Privacy Policy

Malvern Active - Malvern College Enterprises Ltd.

October 2021

Malvern Active is a trading name of Malvern College Enterprises Ltd, registered in England no. 2706656, which is a wholly-owned subsidiary of Malvern College, registered charity no. 527578.

In order to carry out its ordinary duties to members, Malvern Active may process a range of personal data about past, current and prospective users as part of its daily operation. Some examples are:
• For the purposes of enrolling new users with Malvern Active’s range of services (and to confirm the identity of prospective users);
• To provide sports and leisure facility services, including swimming lessons, personal training, exercise classes and gym membership;
• Maintaining relationships with the Malvern Active community, including direct marketing activity;
• For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law;
• To enable relevant authorities to monitor Malvern Active’s performance and to intervene or assist with incidents as appropriate;
• To safeguard users’ welfare whilst using Malvern Active facilities and provide an appropriate level of care;
• To monitor (as appropriate) use of the School's IT and communications systems in accordance with the School's Policy on the Acceptable use of ICT and e-Safety;
• To make use of photographic images of users in Malvern Active publications, on the Malvern Active website and (where appropriate) on Malvern Active’s social media channels;
• For security purposes, including CCTV in accordance with Malvern College’s CCTV policy; and
• Where otherwise reasonably necessary for Malvern Active’s purposes, including to obtain appropriate professional advice and insurance for Malvern Active.

This includes:
• names, addresses, telephone numbers, email addresses and other contact details
• medical information relevant to the use of Malvern Active facilities (e.g. details of any physical injury that might affect the use of gym equipment)
• communication record (letter, email or SMS)
• bank details, e.g. about users who pay fees to Malvern Active
• credit/debit card details in the case of users asking to pay fees by this means
• password information for users who access the Malvern Active online booking system, device information and IP address of any device used to connect to the online booking system or the Malvern Active app
• images of users attending Malvern Active activities, and images captured by Malvern College’s CCTV system (in accordance with Malvern College’s policy on taking, storing and using images of children)

Malvern Active expects that much of its data processing may fall within the category of its (or its community’s) “legitimate interests” provided that these are not outweighed by the impact on individuals and provided it does not involve special or sensitive types of data.
Malvern Active will need to carry out some activity in order to fulfil its “legal rights, duties or obligations”, including those under a contract with Malvern Active members.
Malvern Active considers that it is acting in the “public interest” when providing health and fitness facilities for the local community.
There may be occasions when Malvern Active will act in the “vital interests” of preventing someone from being seriously harmed or killed.

Generally, Malvern Active receives personal data from the individual directly. This may be via a form, or simply in the ordinary course of interaction or communication (such as email or telephone conversations). However, in some cases, personal data may be supplied by third parties or collected from publicly available resources.

Occasionally, Malvern Active will need to share personal information relating to its community with third parties, such as professional advisers (lawyers and accountants) or relevant authorities (HMRC, police or the local authority).
For the most part, personal data collected by Malvern Active will remain within Malvern Active, Malvern College Enterprises and Malvern College, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis).
In accordance with Data Protection Law (including GDPR – the General Data Protection Regulation), some of Malvern Active’s processing activity is carried out on its behalf by third parties - our chosen and contracted suppliers - such as IT systems (Gladstone - Fitness & Leisure Member Management Software), web developers (Mosaique - Website Agency), email platform (MailChimp) or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with Malvern Active's specific directions, i.e. your data will never be used by these suppliers for their own benefit or marketing purposes. 

Malvern Active will retain personal data securely and only for as long as it is necessary to keep it for a legitimate and lawful reason. Most sensitive personal data relating to users of Malvern Active, including bank details and medical information, will be deleted when the user no longer uses Malvern Active facilities, and all personal data will be deleted within 12 months after the user stops using the facilities. Credit/debit card details are only taken at the request of users, generally by telephone call, and are destroyed immediately if submitted on a form. They are never recorded on any Malvern Active system.
Incident reports and files relating to the safeguarding of children will need to be kept much longer, in accordance with specific legal requirements. It should also be noted that fully-selective deletion of data from the Malvern Active Management Information Systems may not always be possible for technical reasons.
If you have any specific queries about how this policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact Malvern College’s Commercial Director, Claudia Hamm. However, please bear in mind that Malvern Active, Malvern College Enterprises Ltd and Malvern College may have lawful and necessary reasons to hold on to some data.

Individuals have various rights under Data Protection Law to access and understand personal data about them held by Malvern Active, and in some cases ask for it to be erased or amended or for Malvern Active to stop processing it, but subject to certain exemptions and limitations.
If you wish to exercise any of these rights you should put your request in writing to Malvern College’s Commercial Director, Claudia Hamm,
Malvern Active will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. The School will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, Malvern Active may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.
You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege.
Data Protection Law provides you with the following rights:
The right of access
Your right to obtain confirmation as to whether or not personal data are being processed, and, where that is the case, access to the personal data along with details regarding the nature of processing.
The right of rectification
Your right to obtain the rectification of inaccurate personal data.
The right of portability
Your right to receive the personal data concerning you that you have provided to us, in a structured, commonly used and machine-readable format.
The right to be forgotten
Your right to erase your personal data.
The right to restrict processing
Your right for your data to be effectively ‘frozen’; stored and not further processed.
The right to object
Your right to object to how your personal data is processed as outlined in this privacy policy.

Children whose personal data is held by Malvern Active (e.g. those children enrolled on the Malvern Active learn to swim scheme) can make subject access requests for their own personal data, provided that, in the reasonable opinion of Malvern Active, they have sufficient maturity to understand the request they are making (see section Whose Rights below). Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of younger children, the information in question is always considered to be the child’s at law.
A child of any age may ask a parent or other representative to make a subject access request on his/her behalf. Moreover (if of sufficient age) their consent or authority may need to be sought by the parent making such a request. This will depend on both the individual child and the personal data requested, including any relevant circumstances at home. All information requests from, or on behalf of, children – whether made under subject access or simply as an incidental request – will therefore be considered on a case by case basis.

Where Malvern Active is relying on consent as a means to process personal data (for example the use of images for marketing purposes), any person may withdraw this consent at any time (subject to similar age considerations as above). Please be aware however that Malvern Active may have another lawful reason to process the personal data in question even without your consent.
That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under some form of contract or agreement with the individual or because a purchase of goods, services or membership has been requested.

The rights under Data Protection Law belong to the individual to whom the data relates. However, Malvern Active will often rely on parental consent to process personal data relating to children (if consent is required) unless, given the nature of the processing in question, and the child’s age and understanding, it is more appropriate to rely on the child’s consent.
Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.
In general, Malvern Active will assume that children’s consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the child’s progress in swimming lessons, and in the interests of the child’s welfare, unless, in Malvern Active’s opinion, there is a good reason to do otherwise.
However, where a child seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, Malvern Active may be under an obligation to maintain confidentiality unless, in Malvern Active’s opinion, there is a good reason to do otherwise; for example where Malvern Active believes disclosure will be in the best interests of the child or other children, or if required by law.

Malvern Active will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify Malvern Active of any significant changes to important information, such as contact details, held about them.
An individual has the right to request that any out-of-date, irrelevant or inaccurate information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why Malvern Active may need to process your data, and of whom you may contact if you disagree.
Malvern Active will take appropriate technical and organizational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to Malvern Active systems. All staff will be made aware of this policy and their duties under Data Protection Law and receive relevant training.

Malvern Active will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.

Any comments or queries on this policy should be directed to Mr Rob Young, the Sports Complex Operations Manager, at
If you believe that Malvern Active has not complied with this policy or acted otherwise than in accordance with Data Protection Law, you should notify the Managing Director - Allan Walker. You can lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with Malvern Active before involving the regulator.

Updated February 2022