GDPR Basics for Schools and Organisations (Controller vs Processor)

Who is this for?

Tenant Admins

Overview

Understanding your role under the UK General Data Protection Regulation (UK GDPR) is critical for compliance. This guide clarifies the division of responsibility between you (the School/Club) and Oakline.

Roles Explained

Data Controller: You (The Tenant)

As the organization that decides why and how personal data is processed, you are the Data Controller.

You collect data from parents (names, medical info, etc.).
You decide how long to keep it.
You are responsible for obtaining consent (e.g., for photos).

Data Processor: Oakline

Oakline is the Data Processor. We process data on your behalf and strictly according to your instructions (i.e., when you use the software to store a record).

We provide the secure platform for you to store and manage data.
We do not use your customer data for our own marketing purposes.
We assist you in meeting your compliance obligations (e.g., providing export tools).

Responsibilities Table

Responsibility	You (Controller)	Oakline (Processor)
Legal Basis	Establish legal basis (e.g., contract, consent)	Process only as instructed
Transparency	Inform parents via your Privacy Policy	Maintain platform security
Rights	Respond to Subject Access Requests	Provide tools to help you respond
Breaches	Notify ICO if required	Notify you without undue delay

Learning Journey and Transparency

Oakline includes a Learning Journey feature that can help you share attendance records, session notes and tagged photos with families.

This can support transparency with parents and carers, but you remain responsible for deciding what to record, what to publish and how long records should be retained.

Photo sharing should follow your own safeguarding and consent policies.