Privacy Policy

The UK General Data Protection Regulation (GDPR) with EU/EEA Representation

Lawful processing

Vacational Studies (VS) must identify and document the lawful basis for any processing of personal data. The lawful bases are:

  • Direct consent from the individual (Parents have agreed on application that VS may store personal data)
  • The necessity to perform a contract (VS needs information on its students to look after them and their interests)
  • Protecting the vital interests of the individual (Only VS holds personal data on its system and does not allow any other entity access to it)
  • The legal obligations of the organisation (VS needs to know with whom it is dealing)
  • Necessity for the public interest (VS needs data to know whose interests it is responsible for)
  • The legitimate interests of the organisation (In that VS is able to provide references and information on student performance, it needs to retain this data)

Personal data that can be held

  • Name
  • Address
  • Email address
  • Photo
  • IP address
  • Location data
  • Online behaviour (cookies) (Not held by VS)
  • Profiling and analytics data (Not held by VS)

Special categories of personal data

  • Race (Not held by VS)
  • Religion (Needed in case special provision has to be made))
  • Political opinions (Not held by VS)
  • Trade union membership (Not held by VS)
  • Sexual orientation (Not held by VS)
  • Health information (Needed as VS assumes responsibility for students' health needs)
  • Biometric data (Not held by VS)
  • Genetic data (Not held by VS)

Wider scope

The GDPR applies to all EU organisations – whether commercial business, charity or public authority – that collect, store or process the personal data of individuals residing in the EU, even if they're not EU citizens.

Organisations based outside the EU that offer goods or services to EU residents, monitor their behaviour or process their personal data will be subject to the GDPR. (VS has an EU-based GDPR representative)

Service providers (data processors) that process data on behalf of an organisation come under the remit of the GDPR and will have specific compliance obligations. An example might be a company that processes your payroll or a Cloud provider that offers data storage.

Data protection principles

Personal data must be processed according to the six data protection principles:

  1. Processed lawfully, fairly and transparently.
  2. Collected only for specific legitimate purposes.
  3. Adequate, relevant and limited to what is necessary.
  4. Must be accurate and kept up to date.
  5. Stored only as long as is necessary.
  6. Ensure appropriate security, integrity and confidentiality.

(VS confirms it complies with the above)

Accountability and governance

  • The establishment of a governance structure with roles and responsibilities
  • Keeping a detailed record of all data processing operations.
  • The documentation of data protection policies and procedures.
  • Data protection impact assessments (DPIAs) for high-risk processing operations.
  • Implementing appropriate measures to secure personal data.
  • Staff training and awareness.
  • Where necessary, appoint a data protection officer.

(IGM is the sole holder of data and is the data protection officer)

(VS can demonstrate compliance with the GDPR)

Data protection by design and by default

There is a requirement to build effective data protection practices and safeguards from the very beginning of all processing:

  • Data protection is considered at the design stage of any new process, system or technology.
  • A DPIA is an integral part of privacy by design.
  • The default collection mode must be to gather only the personal data that is necessary for a specific purpose.

Valid consent

There are strict rules for obtaining consent:

  • Consent must be freely given, specific, informed and unambiguous.
  • A request for consent must be intelligible and in clear, plain language.
  • Silence, pre-ticked boxes and inactivity will no longer suffice as consent.
  • Consent can be withdrawn at any time.
  • Consent for online services from a child under 13 is only valid with parental authorisation.
  • Organisations must be able to evidence consent.

(VS confirms it complies with the above)

Privacy rights of individuals

Individuals' rights are enhanced and extended in a number of important areas:

  • The right of access to personal data through subject access requests.
  • The right to correct inaccurate personal data.
  • The right in certain cases to have personal data erased.
  • The right to object.
  • The right to move personal data from one service provider to another (data portability).

(VS confirms it complies with the above. A request to remove data will result in the removal of all data including academic performance which cannot be retrieved for later reference purposes)

Transparency and privacy notices

  • Organisations must be clear and transparent about how personal data is going to be processed, by whom and why.
  • Privacy notices must be provided in a concise, transparent and easily accessible form, using clear and plain language.

(VS confirms it complies with the above)

Data transfers outside the EU

The transfer of personal data outside the EU is only allowed:

  • Where the EU has designated a country as providing an adequate level of data protection;
  • Through model contracts or binding corporate rules; or
  • By complying with an approved certification mechanism, e.g. EU-US Privacy Shield.

(VS confirms it complies with the above)

Data security and breach reporting

  • Personal data needs to be secured against unauthorised processing and against accidental loss, destruction or damage.
  • Data breaches must be reported to the data protection authority within 72 hours of discovery.
  • Individuals impacted should be told where there exists a high risk to their rights and freedoms, e.g. identity theft, personal safety.

(VS confirms it complies with the above)

Data protection officer (DPO)

The appointment of a DPO is mandatory for:

  • Public authorities;
  • Organisations involved in high-risk processing; and
  • Organisations processing special categories of data.
  • A DPO has set tasks:
  • Inform and advise the organisation of its obligations.
  • Monitor compliance, including awareness raising, staff training and audits.
  • Cooperate with data protection authorities and act as a contact point.

(VS confirms it complies with the above and that the DPO is Ian Mucklejohn, Director Vacational Studies)

GDPR does not apply over issues relating to Child Safeguarding.

Ian Mucklejohn - 14 June 2023

Your acceptance of these terms

By using this Site, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our site. Your continued use of the site following the posting of changes to this policy will be deemed as your acceptance of those changes.

Registration at the Information Commissioner's Office

Vacational Studies is registered at Reference ZB000148.  Certification is here.

Contacting us in the UK

If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site, please contact us at:

Ian Mucklejohn, Vacational Studies, Pepys' Oak, Tydehams, Newbury, Berkshire RG14 6JT, United Kingdom.  Telephone: (+44) (0)1635 523 333

Contacting us in the EU/EEA

Adriaan de Vries, Burgmeesterlaan 6, 3971 CS Driebergen, Netherlands.  Telephone: +31 71 5177037  adriaan (at)

This document was last updated on 14 June 2023

Accredited by the British Council
Offers Trinity
Accredited by English UK