General Data Protection Regulation (GDPR) Statement
The GDPR comes into force on 25th May 2018 and represents a revision of the data protection regulation enforced across Europe. To comply with this regulation and to be open and transparent, this document aims to clarify our data management practices.
Information we hold in relation to GDPR.
Information that falls under GDPR legislation is “any information relating to an identified or identifiable natural person.” This could include the following data items, which we hold in respect of the pottery courses we provide.
Individuals' addresses (if provided).
Contact phone numbers including mobiles.
This information comes directly from individual inquiries about our courses, by telephone, email or through our website. Given the very limited scope of the data we process, outlined above, in relation to the GDPR, we consider the information we carry to be low risk whether you are a student or potential student.
Communicating privacy information.
We communicate our privacy information, the data we hold and how we process it in this document, which is made available to students and potential students through our website.
Every individual has a right to know what information we hold on them. We can provide a plain-text electronic document identifying the information held on an individual, subject to a proper request by the individual concerned or an authoritative body with sufficient legal authority.
We will remove an individual’s information from our systems within 30 days, subject to a proper request by the individual concerned or an authoritative body with sufficient legal authority.
We do not profile individuals. We will also comply with any other request covered by an individual’s rights as identified by the GDPR within 30 days, subject to a proper request by the individual concerned or an authoritative body with sufficient legal authority.
Subject access requests
Any request for information or deletion of data held on an individual should be made in writing to firstname.lastname@example.org. It should state your request clearly. We will process requests within 30 days of receipt.
Lawful basis for processing personal data
We email individuals who are students, past students or potential students for the purposes of marketing forthcoming courses or to advise of changes to courses or events and other directly related activities. We do not make names or email addresses available to any third party. From time to time we have administrative help who contacts students on our behalf. When this occurs you will be notified.
Your personal data will not be retained for longer than is necessary for the purpose for which it was obtained. We regularly review the data we hold, and if it is no longer necessary it will be deleted.
We do not specifically target children for courses. We do not operate social media or forum-based activity targeted at children.
We consider the data we hold to be low risk, as it does not represent a risk to the rights and freedoms of individuals, and as such we are not duty bound to report any such breaches to the ICO (Information Commissioner's Office).
Data Protection Officers
The company does not have a dedicated DPO due to its size and the small amount of low-risk information held. Please send any enquiries regarding GDPR compliance to email@example.com