PRIVACY POLICY

DATA PROTECTION POLICY
1 Introduction

1.1 Masterclass Training Ltd (the “Company”) holds personal data about job applicants, employees, consultants, clients, suppliers and other individuals for a variety of business purposes.
1.2 This policy sets out how the Company seeks to protect personal data and ensure staff understand the rules governing their use of personal data.
1.3 In particular, this policy requires staff to ensure that the Company’s Data Privacy Manager is consulted before any significant new data processing activity is initiated, so that relevant compliance steps are addressed, including carrying out a privacy impact assessment and security review.
1.4 The Company’s Data Privacy Manager is responsible for the monitoring and implementation of this policy. If you have any questions about the content of this policy or other comments, you should contact the Company’s Data Protection Officer.

2 Scope
2.1 This policy applies to all staff, which for these purposes includes employees, consultants, temporary and agency workers, other contractors, interns and volunteers.
2.2 All staff must be familiar with this policy and comply with its terms.
2.3 This policy supplements any other Company policies from time to time in force relating to information security, document management and retention, deletion, procurement and communications.
2.4 This policy does not form part of any terms and conditions of employment. The Company may supplement, amend or withdraw this policy at any time.

3 Definitions
3.1 In this policy:
business purposes means the purposes for which personal data may be used by the Company, eg personnel, administrative, financial, regulatory, payroll and business development purposes;
personal data means information relating to identifiable individuals, such as job applicants, current and former employees, consultants, agency, contract and other staff, clients, suppliers and marketing contacts. This includes expressions of opinion about the individual, any indication of someone else’s intentions towards the individual, and unique identifiers such as IP addresses;
(Special category) sensitive personal data means personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, or sexual life. It includes genetic and biometric data.
Criminal offences or related proceedings are treated in a similar way to sensitive data. Any use of sensitive personal data must be strictly controlled in accordance with this policy;
processing data means obtaining, recording, holding or doing anything with data, such as organising, using, altering, retrieving, disclosing or deleting it.

4 General principles
4.1 The Company’s policy is to process personal data in accordance with the applicable data protection laws and rights of individuals as set out below. All staff have personal responsibility for the practical application of the Company’s data protection policy.
4.2 The Company will observe the following principles in respect of the processing of personal data:
4.2.1 to process personal data fairly, lawfully, transparently and in line with individuals’ rights;
4.2.2 to make sure that any personal data processed for a specific, explicit and legitimate purpose are only processed for that purpose and as per instructions from the employer. The data processed should be adequate, relevant and limited to what is needed for that purpose; records to be maintained of the purpose and legal grounds of processing;
4.2.3 to keep personal data accurate and where needed up to date; reasonable steps to be taken to delete or rectify personal data that is inaccurate for its purpose;
4.2.4 to keep personal data for no longer than is necessary;
4.2.5 to process data in a way that ensures that we maintain security of the data against unauthorised or unlawful processing and against accidental loss, destruction or damage;
4.2.6 not to transfer personal data outside the EEA (which includes the EU countries, Norway, Iceland and Liechtenstein) without adequate protection, or such arrangements as required as a result of withdrawal from the European Union;
4.2.7 to co-operate with investigations and audits and to assist the Data Privacy Manager with carrying out data subject rights requests;
4.2.8 when appropriate to your role, to assist with the maintenance of data inventories.

5 Security
5.1 Staff must keep personal data secure against loss, destruction or misuse in accordance with this policy. Where the Company uses external organisations to process personal data on its behalf, additional security arrangements should be implemented in contracts with those organisations to safeguard the security of personal data. Staff should consult the Company’s Data Privacy Manager to discuss the necessary steps to ensure compliance when setting up any new agreement or altering any existing agreement.
5.2 Staff must ensure that any data transferred within the organisation or to third parties is transferred securely and in accordance with this policy.

6 Data retention and Management
6.1 Personal data should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal data was obtained. It is also important to label and store personal data in accordance with any applicable data management procedures for security and compliance with deletion policies and subject rights.

7 International transfer
7.1 Staff should not transfer personal data internationally without first consulting the Company’s Data Privacy Manager. Transfer includes hosting. There are restrictions on international transfers of personal data to other countries because of the need to ensure adequate safeguards are in place to protect the personal data. Staff unsure of what arrangements have been or need to be put in place to address this requirement should contact the Company’s Data Privacy Manager.

8 Rights of individuals
8.1 Individuals have a number of rights, such as the right to request access to information held about them, the right to be forgotten and the right to object to direct marketing. All such requests or complaints should be referred immediately to the Company’s Data Privacy Manager. This is particularly important because the Company must respond to a valid request within the legally prescribed time limits. You should also assist with any requests made of you in relation to your job role by the Company’s Data Privacy Manager to comply with data subject rights, such as if you are asked to carry out a search for personal data.
8.2 Any member of staff who would like to correct or request information that the Company holds relating to them should contact the Company’s Data Privacy Manager. It should be noted that there are certain restrictions on the information to which individuals are entitled under applicable law.
8.3 Staff should not send direct marketing material to someone electronically (eg by email or SMS) unless there is an existing business relationship with them in relation to the services being marketed. Staff should abide by any request from an individual not to use their personal data for direct marketing purposes and should notify the Data Protection Officer about any such request. Staff should contact the Company’s DPO for advice on direct marketing before starting any new direct marketing activity.

9 Reporting breaches
9.1 Staff have an obligation to report actual or potential data protection compliance failures to the Company’s Data Protection Officer as soon as possible. This allows the Company to:
9.1.1 investigate the failure and take remedial steps if necessary; and
9.1.2 make any applicable notifications.

10 Consequences of failing to comply
10.1 The Company takes compliance with this policy very seriously. Failure to comply puts both staff and the Company at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action, which may result in dismissal.
10.2 Staff with any questions or concerns about anything in this policy should not hesitate to discuss these with the Company’s Data Protection Officer.