To ensure your business is fully compliant with the GDPR and other relevant privacy regulations, especially in the context of running a daycare, there are several steps you should consider with your team:
1. Data Inventory and Mapping
- Review and Document Data Flows: Conduct a thorough audit of all the personal data you collect, process, and store. Document where it comes from, where it is stored, who has access, and where it is shared.
- Classify Data: Identify special-category personal data under GDPR Article 9, such as children's medical records, allergy and dietary information, and biometric data used to identify a person (e.g., fingerprint templates from access scanners), and give it additional protection: stricter access controls, a documented Article 9 legal basis, and shorter retention.
2. Data Minimization and Retention Policies
- Minimize Data Collection: Ensure that you only collect personal data necessary for the specific purpose of providing daycare services. Avoid collecting unnecessary information.
- Retention Policies: Establish clear data retention policies, especially for sensitive information. Regularly review the data you hold and securely delete information that is no longer needed.
3. Update Internal Policies and Training
- Staff Training: Regularly train your staff on GDPR compliance, focusing on the importance of data privacy and security. Ensure they understand their responsibilities, especially when handling sensitive data.
- Internal Privacy Policies: Update your internal privacy and data protection policies to reflect the changes in your external privacy policy and GDPR requirements. Make sure all employees are aware of and adhere to these policies.
4. Data Subject Rights Management
- Procedures for Handling Requests: Implement and document procedures to handle requests from individuals exercising their rights under GDPR, such as the right to access, correct, delete, or port their data.
- Communication Protocols: Ensure that there is a clear and efficient process for responding to these requests within the GDPR-mandated timeframe (one month from receipt, extendable by up to two further months for complex or numerous requests, provided the requester is told about the extension within the first month). Verify the identity of the requester before releasing a child's data, since requests about children will usually come from parents or guardians.
5. Security Measures
- Technical and Organizational Measures: Implement appropriate security measures, such as encryption of data at rest and in transit, role-based access limited to staff who need the data for their work, multi-factor authentication on accounts that reach child records, access logging, and regular security audits, to protect personal data.
- Incident Response Plan: Develop and maintain a data breach response plan that outlines the steps to take in the event of a data breach, including who decides on notification, the 72-hour deadline for notifying the supervisory authority where the breach is likely to pose a risk to individuals, and notification of affected parents and guardians without undue delay where the risk is high. Keep an internal log of all breaches, including those not notified, together with the reasoning.
6. Third-Party Management
- Vendor Agreements: Review and, if necessary, update contracts with third-party service providers to ensure they are GDPR-compliant. Make sure they have adequate data protection measures in place.
- Data Processing Agreements (DPAs): Ensure that all third-party processors who handle personal data on your behalf (e.g., cloud storage, attendance or billing software, the supplier of any access-control system) have signed a DPA meeting the requirements of GDPR Article 28, covering the processor's responsibilities, use of sub-processors, security measures, and any transfer of data outside the EU/EEA.
7. Record-Keeping and Documentation
- Record of Processing Activities: Maintain a detailed record of processing activities (ROPA), as required by GDPR Article 30. Although organizations with fewer than 250 employees are partly exempt, the exemption does not apply to processing of special-category data such as children's health records, so a daycare should keep a full record. It should include the purpose of processing, categories of data subjects and personal data, data recipients, retention periods, and a description of the security measures.
- Legal Basis Documentation: Clearly document the legal basis for processing personal data (e.g., consent, legitimate interest, legal obligation) for each type of processing activity.
8. Data Protection Impact Assessments (DPIA)
- Conduct DPIAs: For any high-risk data processing activities, particularly those involving special-category data, biometric identification, or systematic monitoring, conduct a DPIA to assess and mitigate risks to data subjects before the processing starts. Fingerprint-based access control and any video monitoring of children are likely candidates; check your supervisory authority's published list of processing operations that require a DPIA.
9. Regular Audits and Compliance Checks
- Annual GDPR Audits: Schedule regular audits of your data protection practices to ensure ongoing compliance. This can be internal or through a third-party consultant.
- Monitor Regulatory Updates: Stay informed about changes in data protection laws and regulations, and adjust your policies and practices accordingly.
10. Sharing Information with Schools
- Sharing Information with Schools: Where information about a child is shared with schools to support the "overgang" (transition to school), document the legal basis for each category of information shared (a statutory obligation or the parents' consent), describe the sharing in your privacy notice, and give parents a clear, documented way to object in writing, for example by contacting the manager. Record any objection and make sure staff who prepare transition information check it before sending anything.
11. Fingerprint Scanners
- Use of Fingerprint Scanners: If fingerprint scanners are used for access to your facilities, treat the stored data as biometric data under GDPR. Even where the scanner stores only a mathematical template rather than a fingerprint image, a template used to identify a person is special-category data under Article 9, so you need an explicit legal basis (normally explicit consent), an alternative such as a key card or PIN for anyone who declines, and a DPIA. Describe accurately in your privacy notice what is stored and where (on the device or on a server), but do not claim the template cannot be reverse-engineered unless the vendor can substantiate it, since research on template inversion has reconstructed usable fingerprints from some template formats. Delete templates as soon as they are no longer needed, for example when a child leaves your care, and confirm with the vendor how deletion actually works on the device.
12. Transparency and Communication
- Communicate with Parents and Guardians: Ensure clear and transparent communication with parents about how their and their children’s data is being collected, used, and protected. Provide easy-to-understand privacy notices and consent forms.
Taking these steps will help ensure that your business is not only compliant with GDPR but also fosters a culture of data protection and privacy awareness among your team, which is especially critical in a childcare setting.