Leisure privacy notice

This privacy notice is designed to help you understand how and why the North Yorkshire Council processes your personal data. This notice should be read in conjunction with our corporate privacy notice.

Who are we?

North Yorkshire Council is a ‘data controller’ as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR). The council operate four leisure centres under the ‘zest’ brand.

The council has appointed Veritau to be its data protection officer. Their contact details are:

Information Governance Office


West Offices

Station Rise


North Yorkshire


Email: infogov@northyorks.gov.uk

Tel: 01904 552848

What personal information do we collect?

To provide our leisure centre service, we may collect the following personal data:

  • name
  • address
  • contact details, such as email address and telephone number
  • date of birth
  • usage and engagement with the products/ services you have bought from us
  • bank details including bank address, sort code and account number - if you buy something from us using a card, your card information is not held by us - it is collected by our third-party payment processors
  • images - if you become a member or sign up to our programmes your photograph may be taken electronically to allow our staff to easily verify your membership
  • we also have a variety of CCTV systems across our facilities which may capture your image - images may also be taken and used for marketing purposes, with your consent
  • preferences and consents – this includes information such as how you would prefer us to contact you, what your fitness aims are, whether you wish to receive marketing information from us, use of your image for marketing purposes, or confirmation that you understand risks associated with certain activities such as climbing
  • for service providers, we require copies of insurance and certificates

We may also collect certain categories of special category information:

  • health and additional support information – if you (or your child) have medical information or additional support needs that is relevant to disclose to us to ensure your/their safety and best possible experience, or if you have been referred to us by a professional - this includes any health information disclosed or discovered through our gym induction programme

Why do we collect your personal information?

We process your information for the following purposes:

  • process your membership or bookings
  • process your details into our electronic booking system to take payments/process invoices
  • improve our products and services.
  • ensure the security of our staff and customers
  • to record accidents
  • to ensure your health or additional support needs are considered and to ensure you understand any risks associated with your activity
  • provide tailored customer service by ensuring your preferences are considered, and that you are kept informed of operational updates or changes to our services (such as venue closures).

You may also consent to your information being used for the below purposes. Your information will only be used in this way if you consent to it and you can withdraw your consent at any time. These purposes are:

  • to provide you with specific marketing information such as information about new services, products or offers.
  • to include your image/video in marketing materials.

Who do we obtain your information from?

We obtain most of the information we hold about you from yourself when you register for our service however, we may also obtain information from:

  • GP surgeries and external professionals e.g. referrals

Who do we share this information with?

We may pass your information to our service partners, agents and associated organisations to allow us to service your membership and communicate with you. This includes:

  • public health
  • alliance leisure

We will also pass your information to other partners for the purpose of marketing or promotion of services offered by the council, but only if you have consented to this such as TA6.

How long do we keep your information for?

We are legally required to hold some types of information for certain periods of time. We set retention periods for all types of personal data and review data accordingly. For example, we will hold:

Data held

Retention period

Financial data

7 years

Accident data

3 years or if a minor, under 18, until the individual reaches 21 years old

Membership contracts, direct debit mandate

1 year after leaving

Health data for programmes

1 year after non-use of facilities

Health data from our gym inductions or gym GP referrals

1 year after non-use of facilities

Customer comments cards

1 year

Information from enquiries

Information will not be retained after contact has been made

Membership exit surveys

1 year

What is our lawful basis for processing your information?

North Yorkshire Council relies on the following lawful basis to process your personal data:

For the use of your image/ videos in marketing material and for where you have opted in to receive marketing communications, the Council relies on:

  • UK GDPR Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes

For all other processing activity, the council will rely upon the following lawful basis:

  • UK GDPR Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • UK GDPR Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject
  • UK GDPR Article 6(1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party

When processing special category data, the council will rely on the following lawful basis:

UK GDPR Article 9(2)(g) – processing of your special category data is necessary for reasons of substantial public interest (with a basis in law), meeting schedule 1, part 2 of the data protection act 2018 as below:

  • (18) Safeguarding of children and of individuals at risk

For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.