Revland College of London is committed to protecting the privacy and security of personal information. In compliance with the General Data Protection Regulation (GDPR), this privacy notice (“this Notice”) outlines how we obtain and use personal information during and after your relationship with us. It applies to all students.

Revland College of London is a “data controller”. This means that we are in charge of determining how personal data is stored and used. Under data protection legislation, we are required to provide you with the information contained in this Notice.

This Notice applies to current and former students. This Notice does not form part of any offer made by Revland College of London. We reserve the right to change this Notice at any time and will notify you if any changes have a major impact on your rights.

It is important that you read this Notice, as well as any other policies we can include on specific occasions when we collect or process personal information, so that you understand how and why we use that data.

We will comply with data protection law. This mandates that the personal data we keep about you must be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection.

We will collect, store, and use the following categories of personal information:

• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
• Date of birth
• Gender
• Next of kin and emergency contact information
• Parent/Guardian contact Information
• Visa, Nationality, Police Registration and Identification Documents
• Bank account details
• Course Information (duration, location and Study Plans)
• Educational information (including copies of right to study documentation, certificates and other information included as part of the application process)
• Information about your use of our information and communications systems
• Photographs

We may also collect, store and use the following “special categories” of more sensitive personal information:

• Information about your race, ethnicity and religious beliefs
• Information about your health, including any medical condition, health and sickness records.
• Information about criminal convictions and offences.

Personal information about students is collected during the application process, either directly from students or indirectly from Agents or Sponsors on occasion. We may obtain additional information from third parties, such as former educational institutions, on occasion. During your time with us, we will obtain additional personal details from you.

• Making a decision about your application or appointment to an educational establishment;
• Determining the terms on which you study with us;
• Checking you are legally entitled to study within an educational establishment;
• Providing you with the necessary study material required;
• Administering the agreement we have entered into with you;
• Education, training and development requirements;
• Complying with health and safety obligations;
• To prevent fraud;
• To monitor your use of our information and communication systems to ensure compliance with our IT policies;
• To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution;
• To conduct data analytics studies to review and better understand student progression rates;

We need all of the categories of details mentioned above in order to fulfil our contract and to comply with legal requirements. If your interests and constitutional rights do not outweigh those interests, we can use your personal information to pursue legitimate interests of our own or those of third parties. We can ask for your permission to process your data in limited circumstances, such as for the purposes of photographs and videos. You would not be placed in a disadvantageous position as a result of your rejection. The following are the circumstances under which we can process personal data:

We will only use personal details to the extent that the law permits. We would most certainly use your personal information in the following situations:

• Where we need to enter into the agreement with you to provide the study programme according to Revland College of London Terms and Conditions, and to perform such an agreement once we have entered into it with you.
• Where we need to comply with a legal obligation.
• Where it is necessary for Revland College of London’s legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Such instances may include the prevention of fraud, error, harassment or child abuse.
• Equal opportunities monitoring;
• Our social media profile;
• Communications and marketing purposes.
• Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

We may not be able to fulfil the arrangement (such as providing a place at an educational establishment) if you refuse to provide certain details when requested, or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our students).

Unless we reasonably believe that we need to use it for some reason that is consistent with the original intent, we will only use your personal information for the purposes for which it was obtained. If we need to use your personal details for a different purpose, we will let you know and clarify the legal justification for doing so.

Please note that we may process personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

”Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

• In limited circumstances, with your explicit written consent.
• Where we need to carry out our legal obligations and in line with our Data Protection policy.
• Where it is needed in the public interest, such as for equal opportunities monitoring and in line with our data protection policy.
• Where it is needed to assess your studying capacity on health grounds and to act with a duty of care, subject to appropriate confidentiality safeguards.

We will use particularly sensitive personal information in the following ways:

• We will use information relating to admissions and promotional marketing.

Please note that if we use special categories of personal details in compliance with our written policy to carry out legal obligations or exercise specific rights, we do not need your permission. We may approach you for written consent to process such highly sensitive data in limited circumstances. If we do, we will provide you with full details about the information we need and why we need it, so you can decide whether or not you want to agree. You should be informed that agreeing to any request for consent from us is not a condition of your agreement with us.

We can only use details about criminal convictions if the law permits it. This would typically be the case when such processing is required to fulfil our obligations, and we do so in accordance with our data protection policy.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

In the course of legitimate business practises, we can also process certain information about students or former students with the necessary safeguards.

We may hold information about criminal convictions.

We can only gather information about criminal records if the nature of your place of study requires it and we are legally permitted to do so. We will collect information about criminal records as part of the Application process where applicable, or we may be informed of such information directly by you.

We will use information about criminal convictions and offences to provide the educational establishment you have applied to with the relevant information requested.

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We can use automated decision-making in the following circumstances:

• Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
• In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights, provided we have notified you of the decision and given you 21 days to request a reconsideration.
• If we make an automated decision on the basis of any special categories of data (sensitive personal data), this will have to be based on explicit consent.

Unless we have a lawful justification for doing so and you have been informed, you will not be subjected to decisions that have a direct effect on you based solely on automatic decision-making.

We do not intend to make any decisions about you using automated means, but if our stance changes, we will inform you.

With your permission, we may be required to share your data with third parties, such as universities and colleges for the purpose of admission.

Third parties must respect the security of your data and treat it in accordance with the law, as required by us.

If we do share data, you can expect your personal information to be protected to the same extent.

We will share personal information with third parties if we are required to do so by law, if it is necessary to manage our working relationship with you, or if we have another legitimate reason to do so.

”Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group. The following third-party service providers process personal information for the following purposes:

• United Kingdom Visa and Immigration (UKVI) – Legal requirement to share information on attendance, immigration status and police registration
• National Health Service – Legal requirements to share information
• Child Protection Services – Legal requirements to share information
• College Guardians (UK) and Godsil Education Dublin – Under 18s Guardian services providers
• Homestay Families – Accommodation providers
• Landlords – Accommodation providers.

All of our third-party service providers and other partners are required to follow our policies and take appropriate security measures to protect your personal information. Our third-party service providers are not permitted to use your personal information for their own purposes. We only give them permission to use your personal data for the purposes we specify and in accordance with our instructions.

We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.

We may share your personal information with other third parties, such as in the event of a potential business sale or restructuring. We may also be required to exchange personal information with a regulator or comply with the law in any other way.

Personal information can also be shared with Agents, Parents/Guardians, Sponsors, and educational institutions in other circumstances.

In order to perform the contract with you and to comply with their legitimate interests, data about enrolment, attendance, and grades may be exchanged with parents or another holder of parental responsibility and/or designated sponsors. It's also possible to exchange information with a designated agent. Other forms of data may be exchanged for the purpose of executing the contract or for a valid interest, and the data listed is not an exhaustive list.

In order to fulfil our contract, we can transfer personal information to the following countries outside of the EU:

• Australia
• Canada
• New Zealand
• Republic of Ireland
• USA

There is an adequacy decision by the European Commission in respect of the following countries; Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection. This means that these countries to which we transfer your data are deemed to provide an adequate level of protection for your personal information.

However, to ensure that your personal information is adequately protected wherever it is transferred inside Revland College of London, we have put in place effective measures to ensure that those third parties handle your personal information in a manner that is compliant with and respects EU and UK data protection laws. If you require further information about these protective measures, you can request it from the DPO.

We have put in place measures to protect the security of information. Details of these measures are available upon request.

Third parties will only process personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the DPO or by reference to the Data Protection Policy.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

We consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and any applicable legal requirements when determining the appropriate retention period for personal data. After this period we will use our best endeavours to securely destroy your personal information.

In some circumstances we may anonymise personal information so that it can no longer be associated with you, in which case we may use such information without further notice.

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.
• If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the DPO in writing.

No fee usually required.

You will not be charged a fee to gain access to your personal data (or to exercise any of the other rights). If your request for access is obviously unreasonable or unfair, we can charge a fair fee. Alternatively, in certain cases, we can refuse to comply with the order.

In order to fulfil our contract, we can transfer personal information to the following countries outside of the EU:

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

You may have given your consent to the collection, processing, and transfer of your personal information for a purpose under restricted circumstances. At any time, you have the right to withdraw your consent to the processing. A protocol will be followed to revoke your consent that is similar to the procedure for giving consent. In any case, you should contact the DPO to revoke your consent. We can no longer process your information for the intent or purposes you originally agreed to until we receive notice that you have withdrawn your consent, unless we have some legal reason for doing so.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data security supervisory body, at any time.

We reserve the right to update this privacy notice at any time, and if we make any significant changes, we will send you a new privacy notice. We can also alert you about the processing of your personal information in other ways from time to time.