Truly Scrumptious E Y Nursery 

General Data Protection Regulations (GDPR) Policy

Truly Scrumptious E Y Nursery

General Data Protection Regulations (GDPR) Policy

The General Data Protection Regulation (GDPR) is a new EU law came into effect on 25th May 2018 replacing the current Data Protection Act 1998. It will give individuals greater control over their own personal data. As a nursery it is necessary for us to collect personal information about the children who attend as well as staff and parents/carers.

Truly scrumptious Nursery is registered with the Information Commissions Office, ICO, under registration reference: Z2390392 and has been registered since 23rd September 2010 the certificate can be viewed on the parent’s display.

GDPR principle

GDPR condenses the Data Protection Principles into 8 areas, which are referred to as the Privacy Principles. They are:

  1. You must have a lawful reason for collecting personal data and must do it in a fair and transparent way.
  2. You must only use the data for the reason it is initially obtained.
  3. You must not collect any more data than is necessary.
  4. It must be accurate and there must be mechanisms in place to keep it up to date.
  5. You cannot keep it any longer than needed.
  6. You must protect the personal data.
  7. You must have appropriate measures against unauthorised or unlawful processing or personal data and against accidental loss or destruction/damage to personal Data.
  8. Personal Data shall not be transferred to any outside agency or country within the EU that does not comply with the new General data protection regulations.


The GDPR provides the following rights for individuals:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erase.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision-making and profiling.


There are two main roles under the GDPR: the data controller and the data processor. As a childcare provider, we are the data controller. The data is our data that we have collected about the children and their families. We have contracts with other companies to process data, which makes them the data processor. The two roles have some differences but the principles of GDPR apply to both. We have a responsibility to ensure that other companies we work with are also GDPR compliant.


Lawful basis for processing personal data

We must have a lawful basis for processing all personal data within our organisation and this is recorded on our Information audit for all the different information we collect. The six reasons as follows:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

For the majority of data we collect, the lawful basis for doing so falls under the category of ‘legal obligation’ such as names, date of birth and addresses as we have a legal requirement to obtain this data as part of the Statutory Framework for the Early Years Foundation Stage.

Some data we collect, for example, photographs, requires parents to give consent for us to do so. Where this is the case, parents will be required to sign a consent form to ‘opt in’ and are made aware that they have the right to withdraw their consent at any time.

We may also be required to collect data as part of parent’s contract with the setting or local authority, for example, for us to claim government funding.

Data retention

We will hold information about individuals only for as long as the law says and no longer than necessary. After this, we will dispose of it securely. Please see a copy of the Retention periods for records.


We keep data about all individuals secure and aim to protect data against unauthorised change, damage, loss or theft. All data collected is only accessed by authorised individuals. All paper forms are kept locked away and all computers and tablets are password protected.


Privacy notices

All parents and staff are provided with privacy notices which inform them of our procedures around how and why we collect data, information sharing, security, data retention, access to their records and our commitment to compliance with the GDPR act 2018.


Ensuring compliance

The member of staff responsible for ensuring that the setting is compliant is Patricia, Hayley & Brittany. Their main duties are:

  • Ensure that the provision is compliant with GDPR.
  • Audit all personal data held.
  • Ensure all staff are aware of their responsibilities under the law, this may include delivering staff training.
  • Undertake investigations when there is a breach of personal data and report to the Information Commissions Office, ICO.
  • Keep up to date with the legislation.

Legal framework

  • The General Data Protection Regulation (2018)
  • Human Rights Act 1998





Policy Written By Brittany V – May 2018 

Reviewed by Brittany V – 2023