Data Protection Policy - UK GDPR

1. General Statement of Beauty Expert Academy Duties and Scope 

 

Beauty Expert Academy is required to process relevant personal data regarding members of staff, Learners, applicants, emergency contacts, volunteers, clients, and employers and shall take all reasonable steps to do so in accordance with this policy. Beauty Expert Academy does not sell personal data and only purchases data for legitimate business reasons. 


2.  Definitions 

 

· “Beauty Expert Academy” is the training Beauty Expert Academy. It includes Beauty Expert Academy and additionally covers any contracted subcontractors. 

· “Learners” is all persons studying and training with Beauty Expert Academy.

· “All Staff” is all staff or employees of the Beauty Expert Academy, including those on temporary or part-time contracts and volunteers.

· “Emergency contacts” includes the contact details of a parent, carer, or custodian to be contacted in case of an emergency involving a relevant learner or staff member.

· “Employers” is all partner employers who engage in the delivery of Beauty Expert Academy programmes, inclusive of work experience placements.

· “Clients” is all persons who attend a Beauty Expert Academy for training courses as part of a learner's training programme.

· “Data Subject” is a living natural individual who is the subject of the personal data.

 

3. Accessibility of this document. 

 

This policy is written using clear and plain language and is considered age-appropriate (Age 16 and above) for the accessibility of all data subjects of Beauty Expert Academy. A copy of this document will be posted on the Beauty Expert Academy Website.

 

4. Data Protection Controller and Data Protection Officer 

 

Beauty Expert Academy has appointed the Centre Manager as the Data Protection Controller (DPC), and our Course Co-ordinator as Data Protection Officer (DPO), who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of current Data Protection Legislation, currently the Data Protection Act 1998 and (EU) General Data Protection Regulation 2016/679 (GDPR). The Protection of Freedoms Act 2012 is also relevant to parts of this policy. The Academy is exempt from requests made under the Freedom of Information Act 2000.
 

5. The Principles 

 

Beauty Expert Academy shall comply with the Data Protection Principles contained in the legislation to ensure all data is:

 

· Fairly and lawfully processed in a transparent manner. 

· Processed for a legitimate purpose. 

· Adequate, relevant, and not excessive. 

· Accurate and up to date. 

· Not kept for longer than necessary. 

· Processed in accordance with the data subject's rights. 

· Processed securely.

 

6. Personal Data 

 

Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment, such as the member of staff’s name and address and details for payment of salary, or a learner’s attendance records and programme progress. Personal data may also include sensitive personal data as defined in the legislation. The data collected is explained in greater detail within the relevant division privacy policy.

 

7. Data Security and storage

 

The organisation will take appropriate technical and organisational steps to ensure the security of personal data. All staff will be made aware of this policy and their duties under the legislation. Beauty Expert Academy and, therefore, all staff, learners, employers and any other stakeholders are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are followed to protect against the unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to, all personal data. Violations of this policy by staff may be treated as misconduct or gross misconduct in line with the Beauty Expert Academy disciplinary procedure. An appropriate level of data security must be deployed for the type of data and the data processing being performed. Personal data must be stored in appropriate company-approved systems and should be encrypted when transported offsite. Some personal data, however, may be appropriate for publication or limited publication within the company and therefore has a lower requirement for data security, for example, learner successes and awards, learner work, and salon news articles.

 

8. Rights of the Data Subject 

 

UK-GDPR expands the rights of the data subject over previous legislation. Specifically, data subjects have:

 

1. The right to be informed. 

2. The right of access. 

3. The right to rectification. 

4. The right to erasure. 

5. The right to restrict processing. 

6. The right to data portability. 

7. The right to object. 

8. Rights in relation to automated decision-making and profiling. 

 

This policy and the published Privacy Policy are part of these rights. If you wish to exercise, or receive a request to exercise, any of these rights, with the exception of the right of access, please contact the company department processing that information in the first instance or email Beauty Expert Academy. Information on the right of access and how to exercise it is detailed in this policy. Not all rights are applicable to all personal data; applicability may depend on the lawful basis on which the personal data is being processed.

 

9. Processing of Personal Data

 

The Academy maintains a Privacy Policy which details the personal information processed and the legal basis for processing that data. The current version can be viewed on all company websites; a copy can also be requested to be viewed at the relevant business building. Beauty Expert Academy processes some personal data for purposes considered direct marketing. Data subjects have the right to withdraw consent to these activities; these requests should be made via a SAR request to [email protected].

 

10. Sensitive Personal Data 

 

Beauty Expert Academy may, from time to time, be required to process sensitive personal data, especially in HR and training functions. Sensitive personal data includes data relating to medical information, age, gender, religion, race, sexual orientation, and safeguarding information. This information is gathered and processed as a legal obligation within the company’s function.

 

11. Criminal Convictions and Offences. 

 

Beauty Expert Academy does not maintain registers of, or process data on, criminal convictions and offences other than as required for safeguarding purposes within its training divisions. Specifically, Enhanced DBS checks are required for all regulated activity staff within the training division. Where convictions or adverse findings are present, that data is used as part of a staff recruitment risk assessment and recorded within the central register system Sentry.

 

12. Rights of Access to Information (Subject Access Request or ‘SAR’) 

 

Data subjects have the right to access and remove their Personal Data held by Beauty Expert Academy, subject to the provisions of current Data Protection legislation. Any data subject wishing to access their personal data should put their request in writing to the DPC or DPO via [email protected]. Beauty Expert Academy will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, no longer than one month for access to personal data. The information will be made available to the data subject as soon as is reasonably possible after it has come to the Academy's attention and in compliance with the relevant legislation. Proof of identity is required before any information will be made available. Only the DPC or DPO can authorise a Subject Access Request. Any other staff receiving such a request MUST immediately pass it to the DPC / DPO for processing or refer the person making the request to the DPC / DPO. 

 

13. Exemptions 

 

Certain personal data or obligations are exempted from some of the provisions of the Data Protection legislation, which includes matters such as processing for National Security and Public Security, and the prevention or detection and prosecution of criminal offences. The above are examples only of some of the exemptions under the legislation. Any further information on exemptions should be sought from the DPC or DPO or via the Information Officers website https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

 

14. Accuracy 

 

Beauty Expert Academy will endeavour to ensure as far as reasonably practical that all personal data held in relation to all data subjects is accurate. Data subjects must notify the relevant salon or academy of any changes to information held about them. 

 

15. Enforcement 

 

If an individual believes that Beauty Expert Academy has not complied with this policy or has acted otherwise than in accordance with data protection legislation, they should notify the DPC or DPO via Beauty Expert Academy.

 

16. External Processors and Controllers 

 

Beauty Expert Academy will ensure that data processed by external processors (for example, service providers and cloud services, including storage and websites) is handled in compliance with this policy and the relevant legislation. All external processors and controllers must be listed in the data processing register.

 

17. Secure Destruction 

 

When data held in accordance with this policy is destroyed, it will be destroyed securely in accordance with best practice at the time of destruction. 

 

18. Retention of Data 

 

Beauty Expert Academy may retain data for differing periods of time for different purposes as required by statute or best practice. Statutory obligations, legal processes and enquiries may also direct the retention of certain data. Beauty Expert Academy may store some data for predetermined periods as set out by contractual government requirements, such as registers, photographs, exam results, and achievements indefinitely in its archives.

 

Contacts and Representatives. 

 

The DPC and DPO can be contacted in writing via the published main Academy address. The DPO can be contacted via email at [email protected]