The General Data Protection Regulation requires that the data controller in our relationship is clearly stated. Data controller is the legal term used to designate a specific entity which controls personal data and is responsible for keeping it protected. Edskills (we, us, our school) is an independent language school in Birmingham and acts as data controller of all personal information provided by anyone who initiates or maintains a relationship with the school, whether as a user of its services or a commercial partner, employee, collaborator and provider of related services, any member of the general population or public official.
Collecting personal data
We receive your personal data in the initial step of our relationship, when you contact us in person, through email, telephone, social media or on our website. By filling in forms, enrolment or employment applications, pre-course surveys, questionnaires and other types of documents required for establishing our relationship, you directly give your personal information for us to use, process and store. In each case of collecting personal information, it is clearly stated whether that information is necessary or optional.
What you share with us
Additionally, the data we collect includes any feedback you give by filling in surveys, questionnaires and any other details you share in the form of posts or emails and send to us, as well as details on how you use our website (which includes web browser type and version, IP address, website navigation and operating system).
Why we need your personal data and how we use it
The purposes for collecting personal information have to do with establishing and maintaining a practical relationship and providing services efficiently and properly. Each time information is collected, its purposes are made clear. The general need for basic personal information is for identification and communication; any details that have to do with the process of learning and education are needed so we can efficiently operate in supporting and providing learning and progress; while more specific documentation is required for meeting government regulations and standards, as well as to ensure all conduct is within health, safety and safeguarding policies and regulations. Homestay providers are asked to disclose certificates for safety risk assessments of their property, driving licence, as well as any details on criminal records or DBS, to ensure safety when placing students, while sharing medical records helps us to provide support and adjust to specific needs while administering our services. We are also obligated to obtain some of the above information in compliance with the codes and regulations set by our accrediting body.
Any bank-related information, such as account details or records of payments, is used for processing fee refunds for students. Bank account information is also needed for commission payments and business operations with agents and commercial partners.
There is a legal basis that justifies each of the ways we use and process your personal information, and for any type of processing of personal data at least one of the following six legal bases must apply:
– Consent – meaning you agree that we use and process your personal information for specified purposes
– Contract – processing of personal information when entering or carrying out a contract between you and our school
– Legal obligation – means that processing of your personal information is necessary because the law requires it
– Vital interests – processing of the data is necessary to protect someone’s life
– Public task – processing is necessary for protecting the public interest or exercising official authority
– Legitimate interest – this is the legal basis for the processing of your personal data for legitimate interests pursued by our school or a third party, as long as the interest is defined and shows the necessity of processing personal information, and fundamental rights and freedoms are not infringed
Some of the data processing can be justified on more than one legal basis.
Class enrolment and booking homestay accommodation require the processing of information on the bases of the fulfilment of contract and legitimate interests (the latter being carrying out the booking, as part of which we may contact our commercial partners – Educational Tour Operators and send them your information).
When we would like to send newsletters to our customers or use their images for marketing purposes, their consent is needed and there is always the option to opt-out.
Employee personal data collection and processing is based on fulfilling a contract, legitimate interests (employment) and compliance with a legal obligation. Processing personal information of next of kin is based on vital interests as it is used in cases of emergency. Many instances of processing the data, as already stated above, are made to meet the regulations of the accrediting body, which is carried out based on our legitimate interest.
Furthermore, the principles under which we collect, process and use your data are outlined by the General Data Protection Regulation:
– Proper and fair use of personal information, which means we only use the collected information for purposes that you fully understand, agree to and are aware of. (Principle of lawfulness, fairness and transparency)
– The use of your personal information is limited to what is clearly stated as necessary, which means we only use your information for what we say we do, and you agree to, and none of the details you provide are used in any way that does not match our purposes. (Principle of limitation of purpose)
– The information we require is limited only to details that are necessary for fulfilling our purposes, and nothing more than what is necessary will be asked from you to share with us. (Data minimisation)
– Accuracy of the personal information we collect is an essential principle when it comes to protecting it, which requires periodical verification and rectification, by carrying out checks and updates where it might be necessary.
– Personal data will not be stored any longer than it is necessary to fulfil our purposes, and we will remove and delete any records after the period of retention in accordance with our retention regulations. (Principle of storage limitation)
– Keeping your personal information safe is of paramount importance to us, and we take all the appropriate and high standard measures to ensure that it remains protected from any unlawful or unauthorised use. (Principle of integrity and confidentiality)
Who has access to your personal data
Within the limits of our school, your personal data is made available to our staff in varying degrees depending on their role in the school. This includes the school director, members of our administrative offices and course instructors.
Outside of our school, your personal data is shared with third parties as part of fulfilling our contractual obligation, and within strict applicable law. We only share limited information necessary to carry out the services that those third parties provide for us. Student personal data is shared with external accommodation and travel services: educational travel operators, homestay providers, hotels, transportation providers such as taxi services, our accountants, accreditation and regulatory bodies as well as relevant government departments, law enforcement and executive agencies (Home Office, Immigration, Health Department, Health and Safety Executive).
Personal information collected from our homestay providers is shared with limited school personnel, including the school director and administration department. Outside of our school, the data is shared with our students and their parents, relevant government departments, law enforcement and executive agencies, educational travel operators, our accountants/auditors when administering quality standard checks, Civil & Corporate for carrying out Disclosure and Barring Service checks, as well as when we arrange transportation services.
All personal data provided by our education agents are available to our school director and administrative staff, while externally we may share it with our accountants/auditors, quality standard inspectorate – the British Council, as well as any relevant government departments, law enforcement and executive agencies.
Children under 18
We collect or store personal information about children under the age of 18 in the context of managing bookings and directly related products, and for safeguarding purposes. Permission is obtained directly from a legal adult guardian to collect this information through our Parental Consent Form. As part of this process, we request special category data relating to the health of the child, which we manage through Vital Interest.
We also gain consent from parents for the use of photos or video taken during their child’s stay at Edskills Language School through the Parental Consent Form.
Data retention periods and storage
All data is stored securely in an organized way, in electronic and in some instances physical format. The school uses email and cloud storage with Microsoft for Education, SharePoint.
All personal data collected by the school will not be retained longer than necessary; as soon as the purposes for processing it are fulfilled and the period of retention regulated by our legal obligation passes, all data will be erased and removed.
In the case of students, the data will be retained during the entire duration of their studies, and a further period of 2 years before it is deleted.
The personal information records of our homestay providers will be retained for the duration of their contract and then for a further 2 years to enable us to meet our regulatory and legal obligations. After 2 years all records will be deleted.
As for data collected from our Educational Agents, we keep it for the duration of the period of our collaboration and will continue to retain it for an extended period of 5 years as per our legal requirements, after which we will erase all personal data records.
Regarding the personal data you have shared with us, under the General Data Protection Regulation you can exercise the following rights:
– You have the right to be informed about the processing of your data in a transparent manner
– You have the right to access, which means you may request and obtain a copy of your personal data that we have in our possession
– You have the right to rectify any incomplete or inaccurate personal information from you that we store
– You have the “right to be forgotten”, which means you can ask for erasure of your personal data in the following specific circumstances: once your personal information no longer serves the purpose for which it was collected; if you withdraw consent when collecting and processing your information was based on consent; if you object to the way we process your data and the legitimate interest legal basis allows removal of the data; in the event of unlawful handling of your information; if there is a legal obligation for erasure; or if we have processed personal information in connection to offering information society services to a child
– You have the right to restrict processing of your data under certain conditions defined by the GDPR policy
– You have the right of portability, which allows you to request that your data is transferred to another organisation, ensuring a safe and fast reuse of the data
– You have the right to object to the processing of your data based on our legitimate interests, such as direct marketing
– You have the right to object to the processing of your data related to automated decision making, including profiling
Data collected through our website and cookies
Cookies are small text files placed in your web browser by our website when you visit it. Their purpose is to collect information on the patterns of how you and others behave and navigate throughout our website. This standard log information is statistically analysed and is used for improvement of the content and services offered on the website. Cookies are used for our website functionality and improving your experience while you are there; however, you may choose not to accept them and block them in your browser.
Our website uses different types of cookies from different services: site monitoring cookies by Google Analytics, which are used for traffic monitoring and generating statistical information on visitor behaviour, location, browser information among other data which is not personally identifiable. Our website’s Twitter and Facebook feeds set cookies that are used to build a profile of interests to use this information for targeted advertisement. Our live chat tawk.to makes us available and keeps us in touch with our users at all times, and this tool sets cookies that are used for its proper functioning as well as generating geographical and browser information.
Third party websites
The website contains links to other websites. We are not responsible for the privacy policies or practices of third party websites.
Staff and privacy
Any wilful breach of this policy by staff will be regarded as a disciplinary offence and will be dealt with under the school’s formal disciplinary procedures.
Feel free to contact us if you have any concern, request or complaint regarding our use of your data. You may also contact us via email: firstname.lastname@example.org or call us at +44 (0)121 366 8953
You may send formal requests to our office at the following address: Edskills, 162-164 High Street, Birmingham, B12-0LD
Making a complaint
If you are not satisfied with the way your request is handled, you have the right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office on 03031231113.