GDPR applies to all EU states from the 25th May 2018. The principles are broadly similar to the principles in the Data Protection Act 1998.
At a glance
The GDPR sets out seven key principles:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality (security)
7. Accountability
These principles should lie at the heart of edde’s approach to processing personal data.
Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime.
Article 5(1) requires that personal data shall be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Article 5(2) adds that:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
edde has always complied with data protection laws and regulations surrounding the use of personal data. However, GDPR means we have made several changes to our processes and policies. This document outlines what we have done at edde to ensure we are fully compliant with GDPR regulation.
1. Transparency – We are open and honest and comply with the transparency obligations of the right to be informed.
2. Lawfulness – We have identified an appropriate lawful basis (or bases) for our processing. If we are processing special category data or criminal offence data, we have identified a condition for processing this type of data. We don’t do anything generally unlawful with personal data.
3. Fairness – We have considered how the processing may affect the individuals concerned and can justify any adverse impact. We only handle people’s data in ways they would reasonably expect, or we can explain why any unexpected processing is justified. We do not deceive or mislead people when we collect their personal data.
Data Controllers and Data Processors at edde
Controllers have new data protection obligations under the GDPR. Also, in a change from previous legislation, processors now have statutory obligations under the GDPR.
Individuals and supervisory authorities (such as the ICO) can hold both controllers and processors to account if they fail to comply with their responsibilities under the GDPR.
A Data Controller states how and why personal data is processed. edde has one Data Controller and we will be more than happy to provide a contact name should you have a valid request. Please email firstname.lastname@example.org asking for the name of your Data Controller.
A Data Processor is an individual at edde who is processing the data. All our team members in sales, operations, finance and marketing roles can process data at edde.
The duty of our Data Controller is to ensure that our processors abide by the law; our processors must abide by these rules and maintain records of their processing activities.
Our Data Controllers are the main decision makers: they exercise overall control over the purpose and means of the processing of personal data. They have the highest level of compliance responsibility; they comply with, and demonstrate compliance with, all data protection principles as well as the other GDPR requirements.
Once this purpose has been fulfilled and the data is no longer required, it then needs to be deleted from our systems.
Who we are and our details?
All our company details are on our website, www.edde.education. At the footer of the home page, there is a section called “Corporate Information.” In this section, our details are under the “Company Information” sub section.
What is Lawful?
Firstly, a person has consented for us to have their personal data and to process it.
Secondly, collecting the data is in our legitimate interest, such as preventing fraud.
How do we get consent from you?
Parental consent is gained when entering the code provided by the School. During the order process an Acceptable User Policy must be read and approved. Terms and conditions can be viewed at the end of the order process.
To comply with GDPR, edde have to answer the following questions:
When did you give us consent?
The date on which you clicked and submitted on the edde parent portal.
What did you give consent for?
edde work with schools, colleges, academies and universities in the UK. You may be an education establishment that is looking for finance or looking to implement a digital learning solution, a supplier into this sector, or a parent of a child at a school we work with.
If you are an education establishment or a supplier, you are giving us consent to market to you no more than once per month and to communicate about business opportunities we may be working on.
Data Protection for Parents and Children
We will not market any products or services to you. We will only hold your email address and mobile phone number – to communicate with you about your digital learning scheme.
Data is collected at the time of ordering on the parent portal, and held for the duration of the contribution scheme. At the end of the scheme period, we will delete your personal details assuming you are not in a missed payment position.
How can I withdraw my consent for you to hold my data?
You have the right to withdraw your consent for us to hold your data at any time. You do not have to offer a reason for this.
Once we have received notice from you to withdraw consent to hold your data, your details will be removed from our system and marketing lists within seven working days. (This cannot be done for parents during a scheme as we will need your details to speak to you in event of an issue.)
To remove your consent for us to hold your data, please email email@example.com
Do we have this history by individual person?
Yes, our records will provide history by the individual, not the school or education establishment they represent.
When will the consent expire for education customers?
We expire consent upon completion of the contribution scheme, assuming no missed payments.
What data we hold and why? Profiling and collection of other personal data
Profiling means any form of automated processing of personal data to evaluate certain aspects relating to a person in order to analyse and predict their interests, behaviour, health and location.
Edde do not under any circumstances profile the data of individual parents or guardians.
What data we hold on minors/children?
The only data we hold on them is their name. We do not hold their personal email, mobile phone number, gender, age, date of birth or any other sensitive data.
Who we share your data with, and selling or offering of your data to third parties
The only third party companies we share data with are:
Finance companies that offer leasing and finance facilities. Even then, this will only be done at a time when we are looking at a specific business opportunity or when this information has been requested from us due to a dispute, default or problem in general. (Suppliers only, not parents)
Companies in our group, defined by where there is a common directorship or shareholding. (Suppliers only, not parents)
Edde do not hold any of the following “Special Personal Data”, also known as “Sensitive Personal Data.”
This relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and health or sex life.
Where information on the data subject/customer is obtained from a source other than the data subject/customer, what that source is.
There will be instances where we obtain data from a third party. Often, this is where a supplier we deal with passes on information about a school prospect they are working with. This never concerns individuals.
We will load and keep this information to help in obtaining a credit acceptance as long as the information is appropriate to our needs. Should you request it, we will be more than happy to disclose what information we hold and the third party we received it from.
What have we done to comply with the new GDPR ruling?
Board of Directors – Our board of directors have been fully briefed on GDPR and have appointed Data Controllers internally.
Training – All our existing staff – and new recruits – will go through a one-day data protection training course as a minimum, with a refresher course on a yearly basis.
Company mobile phones – All company mobile phones are password protected.
Company laptops – All laptops are password protected. They are hidden when in a vehicle and locked away if ever stored overnight at an office. Employees are aware of the need to keep them safe in a home environment.
Personal Data – Our CRM system, Word, Excel, Outlook are all stored in the cloud via a Microsoft storage facility as opposed to the computer drive.
Downloading of data – The bulk downloading of data from our CRM system has been changed so that only Data Controllers can undertake this process. Excel spreadsheets are then deleted when not needed.
Printed material – We are a paperless office. All documentation that can hold personal data is stored on our CRM system.
CRM system – This is security protected (https://). The data is held offsite in a data centre and backed up every day. All employees have an individual login and a passcode that changes on a daily basis. Only current employees of our company have access to this system.
Your rights as an individual
The GDPR includes the following rights for individuals:
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making including profiling.
You can remove consent for any reason at any time by emailing firstname.lastname@example.org
Should you have any questions regarding GDPR and your data at edde, again, please email email@example.com and an edde Data Controller will get back to you within two working days.
In the event of a security breach
We take data security very seriously and use best endeavours to ensure the systems and procedures we follow provide us with a high level of data security. Should a data breach occur, we will analyse the situation and report it to the necessary authorities and communicate with any individuals that may have been affected.
edde look to report this information to the Information Commissioner’s Office within 48 business hours and to communicate with any individual affected within 72 hours.
Filing a Complaint
We hope that you will not find it necessary to file a complaint against our company with reference to Data Protection. Should you feel it appropriate, you will need to contact:
Organisation: Information Commissioner’s Office
Website address: www.ico.org.uk
Telephone: You can call their helpline on 0303 123 1113
Who are the ICO?
The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.