General Data Protection Regulation (GDPR) – Policy Statement
HFE stores information about staff, learners, suppliers and partners to enable it to operate as a successful provider of teaching and learning services and to meet its legal obligations.
We will comply with the principles of data protection (the Principles) enumerated in the EU General Data Protection Regulation. We will make every effort possible in everything we do to comply with these Principles.
Data collection must be fair, for a legal purpose and we must be open and transparent as to how the data will be used.
1. Lawfulness, fairness and transparency:
- Inform you what data we hold, match the data to how it has been described and meet the requirements of article 5, clause 1(a) of GDPR.
2. Limited for its purpose:
- Data can only be collected for a specific purpose.
3. Data minimisation:
- Any data collected must be necessary and not excessive for its purpose.
- The data we hold must be accurate and kept up to date.
- We cannot store data longer than necessary.
6. Integrity and confidentiality:
- The data we hold must be kept safe and secure.
Compliance with The General Data Protection Regulation (GDPR)
Staff, learners or other parties (e.g. contractors, consultants, partners) who process personal data collected in our name must ensure that they follow the above Principles.
All Data Processors (people who handle personal data on our behalf) are contractually required to comply with our full Data Protection Policy, the above Principles and the terms and conditions set out in our Data Processing Agreement.
Compliance with the Regulation is the responsibility of all staff and learners who have access to personal data. A breach of this Policy may lead to disciplinary action and/or access to our facilities and services being withdrawn, or criminal prosecution.
Questions and concerns about the interpretation or operation of this policy should be taken up with the Company’s Data Protection Officer (DPO) (see below).
Staff, learners or other parties who believe that the Policy has not been followed in respect of their own personal data or that of others should first raise the matter with the Company’s Data Protection Officer (see below).
Rights of Individuals
Individuals have rights to their data which we must respect and comply with to the best of our ability. We must ensure individuals can exercise their rights in the following ways:
1. Right to be informed
- Providing privacy notices which are concise, transparent, intelligible and easily accessible, free of charge, that are written in clear and plain language, particularly if aimed at children.
- Keeping a record of how we use personal data to demonstrate compliance with the need for accountability and transparency.
2. Right of access
- Enabling individuals to access their personal data and supplementary information.
- Allowing individuals to be aware of and verify the lawfulness of the processing activities.
3. Right to rectification
- We must rectify or amend the personal data of the individual if requested because it is inaccurate or incomplete.
- This must be done without delay, and no later than one month. This can be extended to two months with permission from the DPO.
4. Right to erasure
- We must delete or remove an individual’s data if requested and there is no compelling reason for its continued processing.
5. Right to restrict processing
- We must comply with any request to restrict, block, or otherwise suppress the processing of personal data.
- We are permitted to store personal data if it has been restricted, but not process it further. We must retain enough data to ensure the right to restriction is respected in the future.
6. Right to data portability
- We must provide individuals with their data so that they can reuse it for their own purposes or across different services.
- We must provide it in a commonly used, machine-readable format, and send it directly to another controller if requested.
7. Right to object
- We must respect the right of an individual to object to data processing based on legitimate interest or the performance of a public interest task.
- We must respect the right of an individual to object to direct marketing, including profiling.
- We must respect the right of an individual to object to processing their data for scientific and historical research and statistics.
8. Rights in relation to automated decision making and profiling
- We must respect the rights of individuals in relation to automated decision making and profiling.
Any persons wishing to exercise any of the above rights in respect of their personal data should do so in writing to the Data Protection Officer (see below).
For all applications from customers and staff, the Company reserves the right to charge up to £15.00 for each occasion that formal access is requested, although the Data Protection Officer has the discretion to waive this charge on a case-by-case basis.
For applications from other parties, the Company may make an additional reasonable charge, as decided by the Data Protection Officer (see below), if this is required to cover administrative costs.
The Company aims to comply with requests for access to personal information within 21 working days of the date of receipt of the request by the designated Data Controller. If this timescale cannot be met, justification will be provided to the applicant in advance.
HFE is a Registered ‘Data Controller’ with the Information Commissioner’s Office (ICO) (Z2238970) and as such conforms to all standards of professional practice with matters of handling, protection and use.
The Company’s Data Protection Officer (DPO) has overall responsibility for the day-to-day implementation of our Data Protection Policy. The DPO is:
Lee Cain (Managing Director) – Health and Fitness Education, 7-8 Roundhouse Court, Barnes Wallis Way, Buckshaw Village, Chorley, Lancashire, PR7 7JN.
- You should contact the DPO for further information about this Policy if necessary using the above details.