Part I: Policy details
What does this policy cover and who is covered?
MY LANGUAGE HUB LTD. takes the protection of Personal Data seriously. Personal Data means any information from which a living individual (called a Data Subject) can be identified. It does not include information which has been anonymised. Personal Data can come in many forms: at its simplest it may be a name, address, and telephone number, but it can include a wide range of matters such as an individual’s opinion or their preferences. Under GDPR an IP address is also considered to be Personal Data.
As a business, we are required to comply with the UK’s Data Protection Laws and we are fully committed to ensuring that compliance. The protection of Personal Data also has a big impact on our reputation as a business. As you are covered by this policy and your contract with us requires you to comply with it, you are also obliged to ensure that all Personal Data that you may handle, or to which you may have access as you carry out your contracted duties, is properly protected.
This is an internal policy that sets out how we handle the Personal Data of any individuals we deal with. It applies to all Personal Data held about our customers and potential customers, suppliers, business contacts and any other individuals who we deal with in the course of our business. It also applies to how we handle the Personal Data of our staff and other workers and to the Personal Data of our shareholders.
MY LANGUAGE HUB LTD. keeps this data protection policy under regular review, so it may be updated from time to time. This version was last updated on 20th February 2025.
Key terms and definitions
Data protection law contains a lot of technical terms. To make life easy, we’ve defined them upfront here so that you can get used to them.
Automated Decision-making: a decision made by automated means, without any human involvement.
Consent: the freely-given, specific, informed, and unambiguous consent of a living individual to whom the Personal Data relates (a Data Subject) to the Processing of their Personal Data. This consent must have been indicated by clear and affirmative action.
Data Controller: the organisation or person responsible for deciding how Personal Data is collected, stored, and Processed.
Data Processor: a Data Controller may appoint another organisation or person to carry out certain tasks in relation to the Personal Data on behalf of, and on the written instructions of, the Data Controller. These tasks might include, for example, hosting of a website, running of marketing mailshots, and providing payroll services.
Data Protection Laws: the Data Protection Act 2018 and the General Data Protection Regulation ((EU) 2016/679) (the GDPR) and such other laws as may be applicable from time to time, including any replacements.
Data Subject: a living individual to whom the Personal Data relates.
EEA: the European Economic Area (and the countries comprised in it).
GDPR: the General Data Protection Regulation ((EU) 2016/679).
ICO: the Information Commissioner’s Office.
Personal Data: any information from which a living individual (a Data Subject) can be identified. It does not apply to information that has been anonymised. Personal Data can come in many forms: at its simplest it may be a name, address, and telephone number, but it can include a wide range of matters such as an individual’s opinion or their preferences. Under GDPR, an IP address is also considered to be Personal Data.
Process (or similar words): any activity (or series of activities) in relation to Personal Data, which can include collection, recording, retrieval, storage, consultation, use, alteration or amendment, transmission, disclosure, or deletion or destruction of the Personal Data.
Profiling: automated Processing of Personal Data to evaluate certain things about a Data Subject (such as to analyse or predict aspects of that Data Subject’s personal preferences, behaviour, or location).
Special Categories of Personal Data: under GDPR, these are certain more sensitive types of Personal Data. This is any information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, or anything which is health, genetic, or biometric information.
Part II: Data protection responsibility
Compliance and compliance officers
MY LANGUAGE HUB LTD. is required to comply with Data Protection Laws. Our directors, employees, workers, contractors, and others in similar capacities are also required to comply with these laws. You must ensure that you read and understand this policy so that you know what you must and must not do, and what is required from you in relation to the handling and use of any Personal Data, in order for you and MY LANGUAGE HUB LTD. to comply with the Data Protection Laws.
If you do not comply with this policy, we may take disciplinary action against you.
We have appointed the Managing Director as our Data Protection Officer (referred to in this policy as the DPO) who has overall responsibility for overseeing MY LANGUAGE HUB LTD.’s compliance with Data Protection Laws. You can contact them in the following ways:
- admin@mylanguagehub.com
- +44 (0)1462 656577
You should contact the DPO if you have any questions or concerns about data protection, Data Protection Laws, this policy, and any breach of the laws or this policy.
This policy also indicates specific situations when you must contact the DPO, for example, when there is a Personal Data breach, before you use or handle data in a new way, or when you receive any request from an individual exercising any of their rights under the Data Protection Laws.
The Accountability Principle
MY LANGUAGE HUB LTD. is required to comply with the Data Protection Laws and to demonstrate its compliance with the Data Protection Laws (this is referred to in Data Protection Laws as the Accountability Principle).
Required measures
We are required to put in place measures to meet the requirements of the Accountability Principle and these measures include:
- adopting this Data Protection Policy;
- providing regular training to staff on Data Protection Laws and this Data Protection Policy (and other related policies, as relevant);
- implementing a ‘data protection by design and default’ approach (see Part VI, Section 1);
- having in place written contracts with any third parties who Process Personal Data on our behalf (see Part IV, Section 3.4);
- recording and maintaining documentation that sets out in full MY LANGUAGE HUB LTD.’s Processing activities (see below in this Part);
- implementing appropriate security measures (see Part IV, Section 1);
- recording and, where necessary, reporting Personal Data breaches (see Part V, );
- conducting data protection impact assessments for uses of Personal Data that are likely to result in high risk to Data Subjects’ interests and where required by Data Protection Laws (see Part VI, Section 2);
- conducting regular reviews and, where necessary, implementing updates to the above measures.
Record-keeping
The DPO has in place a central written record that explains in full all of the company’s Processing activities.
Where we are a Data Controller, these records must include (as a minimum):
- our name and contact details and those of any joint Controllers;
- (where applicable) the name and contact details of any DPO appointed;
- why the Personal Data is being processed;
- a description of the categories of people covered (the Data Subjects);
- a description of the categories of Personal Data involved;
- a description of the categories of recipients to whom the Personal Data will be disclosed (including details of transfers of Personal Data outside of the EEA, the details of the third country or organisation, and the safeguards in place);
- details of retention periods – i.e. for how long the data will be kept; and
- a description of the technical and organisational security measures that MY LANGUAGE HUB LTD. has put in place to protect the Personal Data.
Where we also act as a Data Processor, these records must include (as a minimum):
- our name and contact details;
- (where applicable) the name and contact details of any DPO appointed;
- the name and contact details of each Data Controller (including details of any DPO appointed by the Data Controller);
- the categories of Processing carried out on behalf of each Data Controller;
- details of transfers of Personal Data outside of the EEA and the safeguards in place (including the name of the third countries or organisation); and
- a description of the technical and organisational security measures that MY LANGUAGE HUB LTD. has put in place to protect the Personal Data.
These records can only be kept up to date if the DPO is kept fully informed about our Processing activities. So, where you or your team/department intend to carry out any new Processing, disclose Personal Data to a new third party, transfer Personal Data abroad, or do any of the other matters that may affect the records or other documentation that MY LANGUAGE HUB LTD. has in place, you should contact the DPO before carrying out these activities, to ensure that all documentation can be updated and also that, as a business, we remain compliant with Data Protection Laws.
Part III: Data protection principles
Overview
The GDPR has six main principles for the Processing of Personal Data. These are:
- Personal Data must be Processed lawfully, fairly, and transparently (Principle 1);
- Personal Data must only be collected and Processed for specified, explicit, and legitimate purposes (Principle 2);
- Personal Data must be adequate, relevant, and limited to what is necessary for the purpose(s) for which it is Processed (Principle 3);
- Personal Data must be accurate and where necessary, kept up to date (Principle 4);
- Personal Data must not be kept for longer than is necessary for the purposes for which it is Processed (Principle 5);
- Personal Data must be Processed securely, and appropriate measures must be taken to protect against unauthorised or unlawful Processing and against all accidental loss, destruction, or damage to the Personal Data (Principle 6).
We have set out below more detail about each of the above principles and how they apply to you and MY LANGUAGE HUB LTD.
Lawfulness, fairness, and transparency (Principle 1)
Personal Data must be Processed lawfully, fairly, and transparently.
MY LANGUAGE HUB LTD. must only collect and Process Personal Data where it has a ‘lawful reason’ for doing so. Those lawful reasons are set out in the GDPR and include:
- MY LANGUAGE HUB LTD. has the Consent of the Data Subject to Process their data for specific purpose(s);
- Processing is necessary in order for MY LANGUAGE HUB LTD. to perform its obligations in relation to an existing contract or a contract it is about to enter into with the Data Subject;
- Processing is necessary for a legal obligation that MY LANGUAGE HUB LTD. is subject to;
- Processing is necessary to protect the vital interests of the Data Subject or another person;
- Processing is necessary in MY LANGUAGE HUB LTD.’s or a third party’s legitimate interests, but only so long as those legitimate interests do not override the fundamental rights and freedoms of the Data Subject.
Where MY LANGUAGE HUB LTD. is relying on Consent as the lawful reason, there are specific requirements that must be complied with:
- the Consent itself must provide the Data Subject with sufficient information to ensure that they are informed and understand what they are being asked to consent to;
- the Consent must be by way of positive action – that is the Data Subject must positively agree. Silence and pre-ticked boxes do not count as Consent;
- any request for Consent must be separate to any other matters (for example, it should not be a condition of a contract or terms and conditions);
- records of Consent must be kept (for example, you must record when and how the Data Subject consented and what they were told).
The GDPR requires MY LANGUAGE HUB LTD. to keep a record of the lawful reason(s) it relies on to Process Personal Data. If you plan on carrying out Processing for a new purpose, if you are not sure which lawful reason applies to the Processing, or if you need help with ensuring that any Consent is GDPR-compliant, contact the DPO.
If MY LANGUAGE HUB LTD. Processes any Special Categories of Personal Data, it must identify the relevant lawful reason for Processing (as set out above) and it must also identify a separate condition for Processing those Special Categories of Personal Data. Those separate conditions include (among others):
- the Data Subject has provided their explicit Consent;
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of MY LANGUAGE HUB LTD. or of the Data Subject, under employment and social security and social protection law;
- Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent;
- Processing relates to Personal Data that are manifestly made public by the Data Subject;
- Processing is necessary for the establishment, exercise, or defence of legal claims; and
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
If you are intending to collect any Special Categories of Personal Data, are not sure which of the separate conditions applies, or if you need help with ensuring that any Processing of Personal Data is GDPR-compliant, contact the DPO.
As part of the fairness element of Principle 1, MY LANGUAGE HUB LTD. should only Process Personal Data in ways that a Data Subject would reasonably expect.
As part of the transparency element of Principle 1, where MY LANGUAGE HUB LTD. is acting as Data Controller, it must provide Data Subjects with certain information about its use of their Personal Data. This is usually done via a ‘privacy notice’. MY LANGUAGE HUB LTD. is required to comply with the following:
- the privacy notice must be in writing, clear, concise, transparent, and intelligible using clear and plain language (i.e. no jargon);
- the privacy notice must cover all the requirements required by the Data Protection Laws;
- where we collect the Personal Data directly from the Data Subject we must provide the privacy notice to the Data Subject at the point of first collection of the Personal Data;
- where we receive Personal Data indirectly (for example, from a third party or from a public source), we must provide the privacy notice to the Data Subject within a reasonable time of receiving the Personal Data (and no later than one month after receiving it) or, if earlier than that month deadline, at the point of first communication with the Data Subject or before the Personal Data is disclosed to a third party.
MY LANGUAGE HUB LTD. already has in place a privacy notice to cover its current activities. It is available from our website. You should check it very carefully to see if it is suitable; and, if it is not or you are not sure if it is suitable or if you have any questions in relation to it, you should contact the DPO for assistance and advice.
Purpose limitation (Principle 2)
Personal Data must only be collected and Processed for specified, explicit, and legitimate purposes.
You must not Process any Personal Data for any purposes that are incompatible with the original purposes that were disclosed (via a privacy notice) to the Data Subject when the Personal Data was first collected.
If you do intend to Process the Personal Data for further purposes, prior to taking any actions you must first speak to the DPO, who will be able to advise you whether it is possible and, if so, what steps need to be taken to comply with Data Protection Laws. The DPO will also need to update the documentation that MY LANGUAGE HUB LTD. has in place relating to the Processing of Personal Data to cover the new purposes.
Data minimisation (Principle 3)
Personal Data must be adequate, relevant, and limited to what is necessary for the purpose(s) for which it is Processed.
You should only collect the Personal Data you actually require to carry out your work. You should not collect anything beyond this.
You must not Process Personal Data for any reason other than to carry out your work.
Accuracy (Principle 4)
Personal Data must be accurate and, where necessary, kept up to date.
You must ensure that Personal Data is accurate when it is collected. You should check the accuracy of the Personal Data regularly. If Personal Data is not up to date or is inaccurate, you must update the Personal Data or erase it without delay, after taking into consideration the purposes for which the Personal Data was collected.
Storage limitation (Principle 5)
Personal Data must not be kept for longer than is necessary for the purposes for which it is Processed.
You must not keep Personal Data from which a Data Subject is identifiable for longer than is necessary for the purpose(s) for which the Personal Data was originally collected. Those purposes would also include any legal, accounting, regulatory, or similar obligations we have to retain the Personal Data.
MY LANGUAGE HUB LTD. has in place retention policies that set out retention periods for different types of data and information (including Personal Data) with which you must comply. These retention policies are available from our policy notice.
Where Personal Data is no longer required it should be deleted or destroyed from our systems and all paper copies of the Personal Data should also be securely destroyed.
Security, integrity, and confidentiality (Principle 6)
See Part IV, Section 1 immediately below for more details about Principle 6.
Part IV: Rights and obligations
Security
Principle 6 requires that Personal Data must be Processed securely, and appropriate measures must be taken to protect against unauthorised or unlawful Processing and against all accidental loss, destruction, or damage to the Personal Data.
Security, integrity, and confidentiality of Personal Data is of paramount importance. MY LANGUAGE HUB LTD. has implemented, and keeps under review, technical and organisational measures and safeguards to ensure the security of Personal Data. Security of Personal Data involves protecting the Personal Data against unauthorised or unlawful Processing and against all accidental loss, destruction, or damage to the Personal Data. MY LANGUAGE HUB LTD. regularly tests the effectiveness of the measures and safeguards it has in place and implements updates where necessary.
Although measures must be implemented and adhered to in relation to all Personal Data, extra measures and precautions must be considered in order to protect Special Categories of Personal Data and Personal Data that relates to criminal allegations, proceedings, convictions, and offences, given the highly sensitive nature of such data.
The Data Subject’s rights
The GDPR provides individuals with lots of rights in relation to their Personal Data. All staff should familiarise themselves with these rights so that they can recognise any requests that may be sent to them by Data Subjects. Those rights include:
- the right for the Data Subject to have access to their Personal Data (also known as subject access requests, and sometimes incorrectly referred to as ‘freedom of information requests’);
- the right for the Data Subject to have inaccurate personal data rectified, or completed if it is incomplete;
- the right for the Data Subject to have their Personal Data erased (also known as ‘the right to be forgotten’) (only in certain circumstances);
- the right for the Data Subject to request the restriction or suppression of their Personal Data (only in certain circumstances);
- the right for the Data Subject to receive or ask for the Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format (only in certain circumstances);
- the right for the Data Subject to object to Processing of their Personal Data for direct marketing purposes;
- the right for the Data Subject to object to Processing of their Personal Data (in certain circumstances);
- the right for the Data Subject to object to decisions based solely on Automated Decision-making, including Profiling;
- the right for the Data Subject to withdraw their Consent to Processing of Personal Data;
- the right for the Data Subject to be informed about the Processing of their Personal Data; and
- the right to complain to the ICO.
If you receive any of the above requests from a Data Subject, you should immediately contact the DPO. The DPO will either take responsibility for the request and respond to it accordingly or will advise you what to do.
It is extremely important that, before responding to any request or taking any action in respect of it, the identity of the person making the request is verified as the Data Subject, in order to ensure that Personal Data is not disclosed to any third party or in any way altered, and that rights are not exercised by someone other than the Data Subject.
Disclosure of/sharing Personal Data
MY LANGUAGE HUB LTD. must only disclose or share Personal Data where it is permitted to do so by Data Protection Laws. As a general rule, this means we must not share or disclose Personal Data to third parties.
Sharing/disclosing Personal Data can cover many scenarios. In its simplest form, it could be sending Personal Data to a third party by email. However, it can also cover upload (and therefore disclosure) of Personal Data on to systems that MY LANGUAGE HUB LTD. uses but that are run by third parties (e.g. our suppliers and service providers).
In addition to the above, there are specific rules around the transfer of Personal Data outside of the EEA. The transfer of Personal Data to a country outside of the EEA occurs when that Personal Data is sent or transferred to or viewed or accessed in a country outside of the EEA.
Where you do need to share or disclose Personal Data to a third party, MY LANGUAGE HUB LTD. must ensure that the following conditions have first been met/are in place:
- that the third party has a business need to have access to that Personal Data (for example, if they can carry out the services required without the Personal Data or with information that has been anonymised the Personal Data should not be disclosed to them);
- that the disclosure of the Personal Data was explained in the privacy notice given to the relevant Data Subject; and, if their Consent is required, this has been obtained;
- the third party has entered into a contract with MY LANGUAGE HUB LTD. that contains GDPR-compliant clauses in relation to the sharing/disclosure of Personal Data;
- to the extent not covered in a written contract with the third party, MY LANGUAGE HUB LTD. must have received assurances from the third party surrounding the security measures it has in place to protect the Personal Data shared with/disclosed to it; and
- where the sharing/disclosure will result in a transfer of Personal Data outside of the EEA, that this complies with such safeguards and measures as are required by GDPR.
If you have any questions relating to the sharing or disclosure of Personal Data, including whether the sharing/disclosure complies with the above requirements, please contact the DPO. Before disclosing Personal Data to a new third party or entering into a contract with a new supplier/service provider that involves the disclosure of Personal Data, contact the DPO. They can then assist with ensuring compliance with Data Protection Laws and can ensure that all internal policies, procedures, documents, and records are updated (where required).
Part V: Personal Data breaches
A personal data breach is where a breach of security occurs that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
Although it is impossible to provide an exhaustive list of what constitutes a personal data breach, examples include:
- an email containing Personal Data being sent to the wrong person;
- papers or records containing Personal Data being stolen or left in a public place;
- access to Personal Data by an unauthorised staff member or by a third party;
- access to our systems by a hacker or similar unauthorised access.
A personal data breach can be accidental or deliberate.
If you become aware of a personal data breach, or if you suspect a personal data breach has occurred or is occurring, you must immediately inform the DPO as a matter of urgency. This is especially important because MY LANGUAGE HUB LTD. has limited timescales to investigate the personal data breach and, if required, to report it to the ICO. If you have any records, information, or documentation relating to the personal data breach, you should also provide these to the DPO.
The DPO will be responsible for investigating and dealing with the personal data breach. The DPO will decide whether the personal data breach needs to be reported to the ICO and/or relevant Data Subjects. If the DPO decides that the personal data breach needs to be reported to the ICO, they will do so within 72 hours after MY LANGUAGE HUB LTD. became aware of the breach.
The DPO will maintain a register of all data protection breaches (whether or not such breaches are reported to the ICO).
Part VI: Data-protection-related matters
Data protection by design and default
Data Protection Laws require MY LANGUAGE HUB LTD. to ensure that data protection is integrated into all our Processing activities and practices.
This means that MY LANGUAGE HUB LTD. must implement technical and organisational measures at the very beginning of a project and throughout the lifecycle of its Processing activities, systems, programs and practices. For example, data protection should be at the heart of any new IT systems, services, practices, or policies that involve Personal Data.
It also means that MY LANGUAGE HUB LTD. must have a data-protection-first approach, such as ensuring that Personal Data is automatically protected by our systems, that only those staff with a business need-to-know have access to the Personal Data, and by ensuring that we only Process Personal Data that is necessary to the purposes for which it is Processed. It is linked to Principle 2 (Purpose limitation) and Principle 3 (Data minimisation).
Data protection impact assessments
MY LANGUAGE HUB LTD. must carry out a data protection impact assessment (DPIA) for any Processing that is likely to result in a high risk to Data Subjects. A DPIA must also be carried out for:
- any Automated Decision-making (including Profiling) with legal or similar effects (see this Part, Section 3);
- large-scale Processing of Special Categories of Personal Data or data relating to criminal convictions or offences;
- large-scale systematic monitoring of publicly accessible places;
- use of new technologies;
- use of Profiling or Special Categories of Personal Data to decide on access to services;
- large-scale Profiling of Data Subjects;
- Processing of any biometric or genetic data;
- matching or combining datasets from different sources;
- collecting Personal Data from someone other than the Data Subject without providing the Data Subject with a privacy notice;
- tracking the Data Subject’s location or behaviour;
- carrying out Profiling on children or targeting marketing or online services to them; or
- Processing any Personal Data that might endanger the Data Subject’s physical health or safety in the event of a personal data breach.
It is also good practice for DPIAs to be carried out for any major projects that involve the Processing of Personal Data or where Processing is large scale, involves Profiling or monitoring, involves Special Categories of Personal Data, or relates to vulnerable individuals.
If you think that a DPIA is required, or if you are not sure if one is required, you should contact the DPO who will be able to assist you.
A DPIA must:
- describe the nature, scope, context, and purposes of Processing;
- assess necessity, proportionality, and compliance measures;
- identify and assess the risks to Data Subjects; and
- identify any additional measures that may reduce those risks.
Automated Decision-making and Profiling
Under Data Protection Laws, Automated Decision-making (including Profiling) that has a legal or similar effect on the Data Subject is prohibited unless MY LANGUAGE HUB LTD. meets one of three specific grounds that lifts the restriction.
Examples of Automated Decision-making include an online decision to make a loan or a recruitment test that uses algorithms and other criteria. In each case the decision must be solely automated, with no human involvement in the decision.
Before undertaking any Automated Decision-making, including Profiling, you must contact the DPO who will be able to assist you in ensuring compliance with the Data Protection Laws.
If MY LANGUAGE HUB LTD. carries out Automated Decision-making that does not produce legal or similar effects, it is not prohibited from doing this. However, we must still comply with the Data Protection Laws.
MY LANGUAGE HUB LTD. must carry out a DPIA if it intends to use Automated Decision-making that produces a legal or similar effect on the Data Subject, but it is good practice to carry out a DPIA for any Automated Decision-making, even if it does not produce legal or similar effects.
Direct marketing
Any marketing to customers and other business contacts must be carried out strictly in compliance with Data Protection Laws and laws relating to marketing.
The marketing laws are complex and depend on how the marketing is to be conducted (e.g. letter, telephone, or email) and who the intended recipients are (e.g. individuals (including sole traders and partners of partnerships) or companies).
Before undertaking any direct marketing, you must contact the DPO who will be able to assist you in ensuring compliance with the marketing laws and the Data Protection Laws.
Data Subjects have the right to opt out of receiving direct marketing at any time. If you receive a request objecting to direct marketing or a Data Subject opts out/unsubscribes from receiving it, you should promptly ensure that this is noted on our database. Under Data Protection Laws, rather than deleting their details from our database, we are allowed to retain just enough information to record their marketing preferences so we can ensure that no further marketing is sent to them in the future.
If you have any questions about this data protection policy or other matters relating to data protection, please contact the DPO using the contact details set out in this policy (Part II, Section 1.3).