific court rulings. If any such matters are found to be present, Positive Pedals invites data subjects, staff, or any other member of the public to aid to improve and rectify such issues at the earliest opportunity.
3.14. If you wish to exercise your rights or have any other queries, please contact us at:
infopositivepedals@gmail.com
4. Website, Web Services, Cookies and Similar
4.1. Introduction:
4.1.1. This section provides a more detailed overview of data collected via our website or other digital services we use. During the use of our website and other digital services (i.e. payment systems) data collection may occur automatically (i.e. via cookies) without users’ explicit content. Explicit consent is sought wherever possible.
4.1.2. The word website refers to our main website or sub-websites created via third party service providers or other digital services we may utilise.
4.1.3. Cookies are files which are downloaded to and stored on your device when you visit a website or utilise one of our other digital services (i.e. booking system). When you visit our webpage, the pages that you see are downloaded to your device. At the same time a cookie is downloaded. Our site sends the cookie and uses the cookie number to recognise you when you return to our webpage or go from page to page. You may also submit additional information to us, for instance when contacting us or when submitting information via submission boxes.
4.1.4. We have no or very limited control over cookies collected via third-party providers (i.e. payment system providers, booking system providers, internet browsers). Such providers have their own policies in place which may differ from the principles in this policy. We will strive to ensure third-party providers will keep data collection to a minimum wherever feasible.
4.2. Information we may collect:
4.2.1. Personal Data: Name, email address, phone number, and any other information you provide, for instance but not limited to when signing up or contacting us.
4.2.2. Usage Data: Information about how you use our website, including pages visited, time spent on the site, and any interactions with our services.
4.2.3. Cookies and Tracking Technologies: Information collected through cookies and other tracking technologies.
4.3. How We Use Your Information:
4.3.1. To Provide Services: To provide and improve our services, including responding to your inquiries and providing support.
4.3.2. Marketing and Communication: To send you promotional emails, newsletters, and other marketing communications.
4.3.3. Analytics: To analyse website usage and improve our services.
4.3.4. Legal Obligations: To comply with legal obligations and protect our and others’ rights, property, or safety.
4.4. Data Sharing and Disclosure
4.4.1. We may share your personal information with third parties as described in the following points:
4.4.2. Service Providers: We may share your information with third-party service providers who perform services on our behalf, such as payment processing or email marketing.
4.4.3. Legal Requirements: We may disclose your information if required by law or to protect our rights, property, or safety.
4.5. How do we protect data?
4.5.1. We take the security of your data seriously. We have internal processes in place to try to ensure your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its staffs in the performance of their duties.
4.5.2. More information regarding our data protection procedures can be found in other parts of this policy.
4.6. Why do we collect personal information?
4.6.1. We collect non-personal and personal information for the following purposes:
4.6.2. To provide and operate our services, including but not limited to this webpage.
4.6.3. To provide our users with ongoing customer assistance and technical support.
4.6.4. To be able to contact our visitors and users with general or personalised service-related notices and promotional messages;
4.6.5. To create aggregated statistical data and other aggregated and/or inferred non-personal information, which we or our business partners may use to provide and improve our respective services;
4.6.6. To comply with any applicable laws and regulations.
4.7. Your Rights
4.7.1. Data subjects rights are outlined in detail in another section of this policy.
5. Positive Pedals Data Protection and Security Procedures
5.1. Positive Pedals pledges to adhere to high levels of data protection and security standards.
5.2. Maintaining data security means guaranteeing the confidentiality, integrity and availability of personal data, which is defined as follows:
5.2.1. Confidentiality means only those who are authorised to use the data can access it.
5.2.2. Integrity means personal data should be accurate and suitable for its intended purpose(s).
5.2.3. Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.
5.3. Security procedures include:
5.3.1. Use of secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind (personal information is always considered confidential). Any breaches, whether observed by members of the public, staff, volunteer, contractors, or other people engaging with Positive Pedals, should be reported to the data protection officer.
5.3.2. Staff are required to regularly clean their computer files, emails and other data systems to wipe data that is no longer required. We recommend staff complete this every three months and at least every six.
5.3.3. We strive to collect the minimum amount of data required to carry out our services and activities and will utilise anonymised data wherever possible. Third-party service providers offering such services should be preferred wherever feasible.
5.3.4. Third party service providers – and their means of data storage - need to be based in GDPR compliant localities.
5.3.5. Automatic data deletions systems should be utilised wherever feasible.
5.3.6. Staff should ensure individual monitors do not show confidential information to passers-by and they log off from their digital devices whenever they are left unattended.
5.3.7. Staff must use secure passwords (i.e. those including special characters, numbers and a mix of capitalised and non-capitalised letters) and should not use the same password across different services.
5.3.8. Positive Pedals recommends the use of password managers to create and safe passwords. Any password manager must be secured by a very secure password, with two factor authentication enabled.
5.3.9. Staff devices are required to be password, pin, gesture, or similarly protected.
5.3.10. Staff shall not - under any circumstances - enter users, staff or any other confidential, private or identifiable information (including organisationally sensitive information) associated with Positive Pedals into large-language models or other artificial intelligence software/providers. Positive Pedals has no agreement in place with such models, software or providers to ensure that such data will be kept secure. Entering such data may expose such data to spheres beyond the control of Positive Pedals or intentions of the user entering such data.
5.3.11. Staff should utilise two-factor authentication whenever possible.
5.3.12. Staff must not share personal data informally.
5.3.13. Staff must keep personal data secure and not share it with unauthorised people.
5.3.14. Staff should not make unnecessary copies of personal data and should keep and dispose of any copies securely.
5.3.15. Staff should encrypt personal data before transferring it electronically to authorised external contacts.
5.3.16. Staff should anonymise data or use separate keys/codes so the data subject cannot be identified.
5.3.17. Never transfer personal data outside the European Economic Area except in compliance with the law and authorisation of the GDPR Lead.
5.3.18. Staff should not leave paper with personal data lying about.
5.3.19. Staff should not take personal data away from organisation’s premises without authorisation from the Data Protection Officer.
5.3.20. Staff should shred and dispose of personal data securely when finished with it.
5.3.21. Staff should ask for help from the Data Protection Officer if unsure about data protection or if staff notice any areas of data protection or security we can improve upon.
5.3.22. Staff must undertake and adhere to all other steps and principles outlined in this policy.
5.4. Users of our services and activities should follow similar safety protocols (i.e. use of unique and secure passwords, two-factor authentication, keeping the sharing of personal information to a minimum).
6. Additional Conditions for Staff, Employees and Related Personnel or Prospective Subjects That May Become Such
6.1. In addition to the sections above, ‘staff’ (please note the far-reaching definition utilised in the first section of this policy), prospective staff (i.e. applicants for vacancies) or comparable subjects, may be subject to more extensive data collection processes.
6.2. The word staff in this section refers to all those outlined in section 2 unless explicitly stated otherwise.
6.3. We have to process personal data in various situations during recruitment, employment (or engagement of contract for services) and following termination of data employment (or engagement). Examples include but are not limited to:
6.3.1. To decide whether to employ (or engage) someone or a contractor.
6.3.2. To decide how much to pay and decide on other terms of contract.
6.3.3. To check data subjects have the legal right to work in the UK.
6.3.4. To carry out the contract between us including where relevant, its termination.
6.3.5. Training and reviewing performance.
6.3.6. To decide whether or not to promote someone.
6.3.7. To decide whether and how to manage performance, absence or conduct.
6.3.8. To carry out a disciplinary or grievance investigation or procedure in relation to data subjects or someone else.
6.3.9. To determine whether we need to make reasonable adjustments to the workplace or role.
6.3.10. To monitor diversity and equal opportunities.
6.3.11. To monitor and protect the health and safety of every data subject.
6.3.12. To pay data subjects and provide pension and other benefits in accordance with their contract or similar agreements.
6.3.13. To pay tax, VAT, National Insurance and other relevant duties.
6.3.14. To provide a reference upon request from another employer.
6.3.15. To monitor compliance by data subjects, us and others with our policies and contractual obligations.
6.3.16. To comply with employment law, immigration law, health and safety law, tax law and other laws which affect Positive Pedals.
6.3.17. To answer questions from insurers in respect of any insurance policies and/or condition which relate to data subjects.
6.3.18. To enable running the business /organisation and plan for the future.
6.3.19. To support the prevention and detection of fraud or other criminal offences.
6.3.20. To defend Positive Pedals in respect of any investigation or litigation and to comply with any court or tribunal orders for disclosure.
6.3.21. For any other reasonable reason which we may notify data subjects of from time to time.
6.4. Where feasible and not in conflict with legal obligations (i.e. Positive Pedals may be obliged to collect certain information via the PVG scheme), data subjects have the right to withhold data outlined in this section of the policy.
6.5. Special category data may be collected from staff. Such data may consist of:
6.5.1. Protected characteristics as defined by the Equality Act 2010.
6.5.2. Trade Union membership.
6.5.3. Health.
6.5.4. Criminal convictions and offences.
6.5.5. Communications undertaken on behalf of Positive Pedals (i.e. those with funders or other relevant organisations or individuals in relation to Positive Pedals). Please note that such communications may contain information (i.e. political beliefs or other opinions) and as such may disclose information data subjects did not intent to disclose. Staff are strongly advised to keep the disclosure of personal or confidential information via Positive Pedals communication channels to a minimum.
6.5.6. Any other information relevant for operational purposes or to adhere to the Equality Act 2010.
6.6. We may also collect and use the following types of personal data about staff:
6.6.1. Recruitment information such as the application form, CV, references, qualifications and membership of any professional bodies and details of any pre-employment assessments.
6.6.2. Contact details and date of birth.
6.6.3. Emergency contacts information.
6.6.4. Marital status and family details.
6.6.5. Information about the contract of employment (or services) including start and end dates of employment, role and location, working hours, details of promotion, salary (including details of previous remuneration), pension, benefits, holiday entitlement, services provided and services received.
6.6.6. Bank details and information in relation to tax status including National Insurance number.
6.6.7. Identification documents including passport and driving licence and information in relation to immigration status and right to work in the UK.
6.6.8. Information relating to disciplinary or grievance investigations and proceedings (whether or not the data subject was the main subject of those proceedings).
6.6.9. Information relating to performance and behaviour at work.
6.6.10. Training records.
6.6.11. Electronic information in relation to use of IT systems/swipe cards/telephone systems.
6.6.12. Images (whether captured on CCTV, by photograph or video).
6.6.13. Special category data on participants to help us ensure project outcomes are being met.
6.6.14. Any other reasonable information we may need to hold of which we may notify data subjects from time to time.
7. We will use collected data for the following. Please note that this list may not be exhaustive:
7.1. Performing the contract of employment (or services) between us.
7.2. Complying with any legal obligation(s).
7.3. Project monitoring and evaluation and ensuring we have contact details of participants and their parents/guardians.
7.4. If it is necessary for legitimate interests (or for the legitimate interests of someone else). However, this can only be done if data subjects’ interests and rights do not override Positive Pedals (or theirs). Data subjects have the right to challenge legitimate interests and request we stop processing their data.
7.5. We can process personal data for these purposes without data subjects’ knowledge or consent. We will not use personal data for an unrelated purpose without telling data subjects about it and the legal basis that we intend to rely on for processing it.
7.6. If data subjects choose not to provide us with certain personal data, they should be aware we may not be able to carry out certain parts of the contract between us. For example, if data subjects do not provide us with bank account details, we may not be able to pay them. It might also stop us from complying with certain legal obligations and duties which we have such as to pay the right amount of tax to HMRC or to make reasonable adjustments in relation to any disability data subjects may suffer from.
7.7. Positive Pedals may share personal data with other organisations, companies, contractors, agents and/or similar to fulfil obligations under contract with data subjects or for legitimate interests. Such interests may include but are not limited to:
7.7.1. Payroll or other HR purposes
7.7.2. Insurance purposes
7.7.3. Disclosure Scotland/PVG checks
7.7.4. Employment Tribunals
7.7.5. Other services which may require services, advice, information or similar from other organisations or individuals.
7.8. We require those companies, organisations, individuals or similar to keep data subjects’ personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process data for the lawful purpose for which it has been shared and in accordance with our instructions.
8. Any deliberate or negligent breach of this policy may result in disciplinary action being taken.
9. It is a criminal offence to conceal or destroy personal data which is part of a subject access request. This conduct could amount to gross misconduct under our disciplinary procedure, which could result in dismissal.
10. The same principles apply to those working in our physical premises and/or other locations (i.e. homeworkers).
11. Other laws and regulations may apply.