The information that we collect and store relating to you is primarily used to enable us to provide our services to you. In addition, we may use the information for the following purposes:
• To invite you to attend marketing events such as our Discovery Days if you register an interest in becoming a franchisee
• To invite you to visit one of our health and fitness clubs so that you can find out more about the facilities and membership options which are available or to have a free trial using the facilities in one or more of our clubs or to encourage you to become a member of one of our health and fitness clubs if you register an interest in joining up.
• To request that you provide us with a review containing your views on the quality of the services and facilities we supply to you as well as your impression of the quality of service you receive from our staff.
• To request that you consider recommending the services or products which we supply and to provide us with details which will allow us to contact a friend or colleague who you think would be interested in a service or product which we supply such as membership of one of our health clubs or in becoming a franchisee.
• To contact you to provide you with more information about a post that is available in our central team or in one of our clubs if you have registered an interest in joining as an employee or as a freelance worker such as a personal trainer or a studio instructor.
• To provide you with general information related to products or services in which you have expressed an interest and to provide information on other products or services which we feel may be of interest to you if you have consented to receive such information.
• To meet our contractual commitments to you, for example to notify you of any price changes to a membership which you may sign up for or to inform you of a temporary or permanent change to opening hours or any other factor which may affect your enjoyment of the facilities at one of our health and fitness clubs of which you may become a member.
• To notify you about any changes to our website, such as improvements or service/product changes, that may affect our service.
• If you are an existing customer, we may contact you with information about goods and services similar to those which were the subject of a previous sale to you.
• We may use your data, or permit selected third parties to use your data, so that you can be provided with information about unrelated goods and services which we consider may be of interest to you. We or they may contact you about these goods and services by any of the methods that you consented to at the time your information was collected.
• We will only contact you for marketing purposes or allow third parties to contact you for marketing purposes if you have provided consent for this to happen. Furthermore, you will only be contacted using the means of contact to which you have consented.
• If you do not want us to use your data for the purposes of marketing by ourselves or third parties you will have the opportunity to withhold your consent to this when you provide your details to us on the form on which we collect your data.
• Please be advised that we do not reveal information about identifiable individuals to our own marketing agencies but we may, on occasion, provide them with aggregate statistical information about our visitors such as your area of residence or age group.
Disclosing your information
Where applicable, we may disclose your personal information to any member of our group. This includes, where applicable, our subsidiaries, our holding company and its other subsidiaries.
We may also disclose your personal information to third parties:
Where we sell any or all of our business and/or our assets to a third party
Where we are legally required to disclose your information
To assist fraud protection and minimise credit risk
Third party links
You might find links to third party websites on our Website. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.
Access to information
The Data Protection Act 1998 & 2003 gives you the right to access the information that we hold about you. Should you wish to receive details that we hold about you please contact us using the contact details below.
Data Breach Policy
This is the data breach policy for énergie Global Brand Management (énergie) which also trades using the following brand names:
• énergie Direct Franchising
• énergie Fitness
• énergie Fitness Clubs
• énergie Fitness for Women
We take the security of the data which we hold very seriously and go to great lengths to ensure that it is adequately protected and is used only for the purposes for which it was collected. We have a series of policies and procedures in place to ensure that we comply with all current legislation. We train our staff to ensure that they are aware of their responsibilities in protecting the data and how they should act when using it. We also employ sophisticated means to protect our data from malicious attack and attempts to gain unauthorised access or make unauthorised use of the data which we hold. We destroy or anonymise data as soon as there is no longer a justification for us to hold it in relation to the purposes for which it was collected.
Despite all of the above it is, unfortunately, impossible for us to completely protect all of the data which we hold from theft, attack, unauthorised use or failure to follow agreed procedures. This policy describes the measures we take to monitor whether any breaches have occurred and the procedures we will follow should we become aware that a breach may have occurred.
This policy applies to the following individuals and organisations:
• All individuals who work for the énergie Group in the United Kingdom and all territories covered by the General Data Protection Regulations (GDPR) whether they are employed directly or are contracted to work on behalf of the organization
• All individuals who work in the fitness clubs located in the United Kingdom and all territories covered by the GDPR which are owned by ourselves or our franchisees whether they are employed directly or are contracted to work in the clubs on a regular or casual basis
• Our partners who process and collect data on our behalf, for example, the Harlands Group which processes direct debits on our behalf. Each of our partner organisations whom we deem to be covered by this policy has been sent a copy and has given an assurance that they will abide by its contents.
This policy applies to the following data:
• All data and information which we hold related to private individuals including, but not limited to the following:
• Members, prospective members and ex members of our clubs
• Current and past franchisees and those individuals who have expressed an interest in finding out more about becoming a franchisee
• Staff and other workers, for example studio instructors and cleaners, who work or have worked at our clubs and those of our franchisees and individuals who have expressed an interest in working at our clubs
• Staff and other workers who work in our own offices or in the field in whatever capacity we employ them
• Sensitive data related to our business, for example, records of our finances or legal affairs
• Sensitive data related to the businesses of our franchisees, for example, our assessments of their performance, records of their finances or legal affairs
This policy applies to the data described above held in any form, including but not limited to:
• élan4Clubs and élanHQ and their related databases which are the main software applications which we use to manage and monitor the performance of our clubs as well as many other administrative operations which take place at our offices
• Other applications which are used in our offices and those of our franchisees, for example, Infusionsoft which we use to manage our relationship with franchisees and prospective franchisees or Exchequer which we use to manage our finances
• Any other electronic form such as in Excel spreadsheets, Word documents, email contents, etc
• Information recorded on paper or any other physical media whether that be a formal document stored for record keeping or legal purposes or an informal document such as an ad hoc note
Monitoring whether a Breach has Occurred
We take the following measures to monitor whether a breach has occurred and to ensure that we become aware should a breach or a potential breach come to the attention of any of our staff, members of our club or any other individual:
• By publishing this policy on our public facing websites we promote awareness of its existence and make any visitor to our public facing website aware of the steps they can take should they suspect that a breach has occurred or may occur in the future. The policy itself clearly describes how anyone can communicate their concerns to named individuals within énergie.
• This policy is published on élan which is the software application which is used in our clubs and our central operation to manage and monitor the operation of our clubs. As a result, the policy is made available to our own staff, our franchisees and the individuals who work in their clubs. The policy clearly lays out what they must do in the event that they suspect that a breach has occurred or may occur in the future.
• We make use of sophisticated cyber protection software which monitors activity in our data centres and reports any unusual activity such as large volumes of data being downloaded to unknown IP addresses.
• We train our staff, franchisees and those individuals who work in our clubs in various ways, for example, by running sessions at our quarterly development meetings, the course we run on a regular basis for new franchisees and club managers (the énergie Basic Management Course) and other ad hoc training sessions which we run from time to time.
• We include all of our data protection policies in our operating manual which is made available to our franchisees and club managers.
• We designate specific individuals within énergie and Hedgehog Business Solutions (who are our software partner and main data processor) with the responsibility of monitoring for any breach or potential breach and acting upon any information which is provided.
Advice and Support
Any individual who requires advice or support in relation to this policy or an incident they feel it may cover should first of all speak to their manager or the owner of the club at which they work. If this is not possible or felt to be appropriate or if further advice or support is needed then the matter may be referred to any of the following:
• The énergie helpdesk by ‘phone on 020 3874 5202 or by email to email@example.com
• énergie’s data protection officer by ’phone on 01908 396 212 or by email to firstname.lastname@example.org
• By mail to:
Data Protection Enquiries
NB Please use email or ‘phone if you feel that your query needs to be addressed urgently.
This policy requires that any individual who is included in its scope (described above) who suspects that a theft, breach, unintended exposure or unauthorised access of the data described above has occurred must report the fact as soon as is reasonably possible and in any case within one working day of the information coming to their attention.
If possible, a written description of the nature of the breach or suspected breach along with details of the date and time at which it occurred should be provided to any of the contacts listed above as sources of help and advice. Information may be supplied anonymously but it would be most helpful if the name and contact information of the person reporting the breach could be supplied.
Examples of practices which may be likely to lead to a breach should also be reported in the same way.
What we will do when Issues are Reported to us
The matter will be initially reviewed by the Data Protection Officer (DPO) who will consider the circumstances and the information which has been supplied. One or more of the following actions may be taken:
• If it seems likely that a breach has taken place and there is a credible risk that further access to the same information or to other information may occur, or if a practice has been reported which seems to have a high risk of resulting in an imminent breach, immediate steps will be taken to protect the resource, for example, by shutting down the function or service which was used to gain access to the information or strengthening the security around it.
• As soon as there is firm evidence of the nature of any data having been inappropriately accessed and where it is possible to identify those individuals who may have been affected, a communication plan will be developed in conjunction with our own communications scheme involving legal and human resource departments to decide whether and how to communicate the breach to:
• internal employees
• the public
• those directly affected
• The communication is likely to include information such as:
• The date and time on which the breach occurred
• The data which has been accessed, eg names, contact numbers, email addresses
• The steps which we are taking to investigate the matter and ensure that it does not reoccur
• The matter itself may also be brought to the attention of any one or more of the following:
• The manager of any persons involved in the matter
• The managers and owners of any clubs connected with the matter or who have members potentially affected by the matter
• The Office of the Data Commissioner
• The law enforcement authorities
• Third party suppliers
• The CEO and other members of énergie’s board
• Other members of staff
• Any other individual or body we believe is appropriate
• The Systems and Technology Director will be informed and will liaise with the DPO throughout the incident to ensure that the DPO’s requests for further information and action are complied with.
• The DPO will formulate a plan of action in conjunction with the Systems and Technology Director on the steps needed to deal with the matter. Where appropriate and where practical, individuals from énergie, its franchisees and those who work in its clubs, its suppliers and any other relevant partners will be included as sources of information or to otherwise assist in the implementation of the plan.
• The Systems and Technology Director will assess whether the CEO should be informed immediately or whether it is acceptable to wait until further information has been gathered.
• If action is needed from a third party or if the DPO considers that they need to be made aware of the matter then the DPO will contact them immediately or as soon as is practical after sufficient information has been gathered to properly inform the third party.
• As provided by énergie Global Brand Management’s cyber insurance and where necessary and appropriate, the insurer will provide access to forensic investigators and experts who will help determine how the breach or exposure occurred; the types of data involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause.
• If, at any time throughout the investigation and resolution of the matter, the Systems and Technology Director feels that the CEO’s authority is needed to obtain information or implement a necessary action, the CEO will be contacted immediately to discuss the need and to ensure that appropriate action results.
• The DPO will follow the plan and will, as far as possible, gain a full understanding of the nature and extent of the matter.
• In all cases where a breach or potential breach has been reported, the DPO will write a full report of the incident and submit it to the Systems and Technology Director and the CEO. The report will include any recommendations which the DPO believes should be considered. Such recommendations could include, but are not limited to the following:
• Creation of new policies or the review and amendment of existing policies and practices
• Review of training programmes where existing policies have not been properly followed
• Disciplinary action against any individuals who have acted carelessly or maliciously
Any Énergie Global Brand Management personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company found in violation may have their network connection terminated.
Version | Date Of Revision | Author | Description Of Changes
1.0 | 10th August 2017 | David Waugh | Initial Version
We welcome any queries, comments or requests you may have regarding this policy. Please do not hesitate to contact us via the website www.energiefranchise.com
If you would prefer to write to us then our contact address is:
Data Protection Enquiries
Internet Privacy & Cookies Policy
énergie Direct Franchising
énergie Fitness Clubs
énergie Fitness for Women
This policy covers all data that is shared by a visitor with us whether directly via energiegroup.com, effw.co.uk, energiefitness.com, energiefitnessclubs.com, f4l.com or via email.
This policy provides an explanation as to what happens to any personal data that you share with us, or that we collect from you either directly via this Website or via email.
Certain businesses are required under the Data Protection Act to have a data controller. For the purpose of the Data Protection Act 1998 and updates in 2018 our data controller is Dom Greenwood, who can be contacted via email at email@example.com
Information we collect
We may collect the following information:
Contact information including telephone number and email address
Demographic business information
Other information relevant to customer surveys and/or offers
What we do with the information we gather
In operating our Website we may collect and process the following data about you:
Details of your visits to our Website and the resources that you access including, but not limited to, traffic data, location data, weblog statistics and other communication data.
Information that you provide by filling in forms on our Website, such as when you register to receive information such as a newsletter or contact us via the contact us page.
Information provided to us when you communicate with us for any reason.
On occasion, we may gather information about your computer for our services, and to provide statistical information regarding the use of our Website to our advertisers. Such information will not identify you personally; it is statistical data about our visitors and their use of our site. This statistical data does not identify any personal details whatsoever. It is used by us to analyse how visitors interact with our websites so that we can continue to develop and improve our websites.
We may gather information about your general internet use by using a cookie file that is downloaded to your computer. Where used, these cookies are downloaded to your computer automatically. The cookie file is stored on the hard drive of your computer. Cookies help us to improve our website and the service that we provide to you.
All computers have the ability to decline cookies. This can be done by activating the setting on your browser which enables you to decline the cookies. Please note that should you choose to decline cookies, you may be unable to access particular areas of our Website.
Any advertisement featured on this website or link to a website controlled by a third party may also incorporate cookies over which we have no control. Such cookies (if used) would be downloaded once you click on the advertisement or link to the third party website.
For more information on cookies you can read the guidance at www.allaboutcookies.org
Third Party Cookies: Google Analytics:
We may use Google Analytics for SEO purposes and to improve our online marketing efforts. For a detailed explanation of how Google Analytics cookies work and what data it gathers, please visit: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Sharing Your Information With Our Partners
We partner with certain organisations to carry out certain aspects of our operation. For example, we use a company called Harlands to make direct debit collections on our behalf for members of our clubs in the UK. We share with Harlands all of the information which is necessary to make these collections and in order for them to be able to meet their obligations under the Direct Debit Guarantee Scheme.
Storing your personal data
Data that is provided to us is stored on our secure servers. Details relating to any transactions entered into via our site will be encrypted to ensure their safety.
The transmission of information via the internet is not completely secure and therefore we cannot guarantee the security of data sent to us electronically and the transmission of such data is entirely at your own risk. Where we have given you (or where you have chosen) a password so that you can access certain areas of our site, you are responsible for keeping this password confidential.
Policy for use of CCTV in énergie Clubs
The énergie group operates a health and fitness franchise business in the United Kingdom as well as in several other countries.
This is the policy for the use of CCTV in clubs operating under the following brands in England and Wales:
• énergie Fitness
• énergie Fitness Clubs
• énergie Fitness for Women
2. Purpose of the Policy
The purpose of this policy is to make a clear statement of the way in which énergie, and the clubs operating under its various brands in the United Kingdom, make use of CCTV.
The policy describes the following:
• The rationale for using CCTV
• The areas in which we use CCTV and the areas in which we do not use CCTV
• How we make members of the public, staff who work in the clubs and any other visitors aware of the fact that CCTV is in operation
• How we store the recorded images and how long we keep them for before destroying them
• The circumstances under which we would consider releasing the images to a third party such as the police or other law enforcement agencies
• Requests from individuals who believe they have appeared in images captured on CCTV – Data Access Requests
• Our use of security companies
3. Rationale for the Use of CCTV
CCTV allows us to monitor activity in and around our clubs. It can be used to help us investigate the actions of individuals in connection with specific events such as an accident, theft or assault.
The main reasons we use CCTV include, but are not limited to, the following:
• To protect the health and safety of visitors and staff
• To help us to ensure that club rules are respected
• To help with training and giving feedback to our staff
• To assist the law enforcement authorities in a bid to deter and detect crime
• To protect our buildings, equipment and other resources by deterring those who might damage or steal them
• To monitor the behaviour of our staff while they are at work
• To investigate whether there is any fraudulent use of our clubs, for example, when a membership card or fob is used by an individual other than the one to whom it was issued
4. The Areas in which we Use CCTV
The layout of our clubs varies from site to site. However, in general terms, we would use CCTV in the following areas:
• In the reception area
• On the main gym floor
• In the studio if there is one
• In the free weights area
• In the corridors and stairwells
• In the areas around the outside of the building including the car park if there is one – this could include areas such as the pavement or a road which were used by members of the public who have no connection with énergie or any of its franchises or clubs
• In areas used by staff which are not normally accessible to the public, such as an office or staff room
• Any other areas not specifically mentioned in the exclusions below
We would never install CCTV in the following areas:
• Changing rooms
• Sauna/steam room
5. How we Publicise our Use of CCTV
We make members of the public, staff who work in the clubs and any other visitors aware of the fact that CCTV is in operation by displaying prominent signage such as the example shown below:
A sign such as the above would be displayed in each area in which a camera was located. We will also publicise the reasons why we are making recordings as well as the contact details for the data controller, for example, by displaying information such as the following:
WARNING CCTV cameras in operation
Images are being monitored and recorded for the purpose of crime-prevention, for the safety of our staff and visitors and for the protection of énergie fitness, its franchisees and their property. This system will be in operation 24 hours a day, every day. These images may be passed to the police or any law enforcement authority
This scheme is controlled by énergie Global Brand Management and operated by The Control Group
For more information contact 0845 363 1020
We do not conceal our cameras. They are clearly visible and would be recognisable by the overwhelming majority of the public. We are very happy to point out the location of all cameras in areas normally accessible to the public to any person who makes a request to have this happen.
6. Storing of Recorded Images
We store the images we record in two main ways:
• In a small and reducing number of clubs, we store images on a hard drive located in a secure area of the club
• In the majority of clubs, and in all new clubs, we store images on a secure server in the cloud
In all cases, these stored images are accessible only by properly authorised individuals. Access to them is protected by passwords and other security. Supervising access to the images and maintenance of the CCTV systems are the responsibility of the franchisee or club manager.
Images are normally stored for 30 days before being automatically deleted. Images of specific events or incidents might be kept much longer than this, particularly, although not exclusively, if they were connected with an accident or were the subject of a police investigation.
7. Release of Images to Third Parties
We would release images to third parties outside of the énergie group under very limited circumstances which would include the following:
• Requests from the police and other law enforcement authorities for images taken at a specific time or over a specific period
• To data subjects (or their legal representatives), pursuant to an access request where the time, date and location of the recordings is furnished to énergie Global Brand Management or one of its franchisees – see Access requests below
• Any other circumstances where we were legally obliged to do so, for example in connection with legal proceedings resulting from an accident
• To an agent we had appointed to act on our behalf, for example, to a lawyer or barrister we had appointed to act for us or one of our franchisees following an assault.
8. Data Access Requests
Any person whose image has been recorded has a right, on written request, to be given a copy of the information recorded which relates to them, provided always that such an image/recording exists, i.e. has not been deleted, and provided also that an exemption/prohibition does not apply to the release. Where the image/recording identifies other individuals, those images may only be released where they can be redacted/anonymised so that no other individual is identifiable. To exercise their right of access, a data subject must make an application in writing to énergie Global Brand Management or the franchisee which owns the club in question.
An applicant should provide all the necessary information to assist énergie Global Brand Management or its franchisee in locating the CCTV recorded data, such as the date, time and location of the recording. If the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data and may not be handed over.
In giving a person a copy of their data, the énergie Global Brand Management or its franchisee may provide a still/series of still pictures, a tape or a disk with relevant images. However, other images of other individuals will be obscured before the data is released.
Our franchisees are responsible for the operation of the clubs which they own, except where the clubs are owned directly by énergie Global Brand Management or one of its subsidiaries. Compliance with this policy is part of the operation of each club and will be scrutinised as part of the audit process to which every club is periodically subjected.
10. Security Companies
The CCTV systems in use in énergie’s clubs are controlled by a security company contracted by énergie Global Brand Management and its franchisees.
The contract with the security company details the areas to be monitored, how long data is to be stored, what the security company may do with the data, what security standards should be in place and what verification procedures apply. The contract also states that the security company will give the fitness club all reasonable assistance to deal with any subject access requests made under section 4 of the Data Protection Acts 1988 and 2003 which may be received by the club.
Security companies that place and operate cameras on behalf of clients are considered to be “Data Processors.” As data processors, they operate under the instruction of data controllers (their clients). Sections 2(2) and 2C of the Data Protection Acts place a number of obligations on data processors. These include having appropriate security measures in place to prevent unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network and against all unlawful forms of processing. This obligation is met by having appropriate access controls to image storage or having robust encryption where remote access to live recording is permitted. Staff of the security company have been made aware of their obligations relating to the security of data.
11. Contacting us
We welcome any queries, comments or requests you may have regarding this policy. Please do not hesitate to contact us via the website www.energiefitness.com
If you would prefer to write to us, then our contact address is:
CCTV Use Enquiries
12. Revision History
Version | Date Of Revision | Author | Description Of Changes
1.0 | 28th May 2017 | David Waugh | Initial Version
APPENDIX 1 – DEFINITIONS
Definitions of words/phrases used in relation to the protection of personal data and referred to in the text of the policy:
CCTV – Closed-circuit television is the use of video cameras to transmit a signal to a specific place on a limited set of monitors. The images may then be recorded on video tape or DVD or other digital recording mechanism.
The Data Protection Acts – The Data Protection Acts 1988 and 2003 confer rights on individuals as well as responsibilities on those persons handling, processing, managing and controlling personal data. All staff must comply with the provisions of the Data Protection Acts when collecting and storing personal information. This applies to personal information relating both to employees of the organisation and individuals who interact with the organisation.
Data – information in a form that can be processed. It includes automated or electronic data (any information on computer or information recorded with the intention of putting it on computer) and manual data (information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system).
Personal Data – Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
Access Request – this is where a person makes a request to the organisation for the disclosure of their personal data under Section 3 and/or section 4 of the Data Protection Acts.
Data Processing – performing any operation or set of operations on data, including:
– Obtaining, recording or keeping the data,
– Collecting, organising, storing, altering or adapting the data,
– Retrieving, consulting or using the data,
– Disclosing the data by transmitting, disseminating or otherwise making it available,
– Aligning, combining, blocking, erasing or destroying the data.
Data Subject – an individual who is the subject of personal data.
Data Controller – a person who (either alone or with others) controls the contents and use of personal data.
Data Processor – a person who processes personal information on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of their employment, for example, this might mean an employee of an organisation to which the data controller out-sources work. The Data Protection Acts place responsibilities on such entities in relation to their processing of the data.
APPENDIX 2 – PRIVACY IMPACT ASSESSMENT
In deciding that we will routinely install CCTV in our clubs we have undertaken a privacy impact assessment which considered the points listed below, and the outcomes of this assessment have informed this policy:
• What is the club’s purpose for using CCTV images? What are the issues/problems it is meant to address?
• Is the system necessary to address a pressing need, such as staff and visitor safety or crime prevention?
• Is it justified under the circumstances?
• Is it proportionate to the problem it is designed to deal with?
• What are the benefits to be gained from its use?
• Can CCTV systems realistically deliver these benefits? Can less privacy-intrusive solutions, such as improved lighting, achieve the same objectives?
• Does the club need images of identifiable individuals, or could the system use other images which are not capable of identifying the individual?
• Will the system being considered deliver the desired benefits now and remain suitable in the future?
• What are the views of those who will be under CCTV surveillance?
• What could be done to minimise intrusion for those whose images may be captured?
• How have staff, members and visitors been assured by the club that they will not be monitored and that the CCTV system will be used only for the stated purposes?
• Does the club’s policy on the use of CCTV make it clear that staff will be monitored for performance or conduct purposes?
• Have the views of staff & members regarding the location of cameras been taken into account?
• Can the location of each internal camera be justified in accordance with the overall purpose for the use of the CCTV system?