In accordance with the General Data Protection Regulation (GDPR), we have created this rule sheet to instruct our employees on how to process personal data. This rule sheet sets out the reasons for processing personal data, the lawful basis that permits us to process it and how long we keep personal data. All employees authorised to process personal data must follow these rules.
1. DEFINITIONS
- Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. DATA PROTECTION PRINCIPLES
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
- processing is fair, lawful and transparent
- data is collected for specific, explicit, and legitimate purposes
- data collected is adequate, relevant and limited to what is necessary for the purposes of processing
- data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
- data is not kept for longer than is necessary for its given purpose
- data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures
- we comply with the relevant GDPR procedures for international transfers of personal data
Students opt in to having data stored and processed by us. We have a published privacy policy and this data policy is available to all upon request. LIYSF has an appointed Data Protection Officer that oversees and audits our data policies. This officer is Jessica Scopel.
3. TYPES OF DATA & PROCESSING
3.1 LIYSF will only process personal data when we:
- have been given the consent of the individual concerned
- need the personal data to fulfil a contractual obligation with the individual
- need the personal data to satisfy a legal obligation
- need the personal data to protect the vital interests of the individual
- process personal data to carry out the task in the interest of the public
3.2 We keep several categories of personal data in order to carry out effective and efficient processes; these are:
- student personal data (submitted by email and through our secured online platform, stored in SharePoint Excel files and WP profiles).
- staff personal data (submitted by email and stored in SharePoint Excel files). This includes passport copies and criminal record checks.
- guest speaker personal data (submitted by mail and stored in SharePoint Excel files).
- payment portal data: the portal stores contact details and addresses and takes payments by card. It is a third-party platform that is GDPR compliant; card details are partially hidden and are deleted after the transaction is complete.
- third party personal data (from submitted contracts).
- Personal data is kept in files or within the Company's IT systems.
- All files saved to individual devices have to be deleted immediately, and download folders have to be cleared right after download completion.
During the LIYSF event, physical lists are created with essential data only (name, country, gender). Hall lists also include medical and special needs. These lists are created for operational use and are only given to senior staff. The physical lists are collected after use and shredded, as supervised by our Data Protection Officer.
4. DURATION PERSONAL DATA IS KEPT & PURPOSE
4.1 STUDENT DATA HELD
Students have given consent to be updated about future developments of LIYSF. Student personal data is kept for a maximum of 6 years.
- Kept for 1 year:
  - Name
  - Country
  - School
  - LIYSF details
  - Address
  - Phone
  - Emergency Contact
  - Medical
  - Diet
  - Date of Birth
  - Gender
We keep this data to operate the programme and need the personal data to protect the vital interests of the individual.
- Kept for 6 years:
  - Name
  - Country
  - School
  - LIYSF details
4.2 STAFF DATA HELD
We need the personal data of our staff:
- to fulfil a contractual obligation with the individual.
- to comply with legal obligations including bookkeeping and tax administration.
- to process complaints.
Staff data types stored:
- Name
- Address
- Country
- Phone
- Emergency Contact
- Medical
- Diet
- Date of Birth
- Gender
- Curriculum Vitae
- Passport copy
- Criminal Records Check
- LIYSF details
Staff personal data is kept for a maximum of 6 years to meet the above obligations. We keep the name and e-mail of our staff for longer than 6 years only for those who have opted in to receive updates about the LIYSF programme by means of e-mail newsletters.
5. RIGHTS OF THE DATA SUBJECTS
The data subject has the following rights:
- Right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.
- Right to obtain from the controller information such as the purposes of the processing and the recipients or categories of recipient to whom the personal data have been or will be disclosed.
- Right to access the personal data.
  - The data subject shall have the right to receive the following information: the categories of the personal data concerned and the purposes of the processing.
  - The controller shall provide the information to the data subject within 30 days of the data subject's written request.
- Right to request from the controller rectification of personal data.
  - The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure ('right to be forgotten').
  - The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    - the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
    - the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing.
    - the personal data have been unlawfully processed.
- Right to restriction of processing.
  - The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
- Right to data portability.
  - The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
- Right to object.
  - The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
You can access the personal information we hold on you by writing to us using the contact details listed at the start of this document. You can also contact us by email at [email protected].
We will ask you to provide proof of identity (2 forms, 1 of which must be a passport) before we show you your personal information; this is so we can prevent unauthorised access. Proof of identity must be provided via a personal appointment at our offices.
After 25 May 2018, in the event that an access request is unfounded, excessive or especially repetitive, we may charge a 'reasonable fee' for meeting that request. Similarly, we may charge a reasonable fee to comply with requests for further copies of the same information. That fee will be based upon the administrative costs of providing the information.
In accordance with Article 77 of the General Data Protection Regulation, you also have the right to lodge a complaint with a supervisory authority. For the purposes of the UK, the supervisory authority is the Information Commissioner’s Office (ICO).
6. CONFIDENTIALITY AND SECURITY PROVISIONS
- Employees must observe the principle of confidentiality and keep confidential any information relating to personal data of which they have become aware. The obligation of confidentiality continues to apply after a change of position or after leaving the Institution.
- The Institution shall appoint, by order of the director, the employees who may work with personal data. Employees may only access and use the documents and data files that they have been authorised to access and manage.
- Employees must protect personal data against any accidental or unlawful destruction, alteration or disclosure, and must take care of the proper and safe storage of documents and data files, avoiding unnecessary duplication. If an employee doubts the reliability of the security measures installed, he must contact his supervisor to assess the security measures available and, if necessary, initiate the purchase and installation of additional measures.
- Employees who can access personal data, or from whose computers virtual file storage can be accessed, must use passwords. Passwords must be changed periodically, at least once every three months, as well as in certain circumstances (for example, when the password might have become known to third parties). Only the employee may know his computer password.
- Computers that store personal data must not be freely accessible from other computers on the network. The antivirus program on these computers must be kept up to date.
7. RIGHT TO ACCESS
We ensure that individuals can access their personal data, free of charge, when requested. If we receive such a request, we will:
- tell them whether we are processing their personal data
- tell them about the processing (the purpose of the processing, the categories of personal data concerned, the recipients of their data, etc.)
- give them a copy of the personal data being processed (in an accessible format)
If LIYSF receives a request from an individual who wants to exercise their rights, we will respond to this request without undue delay and in any case within 1 month of receiving the request. This response time may be extended by 2 months for complex or multiple requests, as long as the individual is informed about the extension. Requests are dealt with free of charge.
If a request is rejected, we will inform the individual of the reasons for doing so and of their right to file a complaint with the Data Protection Authority.
8. SECURITY OF PERSONAL DATA
We take appropriate technical and organisational measures to secure personal information and to protect it against unauthorised or unlawful use and accidental loss or destruction, including:
- only sharing and providing access to personal information to the minimum extent necessary, subject to confidentiality restrictions where appropriate, and on an anonymised basis wherever possible.
- using secure servers to store your information.
- verifying the identity of any individual who requests access to information prior to granting them access to information.
- using Secure Sockets Layer (SSL) software or other similar encryption technologies to encrypt any payment transactions you make on or via our website.
- using an extra password for verification on personal data files for the current year and on staff data.
- keeping a log of the status of personal data processing in files, according to the rule sheet timelines. This ensures all data handling and storage meets our data policy and is audited. This process is overseen by the DPO and signed off by the Director.
9. DATA BREACHES
A data breach occurs when the personal data we are responsible for is disclosed, either accidentally or unlawfully, to unauthorised recipients, is made temporarily unavailable, or is altered.
If a data breach does occur and the breach poses a risk to individual rights and freedoms, we will notify our Data Protection Authority within 72 hours after becoming aware of the breach.
Depending on whether or not the data breach poses a high risk to those affected, LIYSF may also be required to inform all individuals affected.
All SPAM incidents will be reported here: https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-emails/report-spam-emails/
This policy is in good faith as of February 2024.