At Edenfield we take your privacy extremely seriously, and are fully committed to ensuring that any information that we hold is processed securely, and in a way that you can reasonably expect. This policy provides more detail on the information that you provide or that we collect from you, how we use it, and your rights in relation to our processing of your information.
This policy is written in accordance with the following legal instruments…
- The Data Protection Act 1998, which will be replaced by the General Data Protection Regulation (EU) 2016/679 from 25 May 2018 (“GDPR”)
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”)
- Directive 2009/136/EC of 25 November 2009 (“The European Union Cookie Directive”)
To make finding the information that is important to you easier, we have divided this policy into the following sections…
- About Edenfield
- Why do we collect information?
- The information we collect from you
- How we collect information
- How we use your information
- Third parties
- How we protect your information
- Your rights
- Questions and further information
1. About Edenfield
Edenfield H&S Training and Osteopathy Limited (“Edenfield”, “we”, “us”, “our”) is a company registered in England and Wales with registration number 08806644. Our registered office is The Bridge Centre, Birches Head Road, Stoke-on-Trent ST2 8DD.
2. Why do we collect information?
We will always ensure that there is a legal basis for collecting and processing data. The main reasons for processing your data will be…
- Because you have given us consent to process your data for a specific reason/s;
- To ensure that we are able to perform or fulfil a contract with you (or a contract made with someone else on your behalf that requires us to collect data from you, such as attending or completing a training course);
- To comply with our legal obligations and regulatory requirements; or
- For our legitimate interests, including:
- being able to effectively administer our business;
- to provide information to our clients; and
- to promote our business, products or services.
When processing data using the ‘legitimate interests’ condition, we will carry out a balancing test of our interest to ensure that our interest is not overridden by your rights, interests or freedoms.
3. The information we collect from you
On occasion, we need to collect both ‘Personal Data’ and ‘Special Category Data’ as defined by the GDPR. This may include:
Name, address and postcode, email address, telephone number, date of birth, gender, payment details (for online purchases or BACS payments) and employment information (employer and/or job role). Location data and online identifiers via cookies (see section 8 – ‘cookies’) may also be used when you visit our website.
Special Category Data
Information on medical conditions, disabilities and learning needs will also be collected and processed in relation to osteopathy treatments, or where there is a request for reasonable adjustments or special considerations.
4. How we collect information
There are several ways that we use to collect and obtain data. These include…
- Our website (online forms, cookies)
- Paper-based documents (workbooks, contracts, registration forms)
- Social media
- Via third parties (see section 6 – ‘third parties’)
5. How we use your information
Provision of goods and services
We will use the information that is provided to us to ensure that we are offering the best possible service to our customers and clients. This may include generic uses, such as acting upon customer feedback to change elements of our offer or developing a new product, or specific uses, such as using information provided as part of a client brief to ensure that we are providing a solution that is fit for purpose.
Award of qualifications and certification
We will use data to support the development, delivery, assessment and renewal of qualifications, the provision of training and the issue of certificates. For regulated qualifications, this will include sharing your data with an Awarding Organisation (see section 6 – ‘third parties’).
We will send clients and customers updates relating to our products and services, industry news, updates and changes to legislation. This information will be relevant to the products or services that have been provided previously, and we hope will be useful. If you would rather not receive these updates, you can either opt-out from any email communications and/or object to your data being used in this way (see section 8 – ‘your rights’).
From time to time, we may send you marketing information (unless you object) by email, post, telephone, social media or SMS. We will always be careful to contact you in a way which is non-intrusive, and can be reasonably expected for the message being conveyed. Our marketing communications will be compliant with the PECR, and will always give you the opportunity to opt-out from receiving future communication.
6. Third parties
Providing data to third parties
To enable us to perform or fulfil our contract with you (or a contract made with someone else on your behalf), we sometimes need to pass your data to third parties. Examples of this include passing your information to Awarding Organisations in order to award a regulated qualification, or storing data on cloud-based systems (i.e. online bookings or eCommerce).
Where data needs to be passed to third parties, we will always ensure that due diligence checks have been conducted prior to commissioning / entering into a contract with the third party, and any data transferred will be done so securely (see section 7 – ‘how we protect your information’). If data is transferred or stored outside the EU, we will ensure that appropriate safeguards are in place and that data security standards are comparable to those of the EU.
We will never sell your data to third parties. If we use your data to develop or market our products and services (i.e. case studies, testimonials or statistics), we will always ask for your content, or ensure that data is anonymised pseudonymised prior to publication.
Obtaining data from third parties
We may process data that has been collected by a third party. Sources of this data may include…
- Someone who has personally provided us with your details (referrals);
- Social media platforms;
- Data brokers from who we purchase or access information for marketing and business development purposes;
- Partners with whom we are engaged with joint campaigns or we offer joint services; or
- Business-to-business information that is available in the public domain, such as company / organisation websites, public registers and databases (e.g. Companies House).
Where data is obtained from third parties, it is the responsibility of the third party to ensure that is has obtained your consent to share your personal information with us. Where possible, we will ask a third party to confirm that it has the right to pass this information to us.
When contacting you using information obtained via third parties, we will always ensure that any communications compliant with the PECR, and that you have the opportunity to opt-out from receiving future communication.
From time-to-time, we enter into contracts with associate / freelance providers to deliver training and services on our behalf. Individuals and organisations working with us in this way will be familiar with this policy and will have agreed to process data only for our purposes.
7. How we protect your information
Physical storage and transfer
We will store and transfer all paper-based records securely and ensure that it is only accessible by authorised individuals. We will also ensure that records are promptly and securely transported by either authorised individuals or through a secure carrier, and are not left unattended at any time.
Digital storage and transfer
We will ensure that any data stored electronically is protected by suitable security measures and can only be accessed by authorised individuals. Computers will be located in secure locations and mobile devices will have suitable protection (passwords, PIN numbers, encryption etc).
Any websites that we use to collect and process data will utilise appropriate security measures and will operate via a Hyper Text Transfer Protocol Secure (HTTPS) certificate.
We store and retain data for a reasonable period of time in relation to our business activities, or in accordance with our regulatory or contractual obligations. Training and assessment documentation will be retained for three years and six months following assessment.
Any paper-based records will be disposed of securely. They will either be shredded on site by an authorised individual or collected by a specialist confidential waste provider, with a certificate of disposal provided.
Electronic records will be permanently deleted (including secondary and cloud based backups).
The GDPR define a data breach as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In the highly unlikely event of a breach, we are legally obliged to notify the Information Commissioner’s Office and any data subjects who may be adversely affected.
Cookies are small text files which are downloaded to and stored on your device when you visit a website. Cookies are widely used by website owners to provide you with a good experience while you browse, and also to provide information which can help website owners to improve websites.
- Make our site work;
- Collect anonymous data on how users navigate our site, which helps us to improve it;
- Allow you to share content on social networks; and
- To help us provide relevant advertising to those who may be interested in it.
- Collect any personally identifiable information; or
- Pass personal identifiable data to third parties.
9. Your rights
Legally, you have rights in relation to the personal information that we hold about you, and can…
- Request a copy of the information being held;
- Request that we correct any personal information that is inaccurate or out of date;
- Withdraw your consent to processing (if we have relied on your consent to process your personal information);
- Request that we transmit your data so that you can use it for your own purposes (data portability);
- Object to us processing your personal information. If you do this, we will stop processing your personal information if we are doing so for our legitimate interests, processing it for direct marketing or research purposes (unless such processing is necessary for the performance of a contract); and
- Restrict the processing of your personal information if you contest the accuracy of the personal information that we hold about you. In this instance, we will stop any processing whilst verifying the accuracy of the personal information.
10. Questions and further information
If you would like any further information on this policy, you would like to make any changes to the data that we hold or you object to us processing your data, please contact us as soon as possible in one of the following ways…
By email… email@example.com
By phone… 0844 335 0492 (calls cost 7p per minute plus your phone company’s access charge)
By post… Edenfield, The Bridge Centre, Birches Head Road, Stoke-on-Trent ST2 8DD
This policy may change from time to time, so please check back regularly to for updates.