Privacy & Cookie Policy

1. About us

Since 1891, the Royal Life Saving Society UK (RLSS  UK) has been sharing its expertise in water safety, lifesaving, and lifeguarding to educate everyone to enjoy water safely.

Charity Numbers: England and Wales (1046060) and Scotland (SC037912)

1. Our Mission – To be the leader in lifesaving and lifeguarding, sharing our expertise and knowledge to give everyone the skills to save lives and enjoy water safely.
2. Our Vision - Nations free from drowning, where everyone is able to enjoy water safely.
3. Our Purpose - To educate nations so everyone can enjoy water safely – because no one should drown.

RLSS UK’s work is vital in every city, town, community and household, as we are the UK’s leading provider of water safety education and qualifications. RLSS UK is also the National Governing Body, recognised by Sport England, for the sport of Lifesaving.

RLSS UK is the industry leader in water-related safety qualifications and training. We deliver national water safety campaigns, and 47 volunteer branches provide our essential footprint across the UK and Ireland, helping us enhance communities so everyone can enjoy being in, on or near water safely – because no one should drown.

RLSS UK’s website is www.rlss.org.uk.

To help us continue our important Charity work providing water safety education, we often need to collect data, doing so whilst strictly keeping in line with the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulations (UK GDPR) lawful bases for processing, which we have outlined in this Policy. We do this respecting your privacy and with your continued trust in us as a National Awarding Body and established Charity. If you would like to know more about what data we collect and how we use it, please continue reading this Policy.

---

2. Scope

This RLSS UK Privacy Policy clarifies the different types of personal data that RLSS UK (“RLSS UK”, “we,” and “us”) and its respective 3rd parties and affiliated companies collect, how we use it, when it may be shared and importantly the rights you have for your own data. We will explain the processes we use to communicate with you, helping to achieve our mission to share our expertise and knowledge with as many people as possible. Using the data we collect, we can improve our services and products, helping to enhance everyone’s potential to save lives and enjoy water safely. We thank you for understanding and for helping us to prevent drowning, stop unnecessary loss of life and aid families affected by the tragedies that can occur within water.

This Privacy Policy applies to the RLSS UK websites available at www.rlss.org.uk, www.shop.rlss.org.uk and to any other websites, applications, brands or products owned and operated by RLSS UK that direct the viewer or user to this Privacy Policy.

---

3. Who We Are

RLSS UK is a limited company and has 47 membership branches located across the UK and Ireland. 

• RLSS UK Enterprises Limited has a registered office at Redhill House, London Road, Worcester, WR5 2JG, United Kingdom (Company Number 02559199).
• RLSS UK Enterprises Limited is the lifesaving qualification awarding body, offering OFQUAL CCEA and regulated qualifications and non-regulated vocational training programmes.
• More than 90,000 RLSS UK pool lifeguards are trained in the National Pool Lifeguard Qualification (NPLQ), and around 95 per cent of all pool lifeguards are trained by RLSS UK.
• RLSS UK also sells and fulfils a range of products to help support the delivery of vocational and non-vocational awards and qualifications, mainly via the online RLSS UK Shop https://shop.rlss.org.uk

RLSS UK is the controller of all personal data processed by the charity, the above operating company and the 47 membership branches.

---

4. Registration with the Information Commissioner’s Office

For the purpose of the Data Protection Act (2018) and the UK General Data Protection Regulations (UK GDPR), the Royal Life Saving Society UK (RLSS UK) is registered as a data controller with the Information Commissioners Office, with registration number 2811194.

RLSS UK’s Privacy Officer is:

Privacy Officer
RLSS UK
Redhill House
London Road
WORCESTER
WR5 2JG

Tel: 0300 3230 096
Email: [email protected] 

---

5. Updates to this Privacy Policy  

As times are ever-changing, every so often, this policy will need updating. It is under constant review, so please refer back to it as and when you need it. Any important updates will be communicated to our members.

---

6. Sources of Data We Collect 

All of the personal data RLSS UK collects is provided directly from our Members, Trainer Assessors (TAs), candidates, customers and organisations associated with RLSS UK. We only collect the necessary data to provide the services you require from us, and you only need to provide the data you wish to share with us as long as that data enables us to fulfil your requirements. If you are not happy to share the data RLSS UK requires to carry out administration, this may result in you being unable to access our services.

RLSS UK also collects data through Cookies. More information about this can be found on our Cookie Policy, which can be found by clicking here.  

---

7. Personal Data Processed by RLSS UK

7.1 When We Collect Personal Data

RLSS UK collects, stores, and processes personal data for several purposes, mainly for the administration of the organisation and the Charity, financial accounting and marketing.

We may collect personal information when you:

• donate to us;
• complete one of our qualifications or awards;
• become a Trainer Assessor with us;
• sign up to become a member with us;
• purchase something from our online shop;
• volunteer or fundraise for us;
• support one of our campaigns;
• sign up for our newsletter or Lifesavers magazine;
• contact us regarding a situation you are aware of in or around water;
• when you access our website.

To fulfil these services, we may need to collect your name, email and postal address, contact number, and date of birth. If you donate, purchase something or become a member we may need to collect your bank details or your taxpayer status so we can collect gift aid. Please be assured all of the data we collect has specified retention periods, and we only collect what is absolutely necessary for us to carry out our duties. Our data retention schedules are clarified under section 7.3 of this Policy.

7.1.1 Special Category Data (SCD)

Certain types of personal data are known as Special Category Data (SCD) in accordance with Article 9 of the UK GDPR. Special Category Data clarifies more sensitive data, such as an individual’s racial or ethnic origin, religious beliefs, political opinions, biometric data, medical data or data concerning their sexual orientation.

RLSS UK rarely has the need to collect SCD; however, if there is an occasion we would collect such data, we would only collect this once we have established a legal basis to process such data. An example of when we may need to collect SCD is when we carry out specific surveys it can be valuable for us to know the racial or ethnic origin of the individual, as this helps us as an organisation to become more aware of our inclusivity. To process this data, we would first need to obtain your consent under Article 9 1(a) and Article 6 1(a) of the UK GDPR. In order to lawfully process SCD we need to identify a lawful basis under both Article 6 and Article 9 of the UK GDPR; however, these do not have to be linked.

7.2 Explaining the Legal Bases we rely on

The UK General Data Protection Regulations are there to provide you with peace of mind that your data is only collected when necessary and treated lawfully and fairly whilst we hold it.

RLSS UK relies on the following Legal Bases for our processing:

7.2.1 Consent

In many circumstances, we collect and use your data only when we have obtained your consent. We do this while providing a clear outline of why we are collecting your data, what we propose to do with it and what it will help us to achieve. When you give us your data directly you are giving us your consent to process your data.

We process data with your consent under Article 6 1(a) of the UK GDPR, where the data subject has given consent to the processing of his or her personal data.

Examples of when we collect your data from consent are:

• Donating to us;
• Volunteering on our behalf;
• Signing up to one of our events or competitions;
• Opting into our marketing preferences.

7.2.2 Contract

In some instances, we require you to be part of a contract in order for us to carry out our responsibilities so we can provide you with the best service possible. Contracts are formed so expectations from both sides can be met.

We process data using a contract under Article 6 1(b) of the UK GDPR where processing is necessary for the performance of a contract.

Examples of when we collect your data for contractual reasons are:

• When signing up to become an RLSS UK Member;
• When you become a RLSS UK Trainer Assessor;
• By obtaining one of our awards or qualifications;
• When purchasing a product or service from RLSS UK Shop.

7.2.3 Legitimate Interest 

In certain situations, we have legitimate interest for using your data. We will never do so if it impacts your rights and freedoms, it is only under circumstances that are reasonably expected.

We process data using Legitimate Interest under Article 6 1(f) of the UK GDPR where processing is necessary for the purposes of legitimate interest.

Examples of Legitimate Interest reasons for using your data are:

• To inform RLSS UK Trainers  Assessors of any updates to do with their qualifications, to make sure they are delivering the most up to date information to their candidates;
• To maintain our National Records Database of the competitors who achieve a national record within lifesaving events;
• To maintain the records of Honours recipients who have achieved an Honour for historical purposes.

Please refer to section 7.3 for further information on Contacting you using Legitimate Interest.

7.2.4 Legal Obligation

Sometimes it is the law that requires us to collect and process your data, for example; if you select to provide Gift Aid when donating we process data by submitting a claim to HMRC.

We process data using Legal Obligation under Article 6 1(c) of the UK GDPR where processing is necessary for compliance with a legal obligation.

7.2.5 Vital Interest

In very rare circumstances Vital Interests can be relied on as a lawful basis for processing data, such as during a medical emergency where an individual cannot speak for themselves.

We process data using Vital Interests under Article 6 1(d) of the UK GDPR where processing is necessary in order to protect the vital interests of the data subject or of another natural person.

7.2.6 Public Interest

In very limited circumstances we may need to use data in the public interest, this would occur under safeguarding and wellbeing concerns or to prevent a crime.

We process data using Public Interest under Article 6 1(e) of the UK GDPR where processing is necessary for the performance of a task carried out in the public interest.

7.3 Administrative purposes for which we collect your data

We collect and retain data for the following purposes:

7.3.1 RLSS UK Members 

Type of data:	Purpose of Processing:
Name:	So we know who is signing up for membership
Address:	So we can post your RLSS UK Membership card
Location:	This helps us to place you in the appropriate Branch
Contact number:	This is optional but helps us to contact you about your membership
Email address:	So we can keep you updated with important information to do with your membership and any inform you of the benefits you receive for being an RLSS UK Member
Financial data:	Not retained - 3rd party companies used for taking payments; Stripe: used for payments made through tahdah; Go Cardless: used for direct debit payments; Evo: internally used handheld card machine for card payments.
Legal Basis:	Article 6 1(b):  We collect this data as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Retention Period:	7 years after membership expires

7.3.2 RLSS UK Trainer Assessors 

Type of data:	Purpose of Processing:
Name:	So we know who is becoming a Trainer Assessor with us
Address:	So we can post your RLSS UK Membership card
Location:	This helps us when you organise courses through Course Finder
Contact number:	This helps us to contact you about courses you are running and about your qualifications
Email address:	So we can keep you updated with important information about your courses and qualifications
Financial data:	Not retained - 3rd party companies used for taking payments; Stripe: used for payments made through tahdah; also for payments for Continuous Professional Development (CPD) hours.
Legal Basis:	Article 6 1(b):  We collect this data as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Retention Period:	7 years from last RLSS UK account log-in date or last achievement date, whichever is most recent

7.3.3 RLSS UK Course Candidates: Community-based, Regulated and Non-Regulated Awards

Type of data:	Purpose of Processing:
Name:	So we know who is taking the award or qualification
Address:	This is optional
Location:	This is optional
Contact number:	This helps us to contact you for any queries about your award or qualification
Email address:	So we can email candidates their certificates and any information to do with your award or qualification
Financial data:	Not collected or retained. Payments for courses are made through our ATC/P’s
Legal Basis:	Article 6 1(b):  We collect this data as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Retention Period:	7 years from last RLSS UK account log in date or last achievement date, whichever is most recent

7.3.4 RLSS UK Under 13 Children's Data:

Children from the age of 13+ are able to give consent for their own data. This section refers to Children under the age of 13:

Type of data:	Purpose of Processing:
Name:	So we know who is being awarded a certificate
Address:	So we know where to send certificates
Location:	This helps us to place you in the appropriate Branch
Contact number:	This helps us to contact the responsible parent/legal guardian for any queries about their child’s award or certificate
Email address:	Usually this is a responsible parent/legal guardians email address that is only used for updates on certificates or awards, however a child can enter their own email address if they wish
Financial data:	Not collected or retained. Payments for awards and courses are made to local clubs
Legal Basis:	Legal basis: Article 6 1(a): We collect this data only when the data subjects' parent or legal guardian has given their consent to the processing of their personal data for one or more specific purposes
Retention Period:	7 years from last RLSS UK account log in date or last achievement date, whichever is most recent

7.3.5  Athletes and Officials/Coaches/Team Managers

Type of data:	Purpose of Processing:
Name:	So we know who is attending or entering one of our events or competitions
Address:	This is optional
Location:	So we can inform you of events in your local area
Contact number:	This helps us with any queries about events you have entered or are interested in
Email address:	So we can keep you updated with important information to do with our events and competitions
Financial data:	Not retained – 3rd party company used; Stripe: used for payments for events through the RLSS UK website.
Legal Basis:	Legal basis: Article 6 1(b): We collect this data as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Retention Period:	7 years from last RLSS UK account log in date or last achievement date, whichever is most recent

7.3.6  RLSS UK Shop

Type of data:	Purpose of Processing:
Name:	So we know who has made an order with us
Address:	So we know where to post the goods
Location:	Is confirmed through your address
Contact number:	This helps us to contact you over any queries concerning your order with us
Email address:	So we can keep you updated with important information to do with your order such as delivery times and dates
Financial data:	Not retained – 3rd party company used; Shopify: used for payments for online products.
Legal Basis:	Legal basis: Article 6 1(b): We collect this data as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Retention Period:	7 years from the date of last order

7.3.7  RLSS UK Volunteers

Type of data:	Purpose of Processing:
Name:	So we know who is volunteering on our behalf
Address:	This is optional
Location:	This helps us to place you in the appropriate Branch
Contact number:	This helps your local branch to contact you about volunteering opportunities
Email address:	So we can keep you updated with volunteering opportunities or provide details on any current volunteering you are taking part in
Financial data:	Not collected or retained
Legal Basis:	Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes.
Retention Period:	7 years from the date of last contact

7.3.8  Fundraisers

Type of data:	Purpose of Processing:
Name:	So we know who is fundraising for us
Address:	Optional, but helps us to know where you are located
Location:	So we know which areas of the country are convenient for you to travel to
Contact number:	So we can contact you about any fundraising events
Email address:	So we can inform you about any fundraising events
Financial data:	Not collected or retained
Legal Basis:	Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes.
Retention Period:	7 years from date of last contact

7.3.9  Donations made via post and through www.rlss.org.uk

Type of data:	Purpose of Processing:
Name:	So we know who has donated to us and who to thank
Address:	This is optional
Location:	This is confirmed if you provide your address
Contact number:	Only retained if you hold an RLSS UK Account (powered by tahdah) with us  or have signed up to our 12-month GWYC Membership as members receive 6 emails throughout the year
Email address:	Only retained if you already hold an RLSS Account with us
Financial data:	Postal donations: data not collected or retained, donations usually sent as cash or as a cheque Donations made through RLSS UK website: 3rd party company used; Stripe
Legal Basis:	Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes
Retention Period:	7 years from date of last contact

7.3.10  Donations via GiveTap

Type of data:	Purpose of Processing:
Name:	Retained if you have signed up to our 12-month GWYC Membership as members receive 6 emails throughout the year
Address:	Not retained
Location:	If a branch has collected the donation on a branch event and the funds need to be transferred to the branch
Contact number:	Not retained
Email address:	Retained if they have signed up to our 12-month GWYC Membership as members receive 6 emails throughout the year
Financial data:	Not retained
Legal Basis:	Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes. Anonymous data is exempt from the UK GDPR as stated in Article 26 (6), ‘This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes’
Retention Period:	7 years from date of last contact

7.3.11  RLSS UK Honours

Type of data:	Purpose of Processing:
Name:	So we know who has been nominated or who to present an Award to
Address:	So we can send information and certificates to recipients
Location:	This helps us to place you in the appropriate Branch
Contact number:	So we can contact you about nominations
Email address:	So we can invite and contact you about the Honours Ceremony
Financial data:	Not collected or retained
Legal Basis:	Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes. Anonymous data is exempt from the UK GDPR as stated in Article 26 (6), ‘This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes’
Retention Period:	7 years from date of last contact
Note: Certain candidates may have achieved an RLSS UK Honour and will remain on the system indefinitely as this is classed as data of historical purpose

7.3.12  Marketing

Type of data:	Purpose of Processing:
Name:	So we know how to address you
Address:	Optional
Location:	Optional
Contact number:	Optional
Email address:	To inform you of marketing opportunities
Financial data:	Not collected or retained
Legal Basis:	Legal basis: Article 6 1(a): We collect this data only when the data subject has given their consent to the processing of their personal data for one or more specific purposes
Retention Period:	7 years from date of last contact

7.4  Changing your Marketing preferences 

We will only send you marketing emails when you have confirmed you are happy to hear from us. You can opt out of RLSS UK marketing by:

• updating your Marketing preferences via your RLSS UK Account;
• selecting ‘Unsubscribe’ at the bottom of our emails;
• emailing us on [email protected];
• calling and speaking to our Customer Service team on 0300 323 0096.

To update your Marketing preferences through your RLSS UK Account, on your homepage choose the ‘Settings’ tab and select ‘Email Subscriptions’. If choosing to unsubscribe via an email you have received, please allow around 48 hours for any changes to come into place.

If you have purchased a product from us or have had direct contact with us, we may need to send you a transactional email. These are not promotional like marketing emails but will contain important information such as order delivery updates or a password reminder.

Occasionally, we will undertake a Legitimate Interest Assessment (LIA) in order to gauge whether we have genuine reason to contact you. This will not be for marketing purposes but for surveys, research opportunities or service emails.

Please be mindful, if you hold a current qualification of ours, we may need to contact you with important updates, so be assured opting out of marketing from us won’t impact those emails so we can always keep you up to date.

If you have shown interest in one of our services or have purchased an item from our shop, you may receive marketing associated with that interest, unless you have previously decided to opt out of marketing from us.

One of the benefits RLSS UK Members receive when signing up with us is to receive a quarterly RLSS UK newsletter, which provides news and updates going on within the Charity. The content of our newsletters are targeted towards the type of membership you have joined, for instance the Lifesaving Academy Membership Newsletter’s will have content more relevant and significant to children of that age group.

Members also receive our RLSS UK Lifesavers magazine which is sent out twice a year. Members are given the option to receive this as a printed hardcopy or as an online version.

Both the Member newsletter and the magazine can be unsubscribed from via your RLSS UK Account.

Whatever you decide we will always give you the option to change your mind.

7.5  Contacting you using Legitimate Interest for research purposes

From time to time, we may carry out research projects using feedback collected from individuals who have experience of our organisation. This helps ensure we can continue to provide all our stakeholders with the best possible advice, training, events, products and services. Where relevant, Legitimate Interest Assessments are carried out which help ensure we have a valid reason for contacting you for this purpose.

7.5.1  Research Projects

Examples of when we may contact you to take part in research projects under the UK GDPR Article 6 1(f) may include:

• To take part in a market research survey related to a qualification you have recently undertaken with RLSS UK;
• To take part in a feedback survey about a recent RLSS UK event you have attended;
• To take part in a market research survey to help us understand how we can create a more inclusive society for all;
• To request your participation in academic research into lifesaving techniques, in order to improve the guidance, we include in our lifesaving qualifications and awards.

In all cases you will be provided with full details on all components of the research, it’s objectives and what’s involved, before you are asked to consent to take part.

Most surveys we send out are completely anonymous. This means we will not gather or store any of your personal data. Any data collected is therefore exempt for the UK GDPR as stated in Article 26 (6), ‘This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

In the unusual circumstance it is not possible for a survey or research project to be anonymous, full details will be provided to the individual asked to take part, including what personal data will be collected and how it will be used and stored.

7.5.2  Use of anonymised research data

Once collected, anonymised research data from individual surveys may be submitted to a data repository to support future projects.

Aggregated, anonymised results from our research may be made available to others within the society, to those in our partner organisations and/or the general public. In all cases, the results are used to support RLSS UK in our mission to be the leader in lifesaving and lifeguarding in the UK and Ireland; sharing our expertise and knowledge with as many people as possible, giving everyone the potential to save lives and safely enjoy water.

Shared survey results may include free text comments provided by respondents, in an anonymised format.

You can at any time opt-out of any further contact regarding research projects by emailing us at [email protected].

7.6  Disposal of data 

RLSS UK shall ensure that we will not retain personal data for any longer than is necessary. Once the retention period of data we hold has ceased, we will remove and permanently delete it from our RLSS UK computers and servers.

Periodically, we will review our retention periods and consider the purpose for originally retaining that data. If it no longer fulfils a function within the organisation, we will consider whether we are able to dispose of that data earlier than anticipated. This helps us fall in line with the UK GDPR’s Storage Limitation Principle, Article 5 1(e), in which personal data must be kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of processing.

Certain data we hold is kept longer for historical purposes, such as recipients of Honours Awards. For such reasons we are permitted to hold this data indefinitely, under the UK GDPR Article 5 1(e), ‘personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest’.

---

8. Children Under 16 and Vulnerable People  

We are happy to support and encourage children who would like to engage with us, either by taking one of our qualifications, competing in one of our events or fundraising on our behalf.

Complying with the Data Protection Act 2018, children aged 13 and over are legally able to provide consent for us to use their data and can take control of how we handle their data.

Candidates under the age of 13 will only qualify for an RLSS UK Account if it is linked to a responsible parent/legal guardian's account. This means the linked individual will have permission to speak on behalf of the child and to make any amendments to the account.

Once a child turns 13 years of age, if they choose to dissolve the link to their parent/guardians account, they will need to actively request this with our Customer Services team. A parent/guardian may remove a linked account through the family button on their RLSS UK Account.

If a parent/guardian of a child aged 13-16 would like their accounts linked, we would be able to do this at the request of both parties.

Children over the age of 16 are no longer legally required to have a parent or guardian consent to the use of their data, so we would always expect to speak with the account holder to discuss anything. If the account holder would prefer for us to speak with their parent or guardian, we can happily do that with their verbal consent over the phone.

Please be assured we take the greatest care in safeguarding when linking accounts, and always do the necessary checks to ensure we are communicating with the correct person.

We work hard to support vulnerable people when they choose to help us by fundraising or whether they would like to take part in an event or complete one of our qualifications. They can decide how much information they are comfortable sharing with us, so we can accommodate any adjustments needed to ensure they feel safe whilst working with us.

---

9. Stories and Experiences 

Stories, experiences and occasions involving lifesaving are a very important part of helping RLSS UK to promote our message, as they reinforce our aims making them more meaningful and significant to the public. They help to demonstrate and support our work, which we couldn’t do without your help. With your permission, we may use these in our newsletters, Lifesavers magazine and on our social media. We will only do this once you have given your consent.

---

10. Data Sharing

In order to provide the best service possible, RLSS UK may share data within our own organisation, such as between your RLSS UK Account and your RLSS UK Shop Account, to help us fulfil a request you have made. For example, if you have made an order through your RLSS UK Shop account and we need to call you in order to fulfil that order, we may use the number you provided us on your RLSS UK Account. Any shared data will fall in line with our data retention and storage policies.

RLSS UK shares personal data with the following organisations:

Organisation name/category of organisation	Purpose of the sharing	Data Storage Location
RLSS UK Trading Subsidiaries: RLSS UK Enterprises and RLSS UK Shop	To help us to offer the best service possible to our customers, sometimes we may be required to share data within our own organisation	RLSS UK Accounts (powered by tahdah) - All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification.
RLSS Commonwealth	To aid RLSS Commonwealth with data on UK Members	RLSS UK
Digital Service Providers (tahdah Limited, Intercom and Galtec)	We employ specialist companies to host our database and facilitate our IT services meaning that they potentially have access to any personal data collected via the channel they manage for us. These organisations are data processors and governed by legal obligations set out in the UK GDPR	All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification.
Official Organisations	We share the personal data of some of our membership because of a legal obligation with official authorities such as governing bodies, insurance companies, police and child welfare	All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification.
Disclosure & Barring Service	To disclose a copy of a person’s criminal record	All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification.
RLSS UK Branches	We share the personal data of some of our members with members of their local Branch	All personal data is stored securely by members of the RLSS UK Branch in which the data is disclosed
Linn Systems Limited (Linnworks)	Data and Stock Management - Order management system that will talk virtually to Shopify and Walkers to fulfil orders and manage stock levels	All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification.
Shopify Plus Platform	Website Platform that our e-commerce website is built on	All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification.
Statement	Agency that manages the build and ongoing maintenance of our e-commerce website hosted on the Shopify Plus Platform	All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification.
Forever (formally known as Sitel)	Warehouse and Distribution who will be in charge of the warehousing, fulfilment and distribution of orders.	All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification.
Excelify.io	Export and Import Data	All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification.
CyberSource on behalf of Total Processing UK	Payment Gateway	All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification.
Laerdal	For the supply and dispatch of medical therapy and training products	All personal data is stored on secure servers
Access	Website provider, holds data for individuals to access resources. Holds cookies data	All data is storage is Cloud-based
Sage Finance System	Finance Software Platform – all internal finance matters	All data is storage is Cloud-based
Datel	Configured the Sage program for RLSS, used as support team for software	All data is storage is Cloud-based

---

11.  Sub-Contract Processing 

RLSS UK uses sub-contract organisations to process personal data under a written contract which defines that they must comply with stringent data privacy requirements. RLSS UK only employs organisations that comply with the provisions of the UK General Data Protection Regulations. These organisations are audited to ensure compliance.

RLSS UK’s processors include:

Processor Name:	Reason for Processing:
tahdah	For the secure hosting of the database
Intercom	For business messaging services
Galtec	For the IT services helpdesk
MailChimp	To facilitate the sending of group emails
M Leach Jewellers	For engraving medals and trophies
Laerdal	For the supply of medical therapy and training products
Print Waste Recycling Services	For the secure removal of waste and confidential waste materials
Scottish Widows and NEST	For staff pension schemes
Linnworks	For data and stock management
Shopify Plus	For RLSS UK Shop website purchases
Stripe	Card payment service
Worldpay	Online credit card platform
Go Cardless	Direct debit payments through tahdah
Evo	Handheld card machine for card payments
GiveStar	Charity donations platform
Forever (formally known as Sitel)	For warehouse and distribution
io	For the import and export of data
Cybersource	As a payment gateway
Access	Website provider
Sage	Finance Software Platform
Datel	Sage program configurator support team
Iris	Payroll system

---

12. Data Augmentation 

RLSS UK uses augmentation services to satisfy its legal obligation to ensure the accuracy of personal data being processed by using, for example:

• Royal Mail Postal Address File (PAF) to update redirected addresses and to ensure address accuracy and completeness.

---

13.  Profiling

RLSS UK does not carry out any form of automated processing of personal data that could be used for profiling purposes.

---

14. Secure Storage of Data 

All personal data are stored in secure UK data centres operated by organisations with ISO 270001 certification. Our Cloud servers are located in London, UK.

---

15. International Transfers

On July 10th 2023, the European Commission (“EC”) adopted its decision that the EU-U.S. Data Privacy Framework (“DPF”) offers an adequate level of protection for EU personal data (the “Adequacy Decision”), comparable to that provided under the EU General Data Protection Regulation (“GDPR”). With this adequacy decision in place, U.S. companies that are certified under the DPF may lawfully transfer EU personal data to the U.S., without the need for additional safeguards.

To reflect this decision, the UK Government has published the Data Protection (Adequacy) (United States) Regulations 2023 (SI 2023/1028) (the UK-US Data Bridge Regulations) which adopted an adequacy decision for the US (the UK-US Data Bridge) which came into force on the 12th October 2023.

In particular, the UK-U.S. Data Bridge provides that for the purposes of Part 2 of the Data Protection Act 2018 (“the Act”) and the UK General Data Protection Regulation (“UK GDPR”), the Secretary of State designates the U.S. as ensuring an adequate level of personal data protection for data transfers that meet the following criteria:

• the transfer is to a person in the U.S. listed as participating in the UK Extension to the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”); and
• the transfer will be subject to the EU-U.S. DPF Principles upon receipt by the recipient.

You can read the UK-US Data Bridge here, the explanatory note here, the factsheet here, the EU-US DPF Principles here, and the DPF List here.

Organisation	Country	Purpose	Safeguards
MailChimp	USA	To send group emails to members and candidates on our database about things that they have opted in, to hear about.	MailChimp participates in and has certified its compliance with the EU- U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. They are committed to subjecting all Personal Information received from EEA member countries, United Kingdom, and Switzerland, respectively, in reliance on each Privacy Shield Framework, to each Framework’s applicable Principles. MailChimp is responsible for the processing of Personal Information they receive under each Privacy Shield Framework and subsequently transfer to a third party acting as an agent on their behalf. They comply with the Privacy Shield Principles for all onward transfers of Personal Information from the EEA, United Kingdom, and Switzerland, including the onward transfer liability provisions. Members located in Switzerland, United Kingdom and the EEA are subject to their Data Processing Addendum which can be found here, as described in their Standard Terms of Use.
SurveyMonkey	USA	To facilitate the sending of member surveys from time to time.	SurveyMonkey Inc. participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield. SurveyMonkey is committed to subjecting all personal information and data received from European Union (EU) member countries and Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. https://www.privacyshield.gov/

---

16. Your Rights

If you would like to exercise any of these rights, then please either call us on 0300 3230 096 and ask to speak with the Data Protection Officer or email us on [email protected] with your request.

Right of access	You have the right to obtain confirmation from RLSS UK as to whether personal data concerning you are being processed and, where that is the case, access to that personal data.
Right to rectification	You have the right to ask RLSS UK to rectify inaccurate personal data concerning you.
Right to erasure (right to be forgotten)	You have the right (under certain circumstances, but not all) to request RLSS UK erase personal data concerning you.
Right to restriction of processing	You have the right (under certain circumstances, but not all) to ask RLSS UK to restrict the processing of your personal data. For example, you may request this if you are contesting the accuracy of personal data held about you.
Right to data portability	You have the right (under certaon circumstances, but not all) to request RLSS UK provides you with the personal data about you that have provided to RLSS UK in a structured, commonly used and machine-readable format. You also have the right to ask RLSS UK to transmit those data to another controller.
Right to withdraw consent	If the lawful basis for processing is consent, you have the right to withdraw that consent by contacting [email protected].
Right to object to direct marketing	Where your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for marketing.
Rights in relation to automated decision-making and profiling	RLSS UK does not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you.

---

17. Your right to lodge a complaint with a supervisory authority

If you have any queries about the way we use your personal data, or if you wish to exercise any of your rights concerning your personal data, please contact RLSS UK’s Data Protection Officer using either the email address or our Head Office Address below:

RLSS UK
Redhill House
227 London Road
Worcester
WR2 5JG

Tel: 0300 323  0096
Email: [email protected]

If you are not satisfied with the response you receive, you have the right to lodge a complaint with the supervisory authority. In the UK this is:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF 

Tel: 0303 123 1113
Email: [email protected]

---