Setting the Scene with GDPR
Dear Teachers, Party Leaders & Customers
General Data Protection Regulation (Regulation (EU) 2016/679), known as the GDPR, is a new regulation which, from May 25th, 2018, replaces the Data Protection Regulation (Directive 95/46/EC).
This regulation, which applies to all EU member states and their citizens, enhances privacy rights for individuals and provides a strict framework within which commercial organisations can legally operate.
The UK government has indicated its intention for the GDPR to remain part of UK law after the country leaves the EU in March 2019 and has accordingly introduced a Data Protection Bill to replace the current Data Protection Act.
Your rights under the GDPR are as follows:
Our policy sets out how Select School Travel Limited (“Select”, “we”, “us”, “our”), as “Data Controller” in respect of the personal data detailed below, obtain and use your personal data as well as your rights regarding our possession and processing of such data under GDPR-POL-001.
Defining Who We Are:
Select School Travel Limited is a tour operator specialising in bespoke school and group tours in the UK and abroad. It is important to note that GDPR has further reach/credence outside of the EU with its core guidelines linking with the USA, under ‘Privacy Shield’.
Finally, we would stress that is advisable that teachers/party-leaders seek in their launch letters explicit consent for data sharing with a ‘Data Controller’ that your operator has permission to transmit in the EU and beyond utilising an encrypted process.
Should you have any queries please email: email@example.com
Managing Director, Select School Travel Limited
GENERAL EXAMPLE CORRESPONDENCE FROM A SCHOOL/ESTABLISHMENT WITH RESPECT TO THE GENERAL DATA PROTECTION REGULATION
Like many organisations, we are currently reviewing our policies and practices in readiness for the General Data Protection Regulation that comes into effect on 25th May 2018. As the recognised Data Controller with respect to personal information relating
to staff, pupils, parents, governors, volunteers, and other persons past, present and prospective with an association with the school. We have identified you, Select School Travel Ltd, as a Data Processor on our behalf in respect of our planned residential/trip with you where it will be necessary to share personal information for staff and pupils with you.
Data Processors can be any person, company or body that processes personal data on behalf of the Data Controller. While it is in the Data Processor’s hands, the personal data in question remains, in broad terms, the responsibility of the Data Controller. However, under GDPR, Data Processors will have certain liabilities and obligations in addition
to the liability that remains with the Data Controller. This relationship is reflected -and indeed, as a legal requirement, must be accurately captured -in a written contract between the two parties. We are currently collating extant data processing agreements that exist between School x and Data Processors. In many circumstances these will be embedded into wider contracts. Please forward details to me at the address or email below as soon as possible.
Where there is no appropriate documentation in place, we propose using our own Data Processing Agreement. The data processing agreement will, as a legal requirement under GDPR, cover issues like the security of the data, record keeping obligations, breach reporting, returning or destroying the data on command, and limitations on sub-contracting (or rather “sub-processing”) -meaning that a sub-contractor cannot be appointed to process the personal data without the ultimate Data Controller’s knowledge and permission.
SELECT RESPONSE: The most advisable course of action is to re-sign the booking form which attaches to the revised terms and conditions, policies. This update is then dated and formally recorded in line with the new regulation.
Please direct queries to the firstname.lastname@example.org