Privacy Notice | Central YMCA

Privacy Notice

Who we are?

“We” and “us” means Central YMCA. We are a national charity that advances the education, health and wellbeing of our communities. We deliver services through the following brand names: Central YMCA, Central YMCA KX, YMCAfit, Moorgate Fitness Club and YMCA Awards. Our registered address is: 120 Cromer Street, London, England, WC1H 8BS

Your privacy matters

At Central YMCA we are committed to keeping your personal data safe and secure.

This notice sets out in detail the purposes for which we process information about you, who we share it with, what rights you have in relation to that information and everything else we think it’s important for you to know.

If you have any questions about the processing of your personal information, or you would like to exercise any of your rights, please reach out to us in the following ways:

Email us: data.protection@ymca.co.uk

Write to us:

Data Protection Officer

Central YMCA

120 Cromer Street

London

WC1H 8BS

How we process your information:

To understand how we process your personal information, please visit the relevant appendix below:

If you are a job applicant/ employee, trustee or volunteer, please view our HR privacy notice.

Changes to this Privacy Notice

We aim to keep this privacy notice regularly updated.  If we make any significant changes to the way in which we process your information, we will let you know by either reaching out to you or posting a banner on the website.

This notice was last updated in May 2025

Appendix 1: Education and Training

(Learners, Apprentices, Tutors)

How we collect your information:

We collect information on you if you are a learner through our learning management systems, client relationship management system, subcontractors, partners, and local authorities with whom we deliver training, which is: name, date of birth, gender, ethnicity, learning needs, audiovisual recording, financial information, referees, bursary forms and identification documents. We may also collect your information as a tutor, manager, or administrator for any course. We also collect information on you for apprenticeship programmes, Adult Learner Loans, Skills Bootcamps, etc.

How we use this information:

We process your information for the following reasons:

  • To administer learners’ registration
  • To provide assessment and certification for different courses
  • To provide assessment and certification for different courses
  • To link you with different apprenticeship employers
  • To share your information with Department for Education
  • To record attendance, monitoring, performance
  • For research and evaluation during our courses
  • Creating and managing apprenticeship vacancies
  • Shortlisting applicants for apprenticeship vacancies
  • Making referrals when required for all candidates
  • Recording any safeguarding concerns during service delivery

Lawful Basis we use:

We process most of your information on the basis of contractual obligation when you engage with us as a learner for one of our courses , apprenticeship programmes, Adult Learner Loan, Skills Bootcamps etc. For supporting learners with any additional needs, we rely on legitimate interest. For any information of administrators, tutors, we rely on contractual obligation. For processing any special category data such as health information or EDI information, we rely on substantial public interest read with additional conditions from the Data Protection Act 2018.

To share your information with third parties, we rely on contractual obligation, public task or legitimate interest. For sharing it with funding agencies, we rely on legitimate interest.

In situations of safeguarding, we rely on legitimate interest, substantial public interest and conditions from the DPA.

Who we share your information with?

  • We share your information with several organisations involved in providing our services. These organisations act as data processors for us.
  • Additionally, we may also share your information with Ofsted, Local Authorities, Councils. Each party acts as a separate data controller for your information
  • When we work as joint controllers, both parties (Central YMCA) and the other party will process your information.

How we store your information and for how long?

We store your information in line with our retention policy. For any queries, please reach out to us with the details above.

Appendix 2: Award Centres

How we collect and use your information:

We may collect your name, contact details and gender to process your information when you engage with our YMCA Award centres as a learner, tutor, staff member, training provider, apprentice, or a staff member of an organisation applying to become an Awards centre. We process this information to:

  • Organise meetings between apprentices and employers
  • Provide qualifications, end-point assessments and endorsements
  • Provide resources, guidance documents and issue certificates
  • Provide eLearning to centres and learners
  • Supervise assessments, conduct face-to-face invigilation
  • Assess staff’s information for applications to become an Awards centre
  • Carry out evaluation visits or calls with our External Quality Assurers (EQAs)

Lawful Basis we use:

We process this information on the basis of contractual obligation or legitimate interest where applicable. For processing any special category data, we rely on explicit consent or substantial public interest, with conditions from the Data Protection Legislation.

Who we share your information with?

We share your information with several organisations involved in providing our services. These organisations act as data processors for us.

We may also work as joint controllers with our partner organisations.

How we store your information and for how long?

We store your information in line with our retention policy. For any queries, please reach out to us with the details above.

Appendix 3: Health and Wellbeing

(Users of our fitness centres, positive health programs, etc)

How we collect your information:

We collect your personal directly from you, when you engage with us to use our centres at KX, Moorgate  when you participate in our community programs (eg. the positive health program), or when you enquire about any of these services

We may collect several pieces of information in this process through different channels, such as application forms, consent forms, day pass forms, health and safety information, safeguarding information, and information on your child if they are using our services.

The information we collect includes the following: your name, email address, bank details, address, health information, gender, ethnicity, race, employer details.

When you engage with us on a health program, we may collect some information from your GP.

How we use this information:

We use this information to:

  • Effectively provide our services or programs to you
  • Process your payments, cancellations, refunds etc.
  • For any safeguarding concerns
  • To facilitate your enquiries and help you use our centres
  • To facilitate your enquiries and help you use our centres

Lawful Basis we use:

  • To process your membership on any of our sites, we rely on contractual obligation to process your personal information. For any health information or information on your race, ethnicity, gender, we rely on your explicit consent for processing this information.
  • To process any information for our health programs such as our positive health program, we rely on legitimate interest, read with substantial public interest and conditions from the Data Protection Legislation
  • For processing information about your child when they register and use one of our services, we rely on contractual obligation for processing your information and your child’s information
  • For any safeguarding information that we record, we rely on legitimate or vital interest, read with substantial public interest and conditions from the Data Protection Legislation

How we store your information and for how long?

We store your information in line with our retention policy. For any queries, please reach out to us with the details above.

Appendix 4: Events, Fundraising, Donations, and Marketing

Events:

We host many events in a year, and your personal information is collected when you register for an event with us. We may collect basic personal information, such as your name, email, phone number. We rely on legitimate interest to administer your registration for the event. When we collect other information such as dietary information, we rely on your explicit consent.

If you have attended an event with us previously, we may reach out to you to invite you for our future events. We rely on consent (to send you emails) and legitimate interest (to call you on your registered number with us).

Donations:

Your personal Information is provided by you via a donation form on our website or via third party donation platforms (e.g Just Giving). The information gathered may be: name, email address, Gift Aid sign up, company name if donation made by an organisation, donation details, reasons to engage, postal address

This information allows us to process your donation, and deal with any potential enquiry. We rely on our legitimate interest to process this data.  If you agree that we can claim Gift Aid on your donations we are legally required to keep a record of the claim and your Gift Aid declaration.  If you are donating using a third party, please also refer to the privacy notice published on their websites. 

Fundraising and Marketing:

We may reach out to you for fundraising, if you have previously engaged with us in an event, made a donation, or if we believe that you may be interested in engaging with our organisation. We may also send you marketing communications if you have signed up for marketing emails. We rely on texts, email, and calls for marketing.

When we make calls for fundraising and marketing, we make these calls on the basis of legitimate interest. However, we will screen your calls through the telephone preference service (TPS) and Fundraising Preference System (FPS) for fundraising communications. If you would prefer to not receive these calls, please do let us know.

We rely your consent to send your email communications (except where this is a business email address, whereby we rely on legitimate interest).

If you would like to change your marketing preferences, please reach out to us on the email address provided in the first section of this privacy notice, or you can simply unsubscribe with the option on the bottom of the emails.

We may also use post as a mode of sending you marketing communications, relying on legitimate interest. If you would like us to not send such communications, please do reach out to us.

Appendix 5: General Information

(Complaints Procedure, Your rights)

Your rights

You have the following rights:

  • ‘Right to be informed’, which means we will be completely clear and transparent about how we plan to use your personal information.
  • ‘Right of access’, which means you can request details of the personal information we hold about you and how we use it. We will provide this within one month.
  • ‘Right to rectification’, which means you can ask us to update or amend the personal information we hold about you, if it is incorrect.
  • ‘Right to restrict processing’, which means you can ask us to change, restrict or stop the way we are using your personal information.
  • ‘Right to erasure’ (or ‘right to be forgotten’), which means you can ask us to remove your personal information from our records.
  • ‘Right to object’, which means you can object to us using your personal information for marketing purposes.
  • ‘Right to data portability’, which means you can obtain the personal information we hold about you and reuse it for your own purposes.
  • ‘Right to data portability’, which means you can obtain the personal information we hold about you and reuse it for your own purposes.
  • Right to lodge a complaint with a supervisory authority, such as the Fundraising Regulator or the Information Commissioner’s Office (ICO), if you are not satisfied with our response to a request you make to us, or you feel we are not using your information correctly.

International Data Transfer

Where personal data is stored outside of the UK and the EEA, safeguards to protect personal data may include but are not limited to the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreement (IDTAs). Such safeguards will be subject to Transfer Risk Assessments (TRAs).

Children’s data

If children under 13 years, we may rely on parent’s consent to process personal information. Since the personal data is of the child, and belongs to the child, the parents may have limited rights that they can exercise on behalf of the child. If you have any concerns, please do reach out to us on the details above.

Complaints procedure 

If you are unhappy with the way we process your data, please get in touch with the Data Protection Officer using one of the contact emails above. You can also make a complaint to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK. They can be contacted by at 0303 123 1113 or you can write to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.