GDPR Compliance

Last updated: April 15, 2026

Our Commitment to Data Protection

Boggl Tkes operates in accordance with the UK General Data Protection Regulation and Data Protection Act 2018. These frameworks establish your rights regarding personal information and our responsibilities as a data controller.

This document explains how we meet those obligations and what rights you can exercise regarding the personal data we hold.

Lawful Basis for Processing

We process personal information only when we have a valid legal basis to do so. The primary grounds we rely on include:

Contractual Necessity

When you enroll for music lessons, we enter into a service agreement. Processing your contact details, scheduling preferences, and payment information is essential to fulfilling this contract.

Legitimate Interest

We have legitimate business interests in maintaining student records, improving our teaching methods, and managing our operations effectively. We process data for these purposes only when your rights and freedoms are not overridden by those interests.

Legal Obligation

Certain data processing is required by law, particularly regarding financial records, safeguarding responsibilities for students under eighteen, and employment regulations for our instructors.

Consent

For activities like sending occasional newsletters or taking photographs at student recitals, we seek your explicit consent. You can withdraw consent at any time without affecting other aspects of our relationship.

Your Rights Under GDPR

Right to Be Informed

You have the right to know what personal data we collect, why we need it, how long we keep it, and who else might see it. Our privacy policy and this document fulfill that obligation.

Right of Access

You can request a copy of the personal information we hold about you. We'll provide this within thirty days at no charge. If you make repeated requests within a short period, we may charge a reasonable administrative fee for subsequent copies.

Right to Rectification

If any personal details we hold are inaccurate or incomplete, you can ask us to correct them. We'll update our records promptly and notify any third parties who received the incorrect information if appropriate.

Right to Erasure

Under certain circumstances, you can request deletion of your personal data. We'll comply unless we have legitimate grounds to retain it, such as legal obligations to maintain financial records or ongoing contractual relationships.

Right to Restrict Processing

You can ask us to limit how we use your data while we resolve disputes about accuracy or legitimate interests. During restriction, we'll store your information but not actively process it except with your consent.

Right to Data Portability

When processing is based on consent or contract and carried out by automated means, you can request your data in a commonly used electronic format. We'll provide it so you can transfer the information to another service provider if desired.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We'll stop processing unless we can demonstrate compelling legitimate grounds that override your rights.

Rights Related to Automated Decision Making

We do not use automated systems to make significant decisions about individuals without human involvement. All decisions regarding lesson placement, progress assessment, and similar matters involve instructor judgment.

How We Protect Your Data

Data security is not merely a legal requirement but a practical necessity for maintaining trust. We implement several layers of protection:

  • Access to personal data is restricted to staff members who need it for their specific roles
  • Digital records are stored on secure servers with encryption and regular backups
  • Physical documents containing personal information are kept in locked storage
  • Staff receive training on data protection responsibilities and proper handling procedures
  • We regularly review our security measures and update them to address emerging risks

In the unlikely event of a data breach that poses risk to your rights and freedoms, we'll notify you and the Information Commissioner's Office within 72 hours as required by law.

International Data Transfers

Your personal information is stored and processed within the United Kingdom. We do not routinely transfer data to countries outside the UK or European Economic Area.

If exceptional circumstances require international transfer, we'll ensure appropriate safeguards are in place and inform you beforehand.

Children's Data

For students under thirteen, we rely on parental consent for data processing. Parents and guardians can exercise all GDPR rights on behalf of their children.

Students between thirteen and eighteen can exercise some rights independently, though we typically involve parents or guardians in decisions about their child's education and wellbeing.

We collect only data directly relevant to providing music instruction and maintaining appropriate safeguarding measures.

Data Retention Periods

We retain personal information only as long as necessary for the purposes collected:

  • Active student records: maintained for the duration of enrollment plus seven years
  • Financial records: retained for seven years to comply with tax and accounting requirements
  • Inquiry records: kept for two years if you don't enroll, allowing us to follow up appropriately
  • Marketing consent: maintained until withdrawn or after three years of inactivity

After these periods, data is securely deleted or anonymized so it can no longer identify individuals.

Third Party Data Processors

Some operational functions involve third parties who process data on our behalf. These include payment processors, accounting software providers, and communication platforms. All such processors:

  • Are contractually obligated to handle data only as we instruct
  • Must implement appropriate security measures
  • Cannot use your data for their own purposes
  • Must notify us immediately of any data breaches

We conduct due diligence before engaging any data processor and monitor their compliance regularly.

Making a Request

To exercise any of your GDPR rights, contact us at [email protected] with "GDPR Request" in the subject line. Include:

  • Your full name and contact details
  • Which right you wish to exercise
  • Any specific information or time periods relevant to your request

We may ask for identification to confirm your identity before fulfilling the request. This protects your information from unauthorized access.

We'll respond within thirty days. If your request is complex or we receive multiple requests simultaneously, we may extend this by two additional months with explanation.

Right to Lodge a Complaint

If you believe we've mishandled your personal data or failed to respect your rights, you can lodge a complaint with the supervisory authority:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

We'd appreciate the opportunity to address your concerns directly first, but you have the right to contact the ICO at any time.

Changes to This Statement

We review our GDPR compliance regularly and update this statement as needed to reflect changes in our practices or legal requirements. The date at the top of this page indicates when it was last revised.

Significant changes will be communicated to current students via email or through notices posted prominently on our premises.