
GDPR
GDPR Policy – Effective Skills Training Ltd.
Date of Last Review: April 17, 2025
1. Introduction
Effective Skills Training Ltd. (hereinafter referred to as "the Company") is committed to protecting the privacy and security of personal data. This GDPR Policy outlines our obligations and practices regarding the collection, processing, storage, and disposal of personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and any applicable UK data protection legislation.
This policy applies to all employees, contractors, agents, and any other individuals working on behalf of the Company who have access to personal data.
2. Data Protection Principles
The Company adheres to the principles relating to the processing of personal data as set out in the GDPR. Personal data shall be:
- (a) Lawful, fair and transparent: Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- (b) Purpose limitation: Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- (c) Data minimisation: Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- (d) Accuracy: Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- (e) Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- (f) Integrity and confidentiality: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- (g) Accountability: The controller shall be responsible for and be able to demonstrate compliance with the principles.
3. Lawful Bases for Processing Personal Data
The Company will only process personal data when we have a lawful basis for doing so. These bases include:
- Consent: The data subject has given clear consent for the processing of their personal data for a specific purpose.
- Contract: The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation: The processing is necessary for compliance with a legal obligation to which the Company is subject.
- Vital interests: The processing is necessary to protect the vital interests of the data subject or of another natural person.
- Public interest: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests: The processing is necessary for the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.
The specific lawful basis for each processing activity will be documented.
4. Types of Personal Data Processed
The Company may process various types of personal data depending on the context, including but not limited to:
- Trainee Data: Name, contact details (address, email address, telephone number), date of birth, training records, assessment results, feedback, payment information.
- Employee Data: Name, contact details, employment history, qualifications, performance reviews, payroll information, bank details, absence records.
- Supplier/Partner Data: Contact names, business contact details.
- Website Visitors Data: IP address, browsing activity (through cookies – see our separate Cookie Policy).
- Marketing Data: Names and contact details of individuals who have expressed interest in our services.
5. Purposes of Processing Personal Data
The Company processes personal data for various purposes, including but not limited to:
- Delivering and administering training courses.
- Assessing trainee performance and issuing certifications.
- Managing employee relationships, including recruitment, payroll, and performance management.
- Managing relationships with suppliers and partners.
- Responding to inquiries and providing customer support.
- Marketing our services (with appropriate consent where required).
- Maintaining the security and functionality of our website and IT systems.
- Complying with legal and regulatory obligations.
6. Data Minimisation and Retention
The Company will only collect and process personal data that is necessary for the specified purposes. We will regularly review the personal data we hold and will securely delete or anonymise data that is no longer required.
Specific data retention periods will be defined in our Data Retention Policy, taking into account legal and regulatory requirements and business needs.
7. Data Subject Rights
Data subjects have the following rights under the GDPR:
- The right to be informed: About the collection and use of their personal data. This policy serves this purpose.
- The right of access: To request a copy of the personal data we hold about them.
- The right to rectification: To request that inaccurate or incomplete personal data be corrected.
- The right to erasure ('right to be forgotten'): To request the deletion or removal of their personal data where there is no compelling reason for its continued processing.
- The right to restrict processing: To request the restriction of the processing of their personal data in certain circumstances.
- The right to data portability: To receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
- The right to object: To object to the processing of their personal data in certain circumstances, including for direct marketing purposes.
- Rights in relation to automated decision making and profiling: To not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Individuals wishing to exercise these rights should contact the Data Protection Officer (details below). We will respond to such requests without undue delay and within one month of receipt.
8. Data Security
The Company takes the security of personal data seriously. We have implemented appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction, or damage. These measures include:
- Access controls and authentication.
- Encryption of personal data is appropriate.
- Regular security assessments and vulnerability testing.
- Staff training on data protection and security.
- Secure storage and disposal of personal data.
- Incident response procedures to address data breaches.
9. Data Transfers
The Company will only transfer personal data outside the UK and the European Economic Area (EEA) where there is an adequate level of protection in place in accordance with the GDPR, or where one of the derogations in Article 49 of the GDPR applies (e.g., with the explicit consent of the data subject, for the performance of a contract, or for the establishment, exercise, or defence of legal claims).
10. Data Breach Notification
In the event of a personal data breach, the Company will notify the relevant supervisory authority and affected data subjects where required to do so under the GDPR, without undue delay and, where feasible, not later than 72 hours after having become aware of it.
11. Roles and Responsibilities
- The Board of Directors is ultimately responsible for ensuring compliance with the GDPR.
- The Data Protection Officer (DPO) is responsible for overseeing the Company's data protection strategy and its implementation. The DPO's contact details are provided below.
- All employees and contractors are responsible for handling personal data in accordance with this policy and relevant procedures.
12. Contact Information
If you have any questions or concerns about this GDPR Policy or the way we handle your personal data, don't hesitate to get in touch with our Data Protection Officer:
Data Protection Officer: John O'Sullivan
Email: info@effectiveskillstraining.com
Telephone: 03300433808
13. Monitoring and Review
This GDPR Policy will be regularly reviewed and updated to ensure its ongoing compliance with the GDPR and any relevant legal or regulatory changes.