7Futures is committed to protecting the privacy of your data.
This privacy notice explains who we are, how and why we collect, store and use personal information, your rights in relation to your personal information, and how to contact us and the authorities in the event you have a complaint.
For the purposes of UK data protection laws, the Data Controller is 7Futures, Laurel Drive, 7 George Fox Lane, Fenny Drayton, Warwickshire, CV13 6BE.
We are registered with the Information Commissioner’s Office, registration number ZA386013.
In this notice the term ‘client’ refers to an organisation which contracts to use the services of 7Futures.
WHO WE ARE
7Futures is a UK based provider of health and wellbeing events and programmes to businesses across a variety of sectors. We are engaged by employers to provide events and services for employees. To do this, we act as a data processor for our clients. In certain cases we also hold personal data for current and potential users of our service, and are responsible as a data controller for this information.
DATA PROTECTION PRINCIPLES
Our company is committed to being transparent about how it collects and uses data and to meeting its data protection obligations. We will comply with data protection law and principles which means that your data will be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
This policy applies to our processing of personal data for individuals other than:
- 7Futures employees, who should refer to the GDPR Privacy Notice for employees, workers and contractors; and
- Applicants to vacancies with 7Futures who should refer to the Candidate Privacy Notice on our website.
REASONS WE CAN LEGALLY COLLECT AND USE YOUR PERSONAL INFORMATION
We may use your personal information for a number of different purposes and for each purpose we must have a lawful basis for processing your personal data.
We may rely upon the following lawful bases to collect and use your personal or sensitive data:
Consent: where you have given clear consent for us to process your personal data for a specific purpose.
Contract: where the processing is necessary for a contract you have with us.
Legal obligation: where the processing is necessary for us to comply with the law (not including contractual obligations).
Vital interests: where the processing is necessary to protect someone’s life.
Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.
THE PERSONAL INFORMATION WE COLLECT AND USE
Information from client organisations.
7Futures is contracted by client organisations to deliver wellbeing events and programmes. In the course of the engagement and planning process, 7Futures may be made aware of commercially sensitive information about the client organisation. This will be treated as highly confidential and will not be shared. Processing of this information is necessary for performance of the contract.
Client organisations may provide 7Futures with personal data of their employees. Where we are provided with personal data by the client organisation, it is the responsibility of the client organisation to ensure they have a legal basis for the provision of such information to 7Futures.
Such employee data may include employee name, gender, age, department, job title, email address, work phone number, mobile telephone number. This data is used for the sole purpose of providing our service to the client organisation and the legal basis for processing is the performance of a contract with our client.
On behalf of the client we may contact employees directly either by email, letter, text, telephone or via project websites and intranets. This communication may be to invite individuals directly to launch days, health events, workshops, body composition analysis, wellness checks (including but not limited to grip strength, blood pressure, glucose and cholesterol testing), one-to-one coaching, counselling sessions, health and safety events, internal events, team building and motivational events or other events we may organise in order to provide a service to the client. We may also provide post-event resources and additional information and issue feedback surveys. The legal basis for processing is the performance of a contract with our client.
Information from individuals.
We may receive personal data from individuals who register prior to attending events we run on behalf of client organisations. We use this data for the performance of a contract with our client i.e. delivering the health and well-being event.
We may receive personal data from attendees at our events. The personal data we receive may include the following: name, gender, age, department, job title, work email address, personal email address, work phone number and mobile phone number.
In addition, at certain events we may process sensitive personal information such as weight, height, blood pressure, body composition analysis, information on physical and mental health and fitness, medical conditions and injuries. We process this information in order to provide appropriate health and well-being services and advice to you.
By attending these events and participating in activities such as blood pressure testing, body composition analysis, wellness checks and other measurements of body function and fitness, you consent to 7Futures processing your sensitive personal data. Such data may include confidential verbal and written information gained during the process of provision of service including data provided through online or written personality, motivational and well-being questionnaires. Data may include file notes to assist us in providing relevant resources for you.
We process this data in order to provide you with an indication of progress made against your health objectives should you choose to revisit our services in the future, or should you seek further health measures with another provider and wish to compare with the results we hold for you.
We do not share your personal data with third parties and we take appropriate measures to safeguard sensitive data.
In certain cases we may provide anonymized results to client organisations in order that they may measure the effectiveness of their investment in health and well-being activities for employees. Any such report will anonymise your data with that collected from other individuals and data will not identify individuals. (You will be given prior notice of any such anonymized reporting and may refuse your consent.)
IF YOU FAIL TO PROVIDE PERSONAL INFORMATION
Where we need to collect personal data by law or under the terms of the contract we have with you, and you do not provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case we may stop providing that service but will notify you if this is the case at the time.
The company takes the security of your data seriously and has internal policies and controls in place to ensure that your data is not accidentally destroyed, misused or disclosed and is not accessed except by our employees in the proper performance of their duties. We limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and are subject to a duty of confidentiality. We have a range of security measures concerning access to our premises and systems.
We have put in place procedures to deal with any suspected security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
HOW LONG WILL DATA BE HELD?
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected.
When deciding how long to keep data we assess the amount of data, nature and sensitivity, potential risk of harm from unauthorised use or disclosure, processing purposes and whether these may be achieved by other means and our legal requirements.
We hold data on client organisations for as long as we are providing the services to the client, or to comply with our legal obligations, enforce the terms of our contracts, resolve disputes or prevent abuse.
We hold data on employees or other service users of the client for the duration of our contract with the client, and generally erase it within 18 months of the contract termination. We hold this data to enable you to compare any change in your health measures at a future event or consultation, or if you seek further health measures with another provider and wish to compare with any results we hold for you.
As a data subject, under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a 'data subject access request'). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of the third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you have any questions regarding this policy, or if you would like to speak to us about the manner in which we process your personal data, or to exercise any of the above rights, please email our Data Security Manager: Mark Davies, firstname.lastname@example.org or telephone 07595 983620
You also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at any time. The ICO’s contact details are as follows:
Information Commissioner’s Office
Telephone – 0303 123 1113 (local rate) or 01625 545 745
Website – https://ico.org.uk/concerns