Skip to main content

traffic lights statusWear sunscreen beware the heat

Data Protection

Contents

  1. Overview
  2. Who we are and how to contact us
  3. What data we process
  4. Special category data
  5. CCTV and video surveillance
  6. The purpose of our processing
  7. Our processing standards
  8. Squads, squad leads and coaches
  9. Cardinal Crew — alumni and parents group
  10. How long we keep your data
  11. British Rowing and affiliated bodies
  12. International data transfers
  13. Third-party websites
  14. Cookies
  15. How to access your information and other rights

1. Overview

The UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025 (DUAA) together form the framework governing how organisations must handle personal data. Marlow Rowing Club and its subsidiary, Marlow Rowing Club Trading Limited, are committed to protecting your personal data and your right to privacy. We will always keep your personal data safe and comply with applicable data protection legislation.

2. Who we are and how to contact us

The Club (Marlow Rowing Club, Registered in England 7954383 and Registered Charity in England 1148327) is the Data Controller of personal data relating to its members (including juniors and their parents or guardians), those on rowing courses (and their parents or carers, if the participant is a junior or a disabled adult rower), those involved in fundraising and competition entrants, club staff and volunteers, third-party partners or suppliers, and anyone visiting or engaging with the club, in person or online.

Marlow Rowing Club Trading Limited (Registered in England 8181167) [MaRCT] is a wholly owned subsidiary of Marlow Rowing Club. MaRCT trades in part as RedBlade Rowing, its commercial rowing services business. MaRCT is a Data Controller of staff, employees, contractors and casual workers who work in the bar, at other events, and within RedBlade Rowing. It is also a Data Controller of those who book events through the bar and those who use RedBlade Rowing services.

RedBlade Rowing is a trading name of MaRCT and is not a separate legal entity. When launched, RedBlade Rowing will operate under its own privacy policy and consent structure governing the personal data it collects and processes directly in connection with its commercial rowing services. You should read that policy carefully when using RedBlade Rowing services. MaRCT remains the Data Controller for all personal data processed under the RedBlade Rowing trading name.

Because RedBlade Rowing is part of MaRCT, personal data collected through RedBlade Rowing is held within MaRCT’s systems. The Club may maintain linkages between MaRCT’s RedBlade Rowing records and the central Club membership record, so that updates made to either may be reflected in the other. Linked data may include, but is not limited to: contact and payment information; and safety, coaching, first aid, launch driving and other relevant qualifications. The legal basis for this linking is our legitimate interests in maintaining consistent, accurate and up-to-date records for the purposes of safety, service delivery, and Club administration, and — where applicable — our legal obligations in relation to safety-critical qualifications and incident reporting.

You should read through this Privacy Notice to fully understand the basis upon which we collect your personal data, how we use it, where we store it, and to whom it is disclosed.

If you have any questions about this Notice or want to exercise your rights, please contact us by email at secretary@marlowrowingclub.org.uk.

3. What data we process

We may process the following categories of personal data:

  • Contact information such as your name, email address, telephone number, postal address, date of birth, and gender.
  • Health and medical information you declare to us, or information arising from an incident or accident on our premises, including disability details, row and swim ratings. Members and course participants may update their health and emergency contact information at any time through their online member account, or by contacting the Honorary Secretary at secretary@marlowrowingclub.org.uk or the Membership Secretary at membership@marlowrowingclub.org.uk.
  • Emergency contact details provided by members and course participants, including the name, relationship and contact information of the nominated individual.
  • Payment information — payments are taken through Stripe or PayPal (website), Square (members’ kitchen, minor events, bar), GoCardless (specific payments), payroll (staff), and direct bank transfer (some suppliers). The scope of data processed varies by payment type and is mostly handled through secure specialist third-party providers.
  • Site safety and security information, including CCTV footage. See Section 5 for full details.
  • Digital information such as user ID, device ID or IP address, website cookies, and social media posts.
  • Club engagement information such as rowing records, membership login details, racking allocation, competition and club hire records, donations and fundraising records, marketing preferences, events and regattas, and images and videos (taken by us or shared by you).
  • Qualifications and certifications, including safety, coaching, first aid, launch driving, and other relevant qualifications held by members, staff, volunteers, and those using Club or RedBlade Rowing commercial services, where these are relevant to the safe operation of activities on or near the water.
  • For tours, training camps or club travel, we may collect additional information required to facilitate these activities, such as passport details, travel insurance information, dietary requirements, and medical information relevant to the trip.

As Club staff (including volunteers), we will process information required as an employer or volunteer manager, such as professional experience and references, training and development records, time and attendance, identity documents, remuneration and banking data, Disclosure and Barring Service (DBS) or other child/vulnerable adult checks, sickness records, and any grievance-related matters.

As a Club partner or MaRCT customer, we will process information required to uphold our arrangements, such as contracts and payment records.

We also hold details of parents and guardians of junior members, and of carers or parents of disabled adult members where the member has indicated that we may need to contact them. We may hold contact details, consent records and relevant health or welfare information in respect of these individuals.

Generally, we process information provided directly by you. However, we may also process information about others that you provide to us, such as emergency contacts or next of kin, booking leads, or referrals.

Where we need to collect personal data by law, or under the terms of a contract with you, and you fail to provide that data when requested, we may be unable to perform the contract or provide the service in question. We will notify you if this is the case.

Squad leads and coaches: The Club organises its members into squads. Squad leads (who are members of the Club, not employees, workers or agents) may be given limited contact information about squad members (such as names and contact numbers) to help them manage and communicate with their squads. This is described further in Section 8 below. In addition, members may from time to time give personal data directly to coaches. Except in the case of the lead senior squad coach and lead junior coach, coaches are not employed by the Club. The Club does not receive, hold or control personal data that members give directly to coaches, and cannot be responsible for how coaches handle such data. Coaches who receive personal data directly from members do so as independent data controllers in their own right.

4. Special category data

Some of the personal data we process falls within the UK GDPR’s definition of ‘special category data’, which requires a higher standard of protection. This includes:

  • Health and medical data — including details of any disability, medical condition, or health incident you disclose to us, or information arising from an accident or incident at the club, or details required for tours, camps or travel.
  • Criminal records information — obtained through DBS checks for staff, coaches, and volunteers working with children or vulnerable adults.

We process such data only where:

  • You have given your explicit consent (for example, health declarations on membership or course forms, or information provided for club tours or travel);
  • It is necessary to protect your vital interests or those of another person;
  • It is necessary for the purposes of carrying out obligations in the field of employment law (for example, DBS checks); or
  • It is necessary for reasons of substantial public interest, including safeguarding children and vulnerable adults.

We will always apply appropriate safeguards when processing special category data and will not use it for purposes incompatible with those for which it was collected.

5. CCTV and video surveillance

The Club operates a CCTV system on and around its premises, including the boathouse, grounds, landing stages, car park, and areas accessible from the public towpath. The system is in continuous operation and may capture the images of members, visitors, staff, and members of the public passing through or near the site.

Purpose and legal basis

We use CCTV for the following purposes, on the basis of our legitimate interests:

  • The security of Club premises, equipment, and assets.
  • The prevention and detection of crime, theft, vandalism, and trespass.
  • The safety of members, staff, visitors, and members of the public on or near our site.
  • Supporting investigations into accidents, incidents, or safety-related events on the water or on Club premises.
  • Supporting the review and improvement of safety practices and coaching, where footage is used in a training or debrief context with appropriate controls.

We have assessed that these purposes are legitimate and proportionate, and that the use of CCTV does not unduly infringe on the privacy rights of those who may be captured. Appropriate signage is in place at the entrances to the Club’s premises to inform visitors that CCTV is in operation.

Who may be captured

Because parts of our site are visible from or adjacent to the public towpath and river, individuals who are not members or visitors may be captured incidentally. We do not use CCTV to monitor individuals without reasonable justification, and footage is only reviewed where there is a legitimate reason to do so.

Access and disclosure

Access to live and recorded CCTV footage is restricted to authorised Club officers. Footage may be disclosed to the following parties where there is a legitimate reason to do so:

  • Suppliers and service providers — organisations contracted to manage, maintain or operate the CCTV system on our behalf, acting as our data processors.
  • The police and other law enforcement agencies — to carry out policing, assist investigations, trace missing people, and investigate alleged criminal activities.
  • Individuals who have been injured, attacked, or had property damaged or stolen, and their insurers — to assist them with any criminal or civil investigation or legal proceedings arising from an incident on or near our premises.
  • Individuals involved in road traffic accidents, and their insurers — where an incident occurred in or near the Club’s car park or access roads, to assist with insurance claims, legal claims, and investigations.
  • The Club, for internal investigations and disciplinary processes — where footage is relevant to a club investigation, safety investigation or report, or disciplinary process.
  • The Club, for safety training purposes — following an incident, where footage is used to review what occurred and to improve safety practices, with appropriate access controls in place.
  • Private investigators and other investigators — where there is a legitimate and lawful basis for disclosure to aid their investigations.
  • Relevant regulators — where we are required to do so by law or to assist with their investigations or initiatives, including but not limited to the Information Commissioner’s Office (ICO).

Retention

CCTV footage is retained for a maximum of 31 days, after which it is automatically overwritten unless it is required to be preserved in connection with an active investigation, a legal claim, a safeguarding matter, or a request from law enforcement.

Your rights in relation to CCTV

If you believe you have been captured on our CCTV system and wish to make a subject access request, please contact the Club Secretary at secretary@marlowrowingclub.org.uk. Where a request relates to footage that also captures third parties, we will take appropriate steps to protect those individuals’ privacy (for example, by redacting or blurring other individuals) before providing access.

6. The purpose of our processing

We use information about you for the following purposes:

  • Manage Club membership, events and bookings
  • Organise members into squads and share limited contact information with squad leads to enable squads to be managed and communicated with effectively
  • Manage MaRCT events and bookings, staffing and suppliers, including RedBlade Rowing commercial services
  • Maintain racking allocations and associated membership records
  • Hold emergency contacts for members and course participants
  • Support enquiries, complaints and feedback
  • Uphold our legal obligations and manage legal claims
  • Manage on-site operations, safety, services and facilities
  • Manage our welfare system, including child and vulnerable adult protection
  • Pursue charitable and commercial activities, including marketing, donations, fundraising and Gift Aid administration
  • Carry third-party commercial advertising and promotional content in our communications, where members have consented to receive it
  • Facilitate tours, training camps and club travel
  • Operate our website and social media
  • Manage club staffing and supplier arrangements

We rely on the following legal bases to process your personal data:

  • Fulfilment of a contract — where processing is necessary to perform our membership agreement or other contract with you.
  • Consent — where you have given your consent to receive marketing or promotional communications (including Club updates, commercial offers, fundraising requests, or third-party advertising), on behalf of a child or vulnerable adult, or to our use of your image.
  • Legal obligation — where processing is necessary to comply with a legal obligation, such as DBS checks or financial record-keeping.
  • Legitimate interests — where we have a legitimate interest in processing your data (for example, club management, CCTV, fundraising, or safeguarding), and that interest is not overridden by your rights.
  • Recognised legitimate interests — introduced by the DUAA, this basis applies to certain processing activities for which the law presumes legitimacy without requiring a separate balancing test. Relevant examples for the Club include: safeguarding children and vulnerable adults; preventing and detecting crime; and emergency response. Where we rely on this basis, we will still assess whether processing is necessary for the purpose pursued.

7. Our processing standards

From the moment we collect your data through to its deletion, we uphold the following processing standards:

  • Limiting the collection of data to only that which is necessary and using it only for the purposes described in this Notice.
  • Maintaining appropriate technical and organisational controls to support confidentiality and security, including nominated access protocols, database security, secure document storage, and password management.
  • Having in place contractual data processing arrangements with carefully selected third-party processors who help us deliver our services.
  • Keeping data only for as long as is necessary (which may include a period after your engagement with us has ended) and securely deleting data when it is no longer required.
  • Requesting parental or guardian consent for anyone under the age of 16, or for disabled adult members where a carer or parent is involved in their membership.
  • Never selling your data.

Where possible, we may anonymise personal data so that it can continue to be used for analytical purposes without identifying individuals.

We have appropriate procedures in place to identify and respond to suspected personal data breaches. Where we are legally required to do so, we will notify affected individuals and the Information Commission (formerly the Information Commissioner’s Office) without undue delay.

8. Squads, squad leads and coaches

Squad structure and squad leads

The Club organises its members into squads. Each squad has a squad lead who is a member of the Club. Squad leads are not employees, workers or agents of the Club; they are members who take on a voluntary coordination role within their squad.

To enable squad leads to manage and communicate with their squads effectively, the Club will share limited contact information about squad members (typically names and contact telephone numbers) with the relevant squad lead. The Club does this on the basis of its legitimate interests in the effective operation of its squads and the delivery of its sporting activities. We have assessed that this sharing is proportionate and that squad members would reasonably expect their contact details to be available to the person coordinating their squad.

You have the right to object to your contact details being shared with your squad lead. If you wish to do so, please contact the Membership Secretary at

membership@marlowrowingclub.org.uk. We will consider your objection and, where we are able to accommodate it, will discuss with you how squad communications can be managed in a way that respects your preferences. Please note that in some cases it may not be possible to fully accommodate an objection while maintaining full participation in squad activities.

How squad leads handle your data

Once contact details are shared with a squad lead, that individual handles them in a personal capacity. UK data protection law (UK GDPR Article 2(2)(c)) does not apply to processing carried out by a natural person for purely personal or household activities. Where a squad lead uses your contact information solely to coordinate squad activities (for example, sending a group message about a training session), this may fall within that personal/domestic exemption, meaning the squad lead is not themselves acting as a regulated data controller for that activity.

However, the Club encourages squad leads to handle member contact information with care and to use it only for the purpose for which it was shared. Squad leads should not share contact details with third parties, use them for purposes unrelated to the squad, or retain them beyond their time as squad lead. If you have a concern about how a squad lead has handled your information, please contact the Club Secretary in the first instance.

Information shared directly between squad members

Members may also choose to share personal data directly with other members of their squad (for example, by exchanging phone numbers, joining a group chat, or sharing information in training sessions). The Club does not control or hold this data. Where members share information with one another in a personal capacity, that exchange is outside the scope of this Notice and the Club cannot be responsible for it. Members should exercise their own judgment about what personal data they share directly with others.

Coaches

Members may give personal data directly to coaches in the course of their training and development. The Club employs its lead senior squad coach and lead junior coach; personal data that members provide to those individuals in the course of their employment with the Club is handled in accordance with this Notice.

All other coaches at the Club are not employed, engaged as workers, or acting as agents of the Club. When members give personal data directly to those coaches, the coaches receive and handle that data as independent data controllers in their own right. The Club does not receive, hold, or control personal data given directly by members to non-employed coaches, and cannot be responsible for how those coaches handle it. We encourage members to satisfy themselves that any coach to whom they provide personal data handles it appropriately. If you have a concern about a coach’s handling of your personal data, you should raise it directly with that coach or, if appropriate, with the Club’s welfare officer or the Club Secretary.

9. Cardinal Crew — alumni and parents group

Cardinal Crew is Marlow Rowing Club’s alumni and parents group, operated directly by the Club under that name. It is open to former members and rowers, and to parents of current or former junior members. Cardinal Crew is not a separate legal entity; personal data collected through Cardinal Crew is held by Marlow Rowing Club as Data Controller and is subject to this Privacy Notice.

Data collected

When you sign up to Cardinal Crew, we will ask you to provide:

  • Your name, email address, and telephone number.
  • Details of your years of rowing and other involvement with the Club (for alumni), or your connection to the Club as a parent or guardian.

Club news and events updates — a condition of membership

The core purpose of Cardinal Crew is to keep alumni and parents connected with the Club through news and event communications. Accordingly, receiving Club news and events updates will be included automatically on the basis of legitimate interests, but if you wish to opt out of the mailing list you can do so. However, if you do, you may receive no communications from us at all, and miss out on the whole purpose of Cardinal Crew.

Optional communications — consents we seek

In addition to Club news and events updates, we will ask you to indicate separately whether you agree to the following optional categories. You are not required to consent to any of them as a condition of joining Cardinal Crew:

  • (b) Club merchandise and fundraising — receiving information about Club merchandise, commercial opportunities and fundraising / donation requests. This may include third party offers that the club is passing on to you, but we will not give your data to third parties.
  • (c) Sharing your details with other Cardinal Crew members — having your contact details and rowing history passed to other Cardinal Crew members who may have known you during your time at the Club. Please note: once your details have been shared with another individual, the Club cannot control how that person stores or uses them. You should consider this carefully before consenting.
  • (d) Being identified in alumni and parent group communications — being named or otherwise identified in Cardinal Crew newsletters, group emails, or other communications that may be seen by other members of the group.

Service communications

As part of managing Cardinal Crew, we may from time to time send communications that are necessary for the administration of the group and cannot be opted out of while you remain a member. These include:

  • Periodic checks to confirm that your details are up to date and that you wish to remain a member of Cardinal Crew.
  • For parents of junior members: where a child has left the Club, we may contact the parent to confirm whether they wish to continue as a Cardinal Crew member in their own right. This contact is a service activity to ensure our records remain accurate and up to date.

These communications are processed on the basis of our legitimate interests in maintaining accurate and current membership records for Cardinal Crew.

Withdrawing optional consents

You may withdraw any of the optional consents (b)–(d) at any time, without giving a reason. Withdrawing a consent does not affect the lawfulness of any processing carried out before withdrawal, and each consent can be withdrawn independently without affecting the others. To withdraw a consent or update your preferences:

  • Update your communication preferences through your online member account; or
  • Contact Cardinal Crew at cardinalcrew@marlowrowingclub.org.uk, or the Club Secretary at secretary@marlowrowingclub.org.uk, specifying which consent(s) you wish to withdraw.
  • Use the unsubscribe or preference link included in any Cardinal Crew email (this will apply to that mailing list.

Please note that consent category in relation to (c) — sharing your details with other members — cannot be fully reversed in respect of details already shared. If you withdraw this consent, we will not share your details with any further members going forward, but we are unable to recover information already passed to individuals prior to your withdrawal. You will be informed of this limitation at the point of sign-up.

Linked accounts — Club membership and Cardinal Crew records

Where an individual holds both a Club membership record (or other existing Club record, such as a former member record) and a Cardinal Crew profile, we may merge or link those records so that the two are treated as a single account. This means that updates made to either record — whether through your online member account, through Cardinal Crew, or by contacting us directly — will be reflected across both. We do this to maintain accurate and consistent information and to avoid holding duplicate or conflicting records about the same individual.

Where records are merged, personal data held in both will be combined and will be processed in accordance with this Privacy Notice as a whole. If you have any questions about how your linked records are held, please contact us at the details given in Section 2.

Leaving Cardinal Crew

You may leave Cardinal Crew at any time by contacting us via your online member account, by emailing cardinalcrew@marlowrowingclub.org.uk, or by contacting the Club Secretary at secretary@marlowrowingclub.org.uk. We will remove you from all Cardinal Crew communications and delete your Cardinal Crew profile data, subject to any overriding retention obligations. Where your Cardinal Crew record is linked to a Club membership record, your Club membership data will be retained separately in accordance with Section 9 of this Notice.

Donations and Gift Aid

Where you make a donation to the Club or any of the Club’s funds — whether as a Cardinal Crew member, a Club member, or otherwise — we will retain a record of that donation as part of our financial records.

Where you have indicated that you are a UK taxpayer and have signed a Gift Aid declaration, we will process your name, address, and donation details for the purposes of claiming Gift Aid from His Majesty’s Revenue and Customs (HMRC). This processing is carried out on the basis of our legal obligation as a registered charity to administer Gift Aid in accordance with HMRC requirements.

Gift Aid records, including any declarations you have signed, may be disclosed to HMRC as part of a Gift Aid claim or in response to any questions or enquiries raised by HMRC in connection with such a claim. We are legally required to retain Gift Aid records for a minimum of 6 years from the date of the claim to which they relate, and we will do so regardless of whether you subsequently leave Cardinal Crew, cancel your Club membership, or withdraw any other consents.

If you wish to cancel a Gift Aid declaration you have previously signed, please contact us at the details given in Section 2. Cancellation will apply to future donations; it does not affect Gift Aid already claimed on previous donations.

10. How long we keep your data

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. The following are indicative retention periods:

  • Membership records — retained for 6 years following the expiry or termination of membership.
  • Financial records (including donation and Gift Aid records) — retained for 6 years in accordance with HMRC requirements. Gift Aid declarations and associated donation records must be retained for a minimum of 6 years from the date of the claim to which they relate, and will be kept regardless of any subsequent withdrawal of consent or cancellation of membership.
  • DBS and safeguarding records — retained in accordance with our Safeguarding Policy and any applicable statutory requirements.
  • CCTV footage — retained for a maximum of 31 days unless needed for the prevention or detection of crime, a legal claim, or an active investigation (see Section 5).
  • Accident and incident records — retained for a minimum of 3 years, or longer where a claim is anticipated or ongoing.
  • Tour, camp and travel records — retained for 6 years following the activity, or longer where required by insurance or legal obligations.
  • Cardinal Crew records — retained for as long as you remain a member of Cardinal Crew and have not withdrawn all consents, plus a period of up to 2 years thereafter to enable re-engagement if you choose to return. Where you leave Cardinal Crew and request deletion, data will be removed subject to any overriding retention obligations.

Data that is no longer required is securely deleted or anonymised in accordance with our retention schedule.

11. British Rowing and affiliated bodies

Marlow Rowing Club is affiliated with British Rowing, the national governing body for the sport. Membership details and relevant personal data are shared with British Rowing as necessary for the following purposes:

  • British Rowing membership registration, renewal and administration, managed through British Rowing’s ClubHub system.
  • Competition entries — race entries to Marlow Rowing Club regattas and to third-party regattas are submitted via British Rowing’s Online Entry system (BROE2). Data submitted through BROE2 is processed by British Rowing as a separate Data Controller.
  • Incident and welfare reporting — incidents and welfare concerns may be reported to British Rowing through its incident reporting system, in accordance with the British Rowing Rules and Regulations and British Rowing safeguarding policies.

British Rowing is an independent Data Controller in respect of personal data it holds about members. You can review British Rowing’s privacy practices at:

Note that some British Rowing communications relating to rowing safety, welfare, governance, licensing and regulatory matters are not subject to opt-out. These are sent because they are a necessary and integral part of Club membership and affiliated sporting activity, processed on the basis of legitimate interests and, where applicable, legal obligation. They are distinct from the commercial and promotional content covered by the optional consent categories above.

12. International data transfers

Some of our third-party service providers process personal data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place to protect your data in accordance with the UK GDPR and the Data (Use and Access) Act 2025. The DUAA introduces a ‘data protection test’ for international transfers, replacing the previous requirement for essential equivalence with a standard that the third country must offer a level of protection not materially lower than UK standards. We apply this framework when assessing the safeguards in place for any international transfers we undertake. The main instances are:

  • Stripe (payment processing) — Stripe, Inc. is certified under the UK Extension to the EU-U.S. Data Privacy Framework (DPF), which has been recognised by the UK as providing an adequate level of data protection for transfers from the UK to the United States. Further details are available at com/legal/data-privacy-framework.
  • PayPal (payment processing) — PayPal transfers data from the UK to the United States and other countries. For UK transfers, PayPal relies on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, approved by the UK Information Commissioner. Further details are available in PayPal’s Privacy Statement.

We do not transfer personal data internationally beyond what is necessary for the delivery of our services, and we will not transfer data to countries without an adequacy decision or appropriate safeguards, unless we are legally required to do so.

13. Third-party websites

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy notice of every website you visit.

14. Cookies

Cookies are small files stored on your device when you visit a website. They help us provide you with a better online experience — for example, by enabling you to navigate between pages efficiently and remembering your preferences.

We use cookies for the following general purposes:

  • Strictly necessary cookies — essential for the website to function and cannot be disabled.
  • Analytics cookies — help us understand how visitors use our website so we can improve it.
  • Functional cookies — remember your preferences to improve your experience.

For more information about cookies and how to manage them on your device, please visit www.allaboutcookies.org.

15. How to access your information and your other rights

UK data protection law provides individuals with the following rights in respect of their personal data:

  • Right to be informed — to be told how your personal data is processed (which this Notice sets out).
  • Right of access (subject access request) — to request a copy of the personal data we hold about you. Under the DUAA, we are required to carry out a reasonable and proportionate search in responding to your request. Where we need clarification from you to respond effectively, we may ask for it — and the one-month response period will be paused until we receive it.
  • Right to rectification — to request correction of inaccurate or incomplete personal data.
  • Right to erasure — to request deletion of your personal data in certain circumstances.
  • Right to restriction — to request that we restrict our processing of your personal data in certain circumstances.
  • Right to object — to object to our processing of your personal data where we rely on legitimate interests or recognised legitimate interests as our legal basis, including for direct marketing purposes.
  • Right to data portability — to receive your personal data in a portable format, where applicable.
  • Right to withdraw consent — where we process your data on the basis of consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.
  • Right to complain to us — introduced by the DUAA, you have a statutory right to raise a data protection complaint directly with us before escalating to the Information Commission. See ‘Our data protection complaints procedure’ below.
  • Right to complain to the Information Commission — if you remain dissatisfied after raising a complaint with us, or if you prefer, you may lodge a complaint directly with the Information Commission (the UK’s data protection regulator, formerly the ICO) at ico.org.uk.

Updating your personal data

Members and course participants can update contact details, emergency contacts and health information at any time through their online member account. Alternatively, please contact the Honorary Secretary at secretary@marlowrowingclub.org.uk or the Membership Secretary at membership@marlowrowingclub.org.uk.

Marketing and communications opt-out

We send a range of communications on a consent basis. The categories vary depending on your relationship with the Club:

  • Club members may opt out of: Club news and events update mailings; Club merchandise and commercial offer mailings; fundraising and donation request communications; and third-party commercial advertising carried in our communications.
  • Cardinal Crew members may opt out of consents (b)–(f) as described in Section 9. Club news and events updates (category (a)) are a condition of Cardinal Crew membership and cannot be opted out of while remaining a member.

For all consent categories, you can withdraw your consent at any time by updating your preferences through your online member profile, using an unsubscribe or preference link in any of our emails, or by contacting us directly:

Please note that certain communications cannot be opted out of regardless of your preferences. These include: administrative and service communications necessary for managing your membership or Cardinal Crew participation; and British Rowing communications relating to rowing safety, welfare, governance, licensing and regulatory matters, which are a necessary part of Club membership and affiliated sporting activity.

Safeguarding and child protection

As a club with a significant number of junior and disabled members, we take our safeguarding responsibilities seriously. We process personal data relating to child protection and welfare in accordance with our Safeguarding Policy and the British Rowing safeguarding framework.

The DUAA introduces an explicit duty on organisations to take into account ‘children’s higher protection matters’ when processing personal data in connection with services likely to be accessed by children. This includes recognising that children merit specific protection because they may be less aware of the risks involved in data processing, and that children have different needs at different ages and stages of development. We take these considerations into account in the design and operation of our membership systems, communications, and any online services used by junior members or their parents.

Where a safeguarding concern arises, personal data may be shared without consent with statutory authorities (including the police, local authority children’s services, or social services) or with British Rowing’s safeguarding team, where we are legally required to do so or where it is necessary to protect the vital interests of a child or vulnerable adult. In such cases, the obligation to protect the individual will take precedence over data protection considerations. Where applicable, we may rely on the recognised legitimate interests basis under the DUAA for such disclosures.

Information about our safeguarding obligations and British Rowing’s safeguarding framework can be found at https://www.britishrowing.org/about-us/policies-guidance/.

Automated decision-making and profiling

We use membership management systems that may profile members for the purposes of club administration — for example, grouping members by membership type, squad, or activity level. The DUAA has relaxed the rules on automated decision-making (ADM) for processing that does not involve special category personal data, enabling controllers to rely on legitimate interests as a lawful basis for such activities. Where we use profiling or ADM, we do not make decisions that produce legal or similarly significant effects on individual members without human involvement. Any profiling we conduct is for administrative convenience only. Where you have the right to object to profiling, you may do so by contacting us at the details in Section 2.

Our data protection complaints procedure

Under the Data (Use and Access) Act 2025 (Section 103, in force from 19 June 2026), you have a statutory right to raise a data protection complaint directly with us. If you believe we have infringed your rights or mishandled your personal data, please contact us in the first instance at secretary@marlowrowingclub.org.uk.

When we receive a complaint, we will:

  • Acknowledge receipt of your complaint within 30 days of receiving it.
  • Investigate the matter and keep you informed of progress.
  • Respond to your complaint without undue delay, setting out our findings and any steps we have taken or propose to take.
  • Clearly explain our decision and, where your complaint is not upheld, the reasons for that outcome.

If you are not satisfied with our response, or if you prefer to go directly to the regulator, you may raise your complaint with the Information Commission (the UK’s data protection regulator, formerly the Information Commissioner’s Office) at www.ico.org.uk. We encourage you to contact us first, as many concerns can be resolved more quickly through direct dialogue.

How to exercise your rights

To exercise any of the rights listed above, please submit a written request to the Club Secretary at secretary@marlowrowingclub.org.uk. We will carry out a reasonable and proportionate search for the personal data you have requested and will respond within one calendar month. Where we need to verify your identity or seek further clarification to respond effectively, we will contact you — and the response period will be paused until we receive what we need. If any rights are subject to an exemption, we will explain this to you.

[v2.2 24 Jun 2026]