The purpose of this policy is to explain how the Lensbury Ltd (‘Lensbury’) looks after personal data. The principal activities of the Lensbury are the provision of hotel, conference and leisure facilities, and managing a proprietary club.
The Lensbury complies with all legislation for the collection, use, security and administration of data collected about our members and guests. The data controller is Lensbury, registered at Broom Road, Teddington TW11 9NU.
The data the Lensbury holds on individuals:
• Is used lawfully and transparently
• Is used for the purposes explained to you at the time your information was collected
• Is held securely and confidentially
• Is accurate and kept up to date
• Is kept for only as long as there is a legitimate need or to meet legal requirements
• Is never sold to any third party
• Is never transferred outside of the EU.
2.1.1. Current members provide ‘basic contact’ information (full name, title, address, email and telephone number) and sensitive information (date of birth and photograph). In some instances we capture additional sensitive information (refer to Section 3). Members receive key subscription information and the Lensbury News by hard copy. Members, who have provided their email addresses, receive e-bulletins from the Lensbury on a periodic basis. Members can “unsubscribe” to the e-bulletins as they wish by hitting the “unsubscribe” link provided on each e-bulletin. By choosing this, members email details are still held but they will no longer receive the e-bulletins. Members also can provide their contact preferences to receive information related to their membership by filling out the “preferences” section of the members’ website.
2.1.2. Leaving members ‘Basic contact’ information will remain on our systems for seven years but sensitive information will be deleted three years from cancellation of membership. Basic contact information may be used during that seven year period for annual offers to former members. Former members may “unsubscribe” to these annual e-bulletins by hitting the “unsubscribe” link provided with each e-bulletin or by filling in the preference box (through the Members’ website or by hard copy at Members’ Reception.)
2.1.3. Members’ guests provide basic contact information on entry to the Lensbury for health and safety reasons to enable us to know who is on the Lensbury site and to monitor the number of times an individual non-member is using the Lensbury (as there is an annual limit on number of visits as a guest of a member). This information is held for three years.
2.2. Conference centre
2.2.1. Conference Centre and hotel meeting/event organisers provide contact and financial information required for the carrying out of their contracted services in the conference centre and the hotel.
2.2.2. Enquiries for use of the Conference Centre and hotel by meeting/event organisers provide basic contact information in the course of providing a quote of services. This information is kept on file for two years, with the ability to “unsubscribe” from marketing lists provided with any e-bulletin sent.
2.2.3. Professional event organisers, who have a legitimate interest in the conference centre and hotel facilities, are kept in a marketing database and have the ability to “unsubscribe” from marketing lists provided with any e-bulletins sent.
2.4. Hotel guests provide ‘basic contact’, financial and sensitive information in respect of physical limitations, if applicable (see 3.2 below), on booking at the hotel. ‘Basic contact’ information is held for seven years. Limited personal financial information is held in encrypted form and deleted within seven days after check out. Information on medical and physical conditions and disclaimers are held as long as legally prescribed. For adults, this information is held currently on file for three years. Hotel guests are offered the chance to “opt-in” for marketing at check-in. Consent for marketing emails can be withdrawn at any time, by contacting the hotel (who will update the preference information held) or by activating the “unsubscribe” link in any e-bulletin.
2.4.1. Enquiries for hotel bookings provide ‘basic contact’ information and this information is held for two years. Hotel enquiries are offered the chance to “opt-in” for marketing. Consent for marketing emails can be withdrawn at any time, by contacting the hotel (who will update the preference information held) or by activating the “unsubscribe” link in any e-bulletin.
2.5. Freelancers, provide ‘basic contact’ information, as well as documentation to support their working status and right to work. This encompasses qualification certificates, unique tax reference number, proof of ID and National Insurance number. This information will be kept for seven years after the termination of their contract.
2.7. Suppliers provide basic contact information and sensitive financial information required to carry out their contracts with the Lensbury. This information is held for seven years in line with accounting requirements. Prospective suppliers basic contact information is held for two years.
3.1. We hold sensitive information such as date of birth, gender, photograph, physical status reports and medical information related to personal exercise programmes and the ability to engage in physical exercise. Information on medical and physical conditions and disclaimers are held as long as legally prescribed. Currently, this information for adults is deleted three years from cancellation date of membership.
3.2. We hold sensitive information on physical limitations of hotel guests to assist them with emergency evacuation under HSE requirements (‘PEEPs’ – Personal Emergency Evacuation Plans). This information is collected at time of hotel registration and is retained for six months.
3.3. We hold sensitive information on medical conditions in the Lensbury Spa. We use the information you provide us when visiting the spa to manage our bookings and to inform our therapists when offering treatments. We need your permission to process information about your health and we will be unable to offer any treatments without it. Information on medical and physical conditions and disclaimers are held as long as legally prescribed. For adults, this information is held currently on file for three years.
3.4. Members and users of the conference centre and hotel accommodation also provide confidential financial information. This is held for seven years following the termination of a contractual relationship under accounting guidelines.
3.5. Members’ children’s information is held as part of the contractual relationship of membership and to safeguard their health and safety. Information on medical and physical conditions and parental disclaimers are held as long as legally prescribed.
3.6. Information on non-members children (name and gender, date of birth, contact details and health issues), that engage in activities organised by the Lensbury, is also held to safeguard their health and safety. Information on medical and physical conditions and parental disclaimers are held as long as legally prescribed. If you are not happy for us to hold this information, you do not have to agree but this may mean your child is unable to take part in a supervised activity.
An individual’s use of Club facilities is logged and used for statistical and planning purposes for the development and maintenance of Club facilities and offers. Information is also held for health and safety, security and licensing purposes.
Members using our Lensbury Club website, App and social media platforms are logged by our reporting software. These Club platforms are used to provide members and subgroups of members with general broadcast information relating to the Club and for specific information relating to subsets of members – i.e. tennis club members, etc.
7.1. Data security
The Lensbury has an actively managed IT infrastructure which includes up to date, secure hardware and software systems supported by network and security specialists. This includes crisis planning in the event of any breaches. Regulators and individuals will be notified of any breach or suspected breach within 72 hours of a suspected breach.
7.2. Access security
Further, access to personal data is limited to specific employees, who require access to carry out their operational and managerial duties. Third parties are given access to personal data only for the purposes instructed by the Lensbury management, following appropriate due diligence and contractual agreements with the third parties.
We may capture your image on CCTV when you visit the Lensbury. We use CCTV for the prevention and detection of crime and the health and safety of guests, members and staff. CCTV recordings are deleted automatically after 28 days unless they are retained in connection with an investigation, in which case we keep them until after the investigation is concluded.
8.1. To carry out contracted services
If you are a member of the Lensbury or a commercial user we will use your information to:
• Administer your membership or booking
• Communicate with you about the Lensbury facilities and services
• Confirm your identity
• Exercise the Lensbury’s contractual rights.
8.2. To comply with a legal obligation or regulatory guidelines
The Lensbury has a number of legal obligations to a variety of authorities and will use individual’s data to meet those statutory obligations and where it is in the public interest (for example in the detection of crime):
• HMRC and other tax authorities
• Health and Safety Executive
• Information Commissioner’s Office
• Police and other law enforcement agencies
• Gender Pay Gap reporting.
8.3. To meet our legitimate interests
The Lensbury will use your personal data for legitimate management reasons including but not limited to:
• For accounting, auditing and corporate governance reasons;
• To respond to ad hoc enquiries and requests;
• To provide management information, training, performance monitoring, manage commercial and other risks, and trend analysis for product development;
• For debt recovery;
• Provide customer support;
• Business restructuring.
8.4. Where we have obtained your explicit written consent to do so
• for marketing services not related to the Lensbury and its products and services, and;
• where the personal data is not already in the public domain.
8.5. ‘De-personalisation’ of personal data
Sometimes data has a value in an aggregated form. Where we aggregate data, taking out all personal references, we will do this for management reasons and for supply to trade associations, NGO’s, academic research, etc. This use of data does not require individual’s consent.
You may ask for a copy of your data, you may ask for corrections to be made and you may ask for your data to be deleted. In some cases you will not be allowed to delete your information and this is usually due to a regulatory or a contractual reason. If we cannot delete your information, we will let you know the reason we cannot. You may:
9.1. Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are processing it lawfully.
9.2. Request correction of the personal information we hold about you to have any incomplete or inaccurate information we hold corrected.
9.3. Request erasure of your personal information. You may also ask for complete deletion of your personal data, where the original reason for handing over the data no longer is pertinent. If the Lensbury has a legal reason or one of “legitimate interest” and cannot delete the information, we will explain that to you in writing.
9.4. Any request should be made by email or letter:
Email: [email protected]
Letter: Data Protection Officer, Lensbury Ltd, Broom Road, Teddington, TW11 9NU
9.5. Your right to complain – complaints, if not handled by the Lensbury, may be made to the ICO (Information Commissioner’s Office), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone: 0303 123 1113 or access their website at ico.org.uk.
This policy will be reviewed on an annual basis and any substantive changes will be communicated to members and commercial users via the Lensbury websites. (www.Lensburyclub.com and www.lensbury.com).