How CSSC handles personal information
Civil Service Sports Council takes the privacy of your information very seriously. This Privacy Notice explains how we will collect and use the information you give us via our site: www.cssc.co.uk (the "Site") and otherwise when you are using our services, for instance when you complete any paper or Site forms or otherwise, or provide data to us by telephone.
We are committed to good information handling principles and the privacy and confidentiality of any personal information we deal with.
When we interact with you, we might give you supplementary privacy notices which are more specific to the personal data we’re collecting or using at that point. You should read those notices alongside this Privacy Notice.
In this Privacy Notice, the word "we" and "CSSC" refers to the Civil Service Sports Council. Unless otherwise stated, we are the data controller of any personal data collected via the Site, in any forms, via the telephone, email or otherwise. Our contact details are included in the contact us section below.
The terms "you" and "your" mean any visitors and users of this Site and individuals who otherwise interact with us in connection with our services.
We welcome comments or queries about this Privacy Notice and our information handling practices.
If you wish to provide comments, update any of your preferences or exercise any of your rights you can:
- Write to the Customer Services Manager at CSSC, Compton Court, 20-24 Temple End, High Wycombe, HP13 5DR;
- Email to send email;
- Call 01494 888 444 between 9am – 5pm Mon – Thurs and 9am – 4:30pm on Friday;
- Make changes by logging into our preference centre within My Account at any time when logged in;
- Contact our Data Protection Officer if you have any queries regarding our data protection practices by email to send email.
Our website is https://www.cssc.co.uk/ and is owned, and operated by us.
Under the General Data Protection Regulation ('UK GDPR') and Data Protection Act 2018 ('the Act'), personal data is defined as 'any information relating to an identified or identifiable natural person ('data subject'), by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.
The data controller
A data controller is the organisation who exercises control over the means and purposes for processing personal data and is responsible for, amongst other things, the security of all personal data in paper or electronic files. CSSC is the data controller as defined by relevant data protection laws and regulation.
The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever personal data is being processed:
- (a) Consent: you have given your freely, specific, informed, or unambiguous) consent for your personal data to be processed for a specific purpose.
- (b) Contract performance: the processing is necessary for the performance of a contract you have with CSSC, or the processing is necessary to take specific steps before entering into a contract.
- (c) Compliance with a legal obligation: the processing is necessary for CSSC to comply with the law for tax, social security obligation, employment purposes (not including contractual obligations).
- (d) Protection of vital interests: the processing is vital to an individual's survival.
- (e) Public interest: the processing is necessary for CSSC to perform a task that is in the public interest or for its official functions, and the task or function has a clear basis in law.
- (f) Legitimate interests: the processing is necessary for CSSC’s legitimate interests, or the legitimate interests of a third-party, unless there is a good reason to protect the individual’s rights and that overrides those legitimate interests.
|Purpose of data use
|Personal data used
|Our lawful basis for using the information
|1. To administer and manage any membership you have with us including dealing with payments, sending you information about services, provision of services or product enquiries made by you.
|All contact and membership details, transaction and payment information, records of your interactions with us, and marketing preferences.
|This is necessary to enable us to properly manage and administer your membership contract with us.
|2. To send you information we think you might find useful or which you have requested from us, including our newsletters, SMS messages, information about membership, events, products, information about our commercial partners or to offer a more bespoke service to you.
Contact details and marketing preferences.
|The lawful basis for handling this data is consent/legitimate interests.
|3. To conduct research and data analysis and develop statistics to better understand event attendance and trends within the CSSC offering.
|Records of your attendance at any events or competitions hosted by us or your use of CSSC offering ie., online shop and my savings
|This is necessary to perform our legitimate interest with you to ensure that our membership is targeted and relevant.
|4. For the purposes of promoting CSSC, our events and membership packages.
Images in video and/or photographic form.
|Where you have given us your explicit consent to do so.
|5. To comply with health and safety requirements.
|Records of attendance, CCTV footage and other information obtained through electronic means such as swipe card and key fob records, medical information about your health.
|We have a legal obligation to provide you and other members of our organisation with a safe environment in which to participate in sport.
|6. To arrange for any trip or transportation to and from an event.
|Identification documents details of next of kin, family members and emergency contacts, transaction and payment information, health and medical information.
|This is based on consent but also in the case of an emergency we will rely on vital interests if we need to disclose any personal data.
|7. To use information about your physical or mental health (including any injuries) or disability status, to ensure your health and safety and to assess your fitness to participate in any events or activities we host and to provide appropriate adjustments to our sports facilities.
|Health and medical information.
Where you have given us your explicit consent to do so.
You should be aware that you are entitled, under data protection legislation, to withdraw your consent, where that has been given, at any time. You can withdraw your consent by contacting us. See more details in the Contact us section below. You can also withdraw your consent by accessing My Account when logged in.
You should be aware that if you do this and if there is no alternative lawful reason for us to rely on to justify the relevant use or other processing on your personal information, this may affect our ability to provide our services.
Your data subject rights are listed below:
- the right of access.
- the right to rectification.
- the right to erasure or right to be forgotten.
- the right to restriction of processing.
- the right to be informed.
- the right to data portability.
- the right to object.
- the right not to be subject to a decision based solely on automated processing.
If you wish to exercise any of these rights, please contact us on 01494 888444
The categories of personal data we collect.
Personal data collected from you in connection with our services includes the following and which are set out in more detail above:
your full name, date of birth, CSSC number, postal address, e-mail address, employer/business and professional information, job titles, next of kin and dietary requirements eg if you are attending an event or national, regional or area conference, telephone and fax numbers and any other personal data which is voluntarily provided to CSSC from time to time
bank and card details where you make payments to us.
Personal data also includes special categories of personal data, such as, health information, which we may collect in connection with any trips or events you choose to attend for health and safety purposes.
If you communicate with us by email over the internet you should be aware that the nature of the internet may not be secure and may pass through several different countries on route to us. Please do not email us with confidential or sensitive information such as your credit card details.
We comply with data privacy laws in relation to security but cannot accept responsibility for unauthorised access to your information that is outside our control. Further information regarding our approach to the security of personal information is included in the section below on Security of personal data.
The purposes for which we use personal data.
We will only use your personal data for the purposes that you would reasonably expect or that we state when we collect it and, where necessary, for which you have given us your consent.
In the course of our Services, we will analyse your information to build individual profiles. These profiles will be used to predict future interests and to offer a more bespoke service based on what you have previously taken part in. The aim is to provide you with offers that are relevant and interesting for you. The profiling is based on your participation in our scheme. This includes the communication of events, services and activities, and any interaction with it. You have the opportunity to opt-out of this at any time and depersonalise your service. To opt out, please update your cookie preferences, visit My Account, call 01494 888 444 or email send email.
Keeping you informed
We may contact you in writing, by telephone, or by email. If at any time you decide that you do not want your contact details used for these purposes or to change the way we contact you, please contact us or amend your preferences in My Account when logged in.
When you sign up with us, we will also share some limited personal information with People Value Ltd who operate CSSC savings to enable them to identify you:
- You should read their membership terms and conditions and the privacy policies provided by the benefits specialists Boostworks for details of how your personal information will be processed; and
- If you have provided your consent to receive CSSC savings emails, including Newsletters, these will contain details of retail savings offers, news, health and fitness services and insurance products from regulated providers of insurance products that you have stated may interest you.
Disclosure of your Personal Information to other third parties
- CSSC may share personal data with third parties under these circumstances:
- within our group companies and third-party business partners, or event organisers in order to deliver our services or verify your membership.
- with third parties so that they can deliver the services and benefits you are seeking, eg savings providers, or Boostworks, this may involve sharing membership information so the third party can verify your membership.
- agents, IT support, web developers, affiliates, savings providers, service providers conducting satisfaction surveys such as Survey Monkey, travel agents, tour operators, event venues and hotels.
- to our advisers.
- to comply with legal requirement and regulatory requirements, for the administration of justice, to protect vital interests, to protect the security or integrity of our databases or this Site, to take precautions against legal liability; or
- with regulatory authorities, courts, and governmental agencies to comply with legal orders, legal or regulatory requirements and government requests.
When we share personal data with another organisation or, where we are using an organisation to process personal data on our behalf, this will be governed by appropriate safeguards and contracts/agreements under the applicable data protection laws.
Retention of your personal data
We keep your personal information for no longer than is necessary to fulfil the purposes for which it was collected as described above or in another privacy notice provided to you, taking into account the following criteria:
- any laws or regulations that we are required to follow.
- whether we are in a legal or other type of dispute with each other or any third party.
- the type of information that we hold about you; and
- whether you are still a member of our services.
Retention of incomplete membership registrations. We will retain your data for 6 months in order to ease the completion of membership applications.
Retention in case of queries. We will retain it for a reasonable period (up to 5 years) in case of queries from you.
Retention in case of claims. We will retain it for the period in which you might legally bring claims against us (in the UK this means we will retain it for 6 years);
Retention for Recruitment. Once we have finished recruitment for the role you applied for, we will retain your personal data in accordance with our Retention Policy. If you are unsuccessful, we will retain your personal data for up to six months unless you have agreed to us contacting you when similar roles arise.
Lapsed and cancelled members. We may contact expired members up to 1 month via a third-party provider for the purposes of renewing membership and feedback.
If you would like further information about our data retention practices, please contact us (see Contact us below).
Security of personal data
We endeavour to use appropriate technical and physical security measures to protect personal information which is transmitted, stored, or otherwise processed from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access, whenever this is collected in connection with our services.
On our Site, these measures include computer safeguards and secured files and facilities. We have received ISO 27001 accreditation for compliance with best practice in information security management. Our service providers are also selected carefully and required to use appropriate protective measures.
In particular, we endeavour to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) pseudonymisation (such as where data is separated from direct identifiers so that linkage to an identity is not possible without additional information that is held separately) and encryption, (b) ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process your personal information, (c) ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) ensuring a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.
If there is a breach of security involving your personal data and which may result in a risk or harm to you, we shall without undue delay, work to mitigate those and contact you and/or the supervisory authority (the ICO) in accordance with data protection legislation.
Links to other websites and providing information to third parties
Our Site may contain links to other sites outside CSSC’s Site which may not be operated by us. These hyperlinks are provided for your reference and convenience only and do not imply any endorsement of the activities of these third-party sites or any association with their operators. We do not control these websites and are not responsible for their data privacy and security on those sites. This Privacy Notice applies only to this Site (and supplements any other privacy notices we have provided in connection with any forms or when you otherwise provide us with personal data).
We urge you to review any privacy notice posted on any site you visit, or are otherwise provided with by a third party, before using the site or providing any personal information.
We only send information outside of the UK if you have specifically requested a trip outside of the UK which is organised with or via a third party or, in some cases, where we use a processor who is not located in the UK.
If we do need to transfer personal data out of the UK/EEA we will ensure that it is transferred:
- to a location which has been recognised as ensuring adequate protection by the UK Government;
- where we have taken steps to put in place safeguards (including around security) to protect your personal data. This includes use of the International Data Transfer Agreement or the UK
- Addendum with the European Standard Contractual Clauses which are approved by the European Commission. You can find out what these are here.
- if the transfer is necessary for one of the reasons specified in data privacy laws, such as the performance of a contract between us or in your interests; or
- you explicitly consent to the transfer eg in a form.
- If you have any questions please contact us (see Contact Us below).
Changes to this Privacy Notice
This Privacy Notice was last updated on 06/12/2023. CSSC reserves the right to vary this privacy notice from time to time. Such variations become effective on posting on this website.
Your right to lodge complaints with the Data Protection Supervisory Authority (the ICO)
You can contact us directly if you have any concerns or complaints regarding how your personal information is handled. We take privacy seriously and will respond promptly. You can access our complaints form here.
In addition to any other administrative or judicial remedy you might have, you have the right to lodge a complaint with the relevant data protection supervisory authority (the ICO) if you consider that we have infringed applicable data privacy laws when processing your personal information. Further information about complaining to the ICO can be found here - https://ico.org.uk/ which includes current contact details and how to lodge a complaint in writing or by telephone to their contact centre.