General Data Protection Regulation (GDPR)

Our Data Protection Policy in line with the General Data Protection Regulation (GDPR):

1) The purpose of the policy:

We recognize how important this information is to our customers so we have outlined how

your academic institution’s data is used by Raising Foundation.

2) Definition of key terms:

Consent – The EU GDPR defines consent as any “freely given, specific, informed and

unambiguous” indication of the individual’s wishes by which the data subject, either by a

a statement or by clear affirmative action signifies agreement to personal data relating to

them being processed for one or more specific purposes. Individuals also have the right to

withdraw consent at any given time.

Data Controller – Any individual, institution, or governing body that determines the

purposes and means of processing personal data. This entity has complete control of the

data and is responsible for it, alone or jointly.

Data Processor – A data processor processes the data on behalf of the data controller.

3) Scope:

Our GDPR is particularly relevant to our UK and EU customers but applies to all

international users. The information in our policy relates to personal information of

students, teachers, parents, and governing bodies. This information has been consented

to process by the data controller who has chosen Raising Foundation as a data

processor.

4) Principles:

The key principles of GDPR, as listed in Article 5 of the UK GDPR (Lawfulness, Purpose

limitation, Data minimisation, Accuracy, Storage limitation, Integrity/confidentiality

(security), and Accountability) is incredibly important to Raising Foundation. We are

committed to being transparent within our data processing methods with data controllers

and the wider community.

5). Data subject rights: Using Raising Foundation for your data processing needs endows

individuals with eight data subject rights. These rights are the following:

I). The right to be informed

We will inform data controllers of what data is being collected, how it’s being used,

how long it will be kept (if we do need to keep any data for any reason) and whether

it will be shared with any third parties. This information will be communicated simply

and concisely.

II). The right of access

Individuals can submit subject access requests when these requests are submitted,

we will provide a copy of any personal data we hold concerning the individual(s).

Organisations have one month to produce this information, although there are

exceptions for requests that are manifestly unfounded, repetitive or excessive.

III). The right to rectification

If an individual discovers that the information we hold on them is inaccurate or

incomplete, they can request that it be updated. As with the right of access, we have

one month to do this, and the same exceptions apply.

IV). The right to erasure

Individuals can request that we erase their data in certain circumstances,

such as when the data is no longer necessary, the data was unlawfully processed or

it no longer meets the lawful ground for which it was collected. This includes

instances where the individual withdraws consent.

V). The right to restrict processing

Individuals can request that we limit the way that we use your institution’s personal

data. This acts as an alternative to requesting the erasure of data and might be

used when an individual contests the accuracy of their personal data or when they

no longer need the information but we require it to establish, exercise or defend a

potential legal claim.

VI). The right to data portability

Individuals are permitted to obtain and reuse their personal data for their own

purposes across different services. This right only applies to personal data that an

individual has provided to data controllers by way of a contract or consent. As data

processors, Raising Foundation is not directly responsible for this data portability

but can assist your organisation with integration when consent is given via your data

controller(s).

VII). The right to object

Individuals can object to the processing of personal data that is collected on the

grounds of legitimate interests or the performance of a task in the interest/exercise

of official authority. We will therefore stop processing information unless we can

demonstrate compelling legitimate grounds for the processing that overrides the

interests, rights and freedoms of the individual or if the processing is for the

establishment or exercise or defence of legal claims.

VIII). Rights related to automated decision making including profiling

The GDPR includes provisions for decisions made with no human involvement,

such as profiling, which uses personal data to make calculated assumptions about

individuals. There are strict rules about this kind of processing, and individuals are

permitted to challenge and request a review of the processing if they believe the

rules aren’t being followed.

6) DPO (data protection officer): You should provide the name and contact details of

your DPO. If you’ve chosen not to appoint one (some organisations are exempt

from this requirement), you should list the senior member of staff responsible for

data protection.

This GDPR was created in line with IT Governance’s list of what a data protection policy

should include.

Our company is compliant with your right to privacy, please see our privacy policy HERE.