top of page

GDPR Compliance Statement

April 2026

 

 

PURPOSE

This statement sets out how 5th Element Jiu Jitsu Academy CIC meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This document is intended as a companion to our Privacy Policy and provides additional detail on our lawful bases for processing, our data protection responsibilities, and our internal compliance procedures.

 

 

DATA CONTROLLER DETAILS

Organisation: 5th Element Jiu Jitsu Academy CIC Address: 1st Floor, 34 Front Street, Framwellgate Moor, Durham, DH1 5EE ICO Registration:  Data Controller: Reece Doran Contact: reece@5thelementjiujitsu.com

 

 

LAWFUL BASES FOR PROCESSING

Under UK GDPR, all processing of personal data must have a lawful basis. The following table sets out the lawful bases we rely on:

Processing activity

Lawful basis

Membership administration and payment

Contract

Health and medical data for safe training

Legitimate interests / Vital interests

Safeguarding records

Legal obligation / Vital interests

Marketing communications to existing members

Legitimate interests

Marketing communications to prospects

Consent

Photography and video for marketing

Consent

DBS and coaching qualification records

Legal obligation / Legitimate interests

Emergency medical information

Vital interests

 

 

SPECIAL CATEGORY DATA

We process health and medical data as special category data under Article 9 UK GDPR. Our lawful basis for processing this data is:

  • Article 9(2)(b) — processing necessary for carrying out obligations in the field of employment, social security, and social protection law

  • Article 9(2)(c) — processing necessary to protect the vital interests of the data subject where they are physically or legally incapable of giving consent

  • Article 9(2)(f) — processing necessary for the establishment, exercise, or defence of legal claims

Special category data is subject to additional controls as set out in our Privacy Policy.

 

 

DATA PROTECTION RESPONSIBILITIES

Data Controller — Reece Doran Responsible for overall compliance with UK GDPR, maintaining ICO registration, ensuring lawful bases are in place for all processing, and responding to data subject requests.

Designated Safeguarding Lead — Danny Blakemore Responsible for the handling of safeguarding-related data in accordance with the Safeguarding Policy and UK GDPR requirements.

All coaching staff Responsible for handling any personal data they access in the course of their role in accordance with this statement and the Privacy Policy. Any data breach or suspected breach must be reported to the Data Controller immediately.

 

 

DATA SUBJECT RIGHTS PROCEDURE

On receipt of a data subject rights request:

  1. Log the request with date received

  2. Verify the identity of the requestor before providing any data

  3. Respond within 30 calendar days

  4. Where a request is complex or numerous, the response period may be extended by a further two months — the requestor must be informed of this within the initial 30 days

  5. Maintain a record of all requests and responses

Requests should be directed to reece@5thelementjiujitsu.com.

 

 

DATA BREACH PROCEDURE

In the event of a suspected or confirmed data breach:

  1. The individual who identifies the breach must report it to the Data Controller immediately

  2. The Data Controller will assess the breach within 24 hours

  3. Where the breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the ICO within 72 hours of becoming aware of it

  4. Where the breach is likely to result in a high risk to individuals, those individuals must be notified directly without undue delay

  5. All breaches must be recorded in the Data Breach Log regardless of whether ICO notification is required

ICO breach reporting: ico.org.uk/make-a-complaint / 0303 123 1113

 

 

DATA PROCESSING AGREEMENTS

We use the following third party processors and confirm appropriate data processing agreements or terms are in place:

Processor

Purpose

Location

Mattrack

Membership management, payment processing, digital agreements

UK

Where any new third party processor is introduced, a data processing agreement must be in place before any personal data is shared.

 

 

RETENTION AND DELETION SCHEDULE

Retention periods are set out in the Privacy Policy. The Data Controller is responsible for ensuring data is deleted or anonymised in accordance with these periods. A retention review will be conducted annually.

 

 

STAFF AWARENESS

All coaching staff and volunteers will be made aware of their data protection responsibilities. This includes:

  • Reading and confirming understanding of this statement and the Privacy Policy

  • Understanding what constitutes personal data and special category data

  • Knowing how to handle a data subject request

  • Knowing how to report a suspected data breach

 

 

REVIEW

This statement will be reviewed annually by the Data Controller or following any significant change in processing activities, applicable law, or ICO guidance.

Last reviewed: April 2026 Next review due: April 2027

Good. I have everything I need. Here's the Health & Safety Policy:

bottom of page