Privacy & Cookie Policy

PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THIS SITE

WEBSITE PRIVACY AND COOKIE POLICY

OFJ Topco Ltd (“We“) are committed to protecting and respecting your privacy.

This policy (together with our terms of use) and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting www.oxygenfreejumping.co.uk you are accepting and consenting to the practices described in this policy.

For the purpose of the Data Protection Act 1998 (the Act), the data controller is OFJ Topco Ltd, a company incorporated in England with registered number 12033667 whose registered address is Unit 15 Vision Industrial Estate, Kendall Avenue, London, W3 0AF.

Our nominated representative for the purpose of the Act is Stephen Wilson.

INFORMATION WE MAY COLLECT FROM YOU

We may collect and process the following data about you:

Information you give us. You may give us information about you by filling in forms on our site www.oxygenfreejumping.co.uk (our site) or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our site, subscribe to our service, place a Booking (as defined in our Terms and Conditions www.oxygenfreejumping.co.uk/terms-conditions/ enter a competition, promotion or survey and when you report a problem with our site. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information, personal description and photograph.

Information we collect about you. With regard to each of your visits to our site we may automatically collect the following information:

– technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;

– information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.

CHANGES OF CONTROL

We may sell, transfer or otherwise share some or all of our assets, including your personal data, in connection with a merger, acquisition, reorganisation or sale of assets or in the event of our insolvency. In such an event, we would need to transfer your personal data to relevant third parties, including any buyer of our business or its assets.

INFORMATION ON COOKIES

We use cookies when you visit our site, full disclosure of usage of these is highlighted in the sections above. By using our site you agree to us placing cookies on your device and accessing them when you visit our site. Further information about cookies can be found at www.aboutcookies.org. We use cookies in the following ways:

– Site functionality. These cookies allow you to use the site and its features.

– Site analytics. These cookies allow us to measure and analyse how you use the site, to improve its functionality and your experience.

– Advertising cookies. These cookies are used to deliver advertising relevant to you on a number of platforms. They also help to limit the number of times you may see an ad and allow us to measure the effectiveness of our marketing campaigns.

WHERE WE STORE YOUR PERSONAL DATA

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff maybe engaged in, among other things, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

YOUR RIGHTS

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking the boxes on our Booking Form.  You can also exercise the right at any time by contacting us at info@oxygenfreejumping.co.uk.

Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates.  If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.  Please check these policies before you submit any personal data to these websites.

ACCESS TO INFORMATION

The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the information we hold about you.

CHANGES TO OUR PRIVACY POLICY

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.

CONTACT

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to info@oxygenfreejumping.co.uk

OTHER TERMS OF PRIVACY

Policy

The Board of Directors and management of Oxygen Freejumping located at 15 Vision Industrial Park, Kendal Avenue, London W3 0AF. committed to compliance with all relevant UK and EU laws in respect of personal data, and to protecting the “rights and freedoms” of individuals whose information Oxygen Freejumping collects in accordance with the General Data Protection Regulation (GDPR). To that end, Oxygen Freejumping has developed, implemented, maintains and continuously improves a documented personal information management system (‘PIMS’).

Scope

Define the scope of the PIMS taking into account organisational structure, management responsibility, jurisdiction and geography. The PIMS may include the whole of the company or a defined part of the company.

This policy applies to all Employees/Staff of Oxygen Freejumping, and interested parties such as outsourced suppliers. Any breach of the GDPR or this PIMS shall be dealt with under Oxygen Freejumping’s disciplinary policy and may also be a criminal offence, in which case the matter shall be reported as soon as possible to the appropriate authorities.

Partners and any third parties working with or for Oxygen Freejumping, and who have or may have access to personal information, shall be expected to have read, understood and to comply with this policy. No third party may access personal data held by Oxygen Freejumping without having first entered into a data confidentiality agreement], which imposes on the third party obligations no less onerous than those to which Oxygen Freejumping is committed, and which gives Oxygen Freejumping the right to audit compliance with the agreement.

Objectives of the PIMS

The objectives for the PIMS are to enable Oxygen Freejumping to meet its own requirements for the management of personal information; that it should support organisational objectives and obligations; that it should impose controls in line with Oxygen Freejumping’s acceptable level of risk; that it should ensure that Oxygen Freejumping meets applicable statutory, regulatory, contractual and/or professional duties; and that it should protect the interests of individuals and other key stakeholders.

Oxygen Freejumping is committed to complying with data protection legislation and good practice including:

• processing personal information only where this is strictly necessary for legitimate organisational purposes;
• collecting only the minimum personal information required for these purposes and not processing excessive personal information;
• providing clear information to individuals about how their personal information will be used and by whom;
• processing only personal information that is relevant and adequate;
• processing personal information fairly and lawfully;
• maintaining an inventory of the categories of personal information processed by Oxygen Freejumping;
• keeping personal information accurate and, where necessary, up to date;
• retaining personal information only for as long as is necessary for legal or regulatory reasons or, for legitimate organisational purposes;
• respecting individuals’ rights in relation to their personal information, including their right of subject access;
• keeping all personal information secure;
• only transferring personal information outside the EU in circumstances where it can be adequately protected;
• the application of the various exemptions allowable by data protection legislation;
• developing and implementing a PIMS to enable this policy to be implemented;
• where appropriate, identifying internal and external stakeholders and the degree to which these stakeholders are involved in the governance of Oxygen Freejumping’s PIMS; and
• the identification of workers with specific responsibility and accountability for the PIMS.

Responsibilities

• Oxygen Freejumping is a [data controller and/or data processor] under the GDPR.
• Top Management and all those in managerial or supervisory roles throughout Oxygen Freejumping are responsible for developing and encouraging good information handling practices within the organisation; responsibilities are set out in individual job descriptions.
• Data Protection Officer/GDPR Owner, a member of the senior management team, is accountable to Board of Directors of Oxygen Freejumping for the management of personal information within Oxygen Freejumping and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:
  • development and implementation of the PIMS as required by this policy; and
  • security and risk management in relation to compliance with the policy.
• All Managers are responsible for ensuring compliance to GDPR and this policy in respect of data processing that takes place within their area of responsibility.
• The Data Protection Officer/GDPR Owner has specific responsibilities in respect of procedures such as the Subject Access Request Procedure and are the first point of call for Employees/Staff seeking clarification on any aspect of data protection compliance.
• Compliance with data protection legislation is the responsibility of all members of Oxygen Freejumping who process personal information.
• Oxygen Freejumping’s Training Policy (Reference) sets out specific training and awareness requirements in relation to specific roles and to members of Oxygen Freejumping generally.
• Members of Oxygen Freejumping are responsible for ensuring that any personal data supplied by them, and that is about them, to Oxygen Freejumping is accurate and up-to-date.

Identify Privacy Risks

Oxygen Freejumping has identified all the personal data that it processes and this is contained in the Data Inventory Register

Oxygen Freejumping has a process for assessing the level of risk to individuals associated with the processing of their personal information. Assessments shall also be carried out in relation to processing undertaken by other organisations on behalf of Oxygen Freejumping.

Oxygen Freejumping shall manage any risks which are identified by the risk assessment in order to reduce the likelihood of a non-conformance with this policy.

Oxygen Freejumping shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, where a type of processing is likely to result in a high risk to the “rights and freedoms” of natural persons.

Oxygen Freejumping shall conduct these assessments prior to any processing using new technologies and taking into account the nature, scope, context and purposes of the processing.  A single assessment may address a set of similar processing operations that present similar high risks.

Where, as a result of a Data Protection Impact Assessment, it is clear that Oxygen Freejumping is about to commence processing of personal information that could cause damage and/or distress to the data subjects, the decision as to whether or not Oxygen Freejumping may proceed must be escalated for review to the Data Protection Officer/GDPR Owner. The Data Protection Officer / GDPR Owner shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, escalate the matter to the supervisory authority.

Data Protection Principles

All processing of personal data must be done in accordance with the following data protection principles of the Regulation, and Oxygen Freejumping’s policies and procedures are designed to ensure compliance with them.

Legality, Transparency & Fairness Principle

Personal data must be processed lawfully, fairly and transparently.

Oxygen Freejumping’s Fair Processing Procedure is set out in Fair Processing Notice

The GDPR introduces the requirement for transparency whereby the controller has transparent and easily accessible policies relating to the processing of personal data and the exercise of individuals’ “rights and freedoms”. Information must be communicated to the data subject in an intelligible form using clear and plain language.

The specific information that must be provided to the data subject must as a minimum include:

• the identity and the contact details of the controller and, if any, of the controller’s representative;
• the contact details of the Data Protection Officer, where applicable;
• the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• the period for which the personal data shall be stored;
• the existence of the rights to request access, rectification, erasure or to object to the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients of the personal data, where applicable;
• where applicable, that the controller intends to transfer personal data to a recipient in a third country and the level of protection afforded to the data;
• any further information necessary to guarantee fair processing.

Purpose Limitation Principle

Personal data can only be collected for specified, explicit and legitimate purposes. Data obtained for specified purposes must not be used for a purpose that differs from the purpose for which it was originally collected.

Minimisation Principle

Personal data shall be relevant and limited to what is necessary for processing:

• The Data Protection Officer/GDPR Owner is responsible for ensuring that information, which is not strictly necessary for the purpose for which it is obtained, is not collected.
• All data collection forms (electronic or paper-based), including data collection requirements in new information systems, must be approved by the Data Protection Officer / GDPR Owner.
• The Data Protection Officer / GDPR Owner shall ensure that, on an annual basis all data collection methods are reviewed by internal audit or external experts to ensure that collected data continues to be relevant and not excessive.
• If data is given or obtained that is excessive or not specifically required by Oxygen Freejumping’s documented procedures, the Data Protection Officer / GDPR Owner is responsible for ensuring that it is securely deleted or destroyed.

Accuracy Principle

Personal data must be accurate and kept up to date.

The Head of HR is responsible for ensuring that all staff are trained in the importance of collecting accurate data and maintaining it.

It is also the responsibility of individuals to ensure that data held by Oxygen Freejumping is accurate and up-to-date. Completion of an appropriate registration or application form etc shall be taken as an indication that the data contained therein is accurate at the date of submission.

Employees/Staff / [customers/others should notify Oxygen Freejumping of any changes in circumstance to enable personal records to be updated accordingly.

It is the responsibility of Oxygen Freejumping to ensure that any notification regarding change of circumstances is noted and acted upon.

The Data Protection Officer / GDPR Owner is responsible for ensuring that appropriate additional steps are taken to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.

The Data Protection Officer / GDPR Owner is responsible for making appropriate arrangements that, where third party organisations may have been passed inaccurate or out-of-date personal information, for informing them that the information is inaccurate and/or out-of-date and is not to be used to inform decisions about the individuals concerned; and for passing any correction to the personal information to the third party where this is required.

Storage Limitation Principle

On at least an annual basis, the Data Protection Officer / GDPR Owner shall review all the personal data maintained by Oxygen Freejumping, by reference to the Data Inventory Register, and shall identify any data that is no longer required in the context of the registered purpose and shall arrange to have that data securely deleted/destroyed

Where personal data is retained beyond the processing date, it shall be encrypted or pseudonymised in order to protect the identity of the data subject in the event of a data breach.

Personal data shall be retained in line with the retention of records procedure and, once its retention date is passed, it must be securely destroyed as set out in this procedure.

The Data Protection Officer / GDPR Owner must specifically approve any data retention that exceeds the retention periods defined GDPR DOC 2.3, and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval must be written.

Integrity and Confidentiality Principle

Personal Data shall be processed in a manner that ensures its security.

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

These controls shall be selected on the basis of identified risks to personal data, and the potential for damage or distress to individuals whose data is being processed.

Oxygen Freejumping’s compliance with this principle is contained in its Information Security Policy set out in the Privacy Policy.

Oxygen Freejumping shall conduct regular reviews of its technical and organisational measures and controls to assure they remain comply with policy and are effective.

Accountability Principle

The GDPR introduces the principle of accountability which states that the controller is not only responsible for ensuring compliance but for demonstrating that each processing operation complies with the requirements of the GDPR.

Specifically, controllers are required to maintain necessary documentation of all processing operations, implement appropriate security measures, perform DPIAs (Data Processing Impact Assessment), comply with requirements for prior notifications, or approval from supervisory authorities and appoint a Data Protection Officer if required.

International Transfers

Oxygen Freejumping shall not transfer personal data to any country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the ‘rights and freedoms’ of data subjects in relation to the processing of personal data.

Prior to transferring data Oxygen Freejumping shall conduct an assessment to assure one or more of the specified safeguards or exceptions apply to the transfer of data:

Safeguards

• Adequacy: An assessment of the adequacy by the data controller taking into account the following factors:
  • the nature of the information being transferred;
  • the country or territory of the origin, and final destination, of the information;
  • how the information will be used and for how long;
  • the laws and practices of the country of the transferee, including relevant codes of practice and international obligations; and
  • the security measures that are to be taken as regards the data in the overseas location. (This is a UK-specific option.)
• Binding corporate rules: Oxygen Freejumping may adopt approved Binding Corporate Rules for the transfer of data outside the EU. This requires submission to the relevant Supervisory Authority for approval of the rules that Oxygen Freejumping is seeking to rely upon.
• Model contract clauses: Oxygen Freejumping may adopt approved model contract clauses for the transfer of data outside of the EU. If Oxygen Freejumping adopts the model contract clauses approved by the relevant Supervisory Authority there is an automatic recognition of adequacy.

Exceptions

In the absence of an adequacy decision, including binding corporate rules, a transfer of personal data to a third country, or an international organisation, shall take place only on one of the following conditions:

• the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
• the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
• the transfer is necessary for important reasons of public interest;
• the transfer is necessary for the establishment, exercise or defence of legal claims;
• the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
• the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.

A list of countries that satisfy the adequacy requirements of the Commission are published in the Official Journal of the European Union.

Data subjects’ rights

Data subjects have the following rights regarding data processing, and the data that is recorded about them:

• The right to be informed of the processing of their personal data and 3rd Parties that hold data
• The right of Access to their personal data.

To make a subject access request regarding the processing of their data, the nature of information held and to whom it has been disclosed.  The Oxygen Freejumping data Subject Access Request Process shall ensure that its response to the data access request complies with the requirements of the Regulation.

Personal data shall be provided to data subjects in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.

• The Right to Rectification. Require the Data Controller to rectify errors in personal data.
• The Right of Erasure. The “Right to be Forgotten”.  Request erasure including when
  • Processing is no longer necessary for the intended purpose
  • When the Data Subject Withdraws Consent
  • When the Data Subject objects to processing and there are no overriding legitimate grounds for the processing
• The Right to Restrict Processing by requesting a suspension of processing of their personal data
• The Right to Object to:
  • Processing for purposes of direct marketing.
  • Processing for purposes of scientific/historical research and statistics
  • Processing based on the legitimate interests or the performance of a task in the public interest/exercise of official authority
• Automated Decision Making and Profiling Rights
  • To be informed about the mechanics of automated decision-taking process that will significantly affect them.
  • Not to have significant decisions that will affect them taken solely by automated process.
  • The right to object to any automated profiling without consent.

Complaints

Data Subjects who wish to complain to Oxygen Freejumping about how their personal information has been processed may lodge their complaint directly with the Data Protection Officer / GDPR Owner by means of you need to modify your existing complaints procedure to include a GDPR complaints section, and you will need create a form, usually on the ‘Contact Us’ section of your website, into which data subjects can enter the details of their complaint. They will need to be shown the Fair Processing Notice at this point.

Data subjects may also complain directly to the ICO, and Oxygen Freejumping provides appropriate contact details on our Contact page.

Where data subjects wish to complain about how their complaint has been handled, or appeal against any decision made following a complaint, they may lodge a further complaint to the Data Protection Officer / GDPR Owner. The right to do this should be included in the GDPR section of Oxygen Freejumping’s complaints procedure.

Consent

Oxygen Freejumping understands ‘consent’ to mean that it has been explicitly and freely given, is a specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement, or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The consent of the data subject can be withdrawn at any time.

Oxygen Freejumping understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information shall not be a valid basis for processing. There must be some active communication between the parties which demonstrate active consent. Consent cannot be inferred from non-response to a communication. For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.

In most instances consent to process personal and sensitive data is obtained routinely by Oxygen Freejumping using standard consent documents e.g. when a new member of staff signs a contract of employment, or during induction for participants on programmes.

Where Oxygen Freejumping provides online services to children, parental, or custodial authorisation must be obtained. This requirement applies to children under the age of 16 (unless the Member State has made provision for a lower age limit – which may be no lower than 13).

Security of data

All Employees/Staff are responsible for ensuring that any personal data which Oxygen Freejumping holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by Oxygen Freejumping to receive that information and has entered into a confidentiality agreement.

All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Access Control Policy. You should form a judgment based upon the sensitivity and value of the information in question, but personal data must be kept:

• in a lockable room with controlled access; and/or
• in a locked drawer or filing cabinet; and/or
• if computerised, password protected in line with corporate requirements in the Access Control Policy; and/or
• stored on (removable) computer media which is encrypted to Oxygen Freejumping encryption Policy.

Care must be taken to ensure that PC screens and terminals are not visible except to authorised Employees/Staff of Oxygen Freejumping. All Employees/Staff are required to enter into a Non Disclosure and an Acceptable Use Agreement before they are given access to organisational information of any sort.

Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit authorisation. As soon as manual records are no longer required for day-to-day client support, they must be removed from secure archiving.

Personal data may only be deleted or disposed of in line with the Data Retention Procedure. Manual records that have reached their retention date are to be shredded and disposed of as ‘confidential waste’. Hard drives of redundant PCs are to be removed and immediately destroyed before disposal.

Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data. Staff must be specifically authorised to process data off-site.

Rights of access to data

Data subjects have the right to access any personal data (i.e. data about them) which is held by Oxygen Freejumping in electronic format and manual records which form part of a relevant filing system. This includes the right to inspect confidential personal references received by Oxygen Freejumping, and information obtained from third-party organisations about that person.

Disclosure of data

Oxygen Freejumping must ensure that personal data is not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the Police. All Employees/Staff should exercise caution when asked to disclose personal data held on another individual to a third party and shall be required to attend specific training that enables them to deal effectively with any such risk.  It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of Oxygen Freejumping’s business.

The GDPR permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:

• to safeguard national security;
• prevention or detection of crime including the apprehension or prosecution of offenders;
• assessment or collection of tax duty;
• discharge of regulatory functions (includes health, safety and welfare of persons at work);
• to prevent serious harm to a third party;
• to protect the vital interests of the individual, this refers to life and death situations.

All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer / GDPR Owner.

Retention and disposal of data

Personal data may not be retained for longer than it is required. Once a member of staff has left Oxygen Freejumping, it may not be necessary to retain all the information held on them. Some data shall be kept for longer periods than others. Oxygen Freejumping’s data retention and data disposal procedures shall apply in all cases.

Disposal of records

Personal data must be disposed of in a way that protects the “rights and freedoms” of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and in line with the secure disposal procedure.