PRIVACY POLICY
Data Privacy Notice
Personal data we collect and why we collect it
1. Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller's possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation 2018 (the "GDPR").
The privacy and security of our customers personal data is important to us. This privacy notice explains how we use the information we collect about you, how you can instruct us if you prefer to limit the use of that information, and the procedures that we have in place to safeguard your privacy.
Our privacy policy relates only to information that we obtain from you, primarily through our event websites 13valleysultra.com and through our online entry platform (referred to as the "Websites"). If you visit a website operated by a third party through a link included on the Websites, your information might be used differently by the operator of the linked website.
2. Who we are and contact details
Nova International Ltd (trading as The Great Run Company) is the data controller and responsible for deciding how your personal data is processed and for what purposes (collectively referred to as "Nova", "we", "us", or "our" in this privacy notice).
Our full details are:
Full name of legal entity: Nova International Limited Role: Data Protection Manager Email address: dataprotection@greatrun.org Postal address:Newcastle House, Monarch Road, Newcastle upon Tyne, NE4 7YB
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO). We would however appreciate the chance to deal with your concerns before you approach the ICO so please get in touch with us in the first instance.
3. How we process your personal data
Nova complies with its obligations under the GDPR by keeping your personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access, and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
Any information that we collect about you is stored electronically on our database. It may also be printed and stored in our filing system.
4. The information we collect
We may collect personal information about you via our own entry system when we use it to take your event entry.
We may also receive personal information about you (your entry details) from Let's Do This with whom we have entered into an agreement to provide online entry management services on our behalf. Let's Do This has its own privacy policy and you should refer to it for any questions you may have about how your personal information is used by Let's Do This when you enter our events via the Let's Do This entry platform.
We may collect and use different kinds of personal data about you which we have grouped together as follows:
- Identity Data e.g. your name, gender, date of birth, video and photography;
- Contact Data e.g. your address, phone number, e-mail address; also details of a next of kin contact for use in the event of an emergency;
- Transaction Data e.g. details about the events you enter, services you specifically request and/or products or merchandise you purchase from us;
- Health Data e.g. whether or not you have a medical condition (although we do not usually ask what type of condition), whether or not you are a wheelchair user;
- Profile Data e.g. a username and password for your online account; a security question and answer for your online account;
- Financial Data We do not hold your payment data. We use Cardnet Merchant Services to process all payments. When you pay for an event or product you enter your details directly onto an online form hosted by Cardnet Merchant Services.
- Child Data e.g. if you have entered a child/minor into our events we will hold details about the child/minor as well as the parent/guardian.
- Marketing Data e.g. your preferences in relation to whether or not you want to receive marketing information from us
- about our events and services, or
- about our partners products and services
In nearly all cases, we collect your personal data directly from you when you enter and event or purchase merchandise from us, by completing an online form.
We will not collect or store any other sensitive information about you without your explicit consent.
Where we need to collect personal information from you in order to fulfil your event entry or to fulfil a purchase of merchandise, if you do not provide us with the data requested, we may not be able to provide the goods or services you are attempting to purchase.
5. How we protect your information
We will keep your personal information confidential except to the extent that we are compelled to disclose it by law (for example where fraud or other crime is involved) or to comply with an instruction of a regulatory body of competent jurisdiction. To comply with the GDPR we follow strict security procedures for storing data.
The personal information that we hold will be held securely to ensure no unauthorised disclosure or access. The internet is not a secure medium. We have put in place various security measures but you are advised to treat the internet as an insecure medium in all of your communications with us.
6. Purposes for which we will use your personal data
We will only use your personal details where we are allowed to by law. There are three main circumstances where we use your data:
- Where we have entered (or are about to enter) into a contract with you most usually related to your entry into an event, and sometimes when you buy merchandise from us.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and rights do not override our legitimate interests.
- Where we need to comply with a regulatory obligation.
Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending certain forms of marketing communications. You can ask us to stop sending you marketing communications at any time.
We have set out below a description of all the ways we plan to use your personal data, and which of the lawful bases under GDPR that we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimateinterest |
To register you as a new customer | i) Identity | i) Performance of a contract with you |
To allocate your entry into an event and to record and publish yourfinish time alongside you name, gender and age group on our website | i) Identity | i) Performance of a contract with you |
To process any products or services that we may provide to you as part ofyour entry and fulfil any merchandise orders you may have placed with us | i) Identity | i) Performance of a contract with you |
To contact your next of kin in the event of an emergency | i) Contact | i) Necessary to protect your vital interests |
To personalise your online experience across our websites | i) Identity | i) Necessary for our legitimate interests (to develop our events/services and grow our business) |
To send you health and safety and other relevant event information forany Great Run Company event that you are participating in | i) Identity | i) Performance of a contract with you |
To process any request for advice or information supplied by us or tocontact you should there be any changes to the event which are likely to affect you | i) Identity | i)Performance of a contract with you |
To send you our e-newsletter and make suggestions and recommendations toyou about our events and services that may be of interest to you | i) Identity | i) Where you have given consent for us to do so – for customersbetween Jan 9, 2018 and April 17, 2023 |
To monitor, develop and improve our events, products and services and/or your experience | i) Identity | i) Necessary for our legitimate interests (to develop our events/services and grow our business) |
To make suggestions and recommendations to you about our partners’products and services that may be of interest to you | i) Identity | i) Where you have given consent for us to do so |
To send you reminders about the opening of an event | i) Identity | i) Where you have given consent for us to do so |
To comply with our statutory and regulatory obligations | i) Identity | i) Necessary to comply with a legal obligation |
To register you as a volunteer for an event and send you informationrelated to your role | i) Identity | i) Necessary for out legitmate interests (to communicate with you regarding your application to volunteer) |
7. Special Category Data
Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. We collect this information for some of our events only.
We have set out below a description of the ways we plan to use your special category personal data, if applicable to you, and which of the lawful bases under the GDPR that we rely on to do so.
Purpose/Activity | Type of Special Category data | Lawful basis for processing including basis of legitimate interest (Article 6) | Condition for processing special category data under Article 9 |
To process your event entry | Health (e.g. wheelchair or visually impaired participant) | Necessary for our legitimate interests (to keep our records updated and to ensure your safe participation in the event) | Where you have given us explicit consent to do so |
To gather statistical information in the public interest | Ethnic Origin | Where you have given consent for us to do so | For archiving purposes in the public interest |
To process your application to volunteer for an event | Health | Necessary for our legitimate interests (to keep our records updated and to ensure your safe participation in the event) | Where you have given us explicit consent to do so |
8. Sharing your personal data
We keep your personal information confidential, but may disclose it to our personnel, suppliers or subcontractors as is reasonably necessary for the purposes set out in this privacy policy and for which you might reasonably expect. We make sure that these third parties do not make independent use of the information and that they have agreed to adhere to the rules set out in this privacy policy.
Categories of third parties are listed below
- Event-related services fulfilment (e.g. timing company, runner services, mailing house)
- Results (e.g. local and specialist media, participant photography services company)
- Charities (Individual charities as selected by you on the entry form)
- Merchandising fulfilment
- Television / Media broadcast (e.g. BBC)
From time to time we pass your personal information to carefully selected media partners for the purposes of information and publicity, but we will only do this if you have provided your information on the entry form in the Interesting Stories section which clearly states that you are providing your information for this purpose.
We never pass your personal information on to any third parties for marketing purposes.
9. International data transfers
Our servers are located in the European Union and the information that we collect directly from you will be stored in these servers. We may also transfer parts of your personal data, where reasonably necessary, to our third-party service providers who may be located outside of the EU or who may engage sub-processors located outside of the EU.
There are agreements in place to ensure that all of our third-party suppliers or service providers process personal information using appropriate safeguards that meet the requirements of EU data protection laws.
If you would like to find out more about these safeguards or if you have any other queries or comments in relation to this policy, please let us know by emailing dataprotection@greatrun.org .
10. How long we keep your personal data
In accordance with the GDPR and good commercial practice we keep data in a form that permits identification of the person to whom it relates for no longer than reasonably necessary.
Where you have taken part in an event, we are obligated by law to keep certain personal details for a minimum of three years so that we can maintain sufficient records. After this period we will either permanently delete your personal information or remove all identifiers within it so that it is no longer personal data. We may use such anonymised data for research and/or business analysis purpose.
Where you have given us your consent to send you marketing communications we will hold this consent as valid for two years. You can ask us to stop contacting you at any time.
11. Automated decision making
Where you have consented for us to do so, or where we have a legitimate interest to send you communications about our events and services, we may from time to time use automated decision making in order to minimize the chance of emailing you with information about our events and services that may less relevant or not relevant to you. For example if you have entered and event but subsequently did not take part, we will not email you with a post event results email. Another example is that we will use your postcode to ensure that you are emailed about Great Run Company events closer to where you live, rather than events that are far away.
12. Targeted marketing
Where you have consented for us to do so, or where we have a legitimate interest to send you marketing communications about our events and services, we may from time to time use the information we collect about you to serve you targeted advertisements in order to provide you with more relevant advertising content. This targeted marketing may be accomplished via our own channels (e.g. our website) and third party channels, including across multiple devices or browsers, using some or all of the following platforms:
- YouTube
13. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to request a copy of your personal data which we hold;
- The right to request that we correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for us to retain such data;
- The right to withdraw your consent to the processing of your personal information for the purposes of sending marketing communications at any time;
- The right to request that the we provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability);
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, where applicable
- The right to lodge a complaint with the Information Commissioners Office.
If you wish to exercise any of the rights set out above please contact us at dataprotection@greatrun.org
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data. This is a security measure to ensure that personal data is not disclosed to any person who does not have right to receive it.
14. Updating Your Details and Marketing Preferences
If any of the information that you have provided to us when you enter an event changes, for example if you change your email address, please update your Profile section on our website.
You can also update your marketing preferences by logging into your Profile section on our website, or by clicking on the unsubscribe link at the bottom of all our marketing emails.
15. Further processing
If we wish to use your personal data for a new purpose, not covered by this data privacy notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
16. Cookies and Website Analytics
Our website uses cookies and other mechanisms to collect analytical information, to help us analyse how visitors use the site and to compile statistical reports on website activity. To find out more please view our Cookies Policy.
17. Your Consent
By submitting your information to us on the account registration form, you consent to the use of that information as set out in this policy. If we change this privacy policy we will post the changes on this page, and may place notices on other pages of the Websites, so that you may be aware of the information we collect and how we use it at all times. We may also email you should we make any changes so that you may consent to our use of your information in that way. Continued use of our Websites will signify that you agree to any such changes.
Owing to the global nature of the internet's infrastructure the information you provide may be temporarily transferred to and stored in countries outside the European Economic Area, for example if the location of the Internet service provider hosting our Websites is outside of this area. By agreeing to our terms and conditions of use of our Websites you consent to any transfer of your personal information outside the European Economic Area.
18. Contact Details
To exercise all relevant rights, queries or complaints please in the first instance contact our customer services team at dataprotection@greatrun.org.
If we cannot able to resolve your query or complaint satisfactorily you can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
This privacy notice was updated on 21 April 2023.