Policy Statement & Introduction 

The In4Wood Project is committed to ensuring that it remains compliant at all times with its legal obligations and responsibilities under the Data Protection Act (DPA) 1998 and the General Data Protection Regulations (GDPR). Data protection concerns personal data, i.e. information from which an individual can be identified. This includes data held on electronic systems and hard copies.

The In4Wood Project is a collaborative project, part funded by the EU Commission’s ErasmusPlus programme.

In order to achieve its project ambitions and deliver the project, In4Wood has to collect and make use of personal information about users of its online system. In4Wood is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.


This policy is applicable to all personal data/information processed by In4Wood or for In4Wood purposes. It will apply to all staff, partner organisations, consultants or agents performing work for or on behalf of the business.


The In4Wood Project’s Project Manager has overall responsibility for ensuring that this policy is implemented. These responsibilities are shown at Annex 1.


From time to time we will make changes to this Privacy Policy, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally. You should check our website periodically to view the most up-to-date Privacy Policy. This Privacy Policy was last updated on 16th June 2019.


Compliance with the Principles of the GDPR

The In4Wood Project collects the minimum amount of data and processes this fairly and lawfully.

The following candidate data is collected via the database for the purposes of registration, certification and reporting:

Other personal data held, includes:

Data that the platform can gather

- IP Address

- Social Network ID and session token ( if user makes social login )

- Google analytics


For the cookies

- Google analytics

  1. Obtains data only for specified and lawful purposes, and processes this for the purposes for which it was obtained, and for which the individual has agreed.

  1. Collects data that it is relevant, adequate, and of proportionate.

  1. Makes every effort to ensure that data held is kept up-to-date with regularly reviews of data held and cleansing of databases.

  1. Keeps under review the length of time data is kept for, storing data for specific purposes only and not keeping for longer than deemed necessary

  1. Ensures that individuals are aware of the purposes of processing data supplied by them.

  1. Ensures that electronic systems that store data are secure and restricting access to these.

  1. Does not to transfer data to any country or territory outside of the European Economic Area.


Training on data protection aspects will be provided as necessary and as appropriate either using internal or external facilitation. 

Related Information

Within this policy statement there are references to other related policies and procedures which include:


4.2 Privacy Notices

  1. The GDPR includes rules on giving privacy information to data subjects. These are more detailed and specific than in the Data Protection Act (DPA) and place an emphasis on making privacy notices understandable and accessible. The information that The In4Wood Project provides about processing date is therefore:

The In4Wood Project complies with the GDPR requirements by ensuring our privacy statement includes:

See Annex 2. The In4Wood Project identify the legal basis for processing personal data before any processing operations take place by clearly establishing, defining and documenting the specific purpose of processing the personal data and the legal basis to process the data under:

Any special categories of personal data processed and the legal basis to process the data under:


The In4Wood Project record this information in line with its data protection impact assessment.

When personal data is collected from data subjects with consent The In4Wood Project is transparent in its processing of personal data and provides the data subject with the following:

When personal data has been obtained from a source other than the data subject The In4Wood Project makes clear the types of information collected as well as the source of the personal data and provides the data subject with:

Privacy notice for this personal data processing is recorded.

4.2 Data security breach

Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security. Notification of a personal data breach will be made by the Project Manager.

Data security breaches include both confirmed and suspected incidents. An incident is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately and has caused or has the potential to cause damage to In4Wood’s information assets and/or reputation. An incident includes but is not restricted to, the following:


Data Corruption; Malware; Corrupt Code; Hacking


Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record); Equipment theft or failure; Unescorted visitors in secure areas; Break-ins to sites; Thefts from secure sites; Loss in transit/post; Website defacement; Unforeseen circumstances such as a fire or flood.

Human Resources

Data Input errors; Non-secure disposal of hardware or paperwork; Inappropriate sharing; Attempts (failed or successful) to gain unauthorised access to information or IT system(s); Unauthorised disclosure of sensitive / confidential data; ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it.

The In4Wood Project will notify data subjects of any breach that may affect them. Notification will include a description of how and when the breach occurred, and the data involved. Clear advice will be given on what they can do to protect themselves and include what action has already been taken to mitigate the risks.

4.3 Data Portability

The In4Wood Project informs data subjects of the existence of the new right to portability at the time where personal data is obtained. Data subjects may exercise their right to data portability and apply to The In4Wood Project to receive their data in order to reuse or transfer it to other data controllers.  Data subjects are entitled to ask:

Within this scope is any personal data concerning the data subject that:

This procedure will most commonly be used when transmitting data directly to another data controller. This procedure also applies to circumstances when The In4Wood Project is the “receiving data controller”.

The In4Wood Project (as data controller/data processor) is responsible for transmitting the data without hindrance and ensure that it is transmitted with the appropriate level of security with encryption.

Any request is forwarded to the Project Manager to ensure that the requested data is provided/transmitted within the timeframe.

Where the data requested concerns a third party(ies), the Project Manager reviews whether or not transmitting data to another data controller would cause harm to the rights and freedoms of other data subjects. The data subject identifies the personal data that is to be transmitted or provided for their own use. The Project Manager maintains a record of requests for data and of its receipt. In4Wood has set safeguards that ensure the personal data transmitted are only those that the data subject has requested to be transmitted.

The In4Wood Project seek to provide the requested information within one month from the request date. If the request is complex, In4Wood can extend this time frame to (maximum) three months. In4Wood inform the data subject of any reasons for the delay.

The In4Wood Project do not by default accept and process personal data received from another data controller following a personal data request nor does it retain all the data received. The In4Wood Project only accept and retains data that is necessary and relevant to the service being provided.

4.3 Requests for information

Individuals are entitled to make requests to In4Wood for copies of any information held about them. This is called a ‘subject access request’. The In4Wood Project will consider the request in accordance with the ICO publication ‘Subject Access Code of Practice’ (2014).

Information will be supplied where:

In4Wood will respond within 40 calendar days.

If In4Wood fails to act on a data subject’s access request within the appropriate timeframe, or refuses the request, it sets out the reasons it took no action/refusal.

4.4 Monitoring

The implementation of this policy is monitored though internal audits as described in In4Wood’s Audit Policy and Audit Procedure. This includes the development of an Audit Plan to include Privacy Audits with the objective to ensure compliance with the General Data Protection Regulations (GPDR).

4.4 Complaints

Data subjects have the right to make a complaint to IN4WOOD relating to the processing of their personal data, In4Wood’s handling of requests from data subjects. Complaints should be directed to In4Wood’s Project Manager whose contact details are published on its website.

The Project Manager logs all complaints relating to data protection matters and is responsible for their resolution.

Data subjects have the right to complain direct to the Information Commissioners Office (ICO).



To drive compliance with the EU General Data Protection Regulation (GDPR) and ensure ongoing compliance of all core activities for In4Wood. May form part of other roles.


The Project Manager also conforms as the Data Protection Officer, note that Article 24(1) states that data protection compliance is a corporate responsibility of the data controller, not of the Data Protection Officer / Project Manager.


The Project Manager will maintain expert knowledge of data protection law and practices to ensure that The In4Wood Project comply with the requirements of the GDPR.

The Project Manager:

Key tasks of the Project Manager:

  1. To inform and advise all members of staff on their obligation to adhere to the GDPR and law(s) when dealing with personal data.

  2. To monitor compliance with the GDPR and law(s).

  3. Advise and inform on the data protection impact assessment (DPIA)

  4. Liaise and cooperate with the supervisory authority

  5. To contribute to the development and maintenance of all IN4WOOD data protection policies, procedures and processes

  6. Ensure training is available and delivered to staff

  7. Regularly monitor compliance with the GDPR and data protection law(s) by ensuring audits of processes relating to personal data

  8. To be the point of contact for data subjects with regard to the processing of their personal data

  9. To develop/advise on formal procedures for reporting incidents and investigations

  10. To contribute to the business continuity and disaster recovery planning process.

  11. Work with information asset owners to ascertain the extent to which personal data is collected, held and/or used in The In4Wood Project and that it is properly controlled and safeguarded from loss of confidentiality, integrity or availability from any cause.

  12. To ensure that records of the processing are kept by The In4Wood Project

  13. To advise the controller of its obligation to issue privacy notices to data subjects at the point of collection of their personal data

  14. To identify and test the controls and, where appropriate, to suggest additional controls, which may be established to maintain the confidentiality, integrity and availability of personal data.

The Project Manager is authorised to have access to all In4Wood systems relating to the collection, processing and storage of personal data for the purpose of assessing the use and security of personal data.



Mandatory requirements for a DPO



Is processing carried out by a public authority or body, (not courts)?

Is processing carried out by a court, but not in relation to the court’s judicial capacity (e.g. courts processing personal data in their capacity as an employer)?




If yes, a DPO is required

Are you a national, regional or local authority?


Do you carry out tasks on behalf of the public that are governed by public or private law in sectors such as:

- public transport services

- water and energy supply

- road infrastructure

- public service broadcasting

- public housing

- disciplinary bodies for regulated professions



Do the core activities of organisation name (controller or processor) consist of data processing operations? Do these activities require regular and systematic monitoring of data subjects on a large scale?



If yes, a DPO is required

Are these activities performed at particular intervals for a particular period?


Do they recur or are they repeated at fixed times?


Do they constantly or periodically take place?


Do they occur according to a systematic approach?


Are they pre-arranged, organised or methodological?


Are they part of a general plan for data collection?


Are they carried our as part of a strategy?


Do you conduct large-scale processing operations of special categories of data, or of personal data relating to criminal convictions and offences or related security measures?


If yes, a DPO is required

How many data subjects are concerned?


What is the volume of data being processed?


What is the range of different data being processed?


How long is the data processing activity?


What is the permanence of the data processing activity?


Does the data processed contain special categories such as:

- Racial or ethnic origin

- Political opinions

- Religious or philosophical beliefs

- Trade-union memberships

- Genetic data

- Biometric data

- Health

- Sexual orientation

- Criminal convictions and offences

- Security measures related to criminal convictions


Voluntary designation of a DPO * in addition to the above requirements



Have you considered the nature and scope of the processing?


Have you considered the context and purposes of the processing?


Have you considered the size, complexity and diversity of the processing against the business operations?


Have these been reviewed and considered in conjunction with the acceptable level of risk to business as to whether appoint a DPO or not?


Business justification for not designating a (DPO):

  • In4Wood are not a public authority, our core activities are not large scale and do not consist of large scale processing of special categories of data or data relating to criminal convictions and offences. Therefore, we are not required to appoint a Data Protection Officer. However, we do take compliance very seriously and conform with the GDPR.



Identity and contact details

If you would like to discuss anything in this privacy notice, please contact the In4Wood Project Manager.

Purpose of the processing

In4Wood take your privacy seriously and will only use your personal information to administer your account, personalise your use of the website, and to provide the products and services you have requested from us. In order for ‘users’ to use some of our online services and to respond to enquiries we need to collect and process various personal data. The personal data we collect is used to process your request for our services. All information provided will be treated as confidential and will only be used for the purpose intended.  Anyone can contact IN4WOOD to correct or update personal information in our records.

What information do we collect?

The sort of information we hold student contact details. If you contact us, we may keep a record of that correspondence.

What do we use personal information for?

We may use the information we hold about you to provide you with products and services requested by you. We use candidate data to issue certificates.


We will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify In4Wood of any changes to information held about them.

The lawful basis

In4Wood will process data for the specific and lawful purpose for which it is collected and not further process the data in a manner incompatible with this purpose.

We collect and use information for general purposes where:

Categories of personal data

We will ensure that the reason for which it collected the data originally is the only reason for which it processes those data. We will ensure that the data is adequate, relevant and not excessive in relation to the purpose for which it is processed

Personal data

We may collect ‘personal data’ relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This may include the data subjects name, identification number, location data or online identifier.

Sensitive Personal Data

We may, from time to time, be required to process sensitive personal data. Sensitive personal data include data relating to gender, race, and disability.

Disclosure to third parties

We will not sell or license your personal information to any third party. However, we may disclose your personal information:

Details of transfers to third country  

We will not transfer your personal information to countries outside of the European Economic Area that do not have adequate data security law.

Retention period

In4Wood may retain data for differing periods of time for different purposes.

Data subject’s rights

You have the right to request access to information about you that we hold. You also have the right to:

Any data subject wishing to access their personal data should put their request in writing to the Project Manager who will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 40 days.

The right to withdraw consent

Withdrawal of consent shall be without effect to the lawfulness of processing based on consent before its withdrawal.

You may withdraw consent at any time by putting your request in writing to the Project Manager who will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 40 days.

The right to lodge a complaint

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance by contacting the Project Manager.

The source the personal data

All personal information provided to us is either stored on our secure servers located in the UK, or on the secure servers of sub-contractors that we have engaged to provide services on our behalf.

Statutory or contractual requirements

We will make you aware if we need to collect data for the purpose of statutory or contractual requirements. We will keep this data and use it to enable us to run our business and manage our relationship with you effectively, lawfully and appropriately.

Websites and cookies

This section applies to anyone accessing In4Wood website. A cookie is a small file downloaded on to your device when you access In4Wood website. Cookies allow the website to recognise your device. Session cookies will remember your selections as you browse the site. These cookies are for the browsing session and not stored long term. No personal information is collected by these cookies.

Google Analytics cookies help us to make the website better for you by providing us with user statistics, for example: which pages are the most visited; how a user navigates the site. No personal information is collected by these cookies.

You may delete or control the use of cookies through your browser settings, but this may limit the functionally of the website. The site and our computer systems have security measures in place with the aim of protecting the loss, misuse or alteration of the information ‘users’ provide to us. To find out more about cookies and what cookies might be stored on your device, visit or