Malvern College Enterprises Ltd.
WHO WE ARE
Malvern College Events is a trading name of Malvern College Enterprises Ltd, registered in England no. 2706656, which is a wholly-owned subsidiary of Malvern College, registered charity no. 527578.
WHY WE NEED TO PROCESS PERSONAL DATA
In order to carry out its ordinary duties to clients, Malvern College Events may process a range of personal data about past, current and prospective customers as part of its daily operation. Some examples are:
• For the purposes of enrolling new clients with Malvern College Events’ range of services (and to confirm the identity of prospective clients);
• To provide event and facility hire services, including room hire, catering functions and conferences;
• Maintaining relationships with the Malvern College Events community, including direct marketing activity;
• For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law;
• To enable relevant authorities to monitor Malvern College Events’ performance and to intervene or assist with incidents as appropriate;
• To safeguard clients’ welfare whilst using our facilities and provide an appropriate level of care;
• To monitor (as appropriate) use Malvern College’s IT and communications systems in accordance with the College’s Policy one the Acceptable use of ICT and e-Safety;
• To make use of photographic images of users in Malvern College Events publications, on the Malvern College Events website and (where appropriate) on Malvern College Events’ social media channels;
• For security purposes, including CCTV in accordance with Malvern College’s CCTV policy; and
• Where otherwise reasonably necessary for Malvern College Events’ purposes, including to obtain appropriate professional advice and insurance for Malvern College Events.
TYPES OF PERSONAL DATA PROCESSED BY MALVERN COLLEGE EVENTS
• names, addresses, telephone numbers, email addresses and other contact details
• communication record (letter, email or SMS)
• credit/debit card details in the case of customers asking to pay invoices by this means;
• images of customers and clients attending Malvern College Events activities, and images captured by Malvern College’s CCTV system (in accordance with the Malvern College’s policy on taking, storing and using images of children);
LEGAL BASIS FOR PROCESSING DATA
Malvern College Events expects that much of its data processing may fall within the category of its (or its community’s) “legitimate interests” provided that these are not outweighed by the impact on individuals and provided it does not involve special or sensitive types of data.
Some activity Malvern College Events will need to carry out in order to fulfil its “legal rights, duties or obligations” for example where clients are in a contractual relationship with Malvern College Events.
There may be occasions when Malvern College Events will act in the “vital interests” of preventing someone from being seriously harmed or killed.
HOW MALVERN COLLEGE EVENTS COLLECTS DATA
Generally, Malvern College Events receives personal data from the individual directly, or sometimes through a third party such as the individual’s employer or a nominated individual co-ordinating a group booking. This may be via a form, or simply in the ordinary course of interaction or communication (such as email or telephone conversations). In some cases personal data may be supplied by third parties or collected from publicly available resources.
WHO HAS ACCESS TO PERSONAL DATA AND WHO MALVERN COLLEGE EVENTS SHARES IT WITH
Occasionally, Malvern College Events will need to share personal information relating to its community with third parties, such as professional advisers (lawyers and accountants) or relevant authorities (HMRC, police or the local authority).
For the most part, personal data collected by Malvern College Events will remain within Malvern College Events, Malvern College Enterprises and Malvern College, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis).
In accordance with Data Protection Law (including GDPR – the General Data Protection Regulation), some of Malvern College Events’ processing activity is carried out on its behalf by third parties (our trusted and contracted suppliers), such as IT systems, web developers (Williams & Crosby) or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the Malvern College Events’ specific directions, i.e. your data will never be used by these suppliers for their own benefit or marketing purposes.
HOW LONG WE KEEP PERSONAL DATA
Malvern College Events will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Any sensitive personal data relating to customers of Malvern College Events will be deleted 12 months after the event has passed. Credit/debit card details are only taken at the request of users, generally by telephone call, and are destroyed immediately if submitted on a form. They are never recorded on any Malvern College Events system.
Incident reports and files relating to the safeguarding of children will need to be kept much longer, in accordance with specific legal requirements. It should also be noted that fully-selective deletion of data from the Malvern College Events Management Information Systems may not always be possible for technical reasons.
If you have any specific queries about how this policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact Malvern College’s Commercial Director, Mr Allan Walker, email@example.com. However, please bear in mind that Malvern College Events, Malvern College Enterprises Ltd and Malvern College may have lawful and necessary reasons to hold on to some data.
Individuals have various rights under Data Protection Law to access and understand personal data about them held by Malvern College Events, and in some cases ask for it to be erased or amended or for Malvern College Events to stop processing it, but subject to certain exemptions and limitations.
If you wish to exercise any of these rights you should put your request in writing to Malvern College’s Commercial Director, Mr Allan Walker, firstname.lastname@example.org.
Malvern College Events will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. The School will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, Malvern College Events may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.
You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege.
Data Protection Law provides you with the following rights:
The right of access
Your right to obtain confirmation as to whether or not personal data are being processed, and, where that is the case, access to the personal data along with details regarding the nature of processing.
The right of rectification
Your right to obtain the rectification of inaccurate personal data.
The right of portability
Your right to receive the personal data concerning provided to us, in a structured, commonly used and machine-readable format.
The right to be forgotten
Your right to erase your personal data.
The right to restrict processing
your right for your data to be effectively ‘frozen’; stored and not further processed.
The right to object
ACCESS REQUESTS – YOUNGER USERS
Children whose personal data is held by Malvern College Events (e.g. attendees on courses operated by Malvern College Events clients) can make subject access requests for their own personal data, provided that, in the reasonable opinion of Malvern College Events, they have sufficient maturity to understand the request they are making (see section Whose Rights below). Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of younger children, the information in question is always considered to be the child’s at law.
A child of any age may ask a parent or other representative to make a subject access request on his/her behalf. Moreover (if of sufficient age) their consent or authority may need to be sought by the parent making such a request. This will depend on both the individual child and the personal data requested, including any relevant circumstances at home. All information requests from, or on behalf of, children – whether made under subject access or simply as an incidental request – will therefore be considered on a case by case basis.
Where Malvern College Events is relying on consent as a means to process personal data (for the example the use of images for marketing purposes), any person may withdraw this consent at any time (subject to similar age considerations as above). Please be aware however that Malvern College Events may have another lawful reason to process the personal data in question even without your consent.
That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under some form of contract or agreement with the individual or because a purchase of goods, services or membership has been requested.
The rights under Data Protection Law belong to the individual to whom the data relates. However, Malvern College Events will often rely on parental consent to process personal data relating to children (if consent is required) unless, given the nature of the processing in question, and the child’s age and understanding, it is more appropriate to rely on the child’s consent.
Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.
In general, Malvern College Events will assume that children’s consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the child’s progress in swimming lessons, and in the interests of the child’s welfare, unless, in Malvern College Events’ opinion, there is a good reason to do otherwise.
However, where a child seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, Malvern College Events may be under an obligation to maintain confidentiality unless, in Malvern College Events’ opinion, there is a good reason to do otherwise; for example where Malvern College Events believes disclosure will be in the best interests of the child or other children, or if required by law.
DATA ACCURACY AND SECURITY
Malvern College Events will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify email@example.com of any significant changes to important information, such as contact details, held about them.
An individual has the right to request that any out-of-date, irrelevant or inaccurate or information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why Malvern College Events may need to process your data, of whom you may contact if you disagree.
Malvern College Events will take appropriate technical and organizational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to Malvern College Events systems. All staff will be made aware of this policy and their duties under Data Protection Law and receive relevant training.
Malvern College Events will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.
QUERIES AND COMPLAINTS
Any comments or queries on this policy should be directed to Mrs Nicky Cullity, the Events Manager, at firstname.lastname@example.org.
If you believe that Malvern College Events has not complied with this policy or acted otherwise than in accordance with Data Protection Law, you should notify the Commercial Director (Mr Allan Walker, email@example.com). You can lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with Malvern Active before involving the regulator.
Updated May 2018