Note to customers regarding the General Data Protection Regulation (GDPR)
What does the GDPR apply to?
The GDPR applies to Personal Data, which is any information relating to an identifiable person, that is, a natural person who can be identified directly or indirectly. It applies to both automated processing and manual filing systems.
Business-to-business transactions, in general, are not covered by the GDPR, and this includes dealings with schools, because data about an organisation as such is not Personal Data. The only data in these transactions that the GDPR covers is data from which an individual is identifiable, for example a contact's first name, last name and email address.
As a company we commit to the following:
- Recognising our responsibilities as both a Controller and a Processor of Personal Data
- Any Personal Data which is collected will be for specified, explicit and legitimate purposes and will not be processed further in any way incompatible with the initial purposes
- We will not hold more information than is needed for the purpose(s) notified
- Personal Data held by the company will be accurate and where necessary, kept up to date
- The company will only keep Personal Data for as long as necessary for the purposes collected
- All data will be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- Personal Data will not be processed outside the European Union except where appropriate safeguards have been put in place to protect it, for example a US company that was certified under Privacy Shield (note that the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so a transfer to the US now requires another safeguard, such as Standard Contractual Clauses)
Reasons for processing Personal Data
We will only process Personal Data when one of the following applies:
- Consent has been obtained from the Data Subject
- Processing is necessary for the performance of a contract
- Processing is necessary to comply with a legal obligation
- Processing is necessary to protect someone's vital interests
- Processing is necessary for a task carried out in the public interest
- Processing is necessary for our legitimate interests, provided these are not overridden by the rights and interests of the Data Subject
As a company, we recognise that Data Subjects have the right to:
- Be supplied with the data held on them, free of charge, within one month of the request (with some exceptions)
- Have inaccurate data rectified without undue delay
- Erasure (‘Right to be Forgotten’)
- Restriction of Processing
- Data Portability (obtaining a copy of their Personal Data from the company in a commonly used format for transfer to another controller)
- Object to Processing
The company takes all appropriate measures to prevent a data breach. In the unlikely event of a breach we will take the following steps:
- Notify the appropriate Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals
- Notify the affected individuals without undue delay if the breach is likely to result in a high risk to them
Data Protection Officer (DPO)
The company has assessed the need for a DPO and has concluded that there is no need to appoint such a person; however, for any enquiries relating to the GDPR please contact firstname.lastname@example.org.