PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THIS SITE
OFJ Topco Ltd (“We”) are committed to protecting and respecting your privacy.
For the purpose of the Data Protection Act 1998 (the Act), the data controller is OFJ Topco Ltd, a company incorporated in England with registered number 12033667 whose registered address is Unit 15 Vision Industrial Estate, Kendall Avenue, London, W3 0AF.
Our nominated representative for the purpose of the Act is Stephen Wilson.
INFORMATION WE MAY COLLECT FROM YOU
We may collect and process the following data about you:
Information you give us. You may give us information about you by filling in forms on our site www.oxygenfreejumping.co.uk (our site) or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our site, subscribe to our service, place a Booking (as defined in our Terms and Conditions www.oxygenfreejumping.co.uk/terms-conditions/), enter a competition, promotion or survey and when you report a problem with our site. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information, personal description and photograph.
Information we collect about you. With regard to each of your visits to our site we may automatically collect the following information:
– technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
– information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
CHANGES OF CONTROL
We may sell, transfer or otherwise share some or all of our assets, including your personal data, in connection with a merger, acquisition, reorganisation or sale of assets or in the event of our insolvency. In such an event, we would need to transfer your personal data to relevant third parties, including any buyer of our business or its assets.
INFORMATION ON COOKIES
– Site functionality. These cookies allow you to use the site and its features.
– Site analytics. These cookies allow us to measure and analyse how you use the site, to improve its functionality and your experience.
– Advertising cookies. These cookies are used to deliver advertising relevant to you on a number of platforms. They also help to limit the number of times you may see an ad and allow us to measure the effectiveness of our marketing campaigns.
WHERE WE STORE YOUR PERSONAL DATA
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking the boxes on our Booking Form. You can also exercise the right at any time by contacting us at firstname.lastname@example.org.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
ACCESS TO INFORMATION
The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the information we hold about you.
The Board of Directors and management of Oxygen Freejumping, located at 15 Vision Industrial Park, Kendal Avenue, London W3 0AF, are committed to compliance with all relevant UK and EU laws in respect of personal data, and to protecting the “rights and freedoms” of individuals whose information Oxygen Freejumping collects in accordance with the General Data Protection Regulation (GDPR). To that end, Oxygen Freejumping has developed, implemented, maintains and continuously improves a documented personal information management system (‘PIMS’).
Define the scope of the PIMS taking into account organisational structure, management responsibility, jurisdiction and geography. The PIMS may include the whole of the company or a defined part of the company.
This policy applies to all Employees/Staff of Oxygen Freejumping, and interested parties such as outsourced suppliers. Any breach of the GDPR or this PIMS shall be dealt with under Oxygen Freejumping’s disciplinary policy and may also be a criminal offence, in which case the matter shall be reported as soon as possible to the appropriate authorities.
Partners and any third parties working with or for Oxygen Freejumping, and who have or may have access to personal information, shall be expected to have read, understood and to comply with this policy. No third party may access personal data held by Oxygen Freejumping without having first entered into a data confidentiality agreement, which imposes on the third party obligations no less onerous than those to which Oxygen Freejumping is committed, and which gives Oxygen Freejumping the right to audit compliance with the agreement.
Objectives of the PIMS
The objectives for the PIMS are to enable Oxygen Freejumping to meet its own requirements for the management of personal information; that it should support organisational objectives and obligations; that it should impose controls in line with Oxygen Freejumping’s acceptable level of risk; that it should ensure that Oxygen Freejumping meets applicable statutory, regulatory, contractual and/or professional duties; and that it should protect the interests of individuals and other key stakeholders.
Oxygen Freejumping is committed to complying with data protection legislation and good practice including:
Identify Privacy Risks
Oxygen Freejumping has identified all the personal data that it processes and this is contained in the Data Inventory Register.
Oxygen Freejumping has a process for assessing the level of risk to individuals associated with the processing of their personal information. Assessments shall also be carried out in relation to processing undertaken by other organisations on behalf of Oxygen Freejumping.
Oxygen Freejumping shall manage any risks which are identified by the risk assessment in order to reduce the likelihood of a non-conformance with this policy.
Oxygen Freejumping shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, where a type of processing is likely to result in a high risk to the “rights and freedoms” of natural persons.
Oxygen Freejumping shall conduct these assessments prior to any processing using new technologies and taking into account the nature, scope, context and purposes of the processing. A single assessment may address a set of similar processing operations that present similar high risks.
Where, as a result of a Data Protection Impact Assessment, it is clear that Oxygen Freejumping is about to commence processing of personal information that could cause damage and/or distress to the data subjects, the decision as to whether or not Oxygen Freejumping may proceed must be escalated for review to the Data Protection Officer/GDPR Owner. The Data Protection Officer / GDPR Owner shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, escalate the matter to the supervisory authority.
Data Protection Principles
All processing of personal data must be done in accordance with the following data protection principles of the Regulation, and Oxygen Freejumping’s policies and procedures are designed to ensure compliance with them.
Legality, Transparency & Fairness Principle
Personal data must be processed lawfully, fairly and transparently.
Oxygen Freejumping’s Fair Processing Procedure is set out in the Fair Processing Notice.
The GDPR introduces the requirement for transparency whereby the controller has transparent and easily accessible policies relating to the processing of personal data and the exercise of individuals’ “rights and freedoms”. Information must be communicated to the data subject in an intelligible form using clear and plain language.
The specific information that must be provided to the data subject must as a minimum include:
Purpose Limitation Principle
Personal data can only be collected for specified, explicit and legitimate purposes. Data obtained for specified purposes must not be used for a purpose that differs from the purpose for which it was originally collected.
Personal data shall be relevant and limited to what is necessary for processing:
Personal data must be accurate and kept up to date.
The Head of HR is responsible for ensuring that all staff are trained in the importance of collecting accurate data and maintaining it.
It is also the responsibility of individuals to ensure that data held by Oxygen Freejumping is accurate and up-to-date. Completion of an appropriate registration or application form etc shall be taken as an indication that the data contained therein is accurate at the date of submission.
Employees/Staff / customers/others should notify Oxygen Freejumping of any changes in circumstance to enable personal records to be updated accordingly.
It is the responsibility of Oxygen Freejumping to ensure that any notification regarding change of circumstances is noted and acted upon.
The Data Protection Officer / GDPR Owner is responsible for ensuring that appropriate additional steps are taken to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
The Data Protection Officer / GDPR Owner is responsible for making appropriate arrangements, where third party organisations may have been passed inaccurate or out-of-date personal information, for informing them that the information is inaccurate and/or out-of-date and is not to be used to inform decisions about the individuals concerned; and for passing any correction to the personal information to the third party where this is required.
Storage Limitation Principle
On at least an annual basis, the Data Protection Officer / GDPR Owner shall review all the personal data maintained by Oxygen Freejumping, by reference to the Data Inventory Register, and shall identify any data that is no longer required in the context of the registered purpose and shall arrange to have that data securely deleted/destroyed.
Where personal data is retained beyond the processing date, it shall be encrypted or pseudonymised in order to protect the identity of the data subject in the event of a data breach.
Personal data shall be retained in line with the retention of records procedure and, once its retention date is passed, it must be securely destroyed as set out in this procedure.
The Data Protection Officer / GDPR Owner must specifically approve any data retention that exceeds the retention periods defined in GDPR DOC 2.3, and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval must be written.
Integrity and Confidentiality Principle
Personal Data shall be processed in a manner that ensures its security.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
These controls shall be selected on the basis of identified risks to personal data, and the potential for damage or distress to individuals whose data is being processed.
Oxygen Freejumping shall conduct regular reviews of its technical and organisational measures and controls to ensure they remain compliant with policy and are effective.
The GDPR introduces the principle of accountability which states that the controller is not only responsible for ensuring compliance but for demonstrating that each processing operation complies with the requirements of the GDPR.
Specifically, controllers are required to maintain necessary documentation of all processing operations, implement appropriate security measures, perform DPIAs (Data Protection Impact Assessments), comply with requirements for prior notifications or approval from supervisory authorities, and appoint a Data Protection Officer if required.
Oxygen Freejumping shall not transfer personal data to any country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the ‘rights and freedoms’ of data subjects in relation to the processing of personal data.
Prior to transferring data Oxygen Freejumping shall conduct an assessment to assure one or more of the specified safeguards or exceptions apply to the transfer of data:
In the absence of an adequacy decision, including binding corporate rules, a transfer of personal data to a third country, or an international organisation, shall take place only on one of the following conditions:
A list of countries that satisfy the adequacy requirements of the Commission is published in the Official Journal of the European Union.
Data subjects’ rights
Data subjects have the following rights regarding data processing, and the data that is recorded about them:
To make a subject access request regarding the processing of their data, the nature of information held and to whom it has been disclosed. The Oxygen Freejumping data Subject Access Request Process shall ensure that its response to the data access request complies with the requirements of the Regulation.
Personal data shall be provided to data subjects in a structured, commonly used and machine-readable format, and data subjects have the right to have that data transmitted to another controller.
Data Subjects who wish to complain to Oxygen Freejumping about how their personal information has been processed may lodge their complaint directly with the Data Protection Officer / GDPR Owner by means of you need to modify your existing complaints procedure to include a GDPR complaints section, and you will need to create a form, usually on the ‘Contact Us’ section of your website, into which data subjects can enter the details of their complaint. They will need to be shown the Fair Processing Notice at this point.
Data subjects may also complain directly to the ICO, and Oxygen Freejumping provides appropriate contact details on our Contact page.
Where data subjects wish to complain about how their complaint has been handled, or appeal against any decision made following a complaint, they may lodge a further complaint to the Data Protection Officer / GDPR Owner. The right to do this should be included in the GDPR section of Oxygen Freejumping’s complaints procedure.
Oxygen Freejumping understands ‘consent’ to mean that it has been explicitly and freely given, is a specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement, or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The consent of the data subject can be withdrawn at any time.
Oxygen Freejumping understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information shall not be a valid basis for processing. There must be some active communication between the parties which demonstrates active consent. Consent cannot be inferred from non-response to a communication. For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.
In most instances consent to process personal and sensitive data is obtained routinely by Oxygen Freejumping using standard consent documents e.g. when a new member of staff signs a contract of employment, or during induction for participants on programmes.
Where Oxygen Freejumping provides online services to children, parental or custodial authorisation must be obtained. This requirement applies to children under the age of 16 (unless the Member State has made provision for a lower age limit – which may be no lower than 13).
Security of data
All Employees/Staff are responsible for ensuring that any personal data which Oxygen Freejumping holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by Oxygen Freejumping to receive that information and has entered into a confidentiality agreement.
All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Access Control Policy. You should form a judgment based upon the sensitivity and value of the information in question, but personal data must be kept:
Care must be taken to ensure that PC screens and terminals are not visible except to authorised Employees/Staff of Oxygen Freejumping. All Employees/Staff are required to enter into a Non Disclosure and an Acceptable Use Agreement before they are given access to organisational information of any sort.
Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit authorisation. As soon as manual records are no longer required for day-to-day client support, they must be removed from secure archiving.
Personal data may only be deleted or disposed of in line with the Data Retention Procedure. Manual records that have reached their retention date are to be shredded and disposed of as ‘confidential waste’. Hard drives of redundant PCs are to be removed and immediately destroyed before disposal.
Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data. Staff must be specifically authorised to process data off-site.
Rights of access to data
Data subjects have the right to access any personal data (i.e. data about them) which is held by Oxygen Freejumping in electronic format and manual records which form part of a relevant filing system. This includes the right to inspect confidential personal references received by Oxygen Freejumping, and information obtained from third-party organisations about that person.
Disclosure of data
Oxygen Freejumping must ensure that personal data is not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the Police. All Employees/Staff should exercise caution when asked to disclose personal data held on another individual to a third party and shall be required to attend specific training that enables them to deal effectively with any such risk. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of Oxygen Freejumping’s business.
The GDPR permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer / GDPR Owner.
Retention and disposal of data
Personal data may not be retained for longer than it is required. Once a member of staff has left Oxygen Freejumping, it may not be necessary to retain all the information held on them. Some data shall be kept for longer periods than others. Oxygen Freejumping’s data retention and data disposal procedures shall apply in all cases.
Disposal of records
Personal data must be disposed of in a way that protects the “rights and freedoms” of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and in line with the secure disposal procedure.