PRIVACY & GENERAL PRINCIPLES
Please read the following policy carefully to understand what information we may collect from you, how we may use it, and your rights in respect of our use.
We will be guided by the following principles when processing data:
- We will only collect data for specific and specified purposes; we will make it clear at the point when we request your information, what we are collecting it for and how we are going to use it.
- We will not collect data beyond what is necessary to accomplish those purposes; we will minimise the amount of information we collect from you to what we need to deliver the services required.
- We will collect and use your personal information only if we have sensible business reasons for doing so, such as managing a booking or gathering necessary information about a new member of staff.
- We will not use data for purposes other than that for which the data was collected, except as stated herein, or with prior consent.
- We will seek to verify and/or update data periodically, and we will accept requests for amendments of personal data.
- We will apply high technical standards to make our processing of data secure.
- Except when stated herein, we will not store data in identifiable form longer than is necessary to accomplish its purpose, or as is required by law.
We collect information on you:
- When you apply to join a course or programme at the school.
- When you contact us for information, via our website, by email, by phone, in person or via social media channels.
- When you work with us in a commercial capacity.
- When you apply for a coaching session.
- When you apply to work at smarL, and when you are subsequently employed by smartL.
- When you sign up for lessons or a newsletter or subscribe to other services.
- When you give us feedback about your experience of smartL.
- When you use our website or download our app.
- If you post on our social media channels or on our website or blog.
LEGAL BASES FOR PROCESSING YOUR DATA
The General Data Protection Regulation (GDPR) establishes 6 legal bases on which we can process your data: these are Consent, Contract, Legal Obligation, Vital Interests, Public Task and Legitimate Interests. For further information about these legal bases and fuller definitions, please refer to the ICO website.
We use different legal bases for processing your data depending on the purpose for collecting your data in the first instance:
- For all data collected as part of the process of enquiring about, applying for and booking a course or for any other related service (e.g. coaching session, language course), or where you give us feedback about aspects of this provision, we process using Contract or Legitimate Interests, namely the fulfilment of the booking. This may include sending of your data to our teachers. Where required by law to do so, we may also process your data under Legal Obligation.
- Any processing of customer data not directly related to the fulfilment of a booking or related services, such as signing up for newsletters or free lessons on our website, or sending messages to you on behalf of third parties, is managed under Consent. From time to time, we may use elements of the data you supply to target the messages we send to you. For example, we may use your location to send you information about an event or opportunity happening in your area. During your stay, we may take photographs or videos of you, and the use and processing of these is also managed through Consent.
- For all data collected as part of the process of employing and managing staff, we process using Contract, Legal Obligation and Legitimate Interests, namely the employment of the employee. This will include data required for contracts between the parties as well as newsletters to our staff are an important part of how we communicate with them, these are managed under Legitimate Interest.
- For all data collected as part of the process of recruiting and managing services provided, we process using Contract, Legal Obligation and Legitimate Interests, namely the maintenance of the relationship with the steakholders. As newsletters to them are an important part of how we communicate with them, these are managed under Legitimate Interest.
- We may process any of your personal data identified in this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is Legitimate Interest, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
- We may process any of your personal data identified in this policy where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this processing is Legitimate Interest, namely the proper protection of our business against risks.
We will make it as easy as we can for you to opt out of unwanted processing under Consent, providing it does not restrict our ability to provide you with the primary service you have requested.
We collect data for a wide range of purposes. Data is managed to ensure that it is either erased from our system when it is no longer required for the purpose for which it was collected, retained for legal reasons, or pseudonymised and/or minimised and retained.
We are co-processors of information relating to marketing and booking courses and coaching sessions. As such, we may transfer some data outside of the EU, but this will be limited to data necessary for the performance of a contract made in the interests of the individual (which is an exemption to the 8th principle of the GDPR legislation). We remain responsible for the data held, processed or sent via our systems. We are not responsible for the security and processing of data which is held, processed or sent via our partners’ systems or teachers. However, we require all of our partners overseas to confirm that they will process data securely in line with the requirements of GDPR or the equivalent in their country. We do not sell your data at any time.
SPECIAL CATEGORY DATA/CRIMINAL RECORD DATA
We may request health data from potential students and employees. This data has special protection under the GDPR under the specific conditions listed in Article 9 (2) of the GDPR that processing is necessary either to protect the vital interests of the data subject, (or of another natural person where the data subject is physically or legally incapable of giving consent), or where processing is necessary for the purposes of preventive or occupational medicine or the assessment of the working capacity of an employee.
The school has safeguarding responsibilities and carries out DBS checks on all staff and other people who are likely to be have direct supervisory responsibility for or unsupervised contact with young people under the age of 18. We may process and record securely risk assessments of these DBS checks where the disclosure is not clear. These risk assessments will be disposed of securely when that person no longer has supervisory responsibility or unsupervised contact with young people under the age of 18 on behalf of the school.
CHILDREN UNDER 18
We collect or store personal information about children under the age of 18 in the context of managing bookings and directly related products, and for safeguarding purposes. Permission is obtained directly from a legal adult guardian to collect this information through our Parental Consent Form. As part of this process, we request special category data relating to the health of the child, which we manage through Vital Interest.
How we will use information collected by our website
We may use information held about you in the following ways:
- To process a booking for one of our courses or products.
- To manage an application to work for the school.
- To create a profile for you to help us provide a more personalised service which is suited to meet your preferences.
- To ensure that content from our site is presented in the most effective manner for you and your computer.
- To send you our newsletters or provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
- To allow you to participate in interactive features of our service, when you choose to do so.
- To notify you about changes to our service.
Links from our website
PERSONAL INFORMATION AND YOUR RIGHTS
You have the right to rectify, erase or restrict the processing of your data subject to the exceptions outlined in this policy. You also have the right to withdraw consent to the processing of information for which you have previously given consent. You can contact us at any time to have these details removed from our database or to update this information, subject to satisfactory proof of your identity. You can read more about your individual rights on the ICO website.
You may also request access to the data we hold on you. Provision of such information will be subject to:
a) The payment of a fee (currently fixed at £10)
b) The supply of appropriate evidence of your identity.
We may withhold personal information that you request to the extent permitted by the law.
STAFF AND PRIVACY
Any wilful breach of this policy by staff will be regarded as a disciplinary offence and will be dealt with under the school’s formal disciplinary procedures.
LEGAL INFORMATION AND HOW TO CONTACT US
Any request for information (personal information, requesting a correction, or to make a complaint) should be addressed in the first place to our Data Manager, who is our Finance and Operations Manager. He can be contacted at: …..