Personal Data Protection Policy
Ashorne Hill Management College (‘AHMC’) takes the protection of personal data extremely seriously and has taken a ‘data protection by design and default’ approach. The following policy details how AHMC adheres to the General Data Protection Regulation (‘GDPR’).
1.0 Principles
AHMC adheres to the following principles as set out by the GDPR, data will be:
a) processed lawfully, fairly and in a transparent manner
b) collected for specified, explicit and legitimate purposes – i.e. it is necessary
c) adequate, relevant and limited to what is necessary
d) accurate and, where necessary, kept up to date
e) kept in a form which permits identification of subjects for no longer than is necessary
f) processed in a manner that ensures appropriate security of the personal data.
2.0 Lawful Basis
AHMC will only process personal data if it has one of the following lawful bases to do so:
a) Consent
b) Contract
c) Legal obligation
d) Vital interest
e) Public task
f) Legitimate interest
AHMC will determine & document our lawful basis before we begin processing personal data.
3.0 Rights of the Individual
AHMC will uphold the rights of the individual as follows:
a) The right to be informed
b) The right of access
c) The right to rectification
d) The right to erasure
e) The right to restrict processing
f) The right to data portability
g) The right to object
Privacy Information & Notices
AHMC will notify individuals for whom we hold personal data of the following:
– our purposes for processing their personal data
– our lawful basis for processing their personal data
– our personal data retention periods
– who their personal data will be shared with, if at all
Access
AHMC will allow access to a subject’s personal data upon request by the individual.
Rectification
AHMC will consider any request to rectify personal data if a request is made either verbally or in writing. AHMC will respond to any request within one calendar month.
Erasure
AHMC will consider any request to erase personal data if a request is made either verbally or in writing. This is ‘the right to be forgotten’. AHMC will respond to any request within one calendar month.
Processing Restriction
AHMC will consider any request to restrict the processing of personal data if a request is made either verbally or in writing. AHMC will respond to any request within one calendar month.
Data Portability
AHMC will consider any request to port personal data if a request is made either verbally or in writing. AHMC will respond to any request within one calendar month.
Objection
If AHMC hold personal data on the basis of Legitimate Interest, AHMC will consider not processing that personal data if an objection is made either verbally or in writing. AHMC will respond to any request within one calendar month.
4.0
As a data controller, AHMC will only appoint data processors who can provide sufficient guarantees that the requirements of the GDPR will be met. Processors must only act on the documented instructions of AHMC and there will be contractual agreements in place to ensure that both parties understand their respective responsibilities and liabilities.
AHMC will maintain documentation of our processing activities, to include:
– The purposes of our data processing.
– Descriptions of the categories of personal data held.
– The categories of recipients of personal data.
– Transfers to other countries including the transfer mechanism safeguards in place.
– Retention schedules.
– Information required for privacy notices – Records of consent;
– Location of personal data
AHMC will implement appropriate security measures to ensure confidentiality, integrity and availability of personal data.
AHMC will record and, where necessary, report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.
AHMCwillconductdataprotectionimpactassessments(DPIA)forusesofpersonal data that are likely to result in high risk to individuals’ interests.
AHMC will not be appointing a Data Protection Officer (DPO) as we are neither a public authority nor have core activities that require large scale, regular and systematic monitoring of individuals. However, AHMC does have sufficient staff and resources to discharge our obligations under the GDPR.
