Privacy Policy

Here at Arrival, our priority is the relationship we build with you and an integral part of that is trust. As we are sure you’re aware, there have been recent changes to Data Protection in the EU and the aim of this document is to highlight why we require certain data from you, how and where we store it, and your rights in obtaining or requesting deletion of this data.

Introduction

The introduction of the General Data Protection Act (GDPR) in May 2018 replaces the Data Protection Act 1995. Its purpose is to protect the “rights and freedoms” of natural persons and ensure their data is not processed without their knowledge or consent.

Personal Data is any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person. Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process Personal Data. An organisation that handles Personal Data and makes decisions about its use is known as a Data Controller. Arrival Education, as a Data Controller, is responsible for ensuring compliance with the Data Protection requirements outlined in this policy.

Scope

This policy applies to all entities where a Data Subject’s Personal Data is processed:

• In the context of the business activities.
• For the provision or offer of goods or services to individuals (including those provided or offered free-of-charge).
• To actively monitor the behaviour of individuals.
• Monitoring the behaviour of individuals includes using data processing techniques such as persistent web browser cookies or dynamic IP address tracking to profile an individual with a view to:
  • Taking a decision about them.
  • Analysing or predicting their personal preferences , behaviours and attitudes.

This policy applies to all Processing of Personal Data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.
‍

Definitions

Data Subject: The identified or Identifiable Natural Person to which the data refers.

Process, Processed, Processing: Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection: The process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, processing, transfer or destruction.

Data Protection Authority: An independent Public Authority responsible for monitoring the application of the relevant Data Protection regulation set forth in national law.

Data Processors: A natural or legal person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller

Consent: Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Special Categories of Data: Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

Profiling: Any form of automated processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an Identifiable Natural Person. In particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Encryption: The process of converting information or data into code, to prevent unauthorised access.

Pseudonymisation: Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a “key” that allows the data to be re-identified.

Anonymisation: Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person.
‍

Policy

Data Protection Principles

Arrival Education has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of Personal Data:

Lawfulness, Fairness and Transparency

1. Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. This means, Arrival Education must tell the Data Subject what Processing will occur (transparency), the Processing must match the description given to the Data Subject (fairness), and it must be for one of the purposes specified in the applicable Data Protection regulation (lawfulness).
   ‍

Purpose Limitation

1. Personal Data shall be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes.
   ‍

Data Minimisation

1. Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
   ‍

Accuracy

1. Personal Data shall be accurate and kept up to date.
   ‍

Storage Limitation

1. Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed.
   ‍

Integrity & Confidentiality

1. Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.
   ‍

Accountability

1. The Data Controller shall be responsible for, and be able to demonstrate compliance. This means Arrival Education must demonstrate that the six Data Protection Principles (outlined above) are met for all Personal Data for which it is responsible.
   ‍

Data collection & Data Subject Consent

1. Arrival Education will obtain Personal Data only by lawful and fair means and, where appropriate with the knowledge and Consent of the individual concerned. Where a need exists to request and receive the Consent of an individual prior to the collection, use or disclosure of their Personal Data, Arrival Education is committed to seeking such Consent.
   ‍

Data Subject Notification

1. Arrival Education, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide Data Subjects with information as to the purpose of the Processing of their Personal Data. This may be given electronically or in writing.
   ‍

Data use & Data Processing
‍Arrival Education uses the Personal Data of its Contacts for the following broad purposes:Arrival Education will not share Personal Data with third parties.
‍

1. The general running and business administration of Arrival Education.
2. To provide services to Arrival Education clients.
3. The ongoing administration and management of our programmes.
   ‍

Special Categories of Data

1. Arrival Education will only Process Special Categories of Data (also known as sensitive data) where the Data Subject expressly consents to such Processing. Where Special Categories of Data are being Processed, Arrival Education will adopt additional protection measures.
   ‍

Data Quality

1. Arrival Education will adopt all necessary measures to ensure that the Personal Data it collects and Processes is complete and accurate in the first instance, and is updated to reflect the current situation of the Data Subject.
   ‍

Profiling

1. Arrival Education will only engage in Profiling where it is necessary to enter into, or to perform, a contract with the Data Subject or where it is authorised by law. Profiling used for data measurement purposes will be anonymised.
   ‍

Digital Marketing

1. Arrival Education will not send promotional or direct marketing material to a Contact through digital channels such as mobile phones, email and the Internet, without first obtaining their Consent.
2. It should be noted that where digital marketing is carried out in a ‘business to business’ context, there is no legal requirement to obtain an indication of Consent to carry out digital marketing to individuals provided that they are given the opportunity to opt-out.

Data Retention

The length of time for which Arrival Education need to retain Personal Data is for the duration of the programme you embark on with us and up to 6 years after its completion to comply with the law, unless requested to be deleted by the Data Subject. All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
‍

Data Protection

To prevent unauthorised access, maintain data accuracy and ensure the correct use of information, we have put in place appropriate physical, electronic and managerial procedures designed to safeguard and secure the information we collect online.
‍

Data Subject Rights

Data Subjects are entitled to obtain, based upon a request made in writing and upon successful verification of their identity, the following information about their own Personal Data:

• The purposes of the collection, Processing, use and storage of their Personal Data.
• The source(s) of the Personal Data, if it was not obtained from the Data Subject.
• The categories of Personal Data stored for the Data Subject.
• The recipients or categories of recipients to whom the Personal Data has been or may be transmitted, along with the location of those recipients.
• The envisaged period of storage for the Personal Data or the rationale for determining the storage period.
• The use of any Profiling.
  ‍

The Data Subject then has the right to:

• Object to the Processing of their Personal Data;
• Lodge a complaint with the Data Protection Authority;
• Request rectification or erasure of their Personal Data and/or
• Request restriction of Processing of their Personal Data.
  ‍

Once a request has been made Arrival Education is responsible for actioning it within the 30 day timeline specified by the Data Protection Authority.
‍

Law Enforcement Requests and Disclosure

In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of a Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes:

• The prevention or detection of crime.
• The apprehension or prosecution of offenders.
• The assessment or collection of a tax or duty.
• By the order of a court or by any rule of law.
  ‍

Publication

This policy is effective as of May 2018 and is reviewed annually.

Revision

Changes to this policy will come into force when requested by the Data Protection Authority