Privacy Notice

GDPR in Schools Limited delivers a service to its customers and to the public to help drive and improve data protection in the education sector. 

We take care to protect the privacy of customers and users of We take our obligations under privacy and data protection law very seriously. This privacy notice explains how we collect, store and use your personal data. Please read it carefully. 


  1. In this privacy notice, references to “we”, “us” or “our” mean GDPR in Schools Ltd (“GDPRiS”) (further details of GDPRiS are provided at the bottom of this statement). References to “you” or “your” mean the person using this Website whose personal information we collect, store and use.
  2. This privacy notice applies to you and GDPRiS, the owner and operator of this Website.
  3. References to “the Website” mean (including any relevant sub-domains, unless specific terms and conditions apply to that website or service).
  4. References to “Data” mean all personal information that you submit to GDPRiS via the Website.
  5. GDPRiS may change this privacy notice from time to time. You should check this page periodically to ensure that you are happy with the up-to-date version.

What this Privacy Notice covers

  • Why we use your personal information 
  • The lawful basis for processing 
  • What personal information we capture
  • How we use your personal information 
  • What rights you have under data protection legislation 
  • Sharing personal information with third parties
  • How long we may keep your information 
  • Changes to our privacy notice 
  • Contact details for your queries 

Why we use your information

GDPRiS operate a number of web sites and web applications that facilitate some of the processes that schools are required to undertake to achieve and evidence their compliance with the EU General Data Protection Regulation and the UK Data Protection Act 2018. 

We process your personal data for the following purposes: 

  • to provide you with the service activated and registered for 
  • the verification of your identity, where required 
  • for the prevention and detection of crime, fraud and money laundering 
  • for the ongoing administration of the service 
  • to allow us to improve the products and services we offer to our customers 
  • to manage our relationship with you and offer support 
  • to ask for your opinion about our products and offer surveys 
  • for research and statistical analysis, including payment and usage patterns. We only use the data in an anonymised manner when we use it for this purpose. 
  • to enable us to comply with our legal and regulatory obligations 
  • to offer new products and services to you which are relevant and appropriate, and only to the extent that would be reasonably expected. 

If we plan to introduce further processes for the use of your information, we will provide information about that purpose prior to such processing. 

What information we collect and how long we keep it

When you visit or any other web site under the domains or, we will be logging the following:

We use this information to anonymously analyse how our site is used to give you the best possible experience.  

Some pages on the public web site may ask you to volunteer further information to us, such as:  

You will be asked to give your Consent to us contacting you and sending you information about our services. This does not take away any of your rights under data protection law. See below for more information. 

We collect online payments for some of our services through a 3rd party supplier (see below). Much longer retention requirements apply for financial data (6 years). 

All web sites use cookies to varying degrees: Please refer to our Cookie Policy for details. 

Users of the GDPRiS web application

The GDPRiS web application and training platform is a pay-for-service that your school will have purchased to manage its compliance with current data protection law. A responsible individual at the school will create user accounts for as many staff or associated people as are required and upload their names, email addresses and roles into GDPRiS. 

Users will then be able to generate further data inside the tool, such as responses to self-assessments, contributions to data breach investigations, subject requests and more. 

All of the data capture mentioned above under “All users visiting one of our web sites” will continue to be captured and processed for users of the application. 

Application data will be held until the end of the contract, and will be deleted approximately one month after the contract expires. 

Accounts information, such as evidence of payments made to us, will be held for longer in accordance with accountancy practices. 

Lawful bases

GDPR in Schools undertake some of the processing mentioned above independently from a processing instruction by any schools. This is the case for purposes that help us improve the service we can offer. Unless an exception is specifically mentioned in a more specific Privacy Notice, such processing will be carried out to serve our Legitimate Interest. 

Where GDPR in Schools is acting on the instruction of a school, the lawful basis will be determined by the school; because the governance processes for meeting the GDPR have a clear basis in law, schools will usually choose ‘Public Task’ as the lawful basis.   

How we process your personal information 

We use your personal information, and some of our employees have access to such information, only to the extent required to carry out the services for you and on behalf of the school. 

We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity and availability of your personal information during storage, processing and transit. 

Your rights under data protection law

Right to Access 

You have the right of access to your personal information that we process and details about that processing. 

You can usually access that information directly within the GDPRiS Products and Services (self-service). However, should this not be possible, you can raise a Data Subject Access Request (DSAR) to receive this information in another format. 

Right to Rectification 

You have the right to request that information is corrected if it’s inaccurate. You can usually update your own information using the GDPRiS Products and Services (self-service). However, should this not be possible, you can contact us to make the changes on your behalf. In some circumstances, you may have to contact your school to correct the data held by them and provided to us for processing. 

Right to Erasure (Right to be Forgotten) 

You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request. 

Right to Object 

You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request.

Right to Restriction of Processing 

You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request. 

Right to Data Portability

You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine readable format suitable for transferring to another controller. 

Right to lodge a complaint with a supervisory authority

If you think we have infringed your privacy rights, you can lodge a complaint with the relevant supervisory authority. You can lodge your complaint in particular in the country where you live, your place of work or the place where you believe we infringed your right(s). 

You can exercise your rights by sending an e-mail to 

Please state in the subject that your request concerns a privacy matter, and provide a clear description of your requirements. 

Note: We may need to request additional information to verify your identity before we action your request. 

Sharing data with 3rd parties 

In order to fulfil our service reliably and effectively we make use of 3rd parties. In order to use such 3rd parties it is necessary for us to share information with them. 

These are the parties we may share information with: 

  • Zendesk (US) – Customer Support Portal 
  • Mailchimp (US) – Email delivery and email campaign management 
  • Microsoft Azure (EU) – cloud hosting. This is where the web application and the database are hosted 
  • Microsoft (EU) – Office365 work group suite of tools
  • Thinkific (Canada) – online training 
  • (US, but Azure (EU) data centre) – log file storage 
  • Google (US) – Anonymous Web statistics analysis 
  • EasySpace/IOMart (UK) – WordPress hosting. This is where the public web site is hosted 
  • Stripe (EU) – Payment Processor 
  • Zoom (US) – Telephony and online meetings. Note that we are currently transitioning away from Horizon and GoToMeeting 
  • We may use auditors and security consultancies, who will occasionally come to see samples of personal data 
  • SurveyMonkey – we may from time to time invite you to take part in an online survey 

If we find a need to do so, we may change the suppliers we work with. In that event, we will update this privacy notice and inform you of the change. 

We will only disclose your information to other parties in the following limited circumstances: 

  • where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities 
  • where there is a duty to disclose in the public interest 
  • where disclosure is necessary to protect our interest e.g. to prevent or detect crime and fraud 
  • where you give us permission to do so e.g. by providing consent within the GDPRiS Products and Services or via an online application or consent form. 

Third party web sites 

From time to time, our Website and application may also include links to third parties’ websites for your interest. This privacy notice does not extend to any third party websites that can be accessed from this Website. We do not accept liability or responsibility for any third party’s use of your data or their use of cookies. 

Changes to this Privacy Notice

This privacy notice will be reviewed regularly and updated versions will be posted on our websites as necessary. 

Contact details

GDPR in Schools Ltd is a limited company incorporated in England and Wales under company registration number 10699302, whose registered office address is 11 Kingsley Lodge 13 New Cavendish Street, London, United Kingdom, W1G 9UG.

If you have any questions regarding this privacy notice please contact us. 

Last Updated on 04 January 2021
