top of page

Data Protection


The General Data Protection Regulation 2016 replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual Member States that were developed in compliance with the Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.

Waves Swim School are fully compliant with GDPR and would like to reassure all of our customers that we only collect the necessary information that is needed for our enrolment process and facilitating your swimming classes.


Waves Swim School is a data controller and data processor under the GDPR. All those in managerial or supervisory roles throughout our swim school are responsible for developing and encouraging good information handling practices. The Swim School owners are responsible for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:

  • Development and implementation of the GDPR as required by this policy; and

  • Risk management and security in relation to compliance with the policy.

Employees of Waves Swim School are responsible for ensuring that any personal data about them and supplied by them to Waves Swim School is accurate and up-to-date.

All processing of personal data must be conducted in accordance with the data protection principles as set out in Article 5 of the GDPR.

Personal data must be processed lawfully, fairly and transparently

Lawful – identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing”, for example consent.

Fairly – in order for processing to be fair, the data controller has to make certain information available to the data subjects as practicable. This applies whether the personal data was obtained directly from the data subjects or from other sources.

Transparently – the GDPR includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. Information must be communicated to the data subject in an intelligible form using clear and plain language.

Employees and customers are required to notify Waves Swim School of any changes in circumstance to enable personal records to be updated accordingly. It is our responsibility to ensure that any notification regarding change of circumstances is recorded and acted upon.

Waves Swim School will demonstrate compliance with the data protection principles by implementing data protection policies, adhering to codes of conduct, implementing technical and organisational measures, as well as adopting techniques such as breach notification procedures and incident response plans.


Data subjects have the following rights regarding data processing, and the data that is recorded about them:

  • To make subject access requests regarding the nature of information held and to whom it has been disclosed.

  • To prevent processing likely to cause damage or distress.

  • To prevent processing for purposes of direct marketing.

  • To be informed about the mechanics of automated decision-taking process that will significantly affect them.

  • To not have significant decisions that will affect them taken solely by automated process.

  • To sue for compensation if they suffer damage by any contravention of the GDPR.

  • To take action to rectify, block, erased, including the right to be forgotten, or destroy inaccurate data.

  • To request the supervisory authority to assess whether any provision of the GDPR has been contravened.

  • To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.

  • To object to any automated profiling that is occurring without consent.

However, without consent to hold information data subjects are not able to continue their custom with Waves Swim School.

Waves Swim School understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing. There must be some active communication between the parties to demonstrate active consent.


Waves Swim School ensure that personal data is not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the Police. All employees should exercise caution when asked to disclose personal data held on another individual to a third party.


Your enrolment information is held for tax purposes for a period of 7 years and is only shared within our swim school for the period of your enrolment. We do not pass your information onto any third party. At no time will you receive any marketing or junk mail from your enrolment with us. We are committed to ensuring confidentiality and safe storage of personal or sensitive data. Any breach of the GDPR will be dealt with under Wave Swim School’s disciplinary policy.

Medical details are not kept electronically, we ask our swimmers or their guardians to complete a paper form before their first lesson if there is any medical information we require that will impact the swimming class. Information is only shared with the swim instructor (if necessary) and kept locked and secure, then will be destroyed upon the participant leaving the swim school. 

Personal data that Waves Swim School processes will be treated with the highest security and will be kept either

  • in a lockable room with controlled access; and/or

  • in a locked drawer or filling cabinet.

Manual records will not be left where they can be accessed by unauthorised personnel. As soon as manual records are no longer required for day-to-day client support, they will be destroyed. Personal data will be disposed of securely in accordance with the sixth principle of the GDPR – processed in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects. Waves Swim School will review the retention dates of all the personal data processed on an annual basis, and will identify any data that is no longer required in the context of the registered purpose. Once its retention date is passed, it will be securely destroyed.

bottom of page