GDPR Policy
Introduction
Oxford College of Business and Management (https://www.ocbm.uk/) (“OCBM”, “we”, “us”, or “our”), including the sub-brands eConsultancy (https://econsultancy.ocbm.uk/) and eLearning (https://elearning.ocbm.uk/) (collectively referred to as the “Websites”), are committed to protecting the privacy and personal data of all users. This GDPR policy outlines how we collect, use, retain, and share personal data in compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. It details users’ rights, consent management, and how we ensure user access regardless of consent decisions.
1. Purpose
This policy aims to:
- Inform Consumers: At or before data collection, users are informed about:
  - How Data is Collected: Through user interactions and automated means such as cookies.
  - Retention of Data: Data is retained only for as long as necessary or required by law.
  - Categories of Personal Data: Personal identification, contact information, financial details, academic data, and sensitive information.
  - Purposes for Data Collection: Service delivery, communication, improvement of services, legal compliance, and marketing (with consent).
  - Data Sharing: Personal data may be shared with third parties as required, and we disclose these parties.
  - Data Sales: OCBM does not sell personal data.
- Inform Website Visitors of Their Rights: Users are clearly informed about their GDPR rights and how to exercise them.
- Ensure Clarity and Accessibility: Privacy policies and cookie banners are written clearly, with geolocation features to tailor language for users in different regions.
- Implement Privacy Notice: A comprehensive privacy notice is provided detailing data use, consumer rights, and consent management options.
2. Data Protection Principles
OCBM adheres to the principles of data protection as specified in Article 5 of the GDPR:
a. Lawful, Fair, and Transparent Processing: We process personal data in a lawful, fair, and transparent manner. Individuals are informed about how their data is collected and used.
b. Purpose Limitation: Personal data is collected for specific, explicit, and legitimate purposes and is not processed further in a way that is incompatible with those purposes.
c. Data Minimization: We collect only the data necessary for the purposes for which it is processed. Data is adequate, relevant, and limited to what is necessary.
d. Accuracy: Personal data is accurate and kept up to date. We take steps to correct or erase inaccurate data promptly.
e. Storage Limitation: Data is kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it was collected.
f. Security: We implement appropriate measures to ensure data security, protecting against unauthorized access and processing, and accidental loss, destruction, or damage.
3. Data Protection Officer
OCBM has appointed a Data Protection Officer (DPO) responsible for overseeing GDPR compliance. The DPO can be contacted for any queries or concerns regarding data protection.
Contact Details:
- Name: Oxford College of Business and Management
- Email: info@ocbm.uk
- Address: MC 101, 3 HQ, The Quadrant, Warwick Road, Coventry UK, Postcode: CV1 2DY
4. Data Collection and Processing
a. How Data is Collected
- Direct Collection: Through forms, registrations, and subscriptions.
- Automated Collection: Via cookies, web beacons, and tracking technologies.
- Third-Party Sources: Data received from partners and service providers.
b. Categories of Personal Data Collected
- Personal Identification Information: Name, date of birth, identification numbers.
- Contact Information: Email addresses, phone numbers, postal addresses.
- Financial Information: Payment details, billing information.
- Academic and Professional Information: Educational background, qualifications and professional experiences.
- Sensitive Personal Data: Health information, racial or ethnic origin, religious beliefs.
c. Purposes for Which Data is Collected
- Service Delivery: Managing educational services, consultancy, and customer support.
- Communication: Sending updates, newsletters, and relevant information.
- Service Improvement: Analyzing user behaviour for service enhancement.
- Legal Compliance: Fulfilling legal obligations and regulatory requirements.
- Marketing: Informing users about services, promotions, and events with their consent.
d. Data Retention
Data is retained only for as long as necessary for the purposes for which it was collected or as required by law. Our data retention schedule is documented and available upon request.
e. Data Sharing and Third Parties
- Data Sharing: Personal data may be shared with third-party service providers who adhere to GDPR compliance.
- Third-Party Sales: OCBM does not sell personal data. Data sharing is conducted with explicit consent and in accordance with legal requirements.
f. Obtaining Valid Consent from Users
OCBM ensures compliance with GDPR consent requirements through the following practices:
- Explicit Consent: Users must actively give consent by ticking a box or clicking a link. Consent cannot be assumed from pre-ticked boxes or passive behaviour.
- Informed Consent: Users receive clear information about who is collecting data, what data is being collected, the purpose of collection, and how long it will be retained.
- Documented Consent: Records of consent, including details about the information provided to users and the method of consent, are maintained for audit purposes.
- Prior Consent: Data collection begins only after consent is obtained. Nonessential cookies and tracking technologies are not activated until consent is provided.
- Granular Consent: Consent is obtained for specific purposes, not bundled with other activities. Our consent management platform (CMP) allows users to make detailed consent choices for cookies and tracking technologies.
- Freely Given Consent: Users have easy and equal access to “Accept” or “Deny” consent options, prominently displayed.
- Easy Withdrawal of Consent: Users can withdraw consent as easily as it was given, with options available on the same layer of the CMP.
g. User Access and Cookie Management
- Access Despite Consent Refusal: Users can access our website, app, or services even if they refuse consent for nonessential cookies or tracking technologies. Essential cookies necessary for website functionality are set without requiring consent.
- Notification of Non-Consent Impacts: Users who decline consent for certain cookies or tracking technologies will be notified that some functions or services may not work correctly, affecting their experience.
- Opt-In Option After Refusal: If a user has opted out of data processing, we will present the option to opt in again after 12 months.
5. Data Subject Rights
Under GDPR, users have the following rights:
- Right of Access: Users can request information on whether their personal data is processed, what data is held, and details about processing purposes. They can also access their data.
- Right to Rectification: Users can request corrections or updates to inaccuracies in their personal data and will be notified when the corrections are made.
- Right to Erasure (Right to be Forgotten): Users can request the deletion of their personal data, subject to legal exceptions, and will be notified upon completion.
- Right to Restriction of Processing: Users can request a halt to the processing of their personal data, either temporarily or permanently.
- Right to Data Portability: Users have the right to receive their personal data in a portable format that can be readily transferred to another service provider.
- Right to Object: Users can object to the processing of their personal data for specific purposes, including marketing and profiling.
- Right to Know About Automated Decision-Making: Users can request information about automated decision-making processes, including profiling, and their potential outcomes.
- Right to Opt-Out of Automated Decision-Making: Users can refuse the use of automated decision-making technologies, including profiling, with respect to their personal data.
- Right to Non-Discrimination: Users will not face discrimination for exercising their GDPR privacy rights.
6. Compliance and Record-Keeping
- Secure Data Recording and Storage: We take reasonable measures to securely record and store all user data, including consent preferences.
- Audit Readiness: In the event of an audit by data protection authorities (DPA), we must be able to verify users’ consent for all data collected and the purposes of processing.
- Data Subject Access Requests (DSAR): We will provide users with the data specified by GDPR’s “Rights of the Data Subject” in a timely manner, including consent preferences.
7. Review and Updates
- Regular Reviews: We review our operations and potential changes in the law every 12 months to ensure our GDPR policy remains compliant and effective.
- Policy Updates: We update our Privacy Policy information and its effective date annually or as needed, even if no other changes are made. The date of the last update is clearly visible.
- Transparency: We ensure that the information users need is clear, comprehensive, and up to date. The date of the last update is prominently displayed.
- Data Sold: OCBM does not sell personal data. If applicable, we would list all categories of personal information sold in the past 12 months, but currently, no personal data has been sold.
8. Implementation and User Interaction
- Privacy Notice: A detailed privacy notice is available on our websites, explaining data use, consumer rights, and consent management.
- Cookie Banner and CMP: A cookie banner with a consent management platform (CMP) allows users to manage their consent preferences, including opting out of nonessential data collection.
- Geolocation Features: Geolocation features customize the privacy notice and cookie banner language based on user location to enhance clarity and user experience.
9. International Data Transfers
Transfers of personal data outside the European Economic Area (EEA) are conducted in accordance with GDPR requirements, ensuring that data protection standards are maintained.
10. Breach Notification
In the event of a data breach, OCBM will notify the relevant supervisory authority and affected data subjects as required by GDPR, ensuring prompt and transparent communication.
11. Data Security and Record-Keeping
- Secure Data Storage: We securely record and store all user data, including consent preferences.
- Audit Compliance: We can verify user consent and processing purposes during audits.
- DSAR Compliance: We provide requested data promptly in response to data subject access requests (DSAR).
12. Policy Review and Updates
- Regular Reviews: This policy is reviewed annually and updated as necessary to reflect changes in legal requirements and operational practices.
- Policy Updates: The effective date of this policy is updated with each review, regardless of other changes.
- Transparency: We ensure that the policy is clear, comprehensive, and up to date. Categories of personal data sold, if applicable, are listed.
Contact Information
For questions or concerns regarding this GDPR policy or personal data handling, please contact:
Oxford College of Business and Management
Address: MC 101, 3 HQ, The Quadrant, Warwick Road, Coventry UK, Postcode: CV1 2DY
Email: info@ocbm.uk
———————————————————————————————————————————————
This GDPR policy is effective as of 1st August 2024.
———————————————————————————————————————————————
Thank you for your trust in Oxford College of Business and Management. We are committed to providing the best education and consultancy services.