Privacy and Data Protection Policy
Date Created: September 2020
Last Reviewed: December 2024
Next Review: December 2025
1. Introduction
This policy outlines the data protection obligations of London School of Business & Education Ltd. (LSBE), a company registered in England & Wales (Company Number: 12838732). It explains how LSBE manages personal data under the EU General Data Protection Regulation (GDPR) and other applicable laws.
Personal data refers to any information relating to an identifiable individual, such as a name, email address, IP address, or location data. LSBE is committed to the lawful, fair, and transparent processing of personal data, ensuring privacy and trust in all interactions.
2. Data Protection Principles
LSBE ensures compliance with GDPR by following these principles:
- Process data lawfully, fairly, and transparently.
- Collect data for specific, legitimate purposes.
- Limit data to what is necessary and relevant.
- Maintain accurate, up-to-date data.
- Retain data only as long as necessary.
- Secure data against unauthorised access or breaches.
3. Data Subject Rights
Under GDPR, data subjects (customers, students, and employees) have the following rights:
- Right to be informed: Transparency about how personal data is collected and used.
- Right of access: Request and obtain copies of personal data.
- Right to rectification: Correct inaccurate or incomplete data.
- Right to erasure: Request deletion of data under certain conditions.
- Right to restrict processing: Limit how data is processed.
- Right to data portability: Transfer data to another organisation.
- Right to object: Opt out of data processing for specific purposes.
- Rights related to automated decision-making: Challenge decisions made solely through automated processes.
4. Why and How We Process Data
LSBE collects personal data to:
- Provide and improve services.
- Offer customer and technical support.
- Communicate updates, promotions, or service-related notices.
- Fulfil legal and contractual obligations.
- Conduct research and analytics.
Processing is lawful under GDPR if it meets at least one of these criteria:
- Consent from the data subject.
- Necessary for contract performance.
- Compliance with legal obligations.
- Protection of vital interests.
- Legitimate business interests, unless overridden by the subject's rights.
5. Data Storage and Security
- Hosting Platform: Data is stored securely on Wix.com’s servers, with access restricted by firewalls.
- Payment Processing: All payment data complies with PCI-DSS standards to ensure security.
- Retention Policy: Data is retained only as long as necessary for legal, academic, or business purposes, typically for up to 6 years following completion of studies.
6. Data Subject Access Requests (SARs)
Individuals can request details about their data by contacting LSBE's Data Protection Officer (DPO):
- Dr. Anne Walder: anne@londonsbe.com
LSBE will respond to SARs within one month unless additional time is needed for complex requests.
7. Data Breaches and Security Measures
LSBE implements technical and organisational measures to protect personal data, including encryption, access controls, and secure data transfers. In case of a data breach, affected individuals will be notified promptly, as required by GDPR.
8. Consent and Updates
- Consent Withdrawal: You can withdraw consent at any time by contacting admin@londonsbe.com.
- Policy Updates: This policy is reviewed annually and updated to reflect changes in regulations or operations. Material updates will be communicated to all data subjects.
The following personal data is collected, held, and processed by LSBE. For details regarding retention periods, please refer to LSBE’s Data Retention Policy:
Data Type: Purpose
- First name(s): For identification and certification purposes.
- Last Name: For identification and certification purposes.
- Gender: For identity verification and awarding body registration.
- Date of Birth (DOB): For identity verification and awarding body registration.
- Unique Learner Number (ULN): For government loan application and regulatory requirements.
- Ethnicity (Optional): For equality and diversity monitoring.
- Phone/Mobile Number: For course-related communication (e.g., payment, tutor support).
- Address: For certificate delivery and mailing purposes.
- Country: For monitoring market reach and certificate delivery.
- Email Address: For accessing online systems and ongoing communication.
21. Data Security: Transferring Personal Data and Communications
LSBE ensures secure data transfer and communications through the following measures:
- Emails containing personal data are encrypted using TLS/S/MIME encryption and marked as confidential.
- Personal data is transmitted only over secure networks; transmission via unsecured networks is strictly prohibited.
- Personal data in emails is securely copied and stored, and the email itself is deleted after processing.
- Hard copy transfers are securely managed and marked as confidential.
- No personal data is transmitted wirelessly unless no reasonable wired alternative exists.
22. Data Security—Storage
To protect personal data during storage:
- Electronic Data: Stored with password protection and HTTPS/TLS encryption.
- Physical Data: Secured in locked cabinets or similar containers.
- Backups: Offsite backups are encrypted for additional security.
- No personal data is stored on mobile devices unless explicitly approved in writing by the Data Protection Officer (DPO).
23. Data Security—Disposal
All personal data is securely erased or destroyed when no longer needed. For full disposal processes, refer to LSBE’s Data Retention Policy.
24. Data Security: Use of Personal Data
- Personal data access requires formal authorisation from the DPO.
- No data is shared informally or accessed by unauthorised parties.
- Data used for marketing purposes requires prior consent, ensuring no data subjects have opted out.
25. Data Security—IT Security
- Passwords: Regularly updated, containing complex character combinations.
- Software Updates: All software, including security-related updates, is applied promptly.
- Access Restrictions: No software installations or external access without DPO approval.
26. Organisational Measures
Staff, contractors, and third parties handling data must undergo GDPR training and comply with LSBE’s policies.
- Regular reviews of data collection, processing, and retention practices are conducted.
- Data processing roles and responsibilities are clearly communicated to all relevant parties.
27. Transferring Personal Data Outside the EEA
LSBE may transfer data outside the EEA only under the following conditions:
- The transfer is to countries deemed adequate by the European Commission.
- Appropriate safeguards (e.g., binding corporate rules, contractual clauses) are in place.
- The data subject has provided informed consent.
28. Data Breach Notification
- All breaches must be reported immediately to the DPO.
- The Information Commissioner’s Office (ICO) will be notified within 72 hours if the breach poses a risk to individuals.
- Affected individuals will be informed promptly if a breach significantly impacts their rights and freedoms.

This policy is published on Moodle and is accessible to all staff and students.
For any concerns or questions regarding this policy, please contact:
London School of Business & Education Ltd
Kemp House, 152-160 City Road,
London EC1V 2NX,
United Kingdom
Email: admin@londonsbe.com
End of Policy