General Data Protection Regulation (GDPR) Policy
Last updated: 31/01/2022
1. POLICY STATEMENT
2. REASON FOR THE POLICY
3. POLICY OBJECTIVES
4.1 Core Principles – The principles set out in the GDPR must be adhered to when processing
personal data. The principles are as follows:
i. Personal Data shall be processed fairly and lawfully.
ii. Personal Data shall be obtained only for specified and lawful purposes and shall not be
processed in a way that is incompatible with those purposes or in contradiction to the GDPR.
iii. Personal Data shall be adequate, relevant and limited to what is necessary to fulfil the
purposes for which it is processed.
iv. Personal Data shall be accurate and kept up to date.
v. Personal Data shall be processed in accordance with the data subjects’ rights.
vi. Appropriate technical and organisational measures shall be taken against unauthorised or
unlawful processing of personal data and against the accidental loss or destruction of, or
damage to personal data.
vii. Personal Data shall not be transferred outside of the EU except in circumstances defined
in the Act and with approval from the Exalt Training Ltd Data Protection Officer.
i. Confidentiality means that only people who have a need to know and are authorised to use personal data can access it.
ii. Integrity means that personal data is accurate and suitable for the purpose for which it is
iii. Availability means that authorised users can access personal data when they need it for authorised purposes.
Staff must comply with and not attempt to circumvent the administrative, physical and technical safeguards that Exalt Training Ltd has implemented and maintains in accordance with the GDPR and DPA18 regulations. Where Exalt Training uses external organisations to process personal information on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal information.
Contracts with external organisations must provide that:
i. the organisation may only act on Exalt Training Ltd.’s written instructions;
ii. those processing data are subject to the duty of confidence;
iii. appropriate measures are taken to ensure the security of processing;
iv. the organisation will assist Exalt Training Ltd in providing subject access and allowing individuals to exercise their rights in relation to data protection;
v. the organisation will delete or return all personal information to Exalt Training Ltd as requested at the end of the contract;
vi. the organisation will submit to audits and inspections, provide Exalt Training Ltd with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell Exalt Training Ltd immediately if it does something infringing data protection law.
Before any new agreement involving the processing of personal information by an external organisation is entered into, or an existing agreement is altered, the relevant staff must seek approval from Caroline Sharp and the CEO.
4.4 Collecting Personal Data – Lawfulness, Fairness and Transparency –
We will only process personal data where we have one of six ‘lawful bases’ (legal reasons) to do so under data protection law:
i. The data needs to be processed so that Exalt Training Ltd can fulfil a contract with the
individual, or the individual has asked Exalt Training Ltd to take specific steps before entering into a contract;
ii. The data needs to be processed so that Exalt Training Ltd can comply with a legal obligation;
iii. The data needs to be processed to ensure the vital interests of the individual e.g. to protect
iv. The data needs to be processed so that Exalt Training Ltd, as a private limited company,
can perform a task in the public interest, and carry out its official functions;
v. The data needs to be processed for the legitimate interests of Exalt Training Ltd or a third
party (provided the individual’s rights and freedoms are not overridden);
vi. The individual (or their parent/carer when appropriate in the case of a learner under 18)
has freely given clear consent;
vii. Where we offer online services to learners, such as classroom apps, and we intend to rely on consent as a basis for processing personal data, we will obtain parental consent where the learner is under 16.
Whenever we first collect personal data directly from individuals, we will provide them with the relevant information required by data protection law.
ix. Subject access requests must be submitted in writing, by either letter, email or fax to
Caroline Sharp. They should include:
i. name of individual;
ii. correspondence address;
iii. contact number and email address;
iv. details of the information requested.
iii. will respond without delay and within 1 month of receipt of the request;
iv. Challenge processing which has been justified on the basis of public interest.
i. Personal data should not be retained for any longer than is necessary. The length of
time data should be retained will depend on a number of circumstances including
the reasons why personal data was obtained.
ii. Paper-based records and portable electronic devices, such as laptops and hard
drives that contain personal data are kept securely when not in use. Papers
containing confidential personal data must not be left on office and classroom desks,
on staffroom tables, pinned to notice/display boards, or left anywhere else where
there is general access.
iii. Passwords are used to access Exalt Training Ltd computers, laptops and other
electronic devices. Staff and learners are reminded to change their passwords at
iv. Access to USB storage is not allowed unless appropriate encryption software is
approved and used to protect the device and its content.
v. Where we need to share personal data with a third party, we will carry out due
diligence and take reasonable steps to ensure it is stored securely and adequately
4.13 Monitoring and Review – Caroline Sharp, DPO is responsible, with support from HR, for monitoring and reviewing this Policy. This Policy will be reviewed, as a minimum, every three years and updated, as applicable, to ensure that it remains fit for purpose in the light of any relevant changes to the law, organisational policies or contractual obligations.
5.3 Processing – anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying. Processing can be automated or manual.
6. RELATED POLICIES
6.1 Safeguarding Policy
7. WHO WILL NEED TO KNOW ABOUT THIS POLICY
7.2 All Managers
7.3 All Learners
i. With any questions about the operation of this Policy, data protection law, retaining personal data or keeping personal data secure.
ii. If they have any concerns that this Policy is not being followed.
iii. If they are unsure whether they have a lawful basis to use personal data in a particular way.
iv. If they need to rely on or capture consent, deal with data protection rights invoked by an individual, or transfer personal data outside the European Economic Area.
v. If there has been a data breach.
vi. Whenever they are engaging in a new activity that may affect the privacy rights of individuals.
vii. If they need help with any contracts or sharing personal data with third parties.