DATA PROTECTION & RETENTION

DATA PROTECTION & RETENTION

At Paddle Cymru, we are committed to protecting your personal data and handling it with transparency, care, and respect.
We collect and use personal information only when necessary, store it securely within approved systems, and retain it for the minimum time required by law, our safeguarding responsibilities, and national governing body standards. Our Data Protection and Retention practices are designed to meet UK GDPR and wider UK data legislation, ensuring your information is managed responsibly, fairly, and safely at every stage of its lifecycle.

What data we collect

We only collect the personal information we genuinely need to deliver our services, support our members, and meet our legal responsibilities. This may include:

  • Contact details: name, email address, phone number, postal address
  • Membership information: activity history, qualifications, certificates, renewals
  • Coaching and provider information: licence details, safeguarding checks, training records
  • Participation data: course bookings, events, assessments, consent forms
  • Safeguarding information: only where appropriate, necessary, and securely recorded
  • Technical data: website usage analytics and cookies (where consented)


We do not collect more information than required, and we avoid holding duplicate or unnecessary copies across platforms.

How we use your information

Your personal information is used to help us run Paddle Cymru safely, effectively and in line with national standards. This includes:

  • Managing your membership, bookings, and paddlesport activities
  • Supporting clubs, coaches, centres, and providers
  • Meeting safeguarding and welfare responsibilities
  • Issuing qualifications, licences, and accreditation
  • Sending essential service updates and operational communications
  • Ensuring compliance with UK GDPR, Data Protection legislation and sector‑wide policies
  • Improving our systems, training, and services


We never sell your data, and we only share it with trusted partners where it is essential and legally permitted.

How long we keep data

We follow a strict Data Retention Schedule based on UK GDPR, safeguarding requirements, national governing body rules, and insurance guidelines. Examples include:

  • General enquiries and routine emails: deleted once processed or moved to secure storage
  • Membership and activity records: kept only for the period required for operational, legal or insurance purposes
  • Under‑18 safeguarding records: kept up to age 30 (as legally required)
  • Staff and HR records: retained for set periods such as 6 years after employment ends
  • Qualifications and training records: retained for longer where required for insurance or verification
  • Systems such as JustGo or Spond: data is cleared at season‑end or as required by policy


We delete or anonymise information as soon as it is no longer needed, and we record any failures to delete in line with our accountability obligations.


Your rights as an individual

You have rights over your personal data, and we are committed to supporting them. These include:

  • Right to access – request a copy of the information we hold about you
  • Right to rectification – ask us to correct or update inaccurate details
  • Right to erasure – request deletion of your data where legally appropriate
  • Right to restrict processing – limit how your data is used
  • Right to object – particularly to direct marketing or unnecessary processing
  • Right to data portability – receive your data in a reusable format where applicable
  • Right to raise concerns – directly with us or the UK Information Commissioner’s Office (ICO)


We aim to respond to all valid requests within one calendar month.


Subject Access Requests (SARs)

Under UK GDPR, you have the right to request access to the personal information we hold about you. This is known as a Subject Access Request (SAR). You do not need to use specific wording or reference legislation for your request to be valid.


What we do when you submit a SAR

When we receive a request, we will:

  • Confirm whether we process your personal data
  • Gather all relevant records across our secure systems
  • Review the material carefully to remove third‑party information, safeguarding details, or sensitive data that cannot legally be disclosed (as outlined in our internal SAR policy)
  • Provide your information in a secure, accessible format
  • Respond within the statutory timeframe (usually one calendar month), unless an extension is justified by the volume or complexity of the request


When a SAR may be refused or charged

In line with ICO guidance, we may refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive, including repeated or overlapping requests that place a disproportionate burden on the organisation. This aligns with our internal approach to managing resource‑intensive SARs and repeated communications.


How to make a SAR

To request access to your personal data, please email: Bonnie Ireland, Data Protection Lead Officer

Email: Bonnie.Ireland@paddlecymru.org.uk


Please include:

  • Your full name
  • The information you are requesting
  • Any relevant dates, departments, or context to help us locate your data efficiently
  • If necessary, we may ask for proof of identity to ensure data is released securely.


Contact details for data queries

If you have questions about how your data is collected, used, stored, or deleted, you can contact us at:

Email: admin@paddlecymru.org.uk
Address: Paddle Cymru / Canoe Wales, The National White Water Centre, Frongoch, Bala, Gwynedd, LL23 7NU
ICO: You can contact the UK Information Commissioner’s Office at www.ico.org.uk if you are unhappy with how your data has been handled.

Still have a question?

Contact