This Policy set outs the basis on which any personal data provided to us by you, or received by us from third parties, will be used by us. Please read this Policy carefully and ensure that you understand our rights and responsibilities under it.
We are Tennyson Learning Community a registered charity and company registered in the United Kingdom:
Company Number: 12028640
Registered Address: Tennyson Road, Luton, Bedfordshire, United Kingdom, LU1 3RS
Incorporated: 3 June 2019
Company Type: Private Limited Company by guarantee without share capital
Nature of Business: 85200 - Primary education
We are the data controller of personal data provided to us and are registered as a data controller with the ICO under registration number ZA547241
We have appointed a Data Protection Officer who is responsible for addressing data protection matters, including any questions you may have in relation to this Policy. You can contact our Data Protection Officer is Paula Creighton (29 Willow Way, Ampthill, Bedford MK45 2SL t. 07523 021121).
Our use of personal data
The section of our Policy describes:
(a) the kinds of personal data that we may collect, use, store and transfer. We have grouped that data together into different categories based on its subject matter;
(b) our purposes in processing that data; and
(c) in each case, the legal basis of our processing. The legal basis means one of the permitted bases for processing set out in Article 6 of the General Data Protection Regulation (GDPR). We are required by law to identify this legal basis to you.
Personal data we obtain from you
If you correspond or communicate with us, whether through the Site, by email, by telephone or otherwise, then we may process personal data which is contained in the relevant communication (e.g. the contents of correspondence, or notes of the subject matter of telephone calls) or which relates to the communication (e.g. your contact details or job title). All of this together is communications data. We process communications data for the purposes of communicating with you. If you have indicated your interest in our educational services or in our operations, then we may also process communications data for the purposes of addressing your enquiry and providing you with occasional news about our services (although you will be free to unsubscribe at any time). Finally, we may use conversion tracking in relation to some of our email communications (such as newsletters and promotional emails) – this will record whether a recipient has opened an email sent by us, or whether they have clicked through to any of the links in it.
If we deal with you or your organisation, for example as a supplier, customer, collaborator or commercial partner, then we may process personal data such as your contact details for the purposes of setting up an account in our systems or otherwise administering our relationship with you. We may also process personal data within all related correspondence and documents such as proposals or contracts, whether created by us or provided to us. We call all of this account data, and we process it for the purposes of purchasing products and services and administering our dealings with others.
We may process personal data relating to transactions, such as bank account details, contact details or transaction data in relation to payments made by us to you or by you to us (transaction data). This may include your contact details, any bank account or sort code information provided for the purposes of making or receiving payment, and the transaction details (such as POs or invoices). We process transaction data for the purpose of making and receiving payments.
We may process personal data relating to any visit you make to our premises, such as your vehicle registration number, contact details, role, the purpose of your visit or your movements around our site. We might also ask you to sign certain waivers or acknowledgements in order to access certain areas of our premises. We call all of this visitor data and we will process it for the purposes of ensuring your visit is properly recorded and is safe.
We have installed CCTV systems in some of our premises. We may process stills or footage which contain images of individuals (CCTV data). CCTV data may be processed by us for the purposes of security, safety and the prevention and detection of crime.
We may process technical data about your use of the Site, such as your browser type and version, operating system, time zone setting and location, referral source, length of visit, or navigation around the Site (for instance, which pages are viewed and how long for). This data is aggregated and anonymised in such a way that it contains no information relating to any identifiable individual at all : it’s not actually personal data but we mention it in this Policy for the sake of completeness. We process technical data for the purpose of improving our Site.
Personal data we obtain from others
Your personal data may be provided to us by someone other than you: for example, by your employer, by an organisation with whom you and we are both dealing. Normally this data will be communications data or account data as described above and will be processed by us for the purposes described above.
Our other processing
We may also process any of the data described above:
(a) for the purposes of record-keeping and back-up and restoration of our systems;
(b) as required by law or in connection with legal claims.
Our legal basis of processing
We will process personal data only on lawful bases. In particular, we will process personal data on the following lawful bases identified in Article 6 GDPR:
for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1)(b) GDPR). This may be our basis for processing communications data, account data, transaction data or visitor data;
for our legitimate interests (Article 6(1)(f) GDPR). This may be our basis for processing:
i) correspondence, account and visitor data (as we have an interest in properly administering our business and communications, and in developing our relationships with interested parties);
ii) transaction data (as we have an interest in making and receiving payments promptly and in recovering debts);
iii) any personal data identified in this Policy where necessary in connection with legal claims (as we have an interest in being able to conduct and defend legal claims to preserve our rights); and
iv) CCTV data (as we have an interest in the security of our premises);
v) any personal data identified in this Policy in connection with backups of any element of our IT systems or databases containing that personal data (as we have an interest in ensuring the resilience of our IT systems and the integrity and recoverability of our data).
[in performing our public functions (Article 6(1)(e). This may be our basis for processing any of the personal data identified above if we do so in connection with carrying out specific tasks in the public interest (for example, in our teaching or governance activities). If we process personal data in carrying out activities unrelated to our public functions then we do so on one of the bases set out above.]
Disclosures of your personal data
We may disclose your personal data to our suppliers or contractors in connection with the uses described above. For example, we may disclose:
(a) any personal data in our possession to suppliers which host the servers on which our data is stored;
(b) transaction data to our accountants; and
(c) account data to contractors who help us administer our operations.
- We do not allow our suppliers or contractors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions and applicable law.
- We may disclose your personal data as necessary to comply with law (e.g. to Government or law enforcement).
- We may disclose your personal data to our legal or professional advisors in order to take advice, but will do so under obligations of confidentiality.
- If any part of our operations is sold to, transferred to, or integrated with, another organisation (or if we enter into negotiations for those purposes), your personal data may be disclosed to that organisation.
Transfers outside the EEA
Some of the third parties to whom we may transfer your personal data, discussed above, may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. If so, then we will ensure that transfers by our appointed data processors will only be made lawfully (e.g. to countries in respect of which the European Commission has made an "adequacy decision”, or with appropriate safeguards such as the use of standard clauses approved by the European Commission or the use of the EU-US Privacy Shield . You may contact us if you would like further information about these safeguards.
We take appropriate technical and organisational security measures to prevent your personal data from being lost, used, accessed, altered or disclosed by accident or without authorisation. If we become aware of any personal data breach then we will notify you and the ICO as required by law.
Retention and deletion of your data
We will only process your personal data as long as is needed for the purposes for which we process it, and will be deleted afterwards. In particular:
(a) technical data which is anonymised (and therefore not personal data) may be retained by us indefinitely (but is typically deleted within a few months);
(b) communications data which relates only to enquiries and not to a business relationship will be retained for the period of the enquiry or chain of correspondence and then deleted after approximately twelve months;
(c) account and transaction data, and communications data relating to our business relationship with you, will be retained for approximately six years after the end of the relevant business relationship.
We may retain your personal data longer where necessary to comply with law.
Your legal rights under GDPR
We have summarized below the rights that you have under data protection law. You can read guidance from the Information Commissioner’s Office at www.ico.gov.uk for more information. You have:
(a) the right to access: if requested, we must confirm what personal data of yours we process, and must provide you with access to that data and further information about our processing;
(b) the right to rectification: if requested, we must correct or complete any inaccurate or incomplete personal data of yours;
(c) the right to erasure: you can request that we erase your personal data in limited circumstances (for instance, if we use it for marketing or no longer need it for our other purposes). This is not an absolute right and we may be entitled to retain your data where necessary (e.g. to comply with law);
(d) the right to restrict processing: you can request that we restrict the processing of your personal data in limited circumstances. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except in the case of processing permitted by applicable law (for example, in connection with legal claims or for reasons of public interest);
(e) the right to object to processing: you can object to our processing of your personal data on the basis of our legitimate interests. We may be entitled to continue processing in certain circumstances (e.g. if we have compelling grounds to do so, or to comply with law);
(f) the right to data portability: you have a right to receive your data from us in an easily-portable format in limited circumstances: i.e. if we process that data on the basis of a contract with you and by automated means. This is unlikely to apply in most circumstances; and
(g) the right to complain: if you believe we are in breach of applicable law, you can complain to the Information Commissioner’s Office. For more information, see https://ico.org.uk/concerns/
You may exercise any of your rights in relation to your personal data by written notice to us. The Trust DPO is Paula Creighton: firstname.lastname@example.org