Data Protection and Security Policy

1. Introduction

1.1 LFG Education Consulting (“LFG”) is committed to protecting the privacy and security of personal data, in line with the EU and UK General Data Protection Regulation (GDPR) and the Spanish Data Protection Act (LOPDGDD).
1.2 This policy explains how we collect, use, store, and protect personal data in the course of providing educational consultancy services.
1.3 As both the sole employee and Data Protection Officer (DPO), the Director of LFG is responsible for ensuring data protection compliance.

2. Scope

2.1 This policy applies to:

  • All personal data processed by LFG.
  • All services involving student or partner information.
  • All data transfers between Spain, the UK, or any third country.

2.2 It covers interactions with clients (students/applicants), universities, and third parties where data is shared for the purpose of service delivery.

3. Data Protection Principles

LFG follows the core principles of GDPR:

  • Lawfulness, fairness & transparency – Data is processed openly and within legal boundaries.
  • Purpose limitation – Data is collected for clearly stated, legitimate purposes.
  • Data minimisation – Only necessary information is collected.
  • Accuracy – Efforts are made to ensure data is up to date.
  • Storage limitation – Data is not kept longer than needed.
  • Integrity and confidentiality – Reasonable measures are in place to secure data against misuse, access, or loss.

LFG processes personal data under the following lawful grounds:

  • Contract – To deliver educational consultancy services as agreed.
  • Legal obligation – To comply with tax or regulatory requirements.
  • Legitimate interest – To operate efficiently while respecting your privacy rights.
  • Consent – When required (e.g. for direct marketing or sharing with partner or non-partner institutions).

5. Data Subject Rights

Individuals have the right to:

  • Be informed about how their data is used
  • Access their data
  • Request correction or deletion
  • Restrict or object to certain processing
  • Receive a copy of their data in a portable format

To exercise any of these rights, email compliance@lfgeducation.com. We respond within 30 calendar days.

Confidentiality Clause:
All requests will be treated with strict confidentiality. Verification of identity may be required before processing any request.

6. Data Security Measures

LFG employs proportionate security measures:

  • Password-protected and encrypted files
  • Secure cloud storage using GDPR-compliant providers
  • Routine data backups
  • Limited access to personal data
  • Secure disposal of data when no longer needed

7. Data Retention

Data is retained only as long as necessary:

  • Students/applicants – 5 years post-service
  • Universities/partners – 7 years (legal/accounting requirement)
  • Marketing lists – Until consent is withdrawn

When retention is no longer required, data is securely deleted or anonymised.

8. Data Breaches

In the event of a breach, LFG will:

  • Assess the scale and impact
  • Inform affected individuals if required
  • Report to the AEPD (Spain) or ICO (UK), if legally necessary
  • Apply corrective measures to prevent recurrence

9. Data Transfers

If data is transferred outside the EU/UK:

  • We will use adequacy decisions, Standard Contractual Clauses (SCCs), or request explicit consent.
  • Transfers are only made when necessary for service delivery.

10. Policy Review

This policy is reviewed annually or following regulatory changes.
Any material updates will be communicated to affected parties.

LFG Education Consulting | Version 1 | Last updated: June 2025

en_GBEnglish (UK)
es_ESEspañol en_GBEnglish (UK)