How CSSC handles personal information
We are committed to good information handling principles and the privacy and confidentiality of any personal information we deal with.
The terms "you" and "your" mean any visitors and users of this Site and individuals who otherwise interact with us in connection with our services.
If you wish to provide comments, update any of your preferences or exercise any of your rights you can:
- Write to the Customer Services Manager at CSSC, Compton Court, 20-24 Temple End, High Wycombe, HP13 5DR;
- Email to send email;
- Call 01494 888 444 between 9am – 5pm Mon – Thurs and 9am – 4:30pm on Friday;
- Make changes by logging into our preference centre within My Account at any time when logged in;
- Contact our Data Protection Officer if you have any queries regarding our data protection practices by email to send email.
Our website is https://www.cssc.co.uk/ and is owned, and operated by us.
Under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Data Protection Act 2018 ('the Act'), personal data is defined as 'any information relating to an identified or identifiable natural person ('data subject'), by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.
The data controller
A data controller is the individual or legal person who controls and is responsible to keep and use personal data in paper or electronic files. CSSC is the data controller as defined by relevant data protection laws and regulation.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever personal data is to be processed:
- (a) Consent: you have given your freely, specific, informed or unambiguous) consent for your personal data to be processed for a specific purpose.
- (b) Contract performance: the processing is necessary for the performance of a contract you have with CSSC, which had asked you to take specific steps before entering into a contract.
- (c) Compliance with legal obligation: the processing is necessary for CSSC to comply with the law for tax, social security obligation, employment purposes (not including contractual obligations).
- (d) Protection of vital interests: the processing is vital to an individual's survival.
- (e) Public interest: the processing is necessary for CSSC to perform a task that is in the public interest or for its official functions, and the task or function has a clear basis in law.
- (f) Legitimate interests: the processing is necessary for CSSC legitimate interests, or the legitimate interests of a third-party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.
Your data subject rights are listed below:
- the right of access.
- the right to rectification.
- the right to erasure or right to be forgotten.
- the right to restriction of processing.
- the right to be informed.
- the right to data portability.
- the right to object.
- the right not to be subject to a decision based solely on automated processing.
The categories of personal information we collect
Personal information collected from you in connection with our services includes the following:
- Your full name, date of birth, CSSC number, postal address, e-mail address, employer/business and professional information, job titles, next of kin and dietary requirements eg if you are attending an event or national, regional or area conference, telephone and fax numbers and Any other personal data which is voluntarily provided to CSSC from time to time
- Bank and card details where you make payments to us.
Personal information also includes special categories of personal data, such as, health information, which we may collect in connection with any trips or events you choose to attend for health and safety purposes.
If you communicate with us by email over the internet you should be aware that the nature of the internet may not be secure and may pass through several different countries on route to us. Please do not email us with confidential or sensitive information such as your credit card details. We comply with data privacy laws in relation to security, but cannot accept responsibility for unauthorized access to your information that is outside our control. Further information regarding our approach to the security of personal information is included in the section below on security of personal information.
The purposes for which we use personal information
We will only use your personal information for the purposes that you would reasonably anticipate or that we state when we collect it and, where necessary, for which you have given us your consent, as set out in the table below.
In the course of our Services, we will analyse your information to build individual profiles. These profiles will be used to predict future interests and to offer a more bespoke service based on what you have previously taken part in. The aim is to provide you with offers that are relevant and interesting for you. The profiling is based on your participation in our scheme. This includes the communication of events, services and activities, and any interaction with it. You have the opportunity to opt-out of this at any time and depersonalise your service. To opt out, please update your cookie preferences, visit My Account, call 01494 888 444 or email send email.
|Purpose of data use||Personal information used||Our lawful basis for using the information|
|1. To administer any membership you have with us and managing our relationship with you, including dealing with payments and any support, service or product enquiries made by you||All contact and membership details, transaction and payment information, records of your interactions with us, and marketing preferences.||This is necessary to enable us to properly manage and administer your membership contract with us.|
|2. To arrange and manage any contracts for the provision of any services or products||
Contact details, transaction and payment information. Records of your interactions with us.
|This is necessary to enable us to properly administer and perform any contract for the provision of any services and products you have purchased from us.|
|3. To send you information which is included within your membership benefits package, including details about advanced ticket information, competitions and events, partner offers and discounts and any updates on our sport and leisure offerings||Contact and membership details.||This is necessary to enable us to properly manage and administer your membership contract with us.|
|4. To send you other marketing information we think you might find useful or which you have requested from us, including our newsletters, information about membership, events, products and information about our commercial partners and to occasionally inform you of new services we will be providing or we consider will be of interest to you.||
Contact details and marketing preferences.
|The lawful basis for handling this data is Contract/Consent|
|5. To answer your queries or complaints||Contact details and records of your interactions with us||We have a legitimate interest to provide complaint handling services to you in case there are any issues with your membership.|
|6. To offer a more bespoke service based on what you have previously taken part in. To provide you with offers that are relevant and interesting for you.||Your interaction with us, use of our website and marketing preferences.||This is necessary to perform our legitimate interest with you to ensure that our membership is targeted and relevant.|
|7. Retention of records||All the personal information we collect.||
We have a legitimate interest in retaining records whilst they may be required in relation to complaints or claims. We need to retain records in order to properly administer and manage your membership and run CSSC and in some cases we may have legal or regulatory obligations to retain records for the purposes of accounting and to audit our operations.
We process special category personal data on the basis of the “special category reasons for processing of your personal data” referred to above.
For criminal records history we process it on the basis of legal obligations or based on your explicit consent.
|8. The security of our IT systems||Your usage of our IT systems and online portals.||We have a legal obligation to ensure that our IT systems are secure.|
|9. To conduct research and data analysis and develop statistics to better understand event attendance and trends within the CSSC offering.||Records of your attendance at any events or competitions hosted by us or your use of CSSC offering ie., online shop and my savings||This is necessary to perform our legitimate interest with you to ensure that our membership is targeted and relevant.|
|10. For the purposes of promoting CSSC, our events and membership packages.||Images in video and/or photographic form.||Where you have given us your explicit consent to do so|
|11. To comply with health and safety requirements||Records of attendance, CCTV footage and other information obtained through electronic means such as swipe card and key fob records, medical information about your health.||We have a legal obligation to provide you and other members of our organisation with a safe environment in which to participate in sport.|
|12. To administer your attendance at any workshops, programmes or events you sign up to||All contact and membership details, transaction and payment data.||This is necessary under your contract with us to enable us to register you on to and properly manage and administer your attendance on the course and/or programme.|
|13. To arrange for any trip or transportation to and from an event||Identification documents details of next of kin, family members and emergency contacts, transaction and payment information, health and medical information.||This is necessary under your vital interests to enable us to make the necessary arrangements for the trip and/or transportation|
|14. To use information about your physical or mental health (including any injuries) or disability status, to ensure your health and safety and to assess your fitness to participate in any events or activities we host and to provide appropriate adjustments to our sports facilities.||Health and medical information||Where you have given us your explicit consent to do so|
|15. To gather evidence for possible grievance or disciplinary hearings||All the personal information we collect||We have a legitimate interest in doing so to provide a safe and fair environment for all members and to ensure the effective management of any disciplinary hearings, appeals and adjudications.|
|16. Complying with legal and regulatory requirement; and establishing and defence of legal rights.||Information needed for legal defence||For criminal records history we process it on the basis of legal obligation or based on your explicit consent|
You should be aware that you are entitled under data privacy law to withdraw your consent, where that has been given, at any time. You can withdraw your consent by contacting us. See more details in the Contact us section below. You can also withdraw your consent by accessing My Account when logged in.
You should be aware that if you do this and if there is no alternative lawful reason for us to rely on to justify the relevant use or other processing on your personal information, this may affect our ability to provide our services.
Keeping you informed
We may contact you in writing, by telephone or email. If at any time you decide that you do not want your contact details used for these purposes, please contact us or amend your preferences in My Account when logged in.
When you sign up with us, we will also share some limited personal information with People Value Ltd who operate CSSC savings to enable them to identify you:
- You should read their membership terms and conditions and the privacy policies provided by the benefits specialists People Value Ltd for details of how your personal information will be processed; and
- If you have provided your consent to receive CSSC savings emails, including Newsletters, these will contain details of retail savings offers, news, health and fitness services and insurance products from regulated providers of insurance products that you have stated may interest you.
Disclosure of your Personal Information to other third parties
- CSSC may share personal information with third parties under these circumstances:
- within our group companies and third party business partners, or event organisers in order to deliver our services or verify your membership;
- with third parties so that they can deliver the services and benefits you are seeking, eg savings providers, or tastecard, this may involve sharing membership information so the third party can verify your membership;
- agents, IT support, web developers, affiliates, savings providers, service providers conducting satisfaction surveys such as Survey Monkey, travel agents, tour operators, event venues and hotels;
- to our advisers;
- to comply with legal requirement and regulatory requirements, for the administration of justice, to protect vital interests, to protect the security or integrity of our databases or this Site, to take precautions against legal liability;
- with regulatory authorities, courts and governmental agencies to comply with legal orders, legal or regulatory requirements and government requests;
- if we sell or buy any business or assets, we may disclose your personal information to the prospective seller or buyer of such business or assets, or otherwise in the event of our merger, re-organisation, dissolution or similar event.
Where appropriate, before disclosing personal information to a third party or affiliate who process your information under our instructions as a data processor, we require the third party to take adequate precautions to protect that data and to comply with applicable privacy laws.
Retention of your personal information
We keep your personal information for no longer than is necessary to fulfil the purposes for which it was collected as described above or in another privacy notice provided to you, taking into account the requirements from the following criteria:
- any laws or regulations that we are required to follow;
- whether we are in a legal or other type of dispute with each other or any third party;
- the type of information that we hold about you; and
- whether you are still a member of our services.
Retention of incomplete membership registrations: we will retain your data for 6 months in order to ease the completion of membership applications.
Retention in case of queries: We will retain it for a reasonable period (up to 5 years) in case of queries from you.
Retention in case of claims: We will retain it for the period in which you might legally bring claims against us (in the UK this means we will retain it for 6 years).
Lapsed and cancelled members: We may contact expired members up to 1 month via a third-party provider for the purposes of renewing membership and feedback.
If you would like further information about our data retention practices please contact us (see contact us below).
Security of personal information
We endeavour to use appropriate technical and physical security measures to protect personal information which is transmitted, stored or otherwise processed from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access, whenever this is collected in connection with our services.
On our Site, these measures include computer safeguards and secured files and facilities. We have received ISO 27001 accreditation for compliance with best practice in information security management. Our service providers are also selected carefully and required to use appropriate protective measures.
In particular, we endeavour to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) pseudonymisation (such as where data is separated from direct identifiers so that linkage to an identity is not possible without additional information that is held separately) and encryption, (b) ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process your personal information, (c) ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) ensuring a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.
If there is a breach of security involving your personal information which we are concerned will involve risks to you, we shall without undue delay, work to mitigate those and contact you and/or the data privacy supervisory authority in accordance with applicable laws.
Links to other websites and providing information to third parties
Other countries may have different data protection laws than your country of residence or they may not have data protection laws at all. They may not be deemed by the European Commission as providing adequate protection for personal information.
We only send information outside of the UK if you have specifically requested a trip outside of the UK which is organised with or via a third party. We do not otherwise have any suppliers outside the European Economic Area ("EEA").
We will only make transfers of personal information outside the EEA:
to a location which has been recognised as ensuring adequate protection by the relevant privacy supervisory authorities;
where we have taken steps to put in place safeguards (including around security) to protect your personal information. This includes use of European Model Clause contracts which are approved by the European Commission. You can find out what these are here.
if the transfer is necessary for one of the reasons specified in data privacy laws, such as the performance of a contract between us or in your interests; or
you explicitly consent to the transfer eg in a form.
If you have any questions please contact us (see Contact Us below).
Your right to lodge complaints with the data privacy authority in your country
You can contact us directly if you have any concerns or complaints regarding how your personal information is handled. We take privacy seriously and will respond promptly. You can access our complaints form here.
In addition to any other administrative or judicial remedy you might have, you have the right to lodge a complaint with the relevant data protection supervisory authority if you consider that we have infringed applicable data privacy laws when processing your personal information. The data privacy regulator’s details in the UK are as follows: Information Commissioner’s Office and their site is: https://ico.org.uk/ which includes current contact details and how to lodge a complaint in writing or by telephone to their contact centre.
Information security policy
The CSSC Information Security Policy (ISP) is concerned with protecting the system, equipment and processes of CSSC that support keeping information safe and protected, no matter how, or in what form, the information is either held, processed or shared. If you would like a copy of our Information Security Policy please email email@example.com.