1 Reason for Policy
The White Horse Federation is committed to safeguarding the privacy of all visitors to The White Horse Federation website, or the websites of schools within the Trust.
2 Policy Statement
The purpose of this Policy is to describe how personal data is collected and used while visiting the website, and your rights in relation to this.
3 Policy Scope
This Policy applies in instances where The White Horse Federation is acting as a data controller with respect to the personal information of those visiting one of our websites.
4 Policy Definitions
4.1 The Website
Throughout this Policy, “the website” refers to any of the websites owned and controlled by The White Horse Federation and its member academies.
4.2 The White Horse Federation
Throughout this Policy, “we”, “us”, and “our” refer to The White Horse Federation.
4.3 Cookies
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may either be “persistent” cookies or “session” cookies. A persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
For more information about the cookies we use and how, please refer to The White Horse Federation’s Cookie Policy.
4.4 Personal Data
Personal data refers to any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
5 Procedures
5.1 How We Use Your Personal Data
Article 13(1) of the GDPR provides that:
"(1) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: ... (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party".
Article 6(1)(f) of the GDPR provides that:
"(1) Processing shall be lawful only if and to the extent that at least one of the following applies: ... (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
In the following sections, we describe the categories of personal data that The White Horse Federation may process as a result of your use of the website. We have also described the purpose for processing that personal data, and the legal basis of the processing.
5.1.1 Usage Data
The White Horse Federation may process data about your usage of the website. This usage data could include:
- › Your IP address.
- › Your geographical location.
- › Your web browser type and version.
- › Your operating system and version.
- › Your referral source, and the length of your visit.
- › Your page views and website navigation paths.
- › Information about the timing, frequency, and pattern of your website usage.
The source of this data is our analytics tracking system, Google Analytics. This usage data may be processed for the purposes of analysing the use of the website so we can continue to improve the user experience for all visitors. The legal basis for this processing is our legitimate interests, which include monitoring and improving our website for all visitors.
5.1.2 Enquiry Data
The White Horse Federation may process information contained in any enquiry you submit to us via the website, or online form e.g. Google form, Microsoft form. The enquiry data may be processed for the purposes of providing a service to you. The legal basis for this processing is your consent.
5.1.3 Transaction Data
The White Horse Federation may process information relating to transactions that you enter into with us or facilitate through our website. In such cases the data may include your contact details, your payment card details, and the transaction details. The transaction data may be processed for the purpose of fulfilling the purchased order or service and keeping accurate records of those transactions. The legal basis for this processing is the proper administration of the website and the performance of a transaction between The White Horse Federation and you.
5.1.4 Notification Data
The White Horse Federation may process information that you provide to us for the purpose of subscribing to our email notifications and newsletters. The notification data may be processed for the purposes of sending you the relevant notifications you have requested. The legal basis for this processing is your consent.
5.1.5 Correspondence Data
The White Horse Federation may process information contained in, or related to, any communication that you send to us. The correspondence data may include the content of any message sent, and data associated with communications made using the website’s contact forms. The legal basis for this processing is the proper administration of our website and organisation-level communications with users, and your consent.
5.1.6 Additional Processing
The White Horse Federation may also process any of the personal data identified in this policy where necessary, for the purpose of:
- Establishing, exercising, or defending legal claims, in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights, and the legal rights of others.
- Obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.
- Compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.
5.1.7 Providing the Personal Data of Others
Please do not provide The White Horse Federation with any other person’s personal data, unless you are otherwise prompted to do so by us.
5.2 Providing Others with Your Personal Data
5.2.1 The White Horse Federation may disclose your personal data to any member of our group of companies, insofar as reasonably necessary for the purposes and legal bases established in this policy.
5.2.2 The White Horse Federation may disclose your personal data to our insurers and/or professional advisers, insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
5.2.3 Financial transactions related to our websites and services may be handled by our payment services providers. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payment, refunding payments, and dealing with complaints or queries related to transactions.
5.2.4 The White Horse Federation may disclose your enquiry data to one or more selected third party suppliers of goods and services, as identified on the website, for the purpose of enabling them to contact you so they can offer, market, or sell to you relevant goods and services. Each third party will act as a data controller in relation to the enquiry data that we supply to it. Upon contacting you, each third party will supply to you a copy of its own privacy policy, which will govern that third party’s use of your personal data.
5.2.5 In addition to the disclosures specifically set out in this Policy, we may also disclose your personal data where such disclosure is needed for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.
5.3 International Transfer of Your Personal Data
In this section, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area.
5.3.1 The hosting facilities for our website are operated by Afterburst and are situated in Germany. The privacy policy of this third party can be found at: https://afterburst.com/privacy-policy.
5.3.2 Google Analytics is used to facilitate the analytics of our website. To facilitate this, Google utilises a range of international data-transfer mechanisms that are certified under the EU - US and Swiss - U.S Privacy Shield Frameworks, which are a legal mechanism to enable the transfer of personal data from the EEA and Switzerland to the US, where certified organisations guarantee to provide a level of protection in line with EU data protection law. For more information about Google’s compliance with data protection law, visit: https://privacy.google.com/businesses/compliance.
5.3.3 MailChimp is used to facilitate certain functions of the website, including contact forms and newsletter mailing lists. MailChimp’s servers and offices are located in the United States, so your information may be transferred to, stored, and processed in the United States. MailChimp participates in and has certified its compliance with the EU - US Privacy Shield Framework and the Swiss - US Privacy Shield Framework. The privacy policy of this third party can be found at: https://mailchimp.com/legal/privacy/.
5.3.4 You acknowledge that the personal data you submit for publication through our website may be available, via the internet, around the world. The White Horse Federation cannot prevent the use (or misuse) of such personal data by others.
5.4 Retaining and Deleting Personal Data
The White Horse Federation’s personal data retention policies are designed to help ensure that we comply with our legal obligations in relation to the storage and deletion of personal data.
5.4.1 The personal data we process for any purpose will not be kept for longer than is necessary for that purpose.
5.4.2 In some cases, it may not be possible for The White Horse Federation to specify in advance the periods over which your personal data will be retained.
5.4.3 The White Horse Federation may retain your personal data where doing so is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person.
5.4.4 The categories personal data collected, and the process of storing, processing, and retaining that data may differ depending on your relationship to The White Horse Federation. For more information, refer to the TWHF - Privacy Notice section of The White Horse Federation’s GDPR portal, found at https://thewhitehorsefederation.org.uk/about-our-trust/gdpr.
5.5 Amendments
5.5.1 The White Horse Federation may update this policy from time to time by publishing a new version on our website.
5.5.2 You should check the website occasionally to ensure you are happy with any changes to this policy.
5.5.3 We may notify you of significant changes to this policy by email.
5.6 Your Rights
In this section, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries.
Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
5.6.1 Your principal rights under data protection law are:
- The right to access personal information.
- The right to rectification of personal information.
- The right to erasure of personal information.
- The right to restrict the processing of personal information.
- The right to object to the processing of personal information.
- The right to data portability.
- The right to complain to a supervisory authority.
- The right to withdraw consent.
5.6.2 You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned, and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee. You can submit a request to access your data by visiting https://thewhitehorsefederation.org.uk/about-our-trust/gdpr.
5.6.3 You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
5.6.4 In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include:
- The personal data are no longer necessary in relation to the purposes for which they were collected or processed.
- You withdraw consent to consent-based processing.
- You object to the processing under certain rules of applicable data protection law.
- The processing is for direct marketing purposes.
- The personal data has been unlawfully processed.
However, there are exclusions to the right to erasure. The general exclusions include where processing is necessary, such as for exercising the right of freedom of expression and information, for compliance with a legal obligation, or for the establishment, exercise, or defence of legal claims.
5.6.5 You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
5.6.6 You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
5.6.7 You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
5.6.8 To the extent that the legal basis for our processing of your personal data is:
- Consent; or
- That the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used, and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work, or the place of alleged infringement.
5.6.9 To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
5.6.10 You may exercise any of your rights in relation to your personal data by written notice to us, or by contacting The White Horse Federation via the instructions found at; https://thewhitehorsefederation.org.uk/about-our-trust/gdpr
5.7 Data Protection Officer
5.6.1 Our Data Protection Officer contact details are:
Lyn Rouse