Data Processing Policy – Service Data
CL Consortium Limited (trading as Charity Learning Consortium)
1. Introduction
We process personal data on behalf of customers when they license and use our LMS. We act as a data processor, with customers as data controllers, under:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
- Data (Use and Access) Act 2025 (DUAA) if and when in force
2. Lawful Basis and Purpose
We process data under lawful bases such as:
- Contractual necessity – to deliver LMS services.
- Consent for PECR-controlled electronic communications (e.g., email updates).
3. Categories of Data Processed
- User information: names, email addresses, organisational roles.
- Usage logs: course progress, completion records, quiz results.
- Support communications: support tickets, feedback, optional profile data.
4. Data Handling and Storage
- Data is stored securely in UK/EU-located hosting and protected by encryption at rest and in transit.
- Access is limited to authorised staff and sub‑processors under NDA.
- Retention is per customer agreement: default retention is no longer than 3 months after termination / 12 months of no response, unless otherwise requested.
5. Third‑Party Access & International Transfers
- We do not disclose data except to sub-processors engaged under contract.
- If data is transferred outside the UK/EU, we rely on adequacy, standard contractual clauses, or approvals under DUAA if and when in force, which relaxes adequacy thresholds to “not materially lower” standards.
6. Data Subject Rights
- We support customers in fulfilling DSARs (e.g., data access, rectification).
- We apply a “reasonable and proportionate” search standard and can pause the response clock when verifying identity or clarifying scope.
- Subject rights such as erasure, portability, and objection are upheld, with processes tailored to LMS-hosted customer data.
7. Cookies & Electronic Communications
- LMS cookies follow PECR rules; consent is obtained for non‑essential cookies.
- We clarify PECR exceptions and consent mechanisms.
- Marketing or service emails are sent based on explicit consent, with unsubscribe options.
8. Automated Decision‑Making
- LMS does not make automated decisions based on personal data.
- DUAA, if and when in force, has relaxed ADM restrictions for non‑special-category data, but we apply caution and document any algorithmic profiling.
9. Security Measures
We implement technical and organisational safeguards aligned with UK GDPR, including:
- Encryption, pseudonymisation
- Access controls, audit logs
- Regular security testing
- Data processing impact assessments for high‑risk activities (e.g., new features)
10. Data Breach Response
In case of a breach impacting customer data we will:
- Contain and evaluate incident severity
- Notify affected charities and the Information Commissioner within 72 hours if required
- Issue external communications transparently to affected individuals and regulators
- Conduct a post‑incident review and document improvements
11. Data Retention, Transfer, and Company Closure
- On contract termination, data is deleted or returned per customer preference (default: secure deletion within 90 days).
- If CL Consortium Limited is sold or winds up, all customer-controlled data will be:
- transferred under confidentiality terms to the new owner (if customer consents), or
- returned to the customer, or
- securely deleted if no instruction is received within 60 days.
12. Sub‑processors
- We maintain an updated list of sub‑processors available on request.
- Their contracts include commitments to UK GDPR, DUAA if and when in force, PECR, security standards, and data breach obligations.
13. Governance & Accountability
- We maintain records of processing under UK GDPR, as required by DPA 2018.
- We conduct regular internal audits to ensure compliance with evolving DUAA and PECR rules.
- We provide support and guidance to customers exercising data rights.
- We are committed to complying with the UK GDPR and the Data Protection Act 2018. For further details about how we use personal data, please also see our Privacy Notice.
14. Policy Review
This policy is reviewed at least annually and upon major regulatory updates—especially as DUAA provisions from June 2025 to mid-2026 come into effect.
Summary
This updated policy ensures that CL Consortium Limited processes customer data lawfully and securely under current UK data protection laws, including any successor or supplementary legislation such as the Data (Use and Access) Act 2025 (if and when in force), and PECR. We prioritise transparency and accountability, and provide clear processes for data subject rights, breach response, and data handling in the event of business changes.
Contact & Data Subject Requests
If you have any questions about this policy or wish to exercise your data subject rights, please contact:
- Data Protection Officer: Martin Baker
- Email address: dataprotection@charitylearning.org
- Postal address: Data Protection Officer, Charity Learning Consortium, Vine House, Selsley Road, North Woodchester, Stroud, Gloucestershire GL5 5NN
- Telephone number: 0203 974 1511
- Website: https://charitylearning.org
Date: 18 July 2025