Customer Data Protection Policy
Effective date: 30 June 2021

                                           

This Customer Protection Policy (‘Policy’) applies to all the entities within the Strike Zone House of Fun, as well as the websites, portals, and booking system services provided by Strike Zone of Fun.

In this document, we are collectively referred to as “The Zone” (or “us”, “we”, “our”).

INTRODUCTION

This Policy sets out the obligations of The Zone regarding data protection and the rights of customers and business contacts (“data subjects”) in respect of their personal data under EU Regulation 2016/679, the General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets out The Zone’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by The Zone, its employees, agents, contractors, or other parties working on behalf of The Zone.

The Zone is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

 

LAWFUL, FAIR, TRANSPARENT DATA PROCESSING

The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject.

The GDPR states that processing of personal data shall be lawful if at least one of the following applies:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes;

  • The processing of temperature testing is necessary because of our business model, to ensure that we do not host anyone with a higher-than-normal body temperature, as we attempt to do our part in our community to minimize the spread of SARS COVID-19;

  • The processing is necessary for our business and this data is not stored; however, a data subject who does not wish to provide this data cannot be allowed to participate in our activities;

  • The processing is necessary to protect the vital interests of the data subject or of another natural person;

  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or

  • The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

  • Temperature is tested with the TEMPstation K3 Wall Mount Digital Infrared Forehead Thermometer, which hits the sweet spot in terms of features when compared against IR thermometer gun systems but does not record or store information. When someone approaches the scanner, it automatically checks their skin temperature and will trigger an audible and visual alarm if the reading is too high.

  

ERASURE OF PERSONAL DATA

Data subjects have the right to request that The Zone erases the personal data it holds about them in the following circumstances:

  • It is no longer necessary for The Zone to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;

  • The data subject wishes to withdraw their consent to The Zone holding and processing their personal data;

  • The data subject objects to The Zone holding and processing their personal data (and there is no overriding legitimate interest to allow The Zone to continue doing so; call for further details concerning the right to object);

  • The personal data has been processed unlawfully;

  • The personal data needs to be erased in order for The Zone to comply with a particular legal obligation.

Unless The Zone has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

  

TRANSFERRING PERSONAL DATA AND COMMUNICATIONS

The Zone shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:

  • All emails containing sensitive personal data must be encrypted;

  • All emails containing sensitive personal data must be marked “confidential”;

  • Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;

  • Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;

  • Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted.

  • Where personal data is to be sent by facsimile transmission, the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;

  • Where personal data is to be transferred in hardcopy form, it should be passed directly to the recipient or sent using DHL/UPS/Royal Mail;

  • All personal data to be transferred physically, whether in hardcopy form or on removable electronic media, shall be transferred in a suitable container marked “confidential”.

DATA SECURITY – STORAGE

The Zone shall ensure that the following measures are taken with respect to the storage of personal data:

  • All electronic copies of personal data should be stored securely using passwords and data encryption;

  • All hardcopies of personal data, along with any electronic copies stored on physical, removable media, should be stored securely in a locked box, drawer, cabinet, or similar;

  • All personal data stored electronically should be backed up weekly with backups stored onsite. All backups should be encrypted.

  • No personal data should be transferred to any device personally belonging to an employee, and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of The Zone where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to The Zone that all suitable technical and organizational measures have been taken).

 

DATA BREACH NOTIFICATION

All personal data breaches must be reported immediately to Wayne Clarke.

If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

Data breach notifications shall include the following information:

  • The categories and approximate number of data subjects concerned;

  • The categories and approximate number of personal data records concerned;

  • The name and contact details of The Zone’s data protection officer (or other contact point where more information can be obtained);

  • The likely consequences of the breach;

  • Details of the measures taken, or proposed to be taken, by The Zone to address the breach including, where appropriate, measures to mitigate its possible adverse effects.