1. Introduction

This policy sets out the obligations regarding data protection and the rights of clients of the business in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).


The Policy is to ensure that all personal data kept and processed by NQY Surf School is dealt with in accordance with the GDPR. The data provided by NQY Surf School clients will be stored safely and only disclosed to relevant members of NQY Surf School staff whose role requires them to process some, or all, of that information

It aims to address key elements of the GDPR, namely

  • Why the data is kept 
  • Whose data is kept 
  • What data is kept 
  • When the data is used
  • Where the data is processed
  • How long the data is kept


The GDPR defines “personal data” as any information relating to a natural person who can be  identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.


NQY Surf School is committed not only to the letter of the law but also to the spirit of the law and places high importance on the correct, lawful and fair handling of all personal data respecting the legal rights, privacy and trust of all its members.


2. The Data Protection Principles

This policy aims to ensure compliance with GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:


  1. Processed lawfully, fairly and in a transparent manner in relation to the person.
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  4. Accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
  5. Kept in a form which permits identification of the person for no longer than is necessary for the purposes for which the personal data is processed.
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical and organisational measures.


3. Why the data is kept

NQY Surf School needs to keep personal details of customers in order to keep them informed about future events and activities provided by the surf school. Data is also kept incase of unfortunate incidents and emergency information is required at a future date. 


4. Whose data is kept

Clients’ relevant personal data is kept (see note 5). 

In accordance with the GDPR, NQY Surf School clients have the following rights.

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure also known as the right to be forgotten
  • The right to restrict processing
  • The right to data portability
  • The right to object


5. What data is kept

Each clients name, address, telephone number and email addresses will be kept.


6. When the data is used

The data is used each time a client takes part in an activity.


7. Where the data is processed

The data is processed in the homes of Frances Carter.

Paper copies of personal data are kept securely and out of view, in a locked room. 

No data is shared with 3rd parties without the explicit consent of the individual member. 

No data is sold to third parties for any reason.


8. How long the data is kept

The CSTBS will not retain any personal data for any longer than is necessary in light of the purpose(s) for which the data is collected, kept and processed.