1. INTRODUCTION

SMS-HEG is committed to protecting your privacy and security. This policy explains how and why we use your personal data, to ensure you remain informed and in control of your information. SMS-HEG complies with the six principles of the General Data Protection Regulation. Personal data is:

• Processed fairly, lawfully, and transparently.
• Only used for the specified, clearly explained purpose it was collected for.
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
• Kept accurate and up-to-date.
• Only kept for as long as it is needed (usually until a project or activity is complete) and is then removed and securely deleted.
• Processed in a manner that ensures appropriate security of the personal data; it is stored in secure systems and only transferred by secure means.

You can decide not to receive communications or change how we contact you at any time. If you wish to do so please contact us by emailing info@smsheg.co.uk telephoning 0207 265 8478.

We will never sell your personal data, and will only ever share it with organizations we work with where necessary and if its privacy and security are guaranteed.

We have appointed a Data Protection Officer who holds primary responsibility for overseeing our data protection strategy and ensuring compliance. 

DPO’s duties include: 

1. Monitoring compliance with data protection policies, procedures, and obligations 
2. Advising management and staff on data protection requirements 
3. Liaising with supervisory authorities such as the Information Commissioner’s Office (ICO) 
4. Providing guidance and oversight on data protection impact assessments (DPIAs)   

Any questions you have in relation to this policy or how we use your personal data should be sent to Mr Shamim (DPO) for the attention of SMS-HEG’s.

2. THE INFORMATION WE COLLECT

Data for carrying out the administrative functions of SMS-HEG

Your personal data (i.e. any information which identifies you, or which can be identified as relating to you personally) will be collected and used by the SMS-HEG

We collect the data you provide to us. This includes information you give when joining as a member or signing up to our newsletter, placing an order or communicating with us. For example:

• personal details (name, job title, organization, and email). This also includes address and telephone when you join as a member or supporter;
• details of SMS-HEG events you have attended.

Sensitive personal data for carrying out the administrative functions of SMS-HEG

We do not normally collect or store sensitive personal data (such as information relating to health, beliefs or political affiliation) about members and those signed up to SMS-HEG’s. However, there are some situations where this will occur (e.g. if you have an accident on one of our events). If this does occur, we’ll take extra care to ensure your privacy rights are protected.

Accidents or incidents

If an accident or incident occurs on our property, at one of our events or involving one of our staff then we’ll keep a record of this (which may include personal data and sensitive personal data).

3. HOW WE USE INFORMATION

We only ever use your personal data with your consent, or where it is necessary in order to:

• enter into, or perform, a contract with you;
• comply with a legal duty;
• protect your vital interests;
• for our own (or a third party’s) lawful interests, provided your rights don’t override these.

In any event, we’ll only use your information for the purpose or purposes it was collected for (or else for closely related purposes)

Legal basis of processing data

SMS HEG processes personal data in accordance with the UK GDPR and other applicable laws. Processing is carried out only when a valid legal basis exists, including: 

• Consent of the data subject  Data subjects provide explicit consent when registering, submitting forms, or agreeing to terms and conditions or employment contract. Consent is recorded and may be withdrawn at any time. 
• Contractual obligation  Data is processed to deliver services and fulfil obligations - such as managing student applications, facilitating consultant support. 
• Legitimate InterestWe process data to improve platform functionality, maintain secure operations, communicate effectively, and provide support to data subjects.
• Legal obligation  SMS HEG may be required to retain or disclose data to meet regulatory, financial, or institutional compliance requirements, including audit trails, fraud prevention, and reporting to universities or authorities.  

Data minimization

SMS HEG adheres to the core principles of data protection by collecting only the information necessary to fulfil specific, clearly defined purposes. All data processing activities are aligned with the intended use, and unnecessary data is not collected. 

1. Collection Justification 

1. Data is collected only when required to deliver services such as student application processing, user support or compliance with university requirements or to manage the employment process efficiently, accurately and fairly. 
2. Each data field captured has a clear and documented purpose linked to service delivery, regulatory compliance, or operational efficiency.  

2. Regular Reviews 

1. SMS HEG conducts annual audits and internal reviews to assess the relevance and necessity of the personal data held. 
2. Redundant or obsolete data fields are removed, and unnecessary processing is discontinued. 
3. SMS HEG staff are informed of any changes to data collection practices, and systems are updated to reflect evolving legal or regulatory needs.

Applicability

Our services are not intended for children under 18 years of age. We do not knowingly collect personal data from minors without parental consent.

Parental Consent

If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete such information promptly.

Age Verification

Where applicable, we may implement measures to verify age and obtain parental consent before processing data of minors.

Administration

We use personal data for administrative purposes (i.e. for admission purposes). This includes:

• maintaining databases of our members and those signed up to our newsletter;
• fulfilling orders services (whether placed online, over the phone or in-person)
• helping us respect your choices and preferences (e.g. if you ask not to receive marketing material, we’ll keep a record of this).

4. DISCLOSING AND SHARING DATA

Your personal data that has been collected for the purposes of SMS-HEG’s administrative functions – which include your name, organisation, and email address are held by our mailing list provider. This information is not shared with any other organisation. If you wish to unsubscribe from our mailing list at any time, you can do so by clicking the ‘unsubscribe’ link, found at the bottom of any email we send you – or by sending your name and email info@smsheg.co.uk stating Unsubscribe’ in the email in the subject line or body of the email. Data from third parties that we hold for admission purposes will never be disclosed or shared without the written agreement of the data controller.

5. MARKETING

We use personal data to communicate with people, to promote SMS-HEG products. This includes keeping you up to date with information from SMS-HEG on our events, news other information relating to our work. You can decide not to receive communications or change how we contact you at any time. If you wish to do so please contact us emailing info@smsheg.co.uk telephoning 0207 265 8478

6. HOW WE PROTECT DATA

We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorized access to, or use or disclosure of your personal information. Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). All staff receive data protection training and we have a set of detailed data protection procedures which personnel is required to follow when handling personal data set out in our policies. Copies of these policies are available on request.

7. STORAGE

Where we store information

SMS-HEG’s operations are based in England and we store our data within the European Union.

How long we store information

We will only use and store information for so long as it is required for the purposes it was collected for. How long information will be stored depends on the information in question and what it is being used for. For example, if you ask us not to send you marketing emails, we will stop storing your emails for marketing purposes (though we’ll keep a record of your preference not to be emailed). We continually review what information we hold and delete what is no longer required.

8. KEEPING YOU IN CONTROL

We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights, which are as follows:

• The right to confirmation as to whether or not we have your personal data and, if we do, to obtain a copy of the personal information we hold (this is known as subject access request);
• The right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason);
• The right to have inaccurate data rectified;
• The right to object to your data being used for marketing or profiling; and
• Where technically feasible, you have the right to personal data you have provided to us which we process automatically on the basis of your consent or the performance of a contract. This information will be provided in a common electronic format.

Please keep in mind that there are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so. This is particularly the case where we receive surveys or administrative data from third parties for admission purposes as this will nearly always be in de-identified or anonymized formats. This means that no directly identifying information is shared with us. In these situations, the data collector will have provided you with a privacy notice that informs you how your data will be used but because we do not know who you are, we are not able to directly provide you with a privacy notice ourselves. In any situation, if you would like further information on your rights or wish to exercise them, please write to SMS-HEG’s email to info@smsheg.co.uk for the attention of Mr. Shamim.

Complaints

You can complain to SMS-HEG directly by contacting us using the details set out above. If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk

9. COOKIES AND LINKS TO OTHER SITES

Cookies

We use cookies on our website. Cookies files are downloaded to a device when certain websites are accessed by users, allowing the website to identify that user on subsequent visits. The only cookies in use on our site are for Google Analytics. Google Analytics is a tool employed by organisations to help them understand how visitors engage with their website, so improvements can be made. Google Analytics collects information anonymously – and reports overall trends, without disclosing information on individual visitors. We use Google Analytics to understand website usage and improve user experience. These cookies are non-essential and will only be set after you provide consent. Data collected may include anonymized IP addresses and usage patterns. By using our site you are consenting to saving and sending us this data. You can opt out of Google Analytics – which will not affect how you visit our site. Further information on this can be found here: https://tools.google.com/dlpage/gaoptout Our website uses local storage strictly for system administration to provide you with the best possible experience – used in order to create reports relating to web traffic and user preferences. This includes: your IP address; details of which web browser or operating system was used; and information on how you use the site.

We will obtain your consent before placing any non-essential cookies (such as analytics or advertising cookies) on your device, in compliance with the Privacy and Electronic Communications Regulations (PECR). You can manage your preferences at any time through our cookie settings. Non-essential cookies will only be activated after you have provided explicit consent via our cookie banner or settings.

Links to other sites

Our website contains hyperlinks to many other websites. We are not responsible for the content or the functionality of any of those external websites (but please let us know if a link is not working by using the ‘Contact’ link at the top of the page).

If an external website requests personal information from you (e.g. in connection with an order for goods or services), the information you provide will not be covered by the SMS-HEG’s Privacy Policy. We suggest you read the privacy policy of any website before providing any personal information.

10. MODERN SLAVERY AND HUMAN TRAFFICKING POLICY

This policy and statement is made pursuant to section 54(1) of the Modern Slavery Act (2015) and constitutes SMS Higher Education Group’s formal slavery and human trafficking policy. This policy has been approved by the Director and senior management team of the organisation.

SMS Higher Education Group does not believe there is any place in today’s world for slavery and human trafficking and in making this statement commits to ensuring there is no modern slavery or human trafficking in our staff and student recruitment supply chains or in any part of our businesses.

We are committed to evolving our practices through all our group to combat slavery and human trafficking and to encourage the same principles and standards from our student recruitment and business partners.

No breaches of the Modern Slavery Act 2015 have ever been reported in 2021 or have been previously.

11. OUR COMPANY STRUCTURE

Operating primarily in the London, SMS Higher Education Group employs over 50 people across 2 main locations: London and Bangladesh.

12. OUR SUPPLY CHAIN

SMS Higher Education Group takes its responsibility for ensuring the risk of modern slavery and human trafficking is minimized across both its staff and student recruitment supply chain. It achieves this through a combination of due diligence, transparency and risk mitigation. The SMS Higher Education Group expects its staff to report concerns of non-compliance, no matter how trivial, in line with the established policies and procedures.

13. POLICIES ON MODERN SLAVERY

This policy is regularly updated to reflect best practice methodologies, and subsequently approved at Director level.

Our modern slavery policy reflects the Company’s commitment to acting with maximum integrity and ethical practice in all its relationships and has implemented adequate policies, procedures and systems to ensure that slavery and human trafficking is not taking place.

14. DUE DILIGENCE PROCESSES

In order to identify and mitigate the risks associated with modern slavery and human trafficking, SMS Higher Education Group has adopted the following processes:

1. We conduct internal audits on our recruitment process to ensure that we only engage eligible workers for agency work.
2. We expect the companies we work with to have anti-slavery and human trafficking policies and processes that cover the subsequent relationships with their suppliers as it is not practical for us to influence and have a direct relationship with all levels of the business relationship.

15. RISK ASSESSMENT

With many of the staff on a temporary, contract or permanent basis, we appreciate the importance of robust operational practices. Through the aforementioned due diligence processes, company audits, and internal policies and staff training, we act to minimise the risk of individuals being placed into any form of slavery.

Checks are also undertaken to verify and identify where workers may be sharing bank accounts, addresses and telephone numbers which may be a risk indicator.

SMS Higher Education Group will continue to assess the risks associated with modern slavery and human trafficking and aim to fully understand other indicators of modern slavery.

16. MEASURING EFFECTIVENESS

Through regular monitoring, audits and assessments we measure the effectiveness of our risk control measures to ensure that slavery and human trafficking is not taking place in our business, our subsidiary businesses or our staff and student recruitment supply chains.

Our key performance indicators (KPIs) in this instance are:

• 100% pass rate when reviewing recruitment activities and their compliance with agreed modern slavery processes.

17. TRAINING FOR SMS HIGHER EDUCATION GROUP STAFF

With such a clear focus on maintaining 100% compliance with modern slavery and human trafficking legislation, it is essential that the people within our business receive adequate training and information. We provide information on this legislation and our policies and processes via the SMS Higher Education Group’s induction process and training updates.

Employees, workers, business partners and customers are encouraged to report any concerns that may give rise to a risk of modern slavery or human trafficking.

Employees are advised on how to report any concerns they have associated with modern slavery and trafficking.

18. THIRD PARTY SHARING

Shared with 

Personal data may be shared with carefully selected third-party recipients only when necessary to achieve the purposes outlined in SMS HEG’s privacy notices and when there is a valid legal basis. Categories of recipients may include: 

1. Service providers supporting SMS HEG’s IT systems, hosting, and communication platforms. 
2. Payment processors and financial institutions for transactional purposes. 
3. Professional advisers such as auditors, legal counsel, and consultants. 
4. Partner universities and service providers engaged in the student’s application journey. 
5. Regulatory bodies or government authorities where legally required. 
6. Accreditation or certification organisations in relation to academic or professional recognition. 

In all cases, SMS HEG ensures that the minimum necessary data is shared, consistent with the principle of data minimisation.  

Vendor Due diligence 

Before engaging any third-party vendor that will process personal data passed to them by SMS HEG with consent, a structured due diligence process is conducted to verify the vendor’s capacity to meet GDPR requirements as a data controller and processor. 

1. Process

The due diligence process must be completed and documented prior to onboarding any new vendor. This process comprises of:

1. An assessment of the vendor’s technical and organisational security measures. 
2. Verification of the vendor’s compliance history with data protection regulations. 
3. Evaluation of relevant certifications (e.g., ISO 27001, SOC 2) or adherence to recognised codes of conduct. 
4. Review of sub-processing arrangements and any cross-border data transfer mechanisms.
5. Confirmation of the vendor’s procedures for assisting SMS HEG in fulfilling data subject rights and breach notification obligations.  

2. Vendor Due Diligence Checklist 

The due diligence checklist includes, but is not limited to:

1. Evidence of appropriate data security policies and procedures.
2. Information about staff training on data protection.
3. Details of data encryption and storage practices.
4. Copies of relevant certifications and audit reports.
5. Description of incident response and breach notification processes.
6. Identification of all sub-processors and relevant safeguards.
7. Clarification of data retention and deletion practices.
8. Confirmation of measures to assist SMS HEG in responding to data subject rights requests.

Vendors who fail to meet minimum standards will not be authorised to process personal data on behalf of SMS HEG. 

Cross Border Transfers

SMS HEG recognises that in the course of its operations, personal data may occasionally be transferred to organisations located in countries outside the European Economic Area (EEA). To ensure such transfers uphold the level of protection required by applicable data protection laws, SMS HEG has adopted the following measures: 

1. Standard contractual Clauses 

Where personal data is transferred to a country that does not benefit from an adequacy decision by the European Commission, SMS HEG will enter into the European Commission’s Standard Contractual Clauses (SCCs) with the receiving organisation. These contractual clauses:

1. Establish legally binding obligations on the data importer to apply appropriate safeguards.
2. Require that personal data be processed only for the specified purposes and in accordance with applicable data protection legislation.
3. Mandate robust security measures to protect personal data from unauthorised access, loss, or disclosure.
4. Include obligations to support data subject rights and cooperate with supervisory authorities.  

2. Adequacy decision by EU 

Where personal data is transferred to a country, territory, or sector that the European Commission has formally recognised as providing an adequate level of protection, SMS HEG will rely on the adequacy decision as the legal basis for the transfer. Examples of such destinations include Switzerland, and other jurisdictions listed by the European Commission.  

3. Informing Data Subjects 

Prior to transferring personal data outside the EEA, SMS HEG will:

1. Clearly inform data subjects of the intention to transfer their data internationally.
2. Specify the legal mechanism relied upon to safeguard the transfer (e.g., adequacy decision or SCCs).

This transparency enables data subjects to understand where their information will be processed and how their rights are protected.  

19. CHANGES TO THIS PRIVACY POLICY

We’ll amend this Privacy Policy from time to time to ensure it remains up-to-date and accurately reflects how and why we use your personal data. The current version of our Privacy Policy will always be posted on our website.

(This Privacy Policy was last updated on 01 December, 2025)