This Privacy Notice explains types of personal information we may collect about you when you
interact with us. It also explains how we will store and handle that information, as well as keep it
safe and secure.
We will keep our privacy notice under regular review and will advise you of any updates on our
This Notice was last reviewed in March 2021.
2. Who we are
EFBS Ltd is incorporated in England (company registration number SC588185). Our
registered office is: Saint Stephen’s Theatre, 105 St. Stephen Street, EDINBURGH, United Kingdom, EH3 5AB.
For the purposes of Data Protection legislation EFBS Ltd is the Data Controller.
As Data Controller we must:
▪ use your personal information fairly and lawfully
▪ only use your personal information for the purposes it has been provided for, unless
required to by law
▪ only collect as much personal information as needed for the services you require
▪ keep your personal information accurate and up to date
▪ only keep your information for as long as necessary
▪ use your personal information in accordance with your rights
▪ keep your personal information safe and secure
▪ not transfer your personal information outside the European Economic Area unless
adequate levels of protection are in place
3. What is personal information?
Personal information is defined as any information which relates to a living individual who can be
▪ from the information we hold, or
▪ from the information combined with any other information which is already in the possession
of, or likely to come into the possession of, the person or organisation holding the
Personal information also includes any expression of opinions about an individual, and any
indication of the intentions of the data controller (i.e. the Company) or any other person in
respect of the individual.
4. What type of personal information do we collect?
We collect a range of personal information depending upon whether you are, for example, a
student or a prospective candidate for a job. Set out below are some examples of the types of
personal information that we may collect:
▪ Personal details such as names, addresses, telephone numbers, date of birth
▪ Bank details
▪ Dietary information
▪ Personality and character references
▪ Education and training details
▪ Employment details
▪ Financial details
▪ Pension details
▪ Racial or ethnic origin
▪ Physical health or mental condition
▪ Information relating to health and safety
▪ Medical information
▪ Complaints, accidents, incident details
▪ Sounds and visual images (such as CCTV images)
If we need to collect personal information not covered in this list you will be informed by us.
5. How do we collect personal information?
We may collect your personal information in a number of ways, for example:
▪ Forms you have completed and given to us
▪ Contact you have made with us through our website, telephone, emails or letters you have
sent to us, as well as contact made through social media sites operated by the Company
▪ CCTV images
▪ When you apply for a job vacancy
▪ Referrals made to us from outside organisations
▪ We may also take photographs at our events, our properties and in our communities to use
for general marketing and publicity. However, photographs of individuals will only be used
for these purposes with consent.
6. Why do we collect your personal information?
EFBS Ltd holds and uses personal information for the following purposes:
▪ To be able to deliver the services that you have asked for
▪ To provide services tailored to your requirements and to treat you in a more personal way
▪ Advertising, marketing and public relations
▪ Staff administration
▪ Accounts and records
▪ Property management
▪ Other commercial activities
▪ Information and administration
▪ Pensions administration
7. Who might we share your personal information with?
We obtain and share personal information with a wide variety of sources, which include but are
not limited to:
▪ Third party suppliers necessary to perform our functions
▪ Individuals themselves or professionals appointed by the individual to act on their behalf
▪ Data processors that work on behalf of the Company
▪ Advertisers, ad servers and ad networks (but this will not include any information that
directly identifies you)
8. How long will we keep your personal information?
We will only keep your personal information for as long as necessary. At the end of the retention
period, or the life of a particular record, it will be reviewed and deleted, unless there is any
special reason for keeping it.
9. What is our legal basis for using your personal information?
To use your personal information there must be a lawful basis to do this. These are, consent,
contract, legal obligation, vital interest, public tasks and legitimate interest. In most case the
processing must also be necessary.
The legal bases upon which we hold your information include consent, contract and legitimate
interest. The specific legal basis will depend upon the reason or reasons why we collected and
need to use your information.
The GDPR sets a high standard for consent to use people's information. Consent requires a
positive opt-in. Pre-ticked boxes or any other consent method by default is no longer allowed. We
will not generally rely on consent as a basis for processing personal data. In the limited
circumstances where we may rely upon consent, we will specifically obtain this in the course of
collecting the data.
If consent is the only legal basis used to process your personal information, you can withdraw
your consent at any time. Consent can be withdrawn online, by email, telephone or face-to-face.
Our contact details are set out in Section 14. Alternatively, you can follow the opt- out or
unsubscribe instructions in the relevant communication.
This is when we need to process your personal data to fulfil a contractual obligation to you, for
example, to provide the tuition instruction and training that we have agreed to provide
This is the most flexible lawful basis and it can be our interests or interests of third parties. It can
include commercial interests, which is what we rely on in our case. We need to process your
personal data in order to effectively run our business and we have a legitimate interest as a
theatrical dance college to use your personal information to operate and improve our business.
10. Direct Marketing
The Company may occasionally want to use your name and contact details to inform you of
special courses or events. If the Company wishes to use your personal information for these
purposes we will always ask for your explicit consent before doing so.
Unless you are told otherwise, this information will not be shared with third parties and you can
unsubscribe at any time by phoning +44 (0) 131 5562261 or emailing email@example.com, or clicking the 'unsubscribe' button on our marketing emails.
You will always be asked to opt-in to direct marketing and this should always be a clear,
affirmative action, such as ticking an opt-in box.
Any information you provide us for marketing purposes will be kept with us until you notify us that
you no longer wish to receive this information.
11. How do we keep your personal information secure?
We recognise the professional responsibility we have to safeguard the information of individuals.
The security of your personal information is important to us and we follow a range of security
policies and procedures to ensure that access to and use of your information is controlled and
Some examples of our security measures include:
▪ Controlling access to Company systems and networks preventing any unauthorised access
to your personal information
▪ Using encryption methods such as passwords so that only people with specific access
rights can view it
▪ Pseudonymisation, meaning that we will change some personal details such as name, date
of birth etc. so that someone with access to the data will not know whose personal
information it belongs to
▪ Our staff are regularly trained in data protection to make them aware of their responsibilities
when using personal information and how and when to report if something goes wrong
▪ We regularly test our technology and working practices to keep up to date on the latest
12. Is your personal information used overseas?
In some cases the Company will process your personal information outside of the European
Economic Area (EEA). In instances where your personal information needs to be transferred to a
country or territory outside the EEA that country or country or territory must ensure an adequate
level of protection for the rights and freedoms of data subjects in relation to the processing of
13. What are your rights?
Your individual rights are set out in law. Subject to some legal exemptions, you have the
Right to be informed
You have the right to know about the collection and use of your personal information, including:
▪ Why it is collected
▪ How it is used
▪ Who it is shared with
▪ How long it is kept for
Right of access
You have the right to obtain a copy of your personal information and supplementary information
to understand how and why we are your information and that we are using it lawfully. This is
commonly known as a Subject Access Request (SAR). This should be made in writing to the
Data Protection Officer (DPO) whose contact details are set out in section 14. You should give
details of your name and postal address and details of your request and any details which would
help us to locate the information, for example, reference number. In addition you will need to
provide us with proof of identity, e.g. copy of your birth certificate, passport or driving licence.
Right to rectification
You have the right to have inaccurate personal information rectified. You also have the right to
have incomplete personal information completed - although this may depend on the reasons for
using your personal information.
Right to erasure
In certain circumstances you have the right to have your personal information erased. This is
also known as the 'right to be forgotten'. The right to erasure does not apply to all cases such as
complying with a legal obligation, performing a task set out in the public interest or for the
establishment, exercise or defence of legal rights.
Right to restrict processing
You have the right to request the Company to restrict using your personal information in some
circumstances. This may be because you are challenging the accuracy of the information and we
are verifying the accuracy of the data. In most cases we will not need to restrict using your
personal information indefinitely but will need to have the restriction in place for a certain period
Right to data portability
You have the right to receive personal data you have provided to us in a structured, commonly
used and machine-readable format. Individuals also have the right to request that a controller
transmits this data directly to another controller - this is commonly used for banking and
insurance purposes when wanting to switch providers.
Right to object
You have the right to object to the Company using your personal information. The right to object
only applies in certain circumstances and requests to object using personal information will be
considered on an individual basis. The Company will be unable to stop using personal
information if it is needed to carry out a statutory function.
Rights in relating to automated decision making and profiling
Automated individual decision-making is a decision made by automated means without any
human involvement. An example of this would be an online decision to award a loan. Profiling
can be used to find out about individuals' preferences, predict behaviour or make decisions about
people. The Company will not make any solely automated decisions on you that have any legal
or similarly significant event on you.
14. Contact us
If you would like to exercise your rights in relation to your personal information, or you feel that
something has gone wrong with your personal information, you can contact our Data Protection
Officer (DPO) in either of the following ways:
By email: firstname.lastname@example.org
By telephone: +44 (0) 131 5562261.
Saint Stephen's Edinburgh,
105 St Stephen Street, Edinburgh,
If you feel that the Company has not handled your information correctly you can contact the Data
Protection Officer at the above contact details or the Information Commissioner's Office (ICO).
The ICO is the Government's Independent Body responsible for overseeing data protection. In
most cases the ICO will only review cases that have exhausted the Company's internal
The ICO's contact details are as follows: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF. More information can be found on the ICO's website at www.ico.org.uk