General Data Protection Regulation (GDPR) - Statement of Operation
The General Data Protection Regulation (GDPR) came into force within the EU on 25th May 2018. The aim of the GDPR is to give greater protection to the data (information) relating to any individual.
The EU GDPR does not apply in the UK since the Brexit transition period ended, on 31st December 2020. However, the GDPR has been incorporated into UK data protection law as the UK GDPR. This means that, in practice, there is little change to the core data protection principles, rights and obligations under the new regime of the UK GDPR. Furthermore, since my services are offered to individuals in the European Economic Area (EEA), the EU GDPR still applies directly to me. The following GDPR Statement of Operation therefore remains unchanged post-Brexit.
How do I operate?
I operate as a sole trader running a small business called James Orpwood Mountaineering (“JOM”). JOM provides year-round guided hill walking and mountain skills courses for individuals and small groups in the Highlands of Scotland. Your booking with JOM for a particular activity on a particular day or days (“an event”) is made directly with me.
I also work as a freelance outdoor instructor (“freelancer”) delivering activities for a number of different providers. In these cases, your booking for an event is made with the provider, and they employ me to deliver that event on their behalf.
What information do I hold?
When booking an event directly with JOM, I will ask you for certain information. This typically includes (but may not be limited to, and may change from time to time without prior notification) your contact details (e.g. a mobile telephone number and an email address), contact details for someone of your choosing in the event of an emergency (e.g. a telephone number), and medical information.
When working as a freelancer, the provider with whom you made your booking will ask you for certain information. At least some of this information will be passed on to me. Such information will typically include (but may not be limited to, and may change from time to time without prior notification) that as outlined above.
How is this information stored?
Prior to an event taking place, information will typically be held in an electronic format e.g. on a spreadsheet and / or in an email, accessible via my secure business laptop and smartphone.
It is often necessary to carry a copy of the information “on the hill” to assist with the delivery of an event on the day. This would typically be a copy of the electronic material (stored on my secure business smartphone), and / or a printed paper “hard copy” of the material generated prior to an event taking place, and stored on my person throughout the event.
My wife, Ellen Thornell, has access to my electronic equipment, digital and paper files, in case of emergency.
Why is this information needed?
Primarily, this information is required so that an event can be delivered safely, efficiently, and with an awareness of any factors which might affect your ability to take part. For example, your mobile telephone number may be needed to confirm any last minute arrangements such as meeting place and time, particularly if these are different to that which was advertised originally. It is also important that I am able to contact you in case you do not arrive at the meeting place at the expected time, for example if you have been delayed. An emergency contact is required in case an emergency situation arises. Medical information is required for awareness purposes. Disclosure of medical information will not necessarily affect whether or not you can take part in an event, but it is important that I am aware of any medical conditions so that these can be taken into account and if necessary, passed on, for example to Mountain Rescue personnel in an emergency.
What happens to the information after an event is completed?
JOM will keep your information for a minimum of six years (indefinitely if a legal claim may be made), after which all personal information relating to individual clients will be destroyed.
When working as a freelancer, information supplied to me by the provider is intended for single event use only, to assist with the delivery of that event. When directed by the provider, all personal information relating to individual clients is destroyed as soon as practically possible after the completion of that event.
Destruction of personal information includes permanent deletion of electronic material (e.g. spreadsheets and emails) and appropriate disposal (shredding) of printed paper material.
James Orpwood
Date of last revision: 20th June 2023
Registered with the Information Commissioner’s Office, Reference: ZA430364; Expiry date: 19th June 2025.