Privacy Notice
School Yearbooks
Scope
All data subjects whose data is processed by TEPE Holdings Group. TEPE Holdings Group includes Clarkeprint Ltd, Clarkeprint FM Ltd and Waveney Publishing Ltd trading as Wave Ed.
Responsibilities
The Data Protection Officer and GDPR Owner are responsible for ensuring that this notice is placed in front of potential data subjects prior to TEPE Holdings Group collecting/processing their personal data.
All Employees/Staff of TEPE Holdings Group who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and their consent to the processing of their data is secured.
Procedure Statement
In this context we are operating under instruction from and processing your data as a Data Processor on behalf of the school who remain the Data Controller.
The personal data we collect from will be used for the following purposes:
To collate and publish in print the school yearbook
When sharing your data with us the data may be processed by third parties
If your school chooses to share via Wave Ed’s ShareFile service your data will be processed by Citrix Systems, Inc; all data shared via Wave Ed’s ShareFile system will remain within the EU. Citrix Systems, Inc is a US company registered with the EU-US Privacy Shield Framework, you can read Citrix’s privacy policy at https://www.sharefile.com/privacy and their Privacy Shield information at https://www.sharefile.com/privacy-shield
If your school chooses to share via Wave Ed’s Google Drive/G Suite service your data will be processed and stored by Google, you can ready Google’s privacy policy at https://policies.google.com/privacy?hl=en-GB&gl=uk; Google are registered with the EU-US Privacy Shield Framework
If your school chooses to share via Wave Ed’s Microsoft OneDrive service your data will be processed and stored by Microsoft on UK servers, you can read Microsoft’s privacy policy at https://privacy.microsoft.com/en-gb/privacystatement, Microsoft are registered with the EU-US Privacy Shield Framework
If your school chooses to share via Wave Ed’s WeTransfer service your data will be processed and stored by WeTransfer on servers in the EU, you can read WeTransfer’s privacy policy at https://waveprint.wetransfer.com/legal/privacy
Yearbook profile entries made using the Wufoo platform will be processed by SurveyMonkey Inc, trading as Wufoo. In processing your data Wufoo may transfer your data outside of the EU, you can find details of their Privacy Shield Policy here https://www.surveymonkey.com/mp/policy/privacy-policy/
Yearbook profile entries made using the Typeform platform will be processed by TYPEFORM, SL. In processing your data Typeform may transfer your data outside of the EU, you can find details of their Privacy Policy here https://admin.typeform.com/to/dwk6gt
We will only supply copies of the printed yearbook via the school, or to individuals with the schools permission. It is important that customers understand that once published and delivered the physical books which contain personal data will be in the public domain and no longer under the control of TEPE Holdings Group.
By providing your personal data you are giving us consent to perform these actions.
What Is Personal Data?
Under the EU’s General Data Protection Regulation Personal Data is defined as “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Special Categories Of Personal Data
Certain data are classified under the Regulation as "special categories":
Racial
Ethnic origin
Political Opinions
Religious Beliefs
Trade-union membership
Genetic Data
Biometric Data
Health Data
Data concerning a natural person's sex life
Sexual orientation
Other
Consent is required for TEPE Holdings Group to process both types of personal data, but it must be explicitly given. Where we are asking you for sensitive personal data we will always tell you why and how the information will be used.
Why Does TEPE Holdings Group Need To Collect And Store Personal Data?
In order for us to provide you with the information and services that you have requested we need to collect personal data for correspondence purposes and/or service provision. In any event, we are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.
How TEPE Holdings Group Uses Your Information
TEPE Holdings Group will process - that means collect, store and use - the information you provide in a manner that is compatible with the EU’s General Data Protection Regulation (GDPR). We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. In some instances, the law sets the length of time information has to be kept, but in most cases TEPE Holdings Group will use its discretion to ensure that we do not keep records outside of our normal business requirements.
We may pass your personal data on to our service providers who are contracted to TEPE Holdings Group during dealing with you. Our contractors are obliged to keep your details securely, and use them only to fulfil the service they provide you on our behalf. Once your service need has been satisfied or the case has been closed, they will dispose of the details in line with TEPE Holdings Group’s procedures. If we wish to pass your sensitive personal data onto a third party we will only do so once we have obtained your consent, unless we are legally required to do so.
Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.
Your Rights As A Data Subject
Data subjects have the following rights regarding data processing, and the data that is recorded about them:
To make subject access requests regarding the nature of information held and to whom it has been disclosed
To prevent processing likely to cause damage or distress
To prevent processing for purposes of direct marketing
To be informed about the mechanics of automated decision-taking process that will significantly affect them
Not to have significant decisions that will affect them taken solely by automated process
To sue for compensation if they suffer damage by any contravention of the GDPR
To take action to rectify, block, erase, including the right to be forgotten, or destroy inaccurate data
To request the ICO to assess whether any provision of the GDPR has been contravened
The right for personal data to be provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller
The right to object to any automated profiling without consent
You may make a subject access request, or withdraw consent for processing at any time by writing to the Data Protection Officer at dpo@clarkeprint.co.uk or TEPE Holdings Ltd, 45-47 Stour Street, Birmingham, B18 7AJ.
Complaints
If you have concerns about how TEPE Holdings Group is processing your personal data and haven't received a satisfactory response from the Data Protection Officer you can make a complaint directly to the Information Commissioners Office, you can find further details about how to go about this at https://ico.org.uk
Document Management
This document is valid as of 01/03/2018.
This document is reviewed periodically and at least annually to ensure compliance with the following prescribed criteria.
General Data Protection Regulation
Legislative requirements defined by law, where appropriate