402 Club LTD GDPR Policy
1. Introduction
402 Club LTD (“we”, “our”, “us”, “the Company”) is committed to protecting the privacy and security of personal data. This policy describes how we collect, use, and handle personal information in accordance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
2. Scope
This policy applies to all personal data processed by 402 Club LTD, including data of children aged 8-11 years and their parents or guardians.
3. Data Protection Principles
We adhere to the principles set out in the GDPR, which require that personal data shall be:
a) Processed lawfully, fairly, and transparently
b) Collected for specified, explicit, and legitimate purposes
c) Adequate, relevant, and limited to what is necessary
d) Accurate and, where necessary, kept up to date
e) Kept in a form which permits identification for no longer than necessary
f) Processed in a manner that ensures appropriate security
4. Types of Data We Collect
We collect and process the following types of personal data:
4.1 Children’s Data (ages 8-11):
– Full name
– Date of birth
– Gender
– School information
– Academic performance data
– Attendance records
4.2 Parent/Guardian Data:
– Full name
– Contact information (address, email, phone number)
– Relationship to child
– Payment information
5. Lawful Basis for Processing
We process personal data on the following lawful bases:
a) Consent: Where explicit consent has been given for the processing of personal data.
b) Contract: Where processing is necessary for the performance of a contract.
c) Legal obligation: Where processing is necessary for compliance with a legal obligation.
d) Vital interests: Where processing is necessary to protect someone’s life.
e) Public task: Where processing is necessary for the performance of a task carried out in the public interest.
f) Legitimate interests: Where processing is necessary for the legitimate interests pursued by 402 Club LTD or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
6. Consent
Where we rely on consent as the lawful basis for processing:
a) We will obtain consent from parents/guardians for processing children’s data.
b) Consent will be freely given, specific, informed, and unambiguous.
c) We will keep records of when and how we obtained consent.
d) We will regularly review consents to ensure they are still appropriate.
e) We will make it easy for consent to be withdrawn at any time.
7. Children’s Data
We take additional precautions when processing children’s data:
a) We use clear and plain language in all communications directed at children.
b) We obtain parental consent for all processing of personal data for children under 13.
c) We do not make decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on children.
d) We carry out Data Protection Impact Assessments for any processing that is likely to result in a high risk to children’s rights and freedoms.
8. Data Subject Rights
We respect and uphold the rights of data subjects, including children and their parents/guardians:
a) The right to be informed
b) The right of access
c) The right to rectification
d) The right to erasure
e) The right to restrict processing
f) The right to data portability
g) The right to object
h) Rights in relation to automated decision making and profiling
We will respond to all requests within one month of receipt.
9. Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
a) Encryption of personal data where appropriate
b) Regular testing and evaluation of the effectiveness of security measures
c) Staff training on data protection and security
d) Access controls and logging mechanisms
e) Secure disposal of data when no longer required
10. Data Breaches
In the event of a personal data breach:
a) We will notify the DPO within 72 hours of becoming aware of the breach, where feasible.
b) If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will inform those individuals without undue delay.
c) We will keep a record of any personal data breaches, regardless of whether we are required to notify.
11. Data Protection Impact Assessments (DPIA)
We will carry out DPIAs for any new technologies or processing activities that are likely to result in a high risk to individuals.
12. International Transfers
We do not transfer personal data outside the UK and European Economic Area (EEA) unless such transfer is covered by an adequacy decision or appropriate safeguards as defined in GDPR.
13. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
14. Third-Party Processors
Where we engage third parties to process personal data on our behalf, we require them to:
a) Process the data only on our instructions
b) Implement appropriate technical and organisational measures
c) Assist us in fulfilling our obligations under GDPR
d) Delete or return all personal data at the end of the contract
15. Data Protection Officer
Our designated Data Protection Officer is:
Mr Jody Ivie
info@the402.club
07949924507
16. Complaints
If you have any concerns about our use of your personal data, please contact our Data Protection Officer. You also have the right to complain to the Information Commissioner’s Office (ICO).
17. Policy Review
This policy will be reviewed annually or in light of any legislative or regulatory changes.
Last updated: 09/10/2024
Signed: Jody Ivie
Position: DPO
Date: 09/10/2024