This policy provides an explanation as to what happens to any personal data that you share with us, or that we collect from you either directly via this Website or via email.
Certain businesses are required under the Data Protection Act to have a data controller. For the purpose of the Data Protection Act 1998 and updates in 2018 our data controller is Dom Greenwood and can be contacted via email at email@example.com
In operating our Website we may collect and process the following data about you:
• Details of your visits to our Website and the resources that you access including, but not limited to, traffic data, location data, weblog statistics and other communication data.
• Information that you provide by filling in forms on our Website, such as when you register to receive information such as a newsletter or contact us via the contact us page.
• Information provided to us when you communicate with us for any reason.
On occasion, we may gather information about your computer for our services, and to provide statistical information regarding the use of our Website to our advertisers. Such information will not identify you personally; it is statistical data about our visitors and their use of our site. This statistical data does not identify any personal details whatsoever. It is used by us to analyse how visitors interact with our websites so that we can continue to develop and improve our websites.
We may gather information about your general internet use by using a cookie file that is downloaded to your computer. Where used, these cookies are downloaded to your computer automatically. This cookie file is stored on the hard drive of your computer. Cookies help us to improve our website and the service that we provide to you.
All computers have the ability to decline cookies. This can be done by activating the setting on your browser which enables you to decline the cookies. Please note that should you choose to decline cookies, you may be unable to access particular areas of our Website.
Any advertisement featured on this website or link to a website controlled by a third party may also incorporate cookies over which we have no control. Such cookies (if used) would be downloaded once you click on the advertisement or link to the third party website.
For more information on cookies you can read the guidance at www.allaboutcookies.org
We may use Google Analytics for SEO purposes and to improve our online marketing efforts. For a detailed explanation of how Google Analytics cookies work and what data it gathers, please visit: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
We partner with certain organisations to carry out certain aspects of our operation. For example, we use a company called Harlands to make direct debit collections on our behalf for members of our clubs in the UK. We share with Harlands all of the information which is necessary to make these collections and in order for them to be able to meet their obligations under the Direct Debit Guarantee Scheme.
Data that is provided to us is stored on our secure servers. Details relating to any transactions entered into via our site will be encrypted to ensure their safety.
The transmission of information via the internet is not completely secure and therefore we cannot guarantee the security of data sent to us electronically and the transmission of such data is entirely at your own risk. Where we have given you (or where you have chosen) a password so that you can access certain areas of our site, you are responsible for keeping this password confidential.
The énergie group operates a health and fitness franchise business in the United Kingdom as well as in several other countries.
This is the policy for the use of CCTV in clubs operating under the following brands in England and Wales:
• énergie Fitness
• énergie Fitness Clubs
• énergie Fitness for Women
2. Purpose of the Policy
The purpose of this policy is to make a clear statement of the way in which énergie, and the clubs operating under its various brands in the United Kingdom, make use of CCTV.
The policy describes the following:
• The rationale for using CCTV
• The areas in which we use CCTV and the areas in which we do not use CCTV
• How we make members of the public, staff who work in the clubs and any other visitors aware of the fact that CCTV is in operation
• How we store the recorded images and how long we keep them for before destroying them
• The circumstances under which we would consider releasing the images to a third party such as the police or other law enforcement agencies
• Requests from individuals who believe they have appeared in images captured on CCTV – Data Access Requests
• Our use of security companies
3. Rationale for the Use of CCTV
CCTV allows us to monitor activity in and around our clubs. It can be used to help us investigate the actions of individuals in connection with specific events such as an accident, theft or assault.
The main reasons we use CCTV include, but are not limited to, the following:
• To protect the health and safety of visitors and staff
• To help us to ensure that club rules are respected
• To help with training and giving feedback to our staff
• To assist the law enforcement authorities in a bid to deter and detect crime
• To protect our buildings, equipment and other resources by deterring those who might damage or steal them
• To monitor the behaviour of our staff while they are at work
• To investigate whether there is any fraudulent use of our clubs, for example, when a membership card or fob is used by an individual other than the one to whom it was issued
4. The Areas in which we Use CCTV
The layout of our clubs varies from site to site. However, in general terms, we would use CCTV in the following areas:
• In the reception area
• On the main gym floor
• In the studio if there is one
• In the free weights area
• In the corridors and stairwells
• In the areas around the outside of the building including the car park if there is one – this could include areas such as the pavement or a road which were used by members of the public who have no connection with énergie or any of its franchises or clubs
• In areas used by staff which are not normally accessible to the public, such as an office or staff room
• Any other areas not specifically mentioned in the exclusions below
We would never install CCTV in the following areas:
• Changing rooms
• Sauna/steam room
5. How we Publicise our Use of CCTV
We make members of the public, staff who work in the clubs and any other visitors aware of the fact that CCTV is in operation by displaying prominent signage such as the example shown below:
A sign such as the above would be displayed in each area in which a camera was located. We will also publicise the reasons why we are making recordings as well as the contact details for the data controller. For example, by displaying information such as the following:
| Version | Date Of Revision | Author | Description Of Changes |
|---|---|---|---|
| 1.0 | 28th May 2017 | David Waugh | Initial Version |
The information that we collect and store relating to you is primarily used to enable us to provide our services to you. In addition, we may use the information for the following purposes:
Where applicable, we may disclose your personal information to any member of our group. This includes, where applicable, our subsidiaries, our holding company and its other subsidiaries.
We may also disclose your personal information to third parties:
You might find links to third party websites on our Website. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.
The Data Protection Act 1998 & 2003 gives you the right to access the information that we hold about you. Should you wish to receive details that we hold about you please contact us using the contact details below.
This is the data breach policy for énergie Global Brand Management (énergie) which also trades using the following brand names:
• énergie Direct Franchising
• énergie Fitness
• énergie Fitness Clubs
• énergie Fitness for Women
We take the security of the data which we hold very seriously and go to great lengths to ensure that it is adequately protected and is used only for the purposes for which it was collected. We have a series of policies and procedures in place to ensure that we comply with all current legislation. We train our staff to ensure that they are aware of their responsibilities in protecting the data and how they should act when using it. We also employ sophisticated means to protect our data from malicious attack and attempts to gain unauthorised access or make unauthorized use of the data which we hold. We destroy or anonymise data as soon as there is no longer a justification for us to hold it in relation to the purposes for which it was collected.
Despite all of the above it is, unfortunately, impossible for us to completely protect all of the data which we hold from theft, attack, unauthorised use or failure to follow agreed procedures. This policy describes the measures we take to monitor whether any breaches have occurred and the procedures we will follow should we become aware that a breach may have occurred.
This policy applies to the following individuals and organisations:
• All individuals who work for the énergie Group in the United Kingdom and all territories covered by the General Data Protection Regulations (GDPR) whether they are employed directly or are contracted to work on behalf of the organization
• All individuals who work in the fitness clubs located in the United Kingdom and all territories covered by the GDPR which are owned by ourselves or our franchisees whether they are employed directly or are contracted to work in the clubs on a regular or casual basis
• Our partners who process and collect data on our behalf, for example, the Harlands Group which processes direct debits on our behalf. Each of our partner organisations whom we deem to be covered by this policy has been sent a copy and has given an assurance that they will abide by its contents.
This policy applies to the following data:
• All data and information which we hold related to private individuals including, but not limited to, the following:
o Members, prospective members and ex members of our clubs
o Current and past franchisees and those individuals who have expressed an interest in finding out more about becoming a franchisee
o Staff and other workers, for example studio instructors and cleaners, who work or have worked at our clubs and those of our franchisees and individuals who have expressed an interest in working at our clubs
o Staff and other workers who work in our own offices or in the field in whatever capacity we employ them
• Sensitive data related to our business, for example, records of our finances or legal affairs
• Sensitive data related to the businesses of our franchisees, for example, our assessments of their performance, records of their finances or legal affairs
This policy applies to the data described above held in any form, including but not limited to:
• élan4Clubs and élanHQ and their related databases which are the main software applications which we use to manage and monitor the performance of our clubs as well as many other administrative operations which take place at our offices
• Other applications which are used in our offices and those of our franchisees, for example, Infusionsoft which we use to manage our relationship with franchisees and prospective franchisees or Exchequer which we use to manage our finances
• Any other electronic form such as in Excel spreadsheets, Word documents, email contents, etc
• Information recorded on paper or any other physical media whether that be a formal document stored for record keeping or legal purposes or an informal document such as an ad hoc note
Monitoring whether a Breach has Occurred
We take the following measures to monitor whether a breach has occurred and to ensure that we become aware should a breach or a potential breach come to the attention of any of our staff, members of our club or any other individual:
• By publishing this policy on our public facing websites we promote awareness of its existence and make any visitor to our public facing website aware of the steps they can take should they suspect that a breach has occurred or may occur in the future. The policy itself clearly describes how anyone can communicate their concerns to named individuals within énergie.
• This policy is published on élan which is the software application which is used in our clubs and our central operation to manage and monitor the operation of our clubs. As a result, the policy is made available to our own staff, our franchisees and the individuals who work in their clubs. The policy clearly lays out what they must do in the event that they suspect that a breach has occurred or may occur in the future.
• We make use of sophisticated cyber protection software which monitors activity in our data centres and reports any unusual activity such as large volumes of data being downloaded to unknown IP addresses.
• We train our staff, franchisees and those individuals who work in our clubs in various ways, for example, by running sessions at our quarterly development meetings, the course we run on a regular basis for new franchisees and club managers (the énergie Basic Management Course) and other ad hoc training sessions which we run from time to time.
• We include all of our data protection policies in our operating manual which is made available to our franchisees and club managers.
• We designate specific individuals within énergie and Hedgehog Business Solutions (who are our software partner and main data processor) with the responsibility of monitoring for any breach or potential breach and acting upon any information which is provided.
Advice and Support
Any individual who requires advice or support in relation to this policy or an incident they feel it may cover should first of all speak to their manager or the owner of the club at which they work. If this is not possible or felt to be appropriate or if further advice or support is needed then the matter may be referred to any of the following:
• The énergie helpdesk by ‘phone on 020 3874 5202 or by email to firstname.lastname@example.org
• énergie’s data protection officer by ’phone on 01908 396 212 or by email to email@example.com
• By mail to:
Data Protection Enquiries
NB Please use email or ‘phone if you feel that your query needs to be addressed urgently.
This policy requires that any individual who is included in its scope (described above) who suspects that a theft, breach, unintended exposure or unauthorised access of the data described above has occurred must report the fact as soon as is reasonably possible and in any case within one working day of the information coming to their attention.
If possible, a written description of the nature of the breach or suspected breach along with details of the date and time at which it occurred should be provided to any of the contacts listed above as sources of help and advice. Information may be supplied anonymously but it would be most helpful if the name and contact information of the person reporting the breach could be supplied.
Examples of practices which may be likely to lead to a breach should also be reported in the same way.
What we will do when Issues are Reported to us
The matter will be initially reviewed by the Data Protection Officer (DPO) who will consider the circumstances and the information which has been supplied. One or more of the following actions may be taken:
• If it seems likely that a breach has taken place and there is a credible risk that further access to the same information or to other information may occur, or if a practice has been reported which seems to have a high risk of resulting in an imminent breach, immediate steps will be taken to protect the resource, for example, by shutting down the function or service which was used to gain access to the information or strengthening the security around it.
• As soon as there is firm evidence of the nature of any data having been inappropriately accessed and where it is possible to identify those individuals who may have been affected, a communication plan will be developed in conjunction with our own communications scheme involving legal and human resource departments to decide whether and how to communicate the breach to:
o internal employees
o the public
o those directly affected
• The communication is likely to include information such as:
o The date and time on which the breach occurred
o The data which has been accessed, eg names, contact numbers, email addresses
o The steps which we are taking to investigate the matter and ensure that it does not reoccur
• The matter itself may also be brought to the attention of any one or more of the following:
o The manager of any persons involved in the matter
o The managers and owners of any clubs connected with the matter or who have members potentially affected by the matter
o The Office of the Data Commissioner
o The law enforcement authorities
o Third party suppliers
o The CEO and other members of énergie’s board
o Other members of staff
o Any other individual or body we believe is appropriate
• The Systems and Technology Director will be informed and will liaise with the DPO throughout the incident to ensure that the DPO’s requests for further information and action are complied with.
• The DPO will formulate a plan of action in conjunction with the Systems and Technology Director on the steps needed to deal with the matter. Where appropriate and where practical, individuals from énergie, its franchisees and those who work in its clubs, its suppliers and any other relevant partners will be included as sources of information or to otherwise assist in the implementation of the plan.
• The Systems and Technology Director will assess whether the CEO should be informed immediately or whether it is acceptable to wait until further information has been gathered.
• If action is needed from a third party or if the DPO considers that they need to be made aware of the matter then the DPO will contact them immediately or as soon as is practical after sufficient information has been gathered to properly inform the third party.
• As provided by énergie Global Brand Management’s cyber insurance and where necessary and appropriate, the insurer will provide access to forensic investigators and experts who will help determine how the breach or exposure occurred; the types of data involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause.
• If, at any time throughout the investigation and resolution of the matter, the Systems and Technology Director feels that the CEO’s authority is needed to obtain information or implement a necessary action, the CEO will be contacted immediately to discuss the need and to ensure that appropriate action results.
• The DPO will follow the plan and will, as far as possible, gain a full understanding of the nature and extent of the matter.
• In all cases where a breach or potential breach has been reported, the DPO will write a full report of the incident and submit it to the Systems and Technology Director and the CEO. The report will include any recommendations which the DPO believes should be considered. Such recommendations could include, but are not limited to the following:
o Creation of new policies or the review and amendment of existing policies and practices
o Review of training programmes where existing policies have not been properly followed
o Disciplinary action against any individuals who have acted carelessly or maliciously
Any Énergie Global Brand Management personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company found in violation may have their network connection terminated.
| Version | Date Of Revision | Author | Description Of Changes |
|---|---|---|---|
| 1.0 | 10th August 2017 | David Waugh | Initial Version |
We welcome any queries, comments or requests you may have regarding this policy. Please do not hesitate to contact us via the website www.energiefitness.com
If you would prefer to write to us then our contact address is:
Data Protection Enquiries