Privacy & Data Policy


Privacy & Data Policy

This policy sets out Appleby Cottage C.I.C responsibilities under the Data Protection Act 1998, GDPR, and associated legislation. It details the rules, which Appleby Cottage C.I.C will follow to ensure we are compliant with the requirements, and explains the processes which will be used when collecting and using personal data.


The purpose of this policy is to:

  1. Outline what personal information we hold, why we hold it and what your rights are
  2. Confirm we are compliant with the Data Protection Act 1998, GPDR and associated legislation
  3. How we will prevent breaches


Name, identity and contact details of the Data Controller for Appleby Cottage

Name:                  Sarah Lane / Appleby Cottage CIC

Tel:                       07594 606573


Address:              Appleby Cottage Smallholding , Appleby Street, Cheshunt, EN7 6QY


The purpose of processing client data

In order to give professional tuition and support, we will need to gather and retain potentially sensitive information about you and or your health or wellbeing. We will only use this information for informing the service we supply to you.


Lawful basis for holding client information

The lawful basis under which we hold an use your information is our legitimate interests, i.e our requirement to retain the information in order to provide you with the best possible service, option and advice.


As we may hold special category data (i.e information related to health conditions) the Additional Condition under which we hold and use this information is for us to for fill our role as a provider of respite and or educational activity for those with special or additional needs.


What information do we hold and what do we do with it?

In order to give you the best possible support and advice about the services we offer we will need to ask and keep information about you, including your health and wellbeing. We will only use this information to inform our service to you. The information to be held will be:

  • Your contact details (which will be taken at the point of enquiry)
  • An overview of medical conditions and other relevant health related information, including medication which you will bring with you onto the premises (which will be taken from you at the point of enquiry)
  • Daily notes on your progress as a result of attending our inclusive provision

We will not share your information with anyone else (other than when required for legal process) without explaining why it is necessary, and getting your explicit consent.


How long will we retain your information for?

We will keep your information for the following time periods:

  1. If you are attending our inclusive provision we will keep your information until you advise us that you will no longer be attending our provision.
  2. If you are attending a one day course or experience day we will hold your information until the course is completed or you cancel the booking with us
  3. If you are attending a children’s party we will hold your information until you attend or you cancel the booking with us.
  4. If you have opted into receiving updates on our future services, we will only hold your contact details as disclosed by you at the point of opting into this service. We will contact you using your preferred contact preferences as stipulated by you. You can opt out of receiving updates at any time by contacting the data controller above


Protecting your personal data

We are committed to ensuring your personal data is secure. In order to prevent unauthorized access or disclosure, we have put in place appropriate technical, physical and managerial procedures to safe guard and secure the information we have collected from you. Including the use of password protected documentation and lockable paper storage facilities.


Your Rights

 The Data Protection Act 1998 exists to safeguard personal data. The Act balances an organisation’s need to collect and use personal data for appropriate purposes, against an individual’s right to keep their personal data private. The Act functions in two ways;:

It sets out the principles which must be followed by anyone who is processing (collecting / using) personal data. There are eight principles in the Act:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specified and lawful purpose, and shall not be further processed in any manner incompatible with those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
  6. Personal data shall be processed in accordance with the rights of data subjects.
  7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The second function of the Act is to give rights to individuals to find out what personal data is held about them, and how it is being processed. Individuals also have rights to prevent inappropriate processing of their personal data, and to have inaccurate personal data corrected.

The Data Protection Act is enforced by the Information Commissioner’s Office (ICO). The ICO is an independent public body which champions information rights and provides advice and guidance to organizations on best practice and compliance with information legislation. It has legal powers to ensure that organizations meet their obligations under the Data Protection Act. The ICO can issue enforcement notices, carry out audits and prosecute anyone who commits a criminal offence under the Act. The ICO can fine organizations up to £500,000 for serious breaches of the Data Protection Act.



 GDPR sets out that you have the following rights:

    1. The right to be informed: to know how your information will be held and used (which is outlined in this notice)
    2. The right to have access: to see the personal information held by us about you and the right to verify if this is correct
    3. The right to rectification: To tell us to make changes to your personal information if it is incorrect or incomplete
    4. The right to erasure (also called “the right to be forgotten”) for your to request that we erase any information held by us about you
    5. The right to restrict processing of personal data: you have the right to request limints on how we use your personal information
    6. The right to data portability: You can request a copy of your personal information held electronically so you can reuse it on other systems
    7. The right to object: to be able to tell us your don’t want us to use certain parts of your information, or only to use it for certain purposes
    8. Rights in relation to automated decision making and profiling
    9. The right to lodge a complaint with the information commissioner’s office: You are able to complain to the The information commissioner’s Office (ICO) if you feel your details are not correct, if they are not being used in a way that you have given permission for, or they are being stored when they don’t have to be. If you wish to exercise any of these GDPR rights, please contact the data controller named in this policy. Full details of your rights can be found, you can also contact ICO if you are dissatisfied with the response you get from the data controller or you wish to make a complaint.


Our rights

Please note:

  • If you don’t agree for us to use or keep records and information about you, and the time you spend with us, or you don’t allow us to use the information in a way that supports the service you would like us to provide, we may not be able to provide that service to you.
  • We can move our records between Appleby Cottages computers or paper storage as long as your details are protected from being seen by those who do not have permission to review them.



You will be asked to read the information on this policy at the point of making a booking with us. By confirming your booking you are confirming you have read, understood and agreed with this policy