Data

**The Kinderhub @ Cottam Ltd.

Data Protection Policy**

**1. Introduction**

*The Kinderhub @ Cottam Ltd.* (hereinafter referred to as “the Play Centre”) is committed to protecting the privacy and security of personal data. This Data Protection Policy outlines our approach to managing personal data in compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

**2. Scope**

This policy applies to all employees, contractors, vendors, and partners who handle personal data on behalf of the Play Centre. It covers all data subjects whose personal data is processed by the Play Centre, including children, parents, guardians, employees, and other visitors.

**3. Definitions**

– **Personal Data:** Any information relating to an identified or identifiable natural person (data subject), such as names, contact details, payment information, and health details.
– **Data Subject:** The individual to whom the personal data relates, including children attending the Play Centre, their parents/guardians, visitors, and staff.
– **Data Processing:** Any operation performed on personal data, including collection, recording, storage, retrieval, and sharing.
– **Data Controller:** The Play Centre, which determines the purposes and means of processing personal data.
– **Data Processor:** Any third party that processes personal data on behalf of the Play Centre.

**4. Data Collection and Use**

The Play Centre collects and processes personal data for legitimate business and operational purposes, including:

– Managing bookings and attendance records for children and visitors.
– Ensuring the safety and well-being of children during their time at the Play Centre.
– Communicating with parents, guardians, and visitors regarding services, events, and activities.
– Processing payments for services rendered.
– Complying with legal and regulatory obligations.

**4.1 Legal Basis for Processing**

Personal data will be processed only if there is a lawful basis for doing so, including:

– The data subject has given consent.
– The processing is necessary for the performance of a contract with the data subject.
– The processing is required to comply with legal obligations.
– The processing is necessary to protect the vital interests of the data subject or another person.
– The processing is necessary for the legitimate interests of the Play Centre, provided that these interests are not overridden by the rights of the data subject.

**5. Data Retention**

The Play Centre will retain personal data only as long as necessary to fulfill the purposes for which it was collected or to comply with legal requirements. After this period, personal data will be securely deleted or anonymized.

**6. Data Security**

The Play Centre implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration. These measures include:

– Access controls to limit data access to authorized personnel only.
– Encryption of sensitive data both at rest and in transit.
– Regular security audits and vulnerability assessments.
– Employee training on data protection and security practices.

**7. Data Subject Rights**

Data subjects have the following rights regarding their personal data:

– **Right to Access:** Data subjects can request access to their personal data and information about how it is being processed.
– **Right to Rectification:** Data subjects can request corrections to inaccurate or incomplete data.
– **Right to Erasure (Right to be Forgotten):** Data subjects can request the deletion of their personal data under certain conditions.
– **Right to Restrict Processing:** Data subjects can request the restriction of processing under specific circumstances.
– **Right to Data Portability:** Data subjects can request to receive their personal data in a structured, commonly used format.
– **Right to Object:** Data subjects can object to the processing of their personal data based on legitimate interests or direct marketing.

**8. Data Breach Response**

In the event of a data breach, the Play Centre will:

– Notify the relevant supervisory authority within 72 hours, if required by law.
– Inform affected data subjects if the breach is likely to result in a high risk to their rights and freedoms.
– Investigate the breach, take corrective actions, and document the incident and response.

**9. Data Sharing and Transfers**

Personal data will only be shared with third parties when necessary for business operations or when required by law. Data transfers to third parties will be governed by data processing agreements to ensure the protection of personal data.

If personal data is transferred outside the UK, the Play Centre will ensure that adequate safeguards are in place, such as Standard Contractual Clauses or other legal mechanisms approved under UK GDPR.

**10. Accountability and Governance**

The Play Centre will maintain records of data processing activities, conduct regular audits, and ensure compliance with this policy. A designated Data Protection Officer (DPO) or equivalent role will oversee data protection efforts and serve as a point of contact for data protection inquiries.

**11. Policy Review**

This policy will be reviewed annually and updated as necessary to reflect changes in legal requirements or business practices.

**12. Contact Information**

For any questions or concerns regarding this policy or data protection practices, please contact:

[Data Protection Officer Name]
*The Kinderhub @ Cottam Ltd. Play Centre*
[Contact Information: info@thekinderhub.co.uk,]

**13. Effective Date**

This policy is effective as of [18/6/2019].

—

Please customize this policy further with specific details, such as the contact information for the Data Protection Officer, and review it with legal counsel to ensure compliance with applicable laws and regulations.