Data Privacy Policy

(This Policy is replaced by The EU General Data Protection Regulation (GDPR) from 25 May 2018)

Privacy


This Privacy Policy governs the manner in which Vacational Studies collects, uses, maintains and discloses information collected from users (each, a "User") of the vacstuds.com website ("Site"). This privacy policy applies to the Site and all products and services offered by Vacational Studies.

Personal identification information

We may collect personal identification information from Users in a variety of ways in connection with activities, services, features or resources we make available on our Site. We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can always refuse to supply personal identification information, except that it may prevent them from engaging in certain Site-related activities or confirming bookings.

Non-personal identification information

We may collect non-personal identification information about Users whenever they interact with our Site. Non-personal identification information may include the browser name, the type of computer and technical information about Users' means of connection to our Site, such as the operating system and the Internet service providers utilised and other similar information.

Web browser cookies


Our Site may use "cookies" to enhance User experience. A User's web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. Users may choose to set their web browser to refuse cookies, or to alert them when cookies are being sent. If they do so, note that some parts of the Site may not function properly.

How we use collected information

Vacational Studies collects and uses Users' personal information for the following purposes:

– To improve our Site: We continually strive to improve our website offerings based on the information and feedback we receive from you.
– To improve customer service: Your information helps us to more effectively respond to your customer service requests and support needs.
– To send periodic emails

How we protect your information

We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site. E-mail addresses will be removed on request. This will also include removal of all of that student's records, which will be irretrievable.

Sharing your personal information

We do not share any information.

Changes to this privacy policy

Vacational Studies has the discretion to update this privacy policy at any time. When we do, we will revise the updated date at the bottom of this page. We encourage Users to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect. You acknowledge and agree that it is your responsibility to review this privacy policy periodically and become aware of modifications.

Your acceptance of these terms

By using this Site, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our Site. Your continued use of the Site following the posting of changes to this policy will be deemed your acceptance of those changes.

Contacting us

If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site, please contact us at:

Vacational Studies
Pepys' Oak
Tydehams
Newbury
Berkshire
RG14 6JT
United Kingdom
01635 523 333
vacstuds@vacstuds.com

This document was last updated on 23 February 2018.
The above Policy is replaced by The EU General Data Protection Regulation (GDPR) from 25 May 2018:

The EU General Data Protection Regulation (GDPR)

(This applies from 25 May 2018)

Lawful processing

Vacational Studies (VS) must identify and document the lawful basis for any processing of personal data. The lawful bases are:

Direct consent from the individual (Parents have agreed on application that VS may store personal data)

The necessity to perform a contract (VS needs information on its students to look after them and their interests)

Protecting the vital interests of the individual (Only VS holds personal data on its system and does not allow any other entity access to it)

The legal obligations of the organisation (VS needs to know with whom it is dealing)

Necessity for the public interest (VS needs data to know whose interests it is responsible for)

The legitimate interests of the organisation (In that VS is able to provide references and information on student performance, it needs to retain this data)



Personal data that can be held

Name

Address

Email address

Photo

IP address

Location data

Online behaviour (cookies) (Not held by VS)

Profiling and analytics data (Not held by VS)



Special categories of personal data

Race (Not held by VS)

Religion (Needed in case special provision needs to be made)

Political opinions (Not held by VS)

Trade union membership (Not held by VS)

Sexual orientation (Not held by VS)

Health information (Needed as VS assumes responsibility for students' health needs)

Biometric data (Not held by VS)

Genetic data (Not held by VS)



Wider scope

The GDPR applies to all EU organisations – whether commercial business, charity or public authority – that collect, store or process the personal data of individuals residing in the EU, even if they're not EU citizens.

Organisations based outside the EU that offer goods or services to EU residents, monitor their behaviour or process their personal data will be subject to the GDPR. (VS is based in the EU)

Service providers (data processors) that process data on behalf of an organisation come under the remit of the GDPR and will have specific compliance obligations. An example might be a company that processes your payroll or a Cloud provider that offers data storage.



Data protection principles

Personal data must be processed according to the six data protection principles:

Processed lawfully, fairly and transparently.

Collected only for specific legitimate purposes.

Adequate, relevant and limited to what is necessary.

Must be accurate and kept up to date.

Stored only as long as is necessary.

Ensure appropriate security, integrity and confidentiality.

(VS confirms it complies with the above)



Accountability and governance

The establishment of a governance structure with roles and responsibilities.

Keeping a detailed record of all data processing operations.

The documentation of data protection policies and procedures.

Data protection impact assessments (DPIAs) for high-risk processing operations.

Implementing appropriate measures to secure personal data.

Staff training and awareness.

Where necessary, appoint a data protection officer.

(IGM is the sole holder of data and is the data protection officer)

(VS can demonstrate compliance with the GDPR)



Data protection by design and by default

There is a requirement to build effective data protection practices and safeguards from the very beginning of all processing:

Data protection is considered at the design stage of any new process, system or technology.

A DPIA is an integral part of privacy by design.

The default collection mode must be to gather only the personal data that is necessary for a specific purpose.



Valid consent

There are strict rules for obtaining consent:

Consent must be freely given, specific, informed and unambiguous.

A request for consent must be intelligible and in clear, plain language.

Silence, pre-ticked boxes and inactivity will no longer suffice as consent.

Consent can be withdrawn at any time.

Consent for online services from a child under 13 is only valid with parental authorisation.

Organisations must be able to evidence consent.

(VS confirms it complies with the above)



Privacy rights of individuals

Individuals' rights are enhanced and extended in a number of important areas:

The right of access to personal data through subject access requests.

The right to correct inaccurate personal data.

The right in certain cases to have personal data erased.

The right to object.

The right to move personal data from one service provider to another (data portability).

(VS confirms it complies with the above. A request to remove data will result in the removal of all data including academic performance which cannot be retrieved for later reference purposes)



Transparency and privacy notices

Organisations must be clear and transparent about how personal data is going to be processed, by whom and why.

Privacy notices must be provided in a concise, transparent and easily accessible form, using clear and plain language.

(VS confirms it complies with the above)



Data transfers outside the EU

The transfer of personal data outside the EU is only allowed:

Where the EU has designated a country as providing an adequate level of data protection;

Through model contracts or binding corporate rules; or

By complying with an approved certification mechanism, e.g. EU-US Privacy Shield.

(VS confirms it complies with the above)



Data security and breach reporting

Personal data needs to be secured against unauthorised processing and against accidental loss, destruction or damage.

Data breaches must be reported to the data protection authority within 72 hours of discovery.

Individuals impacted should be told where there exists a high risk to their rights and freedoms, e.g. identity theft, personal safety.

(VS confirms it complies with the above)



Data protection officer (DPO)

The appointment of a DPO is mandatory for:

Public authorities;

Organisations involved in high-risk processing; and

Organisations processing special categories of data.

A DPO has set tasks:

Inform and advise the organisation of its obligations.

Monitor compliance, including awareness raising, staff training and audits.

Cooperate with data protection authorities and act as a contact point.

(VS confirms it complies with the above and that the DPO is Ian Mucklejohn, Director, Vacational Studies)



Ian Mucklejohn - 16 March 2018