Skip to main content

Language: English / GĂ idhlig

Main navigation
Loading…

SPCB: Gym users

This privacy statement explains how we collect and use personal information as a data controller for the following process: using the Parliament gym.

Some of the language used in privacy notices can be specialised.  The Information Commissioner's website provides a useful introduction to key terms and concepts.

The purpose of the processing

We will process your personal data when using the Parliament gym. Your full name will be recorded in order for us to keep track on those who have permission to use the gym, having completed an induction and agreed to the disclaimer form. This allows the Scottish Parliamentary Corporate Body (SPCB) Facilities Management Office and Security Office to manage the safe use of the facility. For gym users without Scottish Parliament email accounts, a personal email address will be requested in order to share service updates.

We may also require to process your personal data through QR Codes for the purposes of complying with the Scottish Parliament’s obligations under Test and Protect.

Further information about the use of QR codes in our privacy notice

Read the FAQ about QR codes in the Parliament

Categories of information processed

Normal category data such as first names, surnames and in limited cases personal email addresses.

Source of the information

Information is provided by the gym user with their consent via a disclaimer form hosted by Microsoft Forms on the SPCB’s sharepoint site. Personal email addresses will be requested separately when required via email from the SPCB’s Contract Manager for the gym service. Providing a personal email address is optional and the gym user can decline to provide this information if they wish and still use the gym.

Legal basis for data processing

Data protection law states that we must have a legal basis for handling your personal data.

The legal basis for the processing as described above is that it is necessary for the purposes of the legitimate interests of the SPCB to provide safe use of the facilities to building users (Article 6(1)(f) UK General Data Protection Regulation (UK GDPR)).

For the processing of personal data through QR Codes the legal basis is that it is necessary for performance of a legal obligation (Article 6(1)(c) UK GDPR).

Retention of data

Information will be kept until the gym user leaves the organisation. Records will be checked every 6 months and any users who have left the organisation will be removed. Data will be held on Microsoft Forms, with limited access to only those required to manage it.

Your rights 

Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.

The following rights may apply:

Access to your information

You have the right to request a copy of the personal information about you that we hold. 

Further information on how to make a 'data subject access request'.    

Correcting your information

You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Objecting to how we may use your information

You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.

  • Please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent.
  • The right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject.
  • The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.

Deletion of your information

You have the right to ask us to delete personal information about you where:

  • You consider that we no longer require the information for the purposes for which it was obtained.
  • We are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below.
  • You have validly objected to our use of your personal information – see Objecting to how we may use your information above.
  • Our use of your personal information is contrary to law or our other legal obligations.
  • Please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest.
  • The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.

Restricting how we may use your information

In some cases, you may ask us to restrict how we use your personal information.  This right might apply, for example, where we are checking the accuracy of personal information about you or assessing the validity of any objection you have made to our use of your information. The right might also apply where this is no longer a basis for using your personal information, but you don't want us to delete the data.  Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.  

Please contact us using the details below if you wish to use any of these rights.  

Changes to our privacy statement

We keep this privacy statement under regular review and will put any updates on this website.  You can get paper copies of the privacy statement using the contact information below.   

This privacy statement was last updated on 16 November 2021.  

Complaints

We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office.

Or by phone at: 0303 123 1113

Contact information and further advice

If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:
The Scottish Parliament
Edinburgh
EH99 1SP

Telephone: 0131 348 6913

(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)

Email: dataprotection@parliament.scot

Please contact us if you require information in another language or format

Share this page

Share this page on x Share this page on pinterest Share this page on linkedin