GDPR

1. Policy Statement

Defensive Fitness Academy (The DFA) is committed to complying with the requirements of:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018

The DFA recognises its responsibility to process personal data lawfully, fairly, and transparently, and to protect the rights and freedoms of all individuals whose data we process.

2. Scope

This policy applies to:

  • All personal data processed by the DFA
  • All staff, instructors, volunteers, and contractors
  • All systems (paper and electronic)
  • All data relating to students, parents/guardians, staff, contractors, website users, and third parties

3. Definitions

Personal Data – Any information relating to an identified or identifiable person.
Special Category Data – Data revealing health information, racial or ethnic origin, religious beliefs, etc.
Processing – Collection, storage, use, sharing, deletion, or destruction of data.
Data Subject – The individual to whom the data relates.
Data Controller – The DFA (determines how and why data is processed).

4. Data Protection Principles

The DFA adheres to the six UK GDPR principles:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)

We also uphold the principle of accountability.

5. Lawful Bases for Processing

The DFA processes personal data under the following lawful bases:

  • Contract – Student enrolment, employment contracts
  • Legal obligation – Safeguarding, health & safety, insurance
  • Legitimate interests – Running classes, internal administration
  • Consent – Marketing communications, photography, certain medical information
  • Vital interests – Emergency medical situations

Special category data (e.g., medical conditions) is processed under:

  • Explicit consent
  • Safeguarding obligations
  • Health & safety requirements

6. Categories of Data Processed

The DFA may process:

Students

  • Name, address, contact details
  • Date of birth
  • Emergency contacts
  • Medical information (where relevant)
  • Attendance records
  • Payment records
  • Safeguarding records (where applicable)

Parents/Guardians

  • Contact details
  • Relationship to student
  • Payment information

Staff/Instructors

  • Contact details
  • Employment records
  • DBS status
  • Qualifications
  • Payroll information

Website Users

  • IP address
  • Cookies (see Cookie Policy)
  • Contact form submissions

7. Data Security

The DFA implements appropriate technical and organisational measures, including:

  • Password-protected devices
  • Encrypted digital storage where applicable
  • Secure cloud-based systems
  • Restricted access to sensitive data
  • Locked storage for paper records
  • Secure disposal (cross-cut shredding)

Access is limited strictly to those who require it for legitimate business purposes.

8. Data Retention

Personal data is retained only as long as necessary for the purpose for which it was collected.

Retention periods are defined in the DFA Retention & Disposal Policy and reflect:

  • Legal requirements
  • Insurance obligations
  • Safeguarding best practice
  • HMRC requirements (minimum 6 years for financial records) 

9. Data Sharing

DFA may share personal data with:

  • Payment processors
  • Insurance providers
  • Professional advisers
  • Regulatory authorities (where legally required)
  • Safeguarding authorities (where required)

We do not sell personal data.

All third-party processors are required to comply with UK GDPR.

10. International Transfers

The DFA does not transfer personal data outside the UK.

11. Individual Rights

Under UK GDPR, individuals have the right to:

  • Be informed
  • Access their data (Subject Access Request)
  • Rectification
  • Erasure (“right to be forgotten”)
  • Restriction of processing
  • Data portability
  • Object to processing
  • Not be subject to automated decision-making

Requests must be responded to within one calendar month.

12. Subject Access Requests (SARs)

The DFA will:

  • Verify identity before disclosure
  • Provide information free of charge (unless excessive)
  • Respond within one calendar month
  • Keep a record of requests

Full procedure is detailed in the DFA SAR Procedure.

13. Data Breaches

A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

All breaches must be reported immediately to the DFA Data Protection Lead.

Where required, the DFA will report breaches to the:

  • Information Commissioner’s Office within 72 hours

Where a breach poses high risk to individuals, affected individuals will be notified without undue delay.

Full procedure is detailed in the DFA Data Breach Response Policy.

14. Safeguarding Data

Safeguarding records are:

  • Restricted to authorised personnel only
  • Stored securely and separately where appropriate
  • Shared strictly on a need-to-know basis

15. Photography & Media

Photographs or videos of students will only be used:

  • With written consent (for minors, parental consent required)
  • For specified purposes (marketing, website, social media)
  • In line with DFA safeguarding procedures

Consent may be withdrawn at any time.

No photography of any kind will be permitted of anyone under the age of 18.

16. Training & Responsibilities

All staff and instructors must:

  • Read and comply with this policy
  • Complete appropriate data protection awareness training
  • Immediately report suspected data breaches
  • Only access data necessary for their role

Failure to comply may result in disciplinary action.

17. Governance & Accountability

DFA maintains:

  • Records of Processing Activities (ROPA)
  • Data protection policies and procedures
  • Risk assessments where required
  • Contracts with processors

The designated Data Protection Lead is:

Name: Scott Deane
Email: scott@defensivefitness.co.uk

18. Complaints

Individuals may raise concerns with the DFA directly.

Please see our complaints policy page.

They also have the right to complain to the:

19. DFA Subject Access Request (SAR) Procedure

19.1. Purpose

This procedure sets out how DFA handles Subject Access Requests (SARs) in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It ensures that individuals can exercise their right to access personal data held about them and that DFA responds lawfully, promptly and consistently.

19.2. Scope

This procedure applies to all personal data processed by DFA relating to:

  • Students
  • Parents/Guardians
  • Staff and Instructors
  • Volunteers
  • Website users
  • Contractors

It covers both electronic and paper-based records.

19.3. What is a Subject Access Request?

A Subject Access Request (SAR) is a request made by an individual asking:

  • Whether DFA processes their personal data
  • To receive a copy of their personal data
  • To receive supplementary information about how their data is processed

A request does not need to mention “Subject Access Request” or “UK GDPR” to be valid.

A SAR can be made:

  • In writing (email, letter, website form)
  • Verbally (in person or by phone)

19.4. Responsibility

  • The Data Protection Lead (or designated responsible person) is responsible for managing SARs.
  • All staff must immediately forward any SAR to the Data Protection Lead.
  • No staff member should respond independently unless authorised.

19.5. How to Recognise a SAR

A SAR may include statements such as:

  • “Can I see the information you hold about me?”
  • “What data do you have on my child?”
  • “Please send me my records.”
  • “I want a copy of my personal information.”

If there is uncertainty, treat the request as a SAR and escalate immediately.

19.6. Identity Verification

Before disclosing any personal data, DFA must verify the identity of the requester.

19.6.1 Acceptable Verification

  • Photo ID (passport or driving licence)
  • Proof of address (utility bill within 3 months)
  • For parents/guardians: confirmation of parental responsibility

If identity cannot be verified, the response period will pause until sufficient verification is provided.

19.7. Timeframe for Response

The DFA will respond:

  • Within one calendar month of receipt
  • The time begins once identity is verified (if required)

The timeframe may be extended by up to two additional months if:

  • The request is complex
  • Multiple requests are made

If extended, the DFA will notify the requester within the first month and explain why.

19.8. Fees

  • SARs are generally free of charge.
  • A reasonable administrative fee may be charged if:
    • The request is manifestly unfounded or excessive
    • Repeated copies are requested

Any refusal or fee will be clearly explained in writing.

19.9. Information to Be Provided

The DFA will provide:

  • Confirmation of whether personal data is processed
  • A copy of the personal data
  • The purposes of processing
  • Categories of personal data
  • Recipients or categories of recipients
  • Retention period (or criteria used)
  • Information about rights (rectification, erasure, restriction, objection)
  • Right to complain to the Information Commissioner’s Office (ICO)
  • Source of data (if not collected directly)

Data will be supplied securely (encrypted email or secure transfer where appropriate).

19.10. Reviewing and Redacting Information

Before disclosure, the DFA will:

  • Review all relevant records
  • Remove third-party personal data unless:
    • Consent has been obtained, or
    • It is reasonable to disclose without consent

Exemptions under the Data Protection Act 2018 may apply, including but not limited to:

  • Safeguarding information
  • Legal privilege
  • Confidential references
  • Management forecasting

Any withheld information will be documented internally.

19.11. Refusal of Request

The DFA may refuse a SAR where it is:

  • Manifestly unfounded
  • Manifestly excessive

If refusing, the DFA will:

  • Inform the individual within one month
  • Explain the reason
  • Inform them of their right to complain to the ICO
  • Inform them of their right to seek judicial remedy

19.12. Special Considerations for Children

Where a SAR relates to a child:

  • The child’s capacity to understand their rights will be considered
  • Parents may make requests on behalf of children where appropriate
  • The best interests of the child will be prioritised

19.13. Record Keeping

The DFA will maintain a SAR Log, recording:

  • Date received
  • Name of requester
  • Nature of request
  • Identity verification completed
  • Date response sent
  • Any exemptions applied
  • Outcome

Records will be retained in line with the DFA Retention & Disposal Policy.

20. Policy Review

This policy will be reviewed annually or following any lockdown event to ensure its effectiveness and to make necessary updates.
