Penny’s Pilates - GDPR Data Protection 2018
The following list shows the information I hold on individuals attending my classes.
• Classes: those who currently attend regular classes or have attended classes in the past
• One to One and Small Groups: those who attend personal sessions or have attended personal
sessions in the past
Most of the information below is self-evident. Please remember you hold rights under the General
Data Protection Regulation (GDPR).
• Name (first, last)
• Address, including postcode
• Phone number (mobile and/or landline)
• Email Address
• Date of Birth/Age
• Emergency Contact Name and Number
• Health Questionnaire (PARQ)
• Physical/medical requirements
• Allergies or Intolerances
• Attendance Records
1) I will keep the records of people who no longer use my service but who have attended either
group classes or one-to-one sessions in the past. I will hold this information for seven years after a
person has last used my services, or until it is no longer necessary. I will then delete/shred it as
2) The Health Questionnaire is a list of questions with Yes/No answers, plus an open text area where
you can provide further information. This helps me to identify issues you might have and alerts me
to modify some Pilates moves, if required, for your comfort and safety.
4) At the start of each session of classes I generate one page per class listing the names of all
attendees. This provides me with a quick reference of who attended each session.
Your Rights Under GDPR
The eight rights of all individuals are a key part of the General Data Protection Regulation (GDPR)
(2018). These eight rights protect individuals when a business processes their personal data.
Below are summaries of the eight rights. You can find more detail on the internet. Some of the
points below do not apply to your data held by Penny’s Pilates. I do not obtain any of your data from
3rd parties and I do not share any of your data with 3rd parties. Furthermore, your data is used only
to help me provide the best service I can and to treat you as an individual.
If you have any queries or would like to exercise any of your rights under GDPR, please email
1. The right to be informed - This right is concerned with informing an individual how and why you’re
using their personal data. You should provide details of processing information, typically through a
privacy notice. The details of the information that you must provide depend on whether
you obtained the personal data from the individual directly or from a third party. General
information that you should always provide includes who you are, what you’ll be doing with the info,
and who you’ll share it with.
2. The right of access - This is concerned with providing individuals with access to their data to
confirm it’s being processed, making them aware of what information is being used, and allowing them
to verify that the processing is lawful.
3. The right to rectification - Sometimes referred to as the right to have information corrected, this
is concerned with the individual being entitled to have their data rectified if it’s inaccurate, out of
date or incomplete.
4. The right to erasure - Also known as the right to be forgotten, this is concerned with an
individual’s right to request to have their data removed when there’s no reason to continue
5. The right to restrict processing - This means the individual has the right to block or suppress the
processing of their data.
6. The right to data portability - This is concerned with allowing an individual to obtain and safely
reuse their data across different services for their own purposes. An example of when they might
want to do this includes using their data on a price comparison website, or to help understand their
7. The right to object - This means an individual has the right to object to their data being
8. Rights in relation to automated decision making and profiling - This means an individual has the
right not to be subject to a business’s automatic decision making in certain circumstances. It’s
concerned with a business providing safeguards for an individual against the risk that it might make
a potentially damaging decision, without human intervention.