PRIVACY POLICY
Policy statement
Leicester Racecourse (‘we’, ‘us’, and ‘our’) is committed to fully complying with all the requirements of the General Data Protection Regulation (GDPR).
Scope
This data protection policy explains how we will comply with our responsibilities and obligations under the GDPR and applies to:
- All personal data whose use is controlled by us, whether kept on paper or electronically (i.e. on computers);
- All our staff and any of our data processors.
NB: This policy should be read and used in conjunction with our other following policies:
- Internet and email policy;
- Social media policy;
- Cookies policy;
- Mobile phone and mobile devices policy.
Objective
The objective of this policy is to:
- Ensure we follow the principles of data protection;
- Ensure personal data is processed in a consistent manner throughout the organisation at all times;
- Clarify responsibilities for implementing, complying and monitoring this policy;
- Give guidance to staff and data processors about how to identify and minimise the risks of breaching the GDPR as well as the possible consequences of doing so.
Definitions
Personal data means any information relating to an identified or identifiable person (‘data subject’) such as a name, postal/email address or an identification number. Examples of personal data typically processed by us are:
- First and last names;
- Postal and email addresses;
- Telephone numbers;
- Bank account and payment card details;
- Identity documents (e.g. passports & driving licence);
- Identity numbers (e.g. National Insurance and Bank accounts);
- Career & educational documents (e.g. CVs & qualifications);
- Any contact information (e.g. next of kin).
Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation and data concerning criminal convictions or offences. Examples of special category personal data typically processed by us are:
- Health and medical information about players and other staff;
- Information about gender, ethnic origin and race of children in community programmes;
- CCTV imagery (which includes facial recognition);
- Staff sickness records.
Data subject means any individual whose personal data is processed by us. Examples of our data subjects are:
- Raceday Guests & Customers;
- Owners, Trainers and Jockeys;
- Employees, Interns and Volunteers;
- Next of kin;
- Job applicants;
- Sponsors;
- Clients;
- Suppliers;
- Contacts.
Processing means any use of personal data such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, erasure and destruction. NB: This means that virtually anything we do with personal data will be processing.
Data controller means the organisation which decides the purposes and means of the processing of personal data. NB: We are the data controller for the purposes of this policy.
Data processor means an individual or organisation that processes personal data on our behalf. Examples of our data processors are:
- NucleusHR;
- Nest;
- Clarity;
- Premier Racing Safety;
- BHA;
- Constant Security.
Personal data breach means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Staff means anyone working at or for us, including:
- Board members;
- Directors;
- Permanent, interim and temporary employees;
- Trainees;
- Interns;
- Volunteers.
Principles of data protection
Personal data shall be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Accurate and, where necessary, kept up to date (‘accuracy’);
- Kept for no longer than is necessary (‘storage limitation’);
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Roles and responsibilities
Our Board Members and Directors have ultimate responsibility for ensuring compliance with the GDPR, the principles of data protection and this policy.
The Data Controller has day-to-day operational responsibility for ensuring we comply with the GDPR, the principles of data protection and this policy. They can be contacted at dataprotection@leicester-racecourse.com.
All staff have a responsibility to comply with the GDPR, the principles of data protection and this policy when carrying out their duties. Line managers are responsible for supporting staff’s adherence to this policy. All data processors have a responsibility to comply with the GDPR, the principles of data protection and this policy when carrying out their contractual and statutory obligations to us. Failure to comply with this policy may result in legal and/or disciplinary action.
Rights
Data subjects have the right to:
- Be informed about the collection and use of their personal data;
- Access their personal data;
- Rectification of inaccurate personal data;
- Erasure (deletion) of their personal data (also known as the ‘right to be forgotten’)*;
- Restrict processing of their personal data*;
- Data portability - to easily move, copy or transfer their personal data;
- Object to:
  - processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  - direct marketing (including profiling); and
  - processing for purposes of scientific/historical research and statistics;
- Appropriate decision-making in relation to automated decision making and profiling.
*This is not an absolute right and only applies in certain circumstances.
How We Collect Data
We may obtain your data through a variety of means, including (but not limited to):
- when you purchase or use any of our products or services;
- via enquiry, registration, and live chat platforms;
- via feedback forms and forums;
- when you fill out a survey, or vote in a poll on our website;
- via cookies. You can find out more about this in our Cookies Policy;
- via our telephone calls with you, which may be recorded;
- when you provide your details to us either online or offline; and
- when you provide a service to us (as a supplier).
Subject Access Requests
Any data subject may make a Subject Access Request (‘SAR’). Any member of staff or data processor in receipt of a SAR must pass it on to their line manager as soon as possible, as a matter of urgency.
Security
All staff and data processors are responsible for ensuring that any personal data for which we are responsible is kept securely. Examples of keeping personal data secure are:
- Paper files/records should be kept in locked cabinets when not in use;
- Monitors/computer screens should be visible only to those who need to see them;
- Paper files/records should not be removed from our business premises without appropriate authorisation;
- Desks should be cleared when not in use;
- Personal data no longer required for day-to-day use should be sent to secure archiving.
Disclosure (sharing)
This includes the disclosure (sharing) of personal data by:
- Staff with other teams/departments;
- Staff with third parties/other organisations (including our data processors); and
- Our data processors to third parties.
Personal data must not be disclosed unless the recipient is authorised to have access to that personal data and then only in accordance with the GDPR. Examples of unauthorised recipients are:
- Family members;
- Friends;
- In certain circumstances, the police.
Staff and data processors should exercise great caution when asked to disclose personal data and if in doubt should seek advice from their line manager before doing so. All decisions to disclose personal data must be recorded and all such disclosures must be specifically authorised by the General Manager.
CCTV
Leicester Racecourse uses a GDPR-compliant facial recognition system for security and legal purposes. As a Company, we use accurate, adequate and only relevant data for the minimum amount of time necessary to fulfil the purpose of processing. We reserve the right to pass such imagery to any legal authority if required to do so.
Retention
Personal data must not be kept for any longer than is necessary and only in accordance with our retention policy.
Disposal (deletion)
When it is no longer necessary to keep it, personal data must be disposed of securely. This means that:
- Paper will be shredded on site, or disposed of externally as confidential waste;
- Computer equipment will be disposed of securely by specialist contractors.
Transfer outside the EEA
The GDPR generally prohibits the transfer (sending) of personal data outside the European Economic Area (EEA) unless:
- An ‘adequacy decision’ has been made for the destination country; or
- The transfer is subject to appropriate safeguards; or
- A ‘derogation’ can be relied upon, e.g.:
  - where it is necessary for the conclusion or performance of a contract that we have with the data subject or another person; or
  - it is in our legitimate interests (this will only be available to and used by us in very limited circumstances); or
  - with the data subject's explicit consent (this will only be available to and used by us in very limited circumstances).
These restrictions mean that personal data cannot be freely transferred outside the EEA and that it will be a breach of the GDPR to do so unless any such transfer can be made in accordance with the above. All decisions to transfer personal data outside the EEA must be specifically authorised by the Data Controller.
Data protection impact assessments
A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project. The GDPR includes a new obligation to conduct a DPIA for types of processing likely to result in a high risk to individuals’ interests, and a DPIA is good practice for any major new project which requires the processing of personal data. Any processing for which a DPIA may be required must not be undertaken without the approval of your line manager.
Marketing
The rules about sending marketing messages mean, in summary, that we should not contact individuals unless we are satisfied that they do not object to hearing from us and that, by contacting them, we are not being a nuisance to them.
Contact us
If you have any questions or queries in relation to your private information, please do not hesitate to contact David Maykels, General Manager and Data Protection Officer for Leicester Racecourse, by email at dataprotection@leicester-racecourse.com.