General Data Protection Regulation (GDPR) Policy 

This page on TheLearningWeb.co.uk sets out our GDPR policy: how we use the personal data of registered users and the rights they have over it, in accordance with EU Regulation 2016/679, the General Data Protection Regulation (GDPR), and, for processing carried out in the United Kingdom, the UK GDPR as retained under the Data Protection Act 2018. This policy sets out our obligations and the rights of our customers and business contacts (“data subjects”).

Introduction

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to identifiers such as a name, identification number, location data, online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. 

Company Obligations

This policy outlines our obligations regarding the collection, processing, transfer, storage, and disposal of personal data. These procedures and principles must be followed at all times by The Learning Web, its employees, agents, contractors, and other parties working on behalf of the Company. 

We are committed to complying with both the letter and the spirit of the law, ensuring the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals we deal with. 

Data Protection Principles

Our policy aims to ensure compliance with the GDPR, which mandates that all personal data must be: 

  • Processed lawfully, fairly, and transparently in relation to the data subject.
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay.
  • Kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed, unless for public interest archiving, scientific or historical research, or statistical purposes.
  • Processed securely, ensuring protection against unauthorised or unlawful processing, accidental loss, destruction, or damage using appropriate technical or organisational measures. 

Rights of Data Subjects

Under the GDPR, data subjects have the following rights: 

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure (the ‘right to be forgotten’)
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights regarding automated decision-making and profiling 

Lawful, Fair, and Transparent Data Processing

We ensure that personal data is processed lawfully, fairly, and transparently without adversely affecting the rights of the data subject. Processing is lawful if at least one of the following applies: 

  • The data subject has given consent for specific purposes.
  • Processing is necessary for the performance of a contract with the data subject.
  • Processing is necessary for compliance with a legal obligation.
  • Processing is necessary to protect the vital interests of the data subject or another person.
  • Processing is necessary for a task carried out in the public interest or official authority.
  • Processing is necessary for legitimate interests pursued by the data controller or a third party, except where overridden by the data subject’s rights. 

If processing involves “special category data” (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data used for identification, health data, or data concerning a person’s sex life or sexual orientation), an additional condition under Article 9 must also be met, such as the data subject’s explicit consent or the necessary protection of someone’s vital interests.

Specified, Explicit, and Legitimate Purposes

We collect and process personal data only for specific, explicit, and legitimate purposes. Data subjects are always informed of these purposes. 

Adequate, Relevant, and Limited Data Processing

We collect and process only the personal data necessary for the specific purposes communicated to data subjects. 

Accuracy and Keeping Data Up-to-Date

We ensure all personal data is accurate and up-to-date. Inaccurate data is corrected or deleted promptly. Regular checks are conducted to maintain data accuracy. 

Data Retention

Personal data is retained only as long as necessary for the purposes it was collected. Once no longer needed, data is securely erased or disposed of promptly. For details, refer to our Data Retention Policy. 

Secure Processing

We ensure all personal data is securely processed and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Specific technical and organisational measures are implemented to maintain data security.

Contact Information

For more information about our GDPR policy or to exercise your rights as a data subject, please contact us at: 

  • The Learning Web  
  • Stand Together Network
  • 311 Fore Street, Community House
  • London  
  • N9 0PZ
  • Telephone: 07507614843 

Email: [info@thelearningweb.co.uk](mailto:info@thelearningweb.co.uk) 

This policy ensures we handle personal data in compliance with GDPR, maintaining the highest standards of data protection and privacy for our users. 

Oversight and Compliance

The Data Protection Officer (DPO) is responsible for overseeing the implementation of this policy, monitoring compliance with GDPR and other applicable data protection legislation, and ensuring adherence to the Company’s data protection-related policies. 

Record Keeping

The Company will maintain detailed internal records of all personal data collection, holding, and processing activities, including: 

  • The name and contact details of the Company, its DPO, and any applicable third-party data processors.
  • The purposes for which the Company collects, holds, and processes personal data.
  • Details of the categories of personal data collected, held, and processed, and the categories of data subjects.
  • Information on any transfers of personal data to non-EEA countries, including the mechanisms and safeguards in place.
  • Data retention periods.
  • Descriptions of the technical and organisational measures in place to ensure data security. 

Data Protection Impact Assessments

The Company will conduct Data Protection Impact Assessments (DPIAs) for all new projects and new uses of personal data. These assessments will be overseen by the DPO and will address: 

  1. The types of personal data to be collected, held, and processed.
  2. The purposes for using personal data.
  3. The Company’s objectives.
  4. Methods for using personal data.
  5. Consultation with internal and/or external parties.
  6. The necessity and proportionality of data processing.
  7. Risks to data subjects.
  8. Risks to the Company.
  9. Measures to minimise and handle identified risks.

Keeping Data Subjects Informed

The Company will inform data subjects of the following when their personal data is collected directly or from a third party: 

  • The identity and contact details of the Company and its DPO.
  • The purposes and legal basis for processing personal data.
  • The legitimate interests pursued by the Company, if applicable.
  • The categories of personal data, if not collected directly from the data subject.
  • Details of third-party recipients of personal data.
  • Transfers of personal data outside the EEA, including safeguards in place.
  • Data retention periods.
  • Data subject rights under GDPR.
  • The right to withdraw consent at any time.
  • The right to lodge a complaint with the Information Commissioner’s Office.
  • Any legal or contractual requirement for providing personal data and consequences of failing to provide it.
  • Information on automated decision-making or profiling. 

Data Subject Access Requests

Data subjects may request access to their personal data at any time. Requests should be made in writing to the DPO at: 

  • The Learning Web  
  • Stand Together Network 
  • 311 Fore Street, Community House, Edmonton N9 0PZ
  • Tel: 02088870155 

Email: [info@thelearningweb.co.uk](mailto:info@thelearningweb.co.uk) 

Responses to requests will be made within one month, extendable by two months for complex requests. No fee will be charged for normal requests, but reasonable fees may apply for excessive or repetitive requests. 

Rectification of Personal Data

Data subjects have the right to request rectification of inaccurate or incomplete personal data. The Company will correct the data and inform the data subject within one month, extendable by two months for complex requests. Third parties will be notified of corrections where applicable. 

Erasure of Personal Data

Data subjects can request the erasure of their personal data under specific circumstances, such as when the data is no longer needed for its original purpose or if the data subject withdraws consent. The Company will comply within one month, extendable by two months for complex requests. Third parties will be informed of the erasure if applicable. 

Restriction of Personal Data Processing

Data subjects can request the restriction of their personal data processing. While processing is restricted, the Company will continue to store the data but will not otherwise process it, except with the data subject’s consent, for the establishment, exercise, or defence of legal claims, to protect the rights of another person, or for important public interest reasons. The data subject will be told before any restriction is lifted. Third parties will be informed of the restrictions where applicable.

Objections to Personal Data Processing

Data subjects have the right to object to the processing of their personal data carried out on the basis of legitimate interests, for direct marketing, or for research or statistical purposes. On receiving an objection, the Company will cease the processing unless it can demonstrate compelling legitimate grounds that override the data subject’s interests, rights, and freedoms, or the processing is needed for legal claims. Objections to direct marketing are absolute: processing for that purpose will stop as soon as the objection is received.

Data Security

Transferring Personal Data

  • Emails containing personal data must be encrypted and marked “confidential”.
Personal data should only be transmitted over secure, encrypted connections or networks.
  • Hardcopy data transfers should be sent via secure methods, such as Royal Mail Registered or Signed For post. 

Storage

  • Electronic copies of personal data should be stored securely with passwords and encryption.
  • Hardcopies and removable media should be stored securely in locked containers.
  • Daily backups of electronic data should be encrypted and stored onsite.
  • Personal data should not be stored on mobile devices without formal approval. 

Disposal

  • Personal data should be securely deleted when no longer needed. 

Use of Personal Data

Access to personal data should be formally requested and authorised by the DPO.
  • Personal data must be handled with care and not left unattended or visible to unauthorised individuals.
Marketing use of personal data requires appropriate consent, and opt-out preferences must be checked and honoured before any marketing is sent.

IT Security

  • Passwords should be changed regularly, be strong, and not shared.
  • Software should be kept up-to-date with security patches.
  • No software should be installed without prior approval. 

Organisational Measures

  • Employees and contractors must be aware of their responsibilities under GDPR and this policy.
  • Access to personal data is limited to those who need it for their duties.
  • Employees and contractors handling personal data will receive appropriate training and supervision.
  • Methods of data collection, holding, and processing will be regularly reviewed.
  • Personal data handling performance will be evaluated regularly.
  • All parties handling personal data on behalf of the Company must comply with GDPR principles and this policy.
Third parties that fail to comply will be required to indemnify the Company against any related costs, damages, or claims.

This policy ensures the Company’s compliance with GDPR, protecting the privacy and rights of all data subjects. 

Transferring Personal Data to a Country Outside the EEA

The Company may occasionally transfer personal data to countries outside of the European Economic Area (EEA). Such transfers will only occur if one or more of the following conditions are met:  

  • The transfer is to a country, territory, or specific sectors in that country (or to an international organisation) that the European Commission has determined ensures an adequate level of data protection.
  • The transfer is to a country (or international organisation) that provides appropriate safeguards through one of the mechanisms recognised by the GDPR: a legally binding and enforceable agreement between public authorities or bodies, binding corporate rules, standard data protection clauses adopted by the European Commission, compliance with an approved code of conduct or an approved certification mechanism (with binding and enforceable commitments from the recipient), contractual clauses authorised by the competent supervisory authority, or provisions in administrative arrangements between public authorities authorised by the competent supervisory authority.
  • The transfer is made with the explicit consent of the relevant data subject(s), given after they have been informed of the possible risks of the transfer arising from the absence of an adequacy decision and appropriate safeguards.
  • The transfer is necessary for the performance of a contract between the data subject and the Company, or for pre-contractual steps taken at the data subject’s request.
  • The transfer is necessary for important public interest reasons.
  • The transfer is necessary for the establishment, exercise, or defence of legal claims.
  • The transfer is necessary to protect the vital interests of the data subject or other individuals when the data subject is physically or legally incapable of giving consent.
  • The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and is open for access by the public in general or to those able to demonstrate a legitimate interest in accessing the register. 

Data Breach Notification

  • All personal data breaches must be reported immediately to the Company’s Data Protection Officer (DPO).
  • If a personal data breach is likely to result in a risk to the rights and freedoms of data subjects (such as financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic harm), the DPO must inform the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of the Company becoming aware of the breach; where notification is made later, the reasons for the delay will be given.
  • If a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the DPO must inform all affected data subjects directly and without undue delay. 

Data Breach Notification Content

Notifications of data breaches will include the following information: 

  • The categories and approximate number of data subjects affected.
  • The categories and approximate number of personal data records involved.
  • The name and contact details of the Company’s Data Protection Officer or another contact point for more information.
  • The likely consequences of the breach.
  • The measures taken or proposed by the Company to address the breach, including any steps to mitigate possible adverse effects.