Privacy & Cookie Policy Privacy Policy About Us Scope Who We Are Registration with the Information Commissioner’s Office Updates to this Privacy Policy Sources of Data We Collect Personal Data Collected by RLSS UK7.1 When we collect personal data7.1.1 Special Category Data (SCD)7.2 Explaining the Legal Bases we rely on7.2.1 Consent7.2.2 Contract7.2.3 Legitimate Interest7.2.4 Legal Obligation7.2.5 Vital Interest7.2.6 Public Interest7.3 Administrative purposes for which we collect your data7.3.1 RLSS UK Members7.3.2 RLSS UK Trainer Assessors7.2.3 RLSS UK Course Candidates: Community-based, Regulated and Non-Regulated Awards7.3.4 RLSS UK Under 13 Children’s Data7.3.5 Athletes and Officials/Coaches/Team Managers7.3.6 RLSS UK Shop7.3.7 RLSS UK Volunteers7.3.8 Fundraisers7.3.9 Donations made via post and through www.rlss.org.uk7.3.10 Donations via GiveTap7.3.11 RLSS UK Honours7.3.12 Marketing7.4 Changing your Marketing Preferences7.5 Contacting you using Legitimate Interest for research purposes7.5.1. Research Projects7.5.2. Use of anonymised research data7.5.3 Disposal of data Children Under 16 and Vulnerable People Stories and Experiences Data Sharing Sub-Contract Processing Data Augmentation Profiling Secure Storage of Data International Transfers Your Rights Your right to lodge a complaint with a Supervisory Authority Child friendly Privacy Policy Cookie Policy Cookie Policy Introduction About cookies Cookies that we use Cookies used by our service providers Managing cookies Cookie preferences Our details Privacy Policy Download a PDF copy of our Privacy Policy Last updated: November 2023 1. About us Since 1891, the Royal Life Saving Society UK (RLSS UK) has been sharing its expertise in water safety, lifesaving, and lifeguarding to educate everyone to enjoy water safely. Charity Numbers: England and Wales (1046060) and Scotland (SC037912) Our Mission – To be the leader in lifesaving and lifeguarding, sharing our expertise and knowledge to give everyone the skills to save lives and enjoy water safely. Our Vision - Nations free from drowning, where everyone is able to enjoy water safely. Our Purpose - To educate nations so everyone can enjoy water safely – because no one should drown. RLSS UK’s work is vital in every city, town, community and household, as we are the UK’s leading provider of water safety education and qualifications. RLSS UK is also the National Governing Body, recognised by Sport England, for the sport of Lifesaving. RLSS UK is the industry leader in water-related safety qualifications and training. We deliver national water safety campaigns, and 47 volunteer branches provide our essential footprint across the UK and Ireland, helping us enhance communities so everyone can enjoy being in, on or near water safely – because no one should drown. RLSS UK’s website is www.rlss.org.uk. To help us continue our important Charity work providing water safety education, we often need to collect data, doing so whilst strictly keeping in line with the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulations (UK GDPR) lawful bases for processing, which we have outlined in this Policy. We do this respecting your privacy and with your continued trust in us as a National Awarding Body and established Charity. If you would like to know more about what data we collect and how we use it, please continue reading this Policy. 2. Scope This RLSS UK Privacy Policy clarifies the different types of personal data that RLSS UK (“RLSS UK”, “we,” and “us”) and its respective 3rd parties and affiliated companies collect, how we use it, when it may be shared and importantly the rights you have for your own data. We will explain the processes we use to communicate with you, helping to achieve our mission to share our expertise and knowledge with as many people as possible. Using the data we collect, we can improve our services and products, helping to enhance everyone’s potential to save lives and enjoy water safely. We thank you for understanding and for helping us to prevent drowning, stop unnecessary loss of life and aid families affected by the tragedies that can occur within water. This Privacy Policy applies to the RLSS UK websites available at www.rlss.org.uk, www.shop.rlss.org.uk and to any other websites, applications, brands or products owned and operated by RLSS UK that direct the viewer or user to this Privacy Policy. 3. Who We Are RLSS UK is a limited company and has 47 membership branches located across the UK and Ireland. RLSS UK Enterprises Limited has a registered office at Redhill House, London Road, Worcester, WR5 2JG, United Kingdom (Company Number 02559199). RLSS UK Enterprises Limited is the lifesaving qualification awarding body, offering OFQUAL CCEA and regulated qualifications and non-regulated vocational training programmes. More than 90,000 RLSS UK pool lifeguards are trained in the National Pool Lifeguard Qualification (NPLQ), and around 95 per cent of all pool lifeguards are trained by RLSS UK. RLSS UK also sells and fulfils a range of products to help support the delivery of vocational and non-vocational awards and qualifications, mainly via the online RLSS UK Shop https://shop.rlss.org.uk RLSS UK is the controller of all personal data processed by the charity, the above operating company and the 47 membership branches. 4. Registration with the Information Commissioner’s Office For the purpose of the Data Protection Act (2018) and the UK General Data Protection Regulations (UK GDPR), the Royal Life Saving Society UK (RLSS UK) is registered as a data controller with the Information Commissioners Office, with registration number 2811194. RLSS UK’s Privacy Officer is: Privacy OfficerRLSS UKRedhill HouseLondon RoadWORCESTERWR5 2JGTel: 0300 3230 096Email: [email protected] 5. Updates to this Privacy Policy As times are ever-changing, every so often, this policy will need updating. It is under constant review, so please refer back to it as and when you need it. Any important updates will be communicated to our members. 6. Sources of Data We Collect All of the personal data RLSS UK collects is provided directly from our Members, Trainer Assessors (TAs), candidates, customers and organisations associated with RLSS UK. We only collect the necessary data to provide the services you require from us, and you only need to provide the data you wish to share with us as long as that data enables us to fulfil your requirements. If you are not happy to share the data RLSS UK requires to carry out administration, this may result in you being unable to access our services. RLSS UK also collects data through Cookies. More information about this can be found on our Cookie Policy, which can be found by clicking here. 7. Personal Data Processed by RLSS UK 7.1 When We Collect Personal Data RLSS UK collects, stores, and processes personal data for several purposes, mainly for the administration of the organisation and the Charity, financial accounting and marketing. We may collect personal information when you: donate to us; complete one of our qualifications or awards; become a Trainer Assessor with us; sign up to become a member with us; purchase something from our online shop; volunteer or fundraise for us; support one of our campaigns; sign up for our newsletter or Lifesavers magazine; contact us regarding a situation you are aware of in or around water; when you access our website. To fulfil these services, we may need to collect your name, email and postal address, contact number, and date of birth. If you donate, purchase something or become a member we may need to collect your bank details or your taxpayer status so we can collect gift aid. Please be assured all of the data we collect has specified retention periods, and we only collect what is absolutely necessary for us to carry out our duties. Our data retention schedules are clarified under section 7.3 of this Policy. 7.1.1 Special Category Data (SCD) Certain types of personal data are known as Special Category Data (SCD) in accordance with Article 9 of the UK GDPR. Special Category Data clarifies more sensitive data, such as an individual’s racial or ethnic origin, religious beliefs, political opinions, biometric data, medical data or data concerning their sexual orientation. RLSS UK rarely has the need to collect SCD; however, if there is an occasion we would collect such data, we would only collect this once we have established a legal basis to process such data. An example of when we may need to collect SCD is when we carry out specific surveys it can be valuable for us to know the racial or ethnic origin of the individual, as this helps us as an organisation to become more aware of our inclusivity. To process this data, we would first need to obtain your consent under Article 9 1(a) and Article 6 1(a) of the UK GDPR. In order to lawfully process SCD we need to identify a lawful basis under both Article 6 and Article 9 of the UK GDPR; however, these do not have to be linked. 7.2 Explaining the Legal Bases we rely on The UK General Data Protection Regulations are there to provide you with peace of mind that your data is only collected when necessary and treated lawfully and fairly whilst we hold it. RLSS UK relies on the following Legal Bases for our processing: 7.2.1 Consent In many circumstances, we collect and use your data only when we have obtained your consent. We do this while providing a clear outline of why we are collecting your data, what we propose to do with it and what it will help us to achieve. When you give us your data directly you are giving us your consent to process your data. We process data with your consent under Article 6 1(a) of the UK GDPR, where the data subject has given consent to the processing of his or her personal data. Examples of when we collect your data from consent are: Donating to us; Volunteering on our behalf; Signing up to one of our events or competitions; Opting into our marketing preferences. 7.2.2 Contract In some instances, we require you to be part of a contract in order for us to carry out our responsibilities so we can provide you with the best service possible. Contracts are formed so expectations from both sides can be met. We process data using a contract under Article 6 1(b) of the UK GDPR where processing is necessary for the performance of a contract. Examples of when we collect your data for contractual reasons are: When signing up to become an RLSS UK Member; When you become a RLSS UK Trainer Assessor; By obtaining one of our awards or qualifications; When purchasing a product or service from RLSS UK Shop. 7.2.3 Legitimate Interest In certain situations, we have legitimate interest for using your data. We will never do so if it impacts your rights and freedoms, it is only under circumstances that are reasonably expected. We process data using Legitimate Interest under Article 6 1(f) of the UK GDPR where processing is necessary for the purposes of legitimate interest. Examples of Legitimate Interest reasons for using your data are: To inform RLSS UK Trainers Assessors of any updates to do with their qualifications, to make sure they are delivering the most up to date information to their candidates; To maintain our National Records Database of the competitors who achieve a national record within lifesaving events; To maintain the records of Honours recipients who have achieved an Honour for historical purposes. Please refer to section 7.3 for further information on Contacting you using Legitimate Interest. 7.2.4 Legal Obligation Sometimes it is the law that requires us to collect and process your data, for example; if you select to provide Gift Aid when donating we process data by submitting a claim to HMRC. We process data using Legal Obligation under Article 6 1(c) of the UK GDPR where processing is necessary for compliance with a legal obligation. 7.2.5 Vital Interest In very rare circumstances Vital Interests can be relied on as a lawful basis for processing data, such as during a medical emergency where an individual cannot speak for themselves. We process data using Vital Interests under Article 6 1(d) of the UK GDPR where processing is necessary in order to protect the vital interests of the data subject or of another natural person. 7.2.6 Public Interest In very limited circumstances we may need to use data in the public interest, this would occur under safeguarding and wellbeing concerns or to prevent a crime. We process data using Public Interest under Article 6 1(e) of the UK GDPR where processing is necessary for the performance of a task carried out in the public interest. 7.3 Administrative purposes for which we collect your data We collect and retain data for the following purposes: 7.3.1 RLSS UK Members Type of data: Purpose of Processing: Name: So we know who is signing up for membership Address: So we can post your RLSS UK Membership card Location: This helps us to place you in the appropriate Branch Contact number: This is optional but helps us to contact you about your membership Email address: So we can keep you updated with important information to do with your membership and any inform you of the benefits you receive for being an RLSS UK Member Financial data: Not retained - 3rd party companies used for taking payments; Stripe: used for payments made through tahdah; Go Cardless: used for direct debit payments; Evo: internally used handheld card machine for card payments. Legal Basis: Article 6 1(b): We collect this data as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract Retention Period: 7 years after membership expires 7.3.2 RLSS UK Trainer Assessors Type of data: Purpose of Processing: Name: So we know who is becoming a Trainer Assessor with us Address: So we can post your RLSS UK Membership card Location: This helps us when you organise courses through Course Finder Contact number: This helps us to contact you about courses you are running and about your qualifications Email address: So we can keep you updated with important information about your courses and qualifications Financial data: Not retained - 3rd party companies used for taking payments; Stripe: used for payments made through tahdah; also for payments for Continuous Professional Development (CPD) hours. Legal Basis: Article 6 1(b): We collect this data as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract Retention Period: 7 years from last RLSS UK account log-in date or last achievement date, whichever is most recent 7.3.3 RLSS UK Course Candidates: Community-based, Regulated and Non-Regulated Awards Type of data: Purpose of Processing: Name: So we know who is taking the award or qualification Address: This is optional Location: This is optional Contact number: This helps us to contact you for any queries about your award or qualification Email address: So we can email candidates their certificates and any information to do with your award or qualification Financial data: Not collected or retained. Payments for courses are made through our ATC/P’s Legal Basis: Article 6 1(b): We collect this data as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract Retention Period: 7 years from last RLSS UK account log in date or last achievement date, whichever is most recent 7.3.4 RLSS UK Under 13 Children's Data: Children from the age of 13+ are able to give consent for their own data. This section refers to Children under the age of 13: Type of data: Purpose of Processing: Name: So we know who is being awarded a certificate Address: So we know where to send certificates Location: This helps us to place you in the appropriate Branch Contact number: This helps us to contact the responsible parent/legal guardian for any queries about their child’s award or certificate Email address: Usually this is a responsible parent/legal guardians email address that is only used for updates on certificates or awards, however a child can enter their own email address if they wish Financial data: Not collected or retained. Payments for awards and courses are made to local clubs Legal Basis: Legal basis: Article 6 1(a): We collect this data only when the data subjects' parent or legal guardian has given their consent to the processing of their personal data for one or more specific purposes Retention Period: 7 years from last RLSS UK account log in date or last achievement date, whichever is most recent 7.3.5 Athletes and Officials/Coaches/Team Managers Type of data: Purpose of Processing: Name: So we know who is attending or entering one of our events or competitions Address: This is optional Location: So we can inform you of events in your local area Contact number: This helps us with any queries about events you have entered or are interested in Email address: So we can keep you updated with important information to do with our events and competitions Financial data: Not retained – 3rd party company used; Stripe: used for payments for events through the RLSS UK website. Legal Basis: Legal basis: Article 6 1(b): We collect this data as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract Retention Period: 7 years from last RLSS UK account log in date or last achievement date, whichever is most recent 7.3.6 RLSS UK Shop Type of data: Purpose of Processing: Name: So we know who has made an order with us Address: So we know where to post the goods Location: Is confirmed through your address Contact number: This helps us to contact you over any queries concerning your order with us Email address: So we can keep you updated with important information to do with your order such as delivery times and dates Financial data: Not retained – 3rd party company used; Shopify: used for payments for online products. Legal Basis: Legal basis: Article 6 1(b): We collect this data as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract Retention Period: 7 years from the date of last order 7.3.7 RLSS UK Volunteers Type of data: Purpose of Processing: Name: So we know who is volunteering on our behalf Address: This is optional Location: This helps us to place you in the appropriate Branch Contact number: This helps your local branch to contact you about volunteering opportunities Email address: So we can keep you updated with volunteering opportunities or provide details on any current volunteering you are taking part in Financial data: Not collected or retained Legal Basis: Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes. Retention Period: 7 years from the date of last contact 7.3.8 Fundraisers Type of data: Purpose of Processing: Name: So we know who is fundraising for us Address: Optional, but helps us to know where you are located Location: So we know which areas of the country are convenient for you to travel to Contact number: So we can contact you about any fundraising events Email address: So we can inform you about any fundraising events Financial data: Not collected or retained Legal Basis: Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes. Retention Period: 7 years from date of last contact 7.3.9 Donations made via post and through www.rlss.org.uk Type of data: Purpose of Processing: Name: So we know who has donated to us and who to thank Address: This is optional Location: This is confirmed if you provide your address Contact number: Only retained if you hold an RLSS UK Account (powered by tahdah) with us or have signed up to our 12-month GWYC Membership as members receive 6 emails throughout the year Email address: Only retained if you already hold an RLSS Account with us Financial data: Postal donations: data not collected or retained, donations usually sent as cash or as a cheque Donations made through RLSS UK website: 3rd party company used; Stripe Legal Basis: Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes Retention Period: 7 years from date of last contact 7.3.10 Donations via GiveTap Type of data: Purpose of Processing: Name: Retained if you have signed up to our 12-month GWYC Membership as members receive 6 emails throughout the year Address: Not retained Location: If a branch has collected the donation on a branch event and the funds need to be transferred to the branch Contact number: Not retained Email address: Retained if they have signed up to our 12-month GWYC Membership as members receive 6 emails throughout the year Financial data: Not retained Legal Basis: Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes. Anonymous data is exempt from the UK GDPR as stated in Article 26 (6), ‘This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes’ Retention Period: 7 years from date of last contact 7.3.11 RLSS UK Honours Type of data: Purpose of Processing: Name: So we know who has been nominated or who to present an Award to Address: So we can send information and certificates to recipients Location: This helps us to place you in the appropriate Branch Contact number: So we can contact you about nominations Email address: So we can invite and contact you about the Honours Ceremony Financial data: Not collected or retained Legal Basis: Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes. Anonymous data is exempt from the UK GDPR as stated in Article 26 (6), ‘This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes’ Retention Period: 7 years from date of last contact Note: Certain candidates may have achieved an RLSS UK Honour and will remain on the system indefinitely as this is classed as data of historical purpose 7.3.12 Marketing Type of data: Purpose of Processing: Name: So we know how to address you Address: Optional Location: Optional Contact number: Optional Email address: To inform you of marketing opportunities Financial data: Not collected or retained Legal Basis: Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes Retention Period: 7 years from date of last contact 7.4 Changing your Marketing preferences We will only send you marketing emails when you have confirmed you are happy to hear from us. You can opt out of RLSS UK marketing by: updating your Marketing preferences via your RLSS UK Account; selecting ‘Unsubscribe’ at the bottom of our emails; emailing us on [email protected]; calling and speaking to our Customer Service team on 0300 323 0096. To update your Marketing preferences through your RLSS UK Account, on your homepage choose the ‘Settings’ tab and select ‘Email Subscriptions’. If choosing to unsubscribe via an email you have received, please allow around 48 hours for any changes to come into place. If you have purchased a product from us or have had direct contact with us, we may need to send you a transactional email. These are not promotional like marketing emails but will contain important information such as order delivery updates or a password reminder. Occasionally, we will undertake a Legitimate Interest Assessment (LIA) in order to gauge whether we have genuine reason to contact you. This will not be for marketing purposes but for surveys, research opportunities or service emails. Please be mindful, if you hold a current qualification of ours, we may need to contact you with important updates, so be assured opting out of marketing from us won’t impact those emails so we can always keep you up to date. If you have shown interest in one of our services or have purchased an item from our shop, you may receive marketing associated with that interest, unless you have previously decided to opt out of marketing from us. One of the benefits RLSS UK Members receive when signing up with us is to receive a quarterly RLSS UK newsletter, which provides news and updates going on within the Charity. The content of our newsletters are targeted towards the type of membership you have joined, for instance the Lifesaving Academy Membership Newsletter’s will have content more relevant and significant to children of that age group. Members also receive our RLSS UK Lifesavers magazine which is sent out twice a year. Members are given the option to receive this as a printed hardcopy or as an online version. Both the Member newsletter and the magazine can be unsubscribed from via your RLSS UK Account. Whatever you decide we will always give you the option to change your mind. 7.5 Contacting you using Legitimate Interest for research purposes From time to time, we may carry out research projects using feedback collected from individuals who have experience of our organisation. This helps ensure we can continue to provide all our stakeholders with the best possible advice, training, events, products and services. Where relevant, Legitimate Interest Assessments are carried out which help ensure we have a valid reason for contacting you for this purpose. 7.5.1 Research Projects Examples of when we may contact you to take part in research projects under the UK GDPR Article 6 1(f) may include: To take part in a market research survey related to a qualification you have recently undertaken with RLSS UK; To take part in a feedback survey about a recent RLSS UK event you have attended; To take part in a market research survey to help us understand how we can create a more inclusive society for all; To request your participation in academic research into lifesaving techniques, in order to improve the guidance, we include in our lifesaving qualifications and awards. In all cases you will be provided with full details on all components of the research, it’s objectives and what’s involved, before you are asked to consent to take part. Most surveys we send out are completely anonymous. This means we will not gather or store any of your personal data. Any data collected is therefore exempt for the UK GDPR as stated in Article 26 (6), ‘This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes. In the unusual circumstance it is not possible for a survey or research project to be anonymous, full details will be provided to the individual asked to take part, including what personal data will be collected and how it will be used and stored. 7.5.2 Use of anonymised research data Once collected, anonymised research data from individual surveys may be submitted to a data repository to support future projects. Aggregated, anonymised results from our research may be made available to others within the society, to those in our partner organisations and/or the general public. In all cases, the results are used to support RLSS UK in our mission to be the leader in lifesaving and lifeguarding in the UK and Ireland; sharing our expertise and knowledge with as many people as possible, giving everyone the potential to save lives and safely enjoy water. Shared survey results may include free text comments provided by respondents, in an anonymised format. You can at any time opt-out of any further contact regarding research projects by emailing us at [email protected]. 7.6 Disposal of data RLSS UK shall ensure that we will not retain personal data for any longer than is necessary. Once the retention period of data we hold has ceased, we will remove and permanently delete it from our RLSS UK computers and servers. Periodically, we will review our retention periods and consider the purpose for originally retaining that data. If it no longer fulfils a function within the organisation, we will consider whether we are able to dispose of that data earlier than anticipated. This helps us fall in line with the UK GDPR’s Storage Limitation Principle, Article 5 1(e), in which personal data must be kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of processing. Certain data we hold is kept longer for historical purposes, such as recipients of Honours Awards. For such reasons we are permitted to hold this data indefinitely, under the UK GDPR Article 5 1(e), ‘personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest’. 8. Children Under 16 and Vulnerable People We are happy to support and encourage children who would like to engage with us, either by taking one of our qualifications, competing in one of our events or fundraising on our behalf. Complying with the Data Protection Act 2018, children aged 13 and over are legally able to provide consent for us to use their data and can take control of how we handle their data. Candidates under the age of 13 will only qualify for an RLSS UK Account if it is linked to a responsible parent/legal guardian's account. This means the linked individual will have permission to speak on behalf of the child and to make any amendments to the account. Once a child turns 13 years of age, if they choose to dissolve the link to their parent/guardians account, they will need to actively request this with our Customer Services team. A parent/guardian may remove a linked account through the family button on their RLSS UK Account. If a parent/guardian of a child aged 13-16 would like their accounts linked, we would be able to do this at the request of both parties. Children over the age of 16 are no longer legally required to have a parent or guardian consent to the use of their data, so we would always expect to speak with the account holder to discuss anything. If the account holder would prefer for us to speak with their parent or guardian, we can happily do that with their verbal consent over the phone. Please be assured we take the greatest care in safeguarding when linking accounts, and always do the necessary checks to ensure we are communicating with the correct person. We work hard to support vulnerable people when they choose to help us by fundraising or whether they would like to take part in an event or complete one of our qualifications. They can decide how much information they are comfortable sharing with us, so we can accommodate any adjustments needed to ensure they feel safe whilst working with us. 9. Stories and Experiences Stories, experiences and occasions involving lifesaving are a very important part of helping RLSS UK to promote our message, as they reinforce our aims making them more meaningful and significant to the public. They help to demonstrate and support our work, which we couldn’t do without your help. With your permission, we may use these in our newsletters, Lifesavers magazine and on our social media. We will only do this once you have given your consent. 10. Data Sharing In order to provide the best service possible, RLSS UK may share data within our own organisation, such as between your RLSS UK Account and your RLSS UK Shop Account, to help us fulfil a request you have made. For example, if you have made an order through your RLSS UK Shop account and we need to call you in order to fulfil that order, we may use the number you provided us on your RLSS UK Account. Any shared data will fall in line with our data retention and storage policies. RLSS UK shares personal data with the following organisations: Organisation name/category of organisation Purpose of the sharing Data Storage Location RLSS UK Trading Subsidiaries: RLSS UK Enterprises and RLSS UK Shop To help us to offer the best service possible to our customers, sometimes we may be required to share data within our own organisation RLSS UK Accounts (powered by tahdah) - All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. RLSS Commonwealth To aid RLSS Commonwealth with data on UK Members RLSS UK Digital Service Providers (tahdah Limited, Intercom and Galtec) We employ specialist companies to host our database and facilitate our IT services meaning that they potentially have access to any personal data collected via the channel they manage for us. These organisations are data processors and governed by legal obligations set out in the UK GDPR All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. Official Organisations We share the personal data of some of our membership because of a legal obligation with official authorities such as governing bodies, insurance companies, police and child welfare All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. Disclosure & Barring Service To disclose a copy of a person’s criminal record All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. RLSS UK Branches We share the personal data of some of our members with members of their local Branch All personal data is stored securely by members of the RLSS UK Branch in which the data is disclosed Linn Systems Limited (Linnworks) Data and Stock Management - Order management system that will talk virtually to Shopify and Walkers to fulfil orders and manage stock levels All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. Shopify Plus Platform Website Platform that our e-commerce website is built on All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. Statement Agency that manages the build and ongoing maintenance of our e-commerce website hosted on the Shopify Plus Platform All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. Forever (formally known as Sitel) Warehouse and Distribution who will be in charge of the warehousing, fulfilment and distribution of orders. All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. Excelify.io Export and Import Data All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. CyberSource on behalf of Total Processing UK Payment Gateway All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. Laerdal For the supply and dispatch of medical therapy and training products All personal data is stored on secure servers Access Website provider, holds data for individuals to access resources. Holds cookies data All data is storage is Cloud-based Sage Finance System Finance Software Platform – all internal finance matters All data is storage is Cloud-based Datel Configured the Sage program for RLSS, used as support team for software All data is storage is Cloud-based 11. Sub-Contract Processing RLSS UK uses sub-contract organisations to process personal data under a written contract which defines that they must comply with stringent data privacy requirements. RLSS UK only employs organisations that comply with the provisions of the UK General Data Protection Regulations. These organisations are audited to ensure compliance. RLSS UK’s processors include: Processor Name: Reason for Processing: tahdah For the secure hosting of the database Intercom For business messaging services Galtec For the IT services helpdesk MailChimp To facilitate the sending of group emails M Leach Jewellers For engraving medals and trophies Laerdal For the supply of medical therapy and training products Print Waste Recycling Services For the secure removal of waste and confidential waste materials Scottish Widows and NEST For staff pension schemes Linnworks For data and stock management Shopify Plus For RLSS UK Shop website purchases Stripe Card payment service Worldpay Online credit card platform Go Cardless Direct debit payments through tahdah Evo Handheld card machine for card payments GiveStar Charity donations platform Forever (formally known as Sitel) For warehouse and distribution io For the import and export of data Cybersource As a payment gateway Access Website provider Sage Finance Software Platform Datel Sage program configurator support team Iris Payroll system 12. Data Augmentation RLSS UK uses augmentation services to satisfy its legal obligation to ensure the accuracy of personal data being processed by using, for example: Royal Mail Postal Address File (PAF) to update redirected addresses and to ensure address accuracy and completeness. 13. Profiling RLSS UK does not carry out any form of automated processing of personal data that could be used for profiling purposes. 14. Secure Storage of Data All personal data are stored in secure UK data centres operated by organisations with ISO 270001 certification. Our Cloud servers are located in London, UK. 15. International Transfers On July 10th 2023, the European Commission (“EC”) adopted its decision that the EU-U.S. Data Privacy Framework (“DPF”) offers an adequate level of protection for EU personal data (the “Adequacy Decision”), comparable to that provided under the EU General Data Protection Regulation (“GDPR”). With this adequacy decision in place, U.S. companies that are certified under the DPF may lawfully transfer EU personal data to the U.S., without the need for additional safeguards. To reflect this decision, the UK Government has published the Data Protection (Adequacy) (United States) Regulations 2023 (SI 2023/1028) (the UK-US Data Bridge Regulations) which adopted an adequacy decision for the US (the UK-US Data Bridge) which came into force on the 12th October 2023. In particular, the UK-U.S. Data Bridge provides that for the purposes of Part 2 of the Data Protection Act 2018 (“the Act”) and the UK General Data Protection Regulation (“UK GDPR”), the Secretary of State designates the U.S. as ensuring an adequate level of personal data protection for data transfers that meet the following criteria: the transfer is to a person in the U.S. listed as participating in the UK Extension to the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”); and the transfer will be subject to the EU-U.S. DPF Principles upon receipt by the recipient. You can read the UK-US Data Bridge here, the explanatory note here, the factsheet here, the EU-US DPF Principles here, and the DPF List here. Organisation Country Purpose Safeguards MailChimp USA To send group emails to members and candidates on our database about things that they have opted in, to hear about. MailChimp participates in and has certified its compliance with the EU- U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. They are committed to subjecting all Personal Information received from EEA member countries, United Kingdom, and Switzerland, respectively, in reliance on each Privacy Shield Framework, to each Framework’s applicable Principles. MailChimp is responsible for the processing of Personal Information they receive under each Privacy Shield Framework and subsequently transfer to a third party acting as an agent on their behalf. They comply with the Privacy Shield Principles for all onward transfers of Personal Information from the EEA, United Kingdom, and Switzerland, including the onward transfer liability provisions. Members located in Switzerland, United Kingdom and the EEA are subject to their Data Processing Addendum which can be found here, as described in their Standard Terms of Use. SurveyMonkey USA To facilitate the sending of member surveys from time to time. SurveyMonkey Inc. participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield. SurveyMonkey is committed to subjecting all personal information and data received from European Union (EU) member countries and Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. https://www.privacyshield.gov/ 16. Your Rights If you would like to exercise any of these rights, then please either call us on 0300 3230 096 and ask to speak with the Data Protection Officer or email us on [email protected] with your request. Right of access You have the right to obtain confirmation from RLSS UK as to whether personal data concerning you are being processed and, where that is the case, access to that personal data. Right to rectification You have the right to ask RLSS UK to rectify inaccurate personal data concerning you. Right to erasure (right to be forgotten) You have the right (under certain circumstances, but not all) to request RLSS UK erase personal data concerning you. Right to restriction of processing You have the right (under certain circumstances, but not all) to ask RLSS UK to restrict the processing of your personal data. For example, you may request this if you are contesting the accuracy of personal data held about you. Right to data portability You have the right (under certaon circumstances, but not all) to request RLSS UK provides you with the personal data about you that have provided to RLSS UK in a structured, commonly used and machine-readable format. You also have the right to ask RLSS UK to transmit those data to another controller. Right to withdraw consent If the lawful basis for processing is consent, you have the right to withdraw that consent by contacting [email protected]. Right to object to direct marketing Where your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for marketing. Rights in relation to automated decision-making and profiling RLSS UK does not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you. 17. Your right to lodge a complaint with a supervisory authority If you have any queries about the way we use your personal data, or if you wish to exercise any of your rights concerning your personal data, please contact RLSS UK’s Data Protection Officer using either the email address or our Head Office Address below: RLSS UKRedhill House227 London RoadWorcesterWR2 5JG Tel: 0300 323 0096Email: [email protected] If you are not satisfied with the response you receive, you have the right to lodge a complaint with the supervisory authority. In the UK this is: Information Commissioner's OfficeWycliffe HouseWater LaneWilmslowCheshireSK9 5AF Tel: 0303 123 1113Email: [email protected] Cookie Policy Download the Cookie Policy Updated January 2019. Introduction 1.1 Our website www.rlss.org.uk uses cookies. 1.2 Insofar as those cookies are not strictly necessary for the provision of our website and services, we will ask you to consent to our use of cookies when you first visit our website. Credit 2.1 This document was created using a template from SEQ Legal (https://seqlegal.com). About cookies 3.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. 3.2 Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. 3.3 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies. Cookies that we use 4.1 We use cookies for the following purposes: (a) Necessary cookies Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies. Cookie Name Used by Description Expiration _cfduid Cloudflare Used by the content network, Cloudflare, to identify trusted web traffic. It does not contain any personal information. 1 year ASP.NET_SessionId Website Used for authenticating a user's session after logging in. Closes when the user exits the browser. It does not contain any personal information. End of session ARRAffinity Website Tells our infrastructure which server to handle the request. It does not contain any personal information and is used only for analytical purposes. End of session MemberLoggedIn Website A binary flag which stores whether a user is logged in or not. It does not contain any personal information. End of session _stripe_sid Stripe Used by our payment provider, Stripe, in order to process payments on checkout. End of session _stripe_mid Stripe Used by our payment provider, Stripe, in order to process payments on checkout. 1 year nsr Stripe Used by our payment provider, Stripe, in order to process payments on checkout. End of session (b) Statistic cookies Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously. Cookie Name Used by Description Expiration @@History/@@scroll|# Website Used by AppInsights to allow for monitoring of the platform database. It does not contain any personal information and is used only for analytical purposes. End of session _ga and _gid Google Analytics Used to distinguish between website users in Google Analytics. 2 years _gat Google Analytics Used to moderate calls to the Google Analytics service. It does not contain any personal information and is used only for analytical purposes. End of session ai_session and ai_user Website Tracks users as they navigate the website, predominately for infrastructure performance insights. It does not contain any personal information. End of session p.gif Typekit Used by the font provider, Typekit, if you are using one of their fonts. Used for compliance and billing purposes only. It does not contain any personal information. End of session __utma Google Analytics Stores the amount of visits of a user, the time of their first visit, the previous visit, and the current visit. It does not contain any personal information and is used only for analytical purposes. 2 years __utmz Google Analytics This performance cookie stores where a user came from (e.g., search engine, search keyword, link). It does not contain any personal information and is used only for analytical purposes. 6 months __unam ShareThis Set as part of the ShareThis service and monitors "click-stream" activity, e.g. web pages viewed, navigation from page to page, time spent on each page, etc. The ShareThis service only identifies a user if they have separately signed up with ShareThis for a ShareThis account and given them consent. Checks how long a user stays on a site: when a visit starts and ends. It does not contain any personal information and is used only for analytical purposes. 14 months cc_cookie_accept Website Stores whether the user has accepted the cookie message or not. It does not contain any personal information and is used only for analytical purposes. 365 days (c) Marketing cookies Marketing cookies are used to track visitors across websites. The intention is to display relevant and engaging ads for the individual user and, thereby, more valuable for publishers and third-party advertisers. Cookie Name Used by Description Expiration NID Google Registers a unique ID that identifies a returning user's device. It can be used for targeted ads. It does not contain any personal information. 6 months collect Google Analytics Used to send data to Google Analytics about a user's device and behaviour. It does not contain any personal information. End of session r/collect Doubeclick.net These cookies are managed by DoubleClick, an advertising platform we use to display adverts. End of session IDE, DSID, _ct_rmm Doubleclick.net These cookies are managed by DoubleClick, an advertising platform we use to display adverts. 2 years DisplayName Website Keeps track of a donor's preference to show their name during a Direct Debit. End of session VISITOR_INFO1_LIVE YouTube Used by YouTube if you've embedded a YouTube video in your posts. Tries to estimate a user's bandwidth on pages with integrated YouTube videos. It does not contain any personal information. 179 days YSC YouTube Used by YouTube if you've embedded a YouTube video in your posts. Registers a unique ID to keep statistics of what videos from YouTube a user has seen. It does not contain any personal information. End of session Cookies used by our service providers 5.1 Our service providers use cookies, and those cookies may be stored on your computer when you visit our website. 5.2 We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google's privacy policy is available at: https://www.google.com/policies/privacy/. Managing cookies 6.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser and from version to version. You can, however, obtain up-to-date information about blocking and deleting cookies via these links: (a) https://support.google.com/chrome/answer/95647?hl=en (Chrome); (b) https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox); (c) http://www.opera.com/help/tutorials/security/cookies/ (Opera); (d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer); (e) https://support.apple.com/en-gb/guide/safari/sfri11471/mac (Safari); and (f) https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge). 6.2 Blocking all cookies will have a negative impact on the usability of many websites. 6.3 If you block cookies, you will not be able to use all the features on our website. Cookie preferences 7.1 At this time, you can not manage your preferences relating to the use of cookies on our website. Our details 8.1 This website is owned and operated by Access on behalf of the Royal Life Saving Society UK (RLSS UK). 8.2 The Royal Life Saving Society UK (RLSS UK) is a registered charity in England and Wales (1046060) and in Scotland (SC037912). Company limited by guarantee registered in England and Wales (3033781). 8.3 Our principal place of business is at RLSS UK, Red Hill House, 227 London Road, Worcester, WR5 2JG; 8.4 You can contact us: By post RLSS UKRed Hill House227 London Road WorcesterWR5 2JG Website contact form by email at [email protected] Child friendly Privacy Policy Note - this is the child-friendly summary of (and not a substitute for) our Privacy Policy (Privacy & Cookie Policy | Royal Life Saving Society UK ( RLSS UK )). If you would like more information on any of these queries regarding your data, please ask an adult to help you read RLSS UK’s main Privacy Policy. Who are we? We are the Royal Life Saving Society UK (RLSS UK), a charity who provide water-related safety awards, qualifications, and training to help everyone enjoy water safely. What is a Privacy Policy? Here at RLSS UK, we know how important it is to keep your personal data safe. This privacy policy lets you know what we do with your data and how we look after it. What is personal data and why do we need it? Information about you that can be used to identify you is your personal data. This could be your name, your date of birth or where you live. We only ask for your personal data that is necessary for us to carry out our services and will only use it for the reason we originally requested it. When you take one of our awards, you need to hold an RLSS UK account with us so we can give you a certificate. If you are 13+ you can set this up yourself, just enter your details to create an account (Sign up (tahdah.me)) and you will receive your own RLSS UK Society number. Then we will know the information you would like to go on your certificate for any awards you take with us. You can pop into your RLSS UK account at any time to update your details. If you are younger than 13, we need your parents or guardians' consent to use your data, so they will need to set up their own account and link this to yours. If you hold an RLSS UK Account with us, we process your data under the UK GDPR (General Data Protection Regulation) Article 6 1(b), where processing is necessary for the performance of a contract. Once you hold an RLSS UK Account, you can choose to become a member with us. For anyone under the age of 16, we offer our Lifesaving Academy Membership. Membership comes with certain benefits, if you would like more information, please click on the following link to have a look at our Membership page: Lifesaving Academy 0-15-years | Royal Life Saving Society UK ( RLSS UK ). We also offer Rookie Lifeguard products on our website: Rookie Lifeguard Essentials (rlss.org.uk). Please ask a parent or guardian if you are interested in purchasing one of our products. Who can see your personal data? If you hold an RLSS UK account with us, your parent or guardian might be able to see your data, depending on if they have their account linked to yours. RLSS UK staff members will have access to your data, but only the sections of personal data they need to carry out their work. When we have to share your information with other people, we will only share it so we can do our job or when the law says that we have to. There are times we might need to ask for help doing our work, and someone else will use your data for us. This could mean your personal data might go around the world, but don’t worry – we’ll make sure it’s safe. There is a list of who we could share with on our main Privacy Policy. How long do we keep your personal data? We keep your data only for as long as we need it. There are times we have to follow rules about how long we can keep your personal data, and we have a special page that tells you how long we keep it. For example, once you have completed an award or qualification we keep your data for the duration of it. Children’s personal data is just as, if not more, important as adults' personal data, so we treat them both equally. If you want to know more about this, let us know. Do you have a say in what happens to your personal data? Yes, you have what are called ‘rights’ for the use of your data. One of these is the right to know what we do with it, so that is why this page is so important. You can ask us what personal data we are holding about you, or you can ask us to delete your data. If you think your personal data is incorrect you can tell us, and we will fix it. Rights depend on the reason we are holding your personal data, please ask an adult to help you read our primary privacy policy if you wish to know more about your rights. Whose rules do we have to follow? RLSS UK’s Data Protection Officer is here to protect your data, and to make sure everyone at RLSS UK knows how to keep your data safe. If you would like to speak to our Data Protection Officer, you can ask a parent or guardian to email them at [email protected] or to speak to them by calling us on 0300 323 0096. The Information Commissioners Office (ICO) help to guide us on how to best take care of your data. If you would like to speak to the ICO, you can ask a parent or guardian to find their contact details on our primary privacy policy (Privacy & Cookie Policy | Royal Life Saving Society UK ( RLSS UK )). About our website When you move about our website, you leave little footprints known as ‘cookies’ that help us to get to know you. We can use your footprints to show you things you will find interesting, they can also help us to remember you ready for the next time you visit our website. From your footprint, we know what language you would prefer to use or information you have previously entered like your email address. We cannot tell who you are from your footprints, but we can tell your likes and dislikes for our website. We keep these footprints very safe and never share them with anyone else. You can ask us what we know about you from these footprints, and even ask us to change or delete them. We take your privacy very seriously, if you would like to know any more about the cookies we keep then please ask an adult to help you look through our cookie policy (Privacy & Cookie Policy | Royal Life Saving Society UK ( RLSS UK )). Manage Cookie Preferences