GDPR Compliance Policy
Effective Date: January 1, 2026 · Document ID: BHE-AMB-GDPR-2026
1. Data Protection Commitment
BHE Uni is committed to safeguarding the privacy and personal data of our student ambassadors, alumni, and referred prospective students. This document outlines our technical controls, processes, and guidelines in compliance with the General Data Protection Regulation (GDPR) and UK Data Protection Laws.
2. Security & Encryption Controls
All data collected within the Ambassador and Rewards Programme is secured using industry-standard enterprise controls:
- Encryption at Rest: Secure storage utilizing AES-256 standard encryption keys.
- Encryption in Transit: Secure end-to-end communication channels encrypted via TLS 1.3 protocols.
- Role-Based Access Control (RBAC): Access restricted to authorized Recruitment Officers, Compliance Officers, and Administrators.
- Identity Verification: Mandatory multi-factor authentication (MFA) required for administrative portals.
3. Data Retention Schedule
In alignment with GDPR minimization guidelines, data is retained only as long as necessary for administrative and legal audits:
| Data Category | Retention Period | Expiry Action |
|---|---|---|
| Active Ambassador Profiles | Indefinite | None (During active membership) |
| Inactive Accounts | 3 Years of inactivity | Full Profile Anonymisation |
| Lead Referral Records | 5 Years | Permanent Database Deletion |
| Reward Transactions | 7 Years | HMRC Compliance Archival |
| Security & Audit Logs | 2 Years | Log Rotation & Purge |
4. Consent Management
No student referral can be logged without active consent:
- Ambassadors must obtain explicit, verbal, or digital agreement from the referred candidate before submitting their contact details.
- An automated verification email is immediately dispatched to the referred candidate requesting confirmation and opt-in approval.
- Consent can be withdrawn by any user or lead at any time by contacting our compliance desk.
5. Your Data Rights
Under GDPR regulations, you hold the following rights regarding BHE Uni processing of your personal credentials:
- Right of Access: Request a full export of all personal data held.
- Right of Correction: Update or edit inaccurate details via the Settings module.
- Right of Erasure ("Right to be Forgotten"): Request complete deletion of your account and credentials (subject to transactional ledger requirements).
- Data Portability: Export transfer logs and earning history structures in standard format.
For questions regarding data protection practices, please contact BHE Uni Compliance Desk at compliance@bheuni.uk.