In the education sector, dealing with sensitive data is unavoidable. Your data is safe with us. We only keep contact information for individuals who are our students, agents or staff members and who we expect to be interested in our marketing messages and our systems and workflows are designed to ensure the highest levels of data security are maintained at all points of contact with our language schools.
Global Connections (Scotland) Limited are committed to the EU’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018 to strengthen data protection laws across the EU and to provide new rights for employees and individuals. We are also committed to the UK Data Protection Act 2018, which implements parts of the GDPR into UK law.
Global School of English (hereafter we) is owned and operated by Global Connections (Scotland) Limited, 180 Hope Street, Glasgow, G2 2UE. We can be contacted in respect of personal data processing queries at the above address or by using the school contact email address (firstname.lastname@example.org) or by telephone (+44 (0)131 226 2333)
We are committed to the accurate, safe, lawful and fair handling of all personal data. We fully respecting the legal rights, privacy and trust of everyone with whom we deal.
This policy is for distribution to our students and potential students, agents, host families and employees, and for the Information Commissioners Office, if requested, to demonstrate that we recognise our obligations to comply with the GDPR in handling personal data where it is necessary for the ongoing operation of our business. All our staff, agents and host families are required to comply with our data protection processes at all times.
We are a UK-based English language school providing educational services to a wide, international customer base.
We act as both controller and processor of personal data, including sensitive personal data, in the following main contexts:
Personal Data Audits
We undertake personal data audits within all departments and maintain maps of all data stored. For each process where personal data is handled, the audit captures the following information:
¨ with the consent of the data subject
¨ as part of a contract with the data subject
¨ as part of a contract with the data controller
¨ because there is a legal obligation to process the personal data
¨ where there is a legitimate interest to process the personal data
Personal data audits are reviewed annually and we are committed to maintaining and developing documentation and policies as a result of any issues identified in the annual audits, and as further processes incorporating the handling of personal data are identified.
Legitimate Interests Assessments
We have conducted a Legitimate Interest Assessment where legitimate interest is used as the legal basis for processing personal data.
Processing, transfer and storage of personal data
We ensure that all staff and agents handle personal data securely.
Further information on our policies on the processing, transfer and storage of personal data are detailed in a number of individual documents which govern the relationship between the company and our staff, students, potential students, agents and host families.
We will ensure that each type of personal data will be retained in accordance with its documented retention period. Retention periods are documented in our Documented Information Procedure and also in our personal data audits. Data retention periods are available on request in respect of any data held for individuals or organisations with which we have dealings in the course of operating the school.
Subject Access Requests
We will respond to written Subject Access Requests without undue delay, within one month of receipt, and with no fee chargeable. We will verify the identity of the requester, and that the request is valid and within the rights of the individual under the requirements of the GDPR.
Requests to be Forgotten or Right to Erasure
The GDPR provides a right for individuals to have personal data erased. The right is not absolute and only applies in certain circumstances. We will respond to a verbal or written Request to be Forgotten or Right to Erasure without undue delay, within one month. We will verify the identity of the requester and their right to request erasure before following internal procedures to delete the relevant data and ensure that any third-party processors of the data erase any data we have shared with them.
Where the legal basis of storing personal data is for contractual or legal obligation, the right to be forgotten is outweighed and in such circumstances, personal data will not be deleted.
Breach notification process
We will comply with our duty under the GDPR to report certain types of personal data breach to the Information Commissioner’s Office within 72 hours of becoming aware of the breach. We will keep a record of any personal data breaches, whether or not legally required to do so.
If a breach is likely to result in a high risk to the rights and freedoms of the affected individuals, we will inform those concerned directly and without undue delay.
We will investigate if any breach was a result of human error or a systemic issue and will assess how a recurrence can be prevented – whether this is through improved procedures, additional training or other corrective actions.