Your Personal Data’s Journey through Nuffield Health’s ‘Refer a friend’ Promotion
This document/page explains how your personal data will be processed by Nuffield Health and any third parties as part of the ‘Refer a friend’ promotion. This applies to:
- The existing Nuffield Health gym member who is referring their friend. In this document/page we will refer to this member as the ‘Existing Member’; and
- The friend who is being referred by the Existing Member. In this document/page we will refer to this person as the ‘Referred Friend’.
What information may you be asked to provide
- Home gym
- Membership number
- Bank account details (account name, sort code, account no.)
- Telephone number
- Email address
- Home gym
- Membership number
Where we may collect your information from
1. You (Existing Member)
You will input your information directly into the ‘refer a friend’ system.
You (Referred Friend)
You will sign up for gym membership in the usual way (which will require you to provide personal data to Nuffield Health to set up your membership – subject to separate terms and conditions). You will then provide your home gym and membership number to the friend that referred you.
2. Your Friend
If you are a Referred Friend, you will provide your membership number and your home gym to the Existing Member, who will then put that information into the ‘refer a friend’ system.
3. Information we already hold about you
As both the Existing Member and the Referred Friend are gym members with Nuffield Health, we will already have collected personal data about you for that membership.
Why we need this information and how we might use it
We are required to collect the information that we have outlined above for a number of different purposes which are listed below:
- To contact you in relation to a claim
e.g. because there is an issue with the bank details you have provided.
- To verify your compliance with the terms and conditions of this promotion
i.e. that both parties have been members for 30 days; that neither member is in debt; that the Existing Member refers a maximum of 3 friends etc. (please see promotional terms and conditions for all that apply).
- To pay the Existing Member the referral fee of £50.
Who your Personal Data may be shared with
Nuffield Health have teamed up with a third party organisation called Insyt Agency Limited (‘Insyt’). They will provide the system you visit to input your details, your Referred Friend’s details and register your claim. Insyt will be collecting the information set out above, on behalf of Nuffield Health.
In order to ensure that the claim submitted by the Existing Member for the referral fee is valid and complies with the terms and conditions, Nuffield Health will share with Insyt a list of membership numbers to confirm those member accounts which are in debt (and therefore not eligible to receive the referral fee) and those member accounts which are live (to verify that the Existing Member and Referred Friend are both active Nuffield Health gym members).
WISE (formerly Transferwise) are a third party organisation who process payment details for Insyt. The Existing Member’s bank details are not stored by Insyt, instead they are securely sent directly to WISE who process the Existing Member’s referral fee to the bank account they provided. WISE are regulated by the Financial Conduct Authority and are regularly audited by independent finance and IT auditors. They hold a number of certifications including those relating to payment card information (PCI DSS) and information security (ISO27001).
- Insyt use a number of other third parties who provide specific elements to support the organisation in providing the services for this promotion – further details are set out in the table below.
Which countries your personal data will be processed in
|Organisation|Processing/reason for processing|Country|Personal Data transferred to that country|
|---|---|---|---|
|Nuffield Health|Verifying compliance with T&Cs|UK|Membership number|
|Insyt use a number of third parties to provide their services, which involves the processing of personal data as set out below:||||
|WNS Global Services (UK) Limited|Customer Services|Philippines|Name, Email, Telephone number|
|Twilio Inc|Text messaging|USA|Telephone number|
|Google Analytics|Analytics|EEA|Website tracking|
|Microsoft Azure|Cloud Storage|EEA|Claim data i.e. all the details the Existing Member puts into the system|
|LexisNexis|Fraud Detection|EEA|Name, Email, Telephone number|
|Wise|Payment|EEA|Bank account details|
Fair and Lawful Processing
Each organisation is required to demonstrate that they are processing personal data fairly and lawfully; to do this we must have a ‘lawful basis for processing’ personal data. Consent is probably the condition that has gained the most attention, but we only rely on consent in limited circumstances e.g. to share information with a third party or your GP.
The ‘refer a friend’ promotion will mainly be processing data based on the following lawful basis for processing:
- Article 6 (1)(b) Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract.
- Article 6 (1)(f) Legitimate interests: the processing is necessary because of a legitimate interest or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Your rights in respect of your Personal Data
The law gives you certain rights in respect of the information that we hold about you. Below is a short overview of the key rights available to you.
- Data Subject Access Request - with some exceptions designed to protect the rights of others, you have the right to a copy of the personal data that we hold about you. Where the data is data that you have given to us, you have the right to receive your copy of it in a common electronic format, and to provide copies of it to other people if you wish (Right to Data Portability).
- Right to Rectification - you have the right to have the personal data we hold about you corrected if it is factually inaccurate. This right does not extend to matters of opinion, such as assessments of performance or fitness to work.
- Right to Erasure - in some limited circumstances, you have the right to have personal data that we hold about you erased (the “right to be forgotten”). This right is not generally available where we still have a valid legal reason to keep the data (for example, because we are obliged to do so by law).
- Right to Restrict Processing - you also have the right in some circumstances to request that temporary restrictions are placed on how we process your personal data, for example if you contest its accuracy or where we are processing it on the basis of our legitimate interest and you contest our assessment that our interest overrides your rights.
The above is not a complete and exhaustive statement of the law.
When things go wrong
Nuffield Health pride ourselves on the quality of our services and consistent positive customer satisfaction; however, we understand that in a small number of cases you may have cause to raise a concern or complaint. It is important that Nuffield Health learn from these concerns to continually enhance our services and as such we carry out thorough investigations. In order to fully investigate your concern we may need to share information with our compliance team, senior leaders or other parties outside of your club. For example, if you raised concerns about a member of staff we might need to share this information with our Central HR team, and their professional body (where appropriate). In any case, we will only share as limited an amount of information as is necessary to investigate the concern.
We may also need to share details of your concern with your members of staff at the club.
If a concern relates to a person, we may need to disclose your concern to that person in order to fully investigate it.
If the concern has come via a third party e.g. a regulator, body or solicitor, we may need to disclose your data to them in order to resolve, defend or investigate a concern.
How long we will keep your Personal Data for
In accordance with HMRC requirements, payment/financial data will be retained for a period of 6 years plus the remainder of the current financial year (so in effect, 7 years).
Personal data, in the form of membership numbers shared with Insyt for the purpose of verifying compliance with the terms and conditions, will be deleted immediately upon sending to Insyt and Insyt will delete the data at the end of the current financial year.
Any other personal data collected by Insyt that does not fall into either of the above categories, will be retained for a period of 3 years, after which time it will be deleted.
Whilst the Existing Member’s compliance with the promotional terms and conditions will be verified by data provided by Nuffield Health to Insyt, this is not considered a wholly automated decision. There will be human involvement in all the decisions made as part of this promotion.
Should you remain dissatisfied you have a right to complain to the Information Commissioner’s Office on 0303 123 1113 or through their website https://ico.org.uk/