Privacy Policy

General Data Protection Regulation (GDPR)


We are informing you with this information due to a new data privacy law that’s being introduced in the UK later this year, we’ll be providing you with details about how we collect and use your personal information.

However, this doesn’t mean we’re changing the way we collect or use your information. It is simply to make it easier for you to find out what we do, we’ve created a new ‘Privacy Notice’ which includes details surrounding;

  • Your rights relating to the information we hold about you
  • How we keep your personal information safe
  • The types of personal information we at E.L.M Academy collect and use
  • The legal basis we rely on to use your information

Our Privacy Notice covers any products or services you have with us including training, treatments, student loans, payments, credit cards. If you are training with one of our sub-contractors, you may also get a similar note from them.

Where you can find it?

Our new Privacy Notice will be effective from 25 May 2018 and you’ll be able to find it by visiting If you prefer paper, give us a call on the number below and we’ll send you a copy in the post.

We’re here to help!

If you have any questions about anything covered above, please give us a call on 0777 222 6673 and we’ll be happy to help.

This privacy notice has been written to inform parents and pupils of E.L.M. Academy about what we do with your personal information. This notice may be subject to change as the Data Protection bill progresses.

Who are we?

E.L.M. Academy is a processor; this means that we determine how and why we collect the data. We are responsible for processing your personal data on behalf of a controller. The GDPR places specific legal obligations on us; we have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

We have appointed Luke Mitchell to be our Data Protection Officer (DPO). The role of the DPO is to assist us in monitoring internal compliance, inform and advise us on Data Protection obligations and to ensure that we are compliant with GDPR policies and procedures.

Please find below Luke Mitchell contact details if you have any questions in regards to Data Protection;

E :

What information do we collect?

  • Personal information of pupils and their family members (name, contact details, DOB and address)
  • Educational attainment
  • Attendance information
  • Assessment information
  • Behavioural information
  • Safeguarding information
  • Relevant medical information
  • Special educational needs and disabilities information
  • Race, ethnicity and religion

Why do we collect your personal data?

  • To support pupil learning
  • To monitor and report on pupil progress
  • To provide appropriate care and to ensure safeguarding is executed correctly
  • To assess the quality of our services
  • To comply with the law regarding data sharing

Personal data that we process about our pupils and parents/guardians is done so in accordance with Article 6 and Article 9 of GDPR.

Who do we obtain your personal information from?

Yourselves (pupils and parents/guardians) on commencement of the course and also enquiries e.g. careers fairs, emails and telephone calls, forms completed on our website, enquiries received through social media

Department for Education (DfE)

Previous Schools attended

Who do we share your personal data with?

  • Salon employers
  • Tutors
  • ELM Academy staff
  • ICT programme providers e.g. PICS
  • Yorkshire College of Beauty

We will not share any of your information about you outside the college without your consent unless we have a lawful basis for doing so.

How long do we keep your personal data for?

We will keep your personal data in line to fulfil organisational regulatory and funding body requirements. Any personal information which is not required by law to retain will only be kept for as long as is necessary.

What rights do you have over your data?

The right of access – so individuals can access their personal data and can verify the lawfulness of the processing.

The right to rectification – individual has the right to update it if incorrect or needs updating.

The right to erasure – also known as right to be forgotten. Request can be made verbally or in writing and should be carried out within 1 month.

The right to restrict processing – where the individual doesn’t want their data erasing but restricting.

The right to data portability – individuals can obtain and reuse their personal data for their own purposes across different services.

The right to object – to the processing of their personal data. The right to object must be communicated at the point of collection, clearly and on its own.


If you believe that your data protection rights may have been breached, and we have been unable to resolve your concern, you may lodge a complaint the applicable supervisory authority.