Policies

Privacy Policy

Last Updated: 05 Jun 2024

Please read this Privacy Policy carefully, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so you are informed about how and why we collect, store, use and share your personal information. This Privacy Policy also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint. 
 
When we handle certain personal data about you, we do so subject to applicable data protection laws, including the UK General Data Protection Regulation and the Data Protection Act 2018. This Privacy Policy supplements our terms and conditions and is not intended to override them. 
 
Our website may provide links to third party websites. We are not responsible for the conduct of third party companies linked to the website and you should refer to the privacy notices of these third parties about how they may handle your personal information. 
  

2. Who we are 


When we say “we” or “us” in this Privacy Policy, we mean the Trust and Serco. Our business details are as follows: 

  • Bisham Abbey (part of ),

    Bisham Abbey National Sports Centre
    Bisham Village
    Marlow Road
    Bisham
    Marlow
    SL7 1RR

    Tel: +44 (0)1628 476911

    What3words: sparrows.baked.spilling

  • Serco Leisure Operating Limited (company number: 04687478) Based at Serco Leisure, Lancer House, Floor 2, 38 Scudamore Road, Leicester, LE3 1UQ
    ​ 

As the Trust and Serco work together and jointly determine the purposes and means of gathering and using your personal data, we are considered “joint controllers” of your personal data. 
 
Bisham Abbey is managed on behalf of the Trust by Serco as its managing agent.       
  

3. How your personal data is collected 

 
When using the term “personal data” or “personal information” in this Privacy Policy, we mean information (including opinions) that relates to you and from which you could be identified, either directly or in combination with other information which we may have in our possession. 
We may collect personal data about you when: 

  • the personal data is provided to us by you (e.g. when you contact us by email or telephone, when you enter a competition, fill in a survey) 
  • the personal data is collected in the normal course of our relationship with you (e.g. when you sign up to become a member, make an event booking, make a payment online or purchase products or services); 
  • the personal data has been made public by you (e.g. contacting the Trust via a social media platform); 
  • the personal data is received by us from third parties (e.g. parents and guardians, law enforcement authorities, previous managing agents acting on behalf of the Trust); 
  • the personal data is received from trusted suppliers (e.g. payment providers, marketing agencies); 
  • the personal data is collected via our IT systems (e.g. our website, CCTV surveillance, mobile applications); and 
  • the personal data is created by us, such as records of your communications with us including complaints. 

  

4. Cookies 

We use cookies on our website. Cookies are small text files that are downloaded onto your device when you visit a website. Please refer to our cookies policy for further information about our use of cookies. 
  

5. Personal data collected 

 
The categories of personal information about you which we may collect and use includes: 

  • Personal details: title, full name, business or home address (current and historic), telephone and mobile numbers, email address, gender, date of birth, age, signature. 
  • Family and Friends Information: family and dependents, emergency contacts. 
  • Public identifiers: photographs, CCTV images and recordings. 
  • Internal Identifiers: consent forms, membership identification number, loyalty/resident card number, 
  • Financial, Welfare and Insurance Details: purchase transaction history, financial, bank or credit card information, welfare and benefits information, insurance details including for special event bookings. 
  • Correspondence: details of referrals, quotes and other contact and correspondence with you. 
  • Services Usage: service usage statistics. 
  • Preferences: permissions, or preferences that you have specified, such as whether you wish to subscribe to our mailing list or agree to our terms and conditions. 
  • Incident History: health and safety accidents, security incidents, accident information, complaints communications, insurance claims history, reports and notes about health, treatment and care including details about hospital and doctor’s clinic visits. 
  • Special Category Personal Data: health and medical information, ethnic origin and biometric identifiers.   
  • Website Access Details: your computers unique identifier (e.g. IP Address), the date and time you accessed the Website. 

The provision of some information is optional, but, in certain circumstances we will not be able to deliver the services and/or products you have requested if we are not provided with all relevant personal data. 

  

6. How and why we use your personal data 

 
Data protection and privacy laws requires companies to have a “legal basis” or “lawful ground” to collect and use your personal information. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information. 
 
We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do this. This may be because: 

  • we have obtained your prior consent, including for direct marketing; 
  • we need to use your personal information in connection with the performance of a contract with you or to take steps at your request prior to entering into a contract with us; for example, we need your financial details when you sign up to a Direct Debit product; 
  • our use is necessary for the complying with our legal obligations; for example, in response to requests from government law enforcement authorities conducting an investigation. 
  • we need to use your personal information for our legitimate interest or those of a third party (and our interests are not overridden by your data protection rights), such as for monitoring service quality and business procedure compliance. 

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We carry out balancing tests for all the data processing we do based of our legitimate interest and you can obtain information on our balancing tests by contacting us on the details below. 
 
Below is a summary of how we use and the legal basis we rely on to use your personal data (please refer to section 7 below for details about how we handle your special category personal data):  
  

What we use your personal information for 

Our reasons 

Provision of services: for the administration and delivery of the requested Leisure Centre services to you including processing your membership application or event booking, communicating with you and providing customer service. 

  • The use is necessary in connection with the performance of our contract with you or to take steps at your request prior to entering into a contract with us; or 
  • For our legitimate interests or those of a third party to provide the requested services and respond to any complaints or comments you may send us. 
  • For our our legitimate interests or those of a third party to support our administrative and business functions. 

Pre Exercise Assessments: details collected prior to starting membership and/or an exercise programme with us in order to assess activity requirements. 

  • For our legitimate interests or those of a third party to provide information to our insurers; 
  • For our legitimate interest or those of a third party to assist with providing safe and professional exercise guidance and programming. 

Fraud detection: to prevent and detect fraud against you or Serco such as providing proof of identity if you request a copy of your data. 

  • For our legitimate interests or those of a third party  to minimise fraud that could be damaging for us and for you; or 
  •   To comply with our legal and regulatory obligations. 

Safety: to ensure safe working practices and working environment.   

  • To comply with our legal and regulatory obligations; or 
  • For our legitimate interests or those of a third party by making sure we are following our own internal procedures and working efficiently and safely so we can deliver the best service to you. 

Security: for security purposes, such as preventing unauthorised access and modifications to systems and protecting our staff, premises and vehicles. 

  • For our legitimate interests or those of a third party to prevent and detect criminal activity. 
  • For our legitimate interests or those of a third party to protect the well-being of our staff and ensuring the physical and electronic security of our business, premises and assets; or 
  • To comply with our legal and regulatory obligations 

IT and website operations: for the operation and management of our websites and IT systems, providing content and communicating with you and ensuring the security and availability of our IT systems.   

  • For the performance of our contract with you or to take steps at your request before entering into a contract; or 
  • For our legitimate interests or those of a third party to operate our websites and IT systems including reporting faults. 

Marketing: to promote our services via by email, telephone, social media, post or in person or otherwise but ensuring that such communications are provided to you in compliance with applicable law. 

  • For our legitimate interests or those of a third party for the purpose of promotion; or 
  • We have obtained your prior consent 

Internal compliance: to ensure business policies are adhered to, such as policies covering security and internet use. 

  • For our legitimate interests or those of a third party for the purposes of ensuring we are following our own internal procedures to deliver the best service to you. 

Investigations and complaints management: to detect, investigate and/or prevent breaches of policy, complaints, claims, incidents and criminal offences.   

  • For our legitimate interests or those of a third party to detect and protect against breaches of our policies, applicable laws and for the establishment, exercise or defence of legal claims; or 
  • For our legitimate interests or those of a third party to establish the facts in the event of a complaint, claim or query from a caller; 
  • To comply with our legal and regulatory obligations. 

Compliance: compliance with our legal and regulatory obligations such as Health and Safety, including maintaining an internal record of compliance. 

  • To comply with our legal and regulatory obligations; or 
  • For our legitimate interests or those of a third party for the purpose of maintaining a record of compliance with our legal and regulatory obligations. 

Legal Proceedings: establishing, exercising and defending legal rights, including debt collection procedures. 

  • To comply with our legal and regulatory obligations; or 
  • For our legitimate interests or those of a third party for the purpose of establishing, exercising or defending our legal rights. 

Business Analysis: for business management and operational reasons. 

  • For our legitimate interests or those of a third party to provide an efficient and high quality service to you. 

Business Reorganisation: to share with third parties  the event of a change of management, sale, merger, reorganisation or similar event. 

  • For our legitimate interests or those of a third party to assist with the sale or potential sale, change of management or reorganisation of our business. 

Quality and Training: for quality assurance and staff and supplier training purposes. 

  • For our legitimate interests or those of a third party to monitor and assess the quality of our service delivery (including compliance with our customer service standards) and to provide training from time to time to those staff involved in the provision of our services as required; 

Record maintenance: to update and enhance customer records. 

  • For the performance of our contract with you or to take steps at your request before entering into a contract; 
  • To comply with our legal and regulatory obligations; or 
  • For our our legitimate interests or those of a third party to support our administrative and business functions. 

Research: to conduct market or customer satisfaction research, statistical analysis to help us manage our business such as analysing gym usage or engaging with you to obtain your views on our products and services. 

  • For our legitimate interests or those of a third party to provide an efficient and high quality service to you; or 
  • We have obtained your prior consent. 

Risk management: audit, compliance, controls and other risk management. 

  • For our legitimate interests or those of a third party to manage risks to which our business and staff are exposed. 

  

7. When is special category personal data collected and used? 

 
Special categories of information is given to certain kinds of personal data that is particularly sensitive and requires higher levels of protection. This is information about your health status, racial or ethnic origin, political views, religious or similar beliefs, sex life or sexual orientation, genetic or biometric identifiers, trade union membership. 
 
We may from time to time request that you provide special category personal information. We will primarily collect and use this information in the following scenarios: 

  • ask you about health concerns or disabilities when signing up for membership or purchasing other services so that we can ensure that what we deliver is both suitable and tailored to you. 
  • request to record your ethnicity so that we can compare in aggregate our membership base with the local population to ensure we’re representing our local communities. 
  • some facilities may use biometric information (e.g. facial recognition) as part of an access control system. 
  • you may choose to share special category information in your communications with us. 

We need to have further justification for collecting, storing and using this type of personal information, in addition to having one of the general bases set out in section 6 above. Where required by applicable laws, we will take steps to have in place an appropriate policy document and safeguards relating to the processing of such personal information. 
 
Where we do collect and handle special category personal information, we will only handle that information in accordance with applicable law, including where: 

  • we have your explicit consent – including where you voluntarily provide us with that information 
  • processing is necessary for the establishment, exercise or defence of legal claims; or 
  • processing is necessary for reasons of substantial public interest such as preventing and detecting unlawful acts of fraud. 

Less commonly, we may process this type of information where it is needed to protect your vital interests (or someone else's vital interests) and you are not capable of giving your consent, or where you have already made the information public. 
  

8. Direct marketing 

 
We may use your personal information to send you updates (by email, telephone, push notifications, post or text message) about our services including exclusive offers, promotions or products where you as a consumer have consented for us to do so. 
 
To protect your privacy rights and to ensure you have control over how we market to you: 

  • At any time you can update or correct your personal profile, or change your preferences for the way in which you would like us to communicate with you, including how you receive details of latest offers or news from us; 
  • If you have an online account with us, the easiest way to make updates to your marketing preferences and/or change your personal details is to log onto your account.  

You can opt out of receiving marketing communications from us at any time by: 

  • You can also click the "unsubscribe" link that you find on any online newsletters or marketing communication you receive; 
  • disabling push notifications within the setting screen of our mobile app. 
  • sending us an email to Membership.SM@serco.com.  Please ensure your correspondence is marked ‘Unsubscribe: Marketing Contact List’ and include your full name, membership number, email and telephone number to ensure your details are fully deleted from our direct marketing system (please specify whether you would like us to stop all forms of marketing or just a particular type of marketing) 
  • by replying STOP to any of our text messages 
  • call us directly and speaking to a member of our team on 01296 484 848 or in person at the front desk on your next visit. 

We will not sell your information, or share with other organisations without your prior permission for marketing purposes. We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you. 
  

9. CCTV 

 
We currently have closed circuit television (CCTV) operating on our premises. The information processed may include visual images of personal appearance and behaviours and in certain circumstances various sound recordings of staff, customers and members of the general public who were in the immediate vicinity of the area under surveillance. 
 
We display signs to inform visitors and staff that they are under surveillance and may be video and sound recorded. This information is kept in secure environments and access is restricted to designated staff and any use shall be in compliance with the  security and privacy policies. 
 
We retain CCTV recordings centrally for up to 31 days, and for a longer period if they are relevant to an incident, complaint, investigation, legal proceedings or for as long as legally required by regulatory bodies and law enforcement agencies. 
  

10. Children’s information 

 
Our services may be booked directly and used by individuals aged 16 years or over. We do not knowingly collect or solicit personal information directly from anyone under the age of 16 or knowingly allow such persons to provide us with their personal information without parent or guardian consent. 
 
If you are under 16, do not send any information about yourself to us, including your name, address, telephone numbers, or email address, unless you have your parent's or guardian's permission. 
 
In the event we learn that we have collected personal information from anyone under the age of 18, and do not have a parent or guardian's consent, we will delete that information as quickly as possible. 
 
If you have any concerns, please contact via the details in section 17. 
 
In the event that we do hold personal data about children, we will handle that data in accordance with the terms of this Privacy Policy. 
  

11. Sharing your personal information with others 

 
We will only disclose personal information to a third party in very limited circumstances, or where we are permitted to do so by law. The third parties to whom we provide your personal data include: 
  

  • The British Wheelchair Sports Foundation Limited (WheelPower) registered in England & Wales under charity number 265498 and company number 01059490 
  • Other organisations within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business; 
  • with third parties who help manage our business and deliver services (e.g. Personal Trainers, payment service providers, marketing agencies, debt collectors, IT support service providers, analysis experts such as Experian, communication platform providers). These third parties have agreed to confidentiality restrictions and use any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us. 
  • third parties approved by you e.g. when you request your details to be transferred; 
  • our professional advisors (e.g. law firms, insurers, auditors, brokers); and 
  • Government, regulatory and law enforcement bodies where we are required in order: 
  1. to comply with our legal obligations; 
  1. to exercise our legal rights (e.g. pursue or defend a claim); and 
  1. for the prevention, detection and investigation of crime. 

The Trusts or Serco may share your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is an operational or management change of the business. 

We also impose data protection obligations on contracted third parties to ensure they can only use your data to provide services to the Trust for the purposes listed above.  These third parties cannot pass your details onto any other parties unless instructed to by the Trust.   
  

12. Transferring your personal information globally 

 
The personal information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA") (for example, in the USA). It may also be processed by workers operating outside the EEA who work for us or for one of our service providers. 
 
We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests. To achieve this, transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we are satisfied that alternative arrangements are in place to protect your privacy rights. To this end, we will: 

  • in the limited circumstances that information is transferred within Serco Group, ensure such transfers are covered by an intra-group data sharing agreement entered into be all relevant entities within Serco Group, which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection. 
  • when transferring personal data to third parties outside the EEA: 
  • put in place binding corporate agreements, which will include the standard contractual clauses approved by the European Commission for transferring personal information outside the EEA, to ensure that your information is safeguarded; or 
  • ensure that the country in which your personal information will be handled has been deemed "adequate" by the European Commission or the company is registered and compliant with a European Commission approved privacy shield scheme. 
  • carefully validate any requests for information from law enforcement or regulators before disclosing the information. 

We will co-operate with any regulators as required by law to ensure that we remain transparent about the way we handle your personal information. 
In any case, our transfer, storage and handling of your personal information will continue to be governed by this Privacy Policy. If you would like further information about the global handling of your personal information, please contact us by emailing DPOLeisure@serco.com
  

13. Security of your personal information 

 
We take precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction.  We protect your personal information using a variety of security measures including: 

  • password access; 
  • data back-up; 
  • encryption; 
  • firewalls; 
  • placing confidentiality requirements on employees and service providers; 
  • providing training to our employees to ensure that your personal data in handled correctly;   
  • destroying or permanently anonymising personal information if it is no longer needed for the purposes it was collected; and 
  • secure physical storage units for hard copy files with appropriate security restrictions, preventing damage, and unauthorised access to your personal information. 

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we have in place robust procedures and security features to try to prevent unauthorised access 
  

14. How long do we keep your personal information? 

 
We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Privacy Policy, including where we maintain an ongoing business relationship you. 
 
Generally, we will retain your personal data in accordance with any applicable limitation period (as set out in any applicable law), which will usually be six (6) years following the expiry of our business relationship with you.  
  
In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting requirements or to have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.  When no longer necessary to retain your personal information, we will delete or anonymise it. 
  

15. Your legal rights in respect of your personal information 

 
You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to: 

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. 
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. 
  • Request erasure of your personal information (commonly known as the "right to be forgotten"). This enables you to ask us to delete or remove personal information in limited circumstances, where: (i) it is no longer needed for the purposes for which it was collected; (ii) you have withdrawn your consent (where the data processing was based on consent); (iii) following a successful right to object (see Object to processing); (iv) it has been processed unlawfully; or (v) to comply with a legal obligation to which the Trust and/or Serco is subject. 

We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for a number of reasons, including: (i) for compliance with a legal obligation; or (ii) for the establishment, exercise or defence of legal claims. 

  • Object to processing of your personal information by us or on our behalf which has our legitimate interests as its legal basis for that processing, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection,  we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. You can object at any time to your personal information being processed for direct marketing (including profiling). 
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, but only where: (i) its accuracy is contested, to allow us to verify its accuracy; (ii) the processing is unlawful, but you do not want it erased; (iii) it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or (iv) you have exercised the right to object, and verification of overriding grounds is pending. 

We can continue to use your personal information following a request for restriction, where: (i) we have your consent; (ii) to establish, exercise or defend legal claims; or (iii) to protect the rights of another natural or legal person. 
  

  • Request the transfer of your personal information. You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where: (i) the processing is based on your consent or on the performance of a contract with you; and (ii) the processing is carried out by automated means. 
  • Obtain a copy, or reference to, the personal data safeguards used for transfers outside the European Union. We may redact data transfer agreements to protect commercial terms. 
  • Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent (please refer to section 8 for details about withdrawing consent to direct marketing). 

Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request. 
 
We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive. 
 
If you would like to exercise any of these rights, please submit your requests to: DPOLeisure@serco.com or call +44 (0)1256 745900. 
 
Subject to legal and other permissible considerations, we will make every effort to honour your request promptly to inform you if we require further information in order to fulfil your request.   
 
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way. 
  

16. Requests about your child’s information 

 
Children have the same rights over their own personal information as an adult. However, as young children may not understand these rights or are not capable of exercising these right, in some cases their parents / guardians may do so on their behalf. 
  

17. Data protection contacts 

Serco has a Data Protection Officer (DPO) that oversees compliance with this Privacy Policy. 

If you have any questions about this Privacy Policy or how we handle your personal information, please address to:  
 
Data Protection Officer 
Serco Limited   
Enterprise House                                                                                                                   
18 Bartley Wood Business Park                                                                                   
Bartley Way                                                                                                                     
RG27 9XB 
  
Alternatively, please email DPOLeisure@serco.com or call +44 (0)1256 745900. 
  
Supervisory authority 
We ask that you please attempt to resolve any issues with us first by contacting the DPO, however you have a right to contact your local supervisory authority at any time and lodge a complaint (which in the UK is the Information Commissioner's Office). The supervisory authority will then investigate your complaint accordingly. 
  

18. Changes to this privacy policy 

 
This Privacy Policy was last reviewed and updated on 5th June 2024. We may amend this Privacy Policy from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check this page for the latest version of this Privacy Policy.