Privacy notice

1. Background

This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you. It applies to all courses and services, and instances where we collect your personal data.

This privacy notice applies to personal information processed by York MBSR Ltd and The Northern Centre for Mindfulness and Compassion Ltd.

Changes to this privacy notice

We may change this privacy notice from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. We encourage you to check this privacy notice for changes whenever you visit our website.

Our Data Protection Officer

We have a dedicated data protection officer (“DPO”). You can contact the DPO by writing to the address below, marking it for the attention of the DPO or via email.

York MBSR Ltd
Priory Street Centre
15 Priory Street
York
YO1 6ET

Email: Relax@YorkMBSR.co.uk

2. What kinds of personal information about you do we process?

Personal information that we’ll process in connection with all of our courses and services, if relevant, includes:

  • Personal and contact details, such as title, full name, contact details
  • Your date of birth, gender and/or age
  • Details of emergency contacts
  • Courses and services, you have attended with us
  • Marketing to you, including history of those communications, whether you open them or click on links. Correspondence may include any of our courses and services
  • Information about your health relevant to service or course provided
  • Reason for attending a course or service
  • Any course or service specific questionnaires

3. What is the source of your personal information?

We’ll collect personal information directly from yourself.

4. Access to data

You have a right to access your personal data held by us and you can exercise that right by contacting us at the above address. Our aim is to respond to a request promptly and within the legally required limit.

5. What do we use your personal data for?

We use your personal data, including any of the personal data listed in section 2 above, for the following purposes:

  • Assessing an application for a courses or service, including course suitability, the price, the risk of doing so, availability of payment method and the terms
  • Managing the course or service you have with us
  • Updating your records, tracing your whereabouts and recovering debt (if appropriate)
  • Managing any aspect of the course or service
  • For management and auditing of our business operations including accounting
  • To monitor and to keep records of our communications with you and our staff
  • For developing statistics
  • For direct marketing communications. We’ll send marketing to you by email and social media (for example, Facebook).
  • To comply with legal and regulatory obligations, requirements and guidance

6. What are the legal grounds for our processing of your personal information (including when we share it with others)?

We rely on the following legal bases to use your personal data:

    1. Where it is needed and given consensually to provide you with our courses or services, such as:
      a) Assessing an application for a courses or service, including course suitability, the price, the risk of doing so, availability of payment method and the terms
      b) Managing courses and services you attend with us
      c) Updating your records, tracing your whereabouts to contact you about your account and doing this for recovering debt (where appropriate)
    2. Where it is in our legitimate interests to do so, such as:
      a) Managing your courses and services relating to that, updating your records, tracing your whereabouts to contact you about your account and doing this for recovering debt (where appropriate)
      b) To perform our courses, services and internal processes
      c) To follow guidance and recommended best practice of government and regulatory bodies
      d) For management and audit of our business operations including accounting
      e) To carry out monitoring and to keep records of our communications with you and our staff
      g) To administer our good governance requirements such as internal reporting and compliance obligations
      h) For developing statistics
      i) For direct marketing communications
      j) Where we need to share your personal information with people or organisations in order to run our business or comply with any legal and/or regulatory obligations
    3. To comply with our legal obligations
    4. With your consent for direct marketing communications

7. When do we share your personal information with other organisations?

We will only share personal data with others where we are legally permitted to do so. When sharing data with others we will ensure contractual agreements and security mechanisms are in place to protect your data.

We may share information with the following third parties for the purposes as listed above:

  • Business partners (for example, commissioned courses / services), where you are a beneficiary of the commissioned course or service
  • Governmental and regulatory bodies such as HMRC, the Information Commissioner’s Office
  • Other organisations and businesses who provide services to us such as debt recovery agencies, back up and server hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back office functions

8. How and when can you withdraw your consent?

Where we’re relying upon your consent to process personal data, you can withdraw this at any time by contacting us using the details above.

9. Is your personal information transferred outside the UK or the EEA?

We’re based in the UK but sometimes your personal information may be transferred outside the European Economic Area. If we do so we’ll make sure that suitable safeguards are in place, for example by ensuring GDPR compliancy.

10. What should you do if your personal information changes?

You should tell us so that we can update our records using the contact details as above. Once informed that any personal data held by us is no longer accurate we will make changes based upon your updated information. We’ll then update your records if we can.

11. Do you have to provide your personal information to us?

We’re unable to provide you with our courses or services if you do not provide certain information to us. In cases where providing some personal information is optional, we’ll make this clear.

12. For how long is your personal information retained by us?

Unless we explain otherwise to you, we’ll hold your personal information based on the following criteria:

  • For as long as we have reasonable business needs, such as managing our relationship with you and managing our operations
  • For as long as we provide courses and/or services to you
  • For as long as someone could bring a claim against us; and/or
  • Retention periods in line with legal and regulatory requirements or guidance.

13. What are your rights under data protection laws?

Here is a list of the rights that all individuals have under data protection laws. They don’t apply in all circumstances. If you wish to use any of them, we’ll explain at that time if they are engaged or not. The right of data portability is only relevant from 25th May 2018.

  • The right to be informed about the processing of your personal information
  • The right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
  • The right to object to processing of your personal information
  • The right to restrict processing of your personal information
  • The right to have your personal information erased (the “right to be forgotten”)
  • The right to request access to your personal information and to obtain information about how we process it
  • The right to move, copy or transfer your personal information (“data portability”)

If you have a complaint about the use of your personal data, please contact us at the address above with details of your complaint. You also have the right to complain to the Information Commissioner’s Office (ICO) which enforces data protection laws: https://ico.org.uk/. Please refer to their website on your rights and how to complain to the ICO.

14. Your right to object

You have the right to object to certain purposes for processing, in particular to data processed for direct marketing purposes and to data processed for certain reasons based on our legitimate interests. You can contact using the address above to exercise these rights.

15. What are your marketing preferences and what do they mean?

You can opt out of any email marketing by following the unsubscribe links. You can also write to us at the address above marking it for the attention of the DPO. Or send us an email requesting to be unsubscribed.

16. Contact Us

If you have any questions about this privacy notice, or if you wish to exercise your rights or contact the DPO, you can contact us by writing or emailing using the contact details above, marking correspondence for the attention of the DPO.