GDPR Policy


This document includes the following information:

  • Definitions relating to the data protection law which was activated in May 2018
  • How and why CMC Adventure process your personal data
  • How CMC Adventure keeps your personal data secure
  • Your rights in relation to your personal data

Please do make sure you take the time to read this document carefully so that you are fully informed of the GDPR regulations and CMC Adventure’s GDPR Policy.


Here are some important definitions relating to the new data protection law:

  • GDPR – General Data Protection Regulation (the new legislation which comes into law in May 2018)
  • Data Protection – The process of protecting personal data from unauthorised or unlawful disclosure, access, alteration, processing, transfer or deletion
  • Personal Data – Any information relating to an identified or identifiable natural person
  • Identifiable Natural Person – A living individual who can be identified from one or more pieces of data which is in possession of the data controller, is likely to come into the possession of the data controller or could be obtained by without too much effort
  • Data Controller – An organisation or individual which is responsible for determining the purposes and means of processing personal data
  • Data Processor – An organisation or individual which processes data on behalf of a data controller
  • Data Subject – The natural person to whom the data relates
  • Supervisory Authority – The Information Commissioner’s Office (ICO) is the data protection supervisory authority in the UK
  • Consent – Any freely given, specific, informed and unambiguous indication that the data subject agrees to the processing of his or her personal data by means of clear, affirmative action
  • Subject Access Request – Request to access personal data held by data controller if the data subject has any doubts concerning the accuracy or lawfulness of the processing of that personal data

Purposes of Data Processing

CMC Adventure will ensure that all personal data is processed lawfully, fairly and in a transparent manner. We only collect and store contact details provided by yourself for our own records, and for sending out news updates, upcoming events and direct marketing campaigns. This means that only personal data which is relevant for these purposes will be processed, and we will not collect or store any personal data which is not strictly required. All data will be given freely and with your expressed consent, and will be accurate to our knowledge.

Data Security

CMC Adventure will do everything in our power to ensure that personal data is appropriately secure and protected from unauthorised or unlawful processing, and against accidental loss, damage or deletion. Your personal data is stored on a password protected database which will only be accessible by the centre director, centre administrator and finance officer. This database is also backed up on another password protected external hard drive which is kept in a locked cupboard and is only accessible by the aforementioned authorised CMC Adventure staff. We will continue to review and upgrade our security measures in accordance with technological development.
The personal data you provide will be stored in this manner indefinitely, unless you instruct us otherwise.

Transfer of Data to Third Parties

CMC Adventure will never pass your personal data on to any third party except in the case of medical emergency when under the supervision of CMC Adventure staff, when we may need to pass information from your medical form on to a medical professional. Medical forms will be destroyed 4 weeks after staying at CMC Adventure, unless there has been a reportable accident, in which case medical forms may again have to be passed on to the relevant authorities and then archived.

Your Rights

Under Article 15 of GDPR (2018), the data subject has the right to:

  • Be informed how and why personal data is being processed
  • To access any personal data relating to you which is stored by the data controller
  • To rectify any personal data which is found to be inaccurate or incomplete
  • To request deletion or removal of personal data
  • To restrict the processing of your personal data if inaccurate or in certain other circumstances
  • To data portability (to move, copy or transfer personal data easily from one IT environment to another)
  • To object to the processing of personal data for direct marketing purposes
  • Not to be subjected to automated decision making/profiling (not used at all by CMC Adventure)

Subject Access Requests

Following any subject access request, CMC Adventure shall provide, without charge and without undue delay, the following: confirmation that personal data is being processed, a copy of the personal data that is being processed, and all information essentially equivalent to our Privacy Policy.

For further copies, or if the request is manifestly unfounded or excessive, a reasonable fee may be charged to cover administrative costs.

When the subject access request is made electronically, this information will be provided in a commonly used electronic format, unless otherwise requested by the data subject.

CMC Adventure Data Controller

The data controller is, in the first instance, the Centre Administrator and can be contacted using the following:

Telephone: 01341 241 646


Postal Address: CMC Adventure, Pensarn Harbour, Llanbedr, Gwynedd, LL45 2HP