GDPR Policy

Every Student is a trading name of Boudica One Limited and Boudicca Two Limited, First Names House, Victoria Road, Douglas, IM2 4DF, Isle Of Man. Every Student is a student accommodation management company set-up in 2018.

Statement of commitment:

We understand the importance of ensuring that personal data, including sensitive personal data is always treated lawfully and appropriately and that the rights of individuals are upheld.

We are required to collect, use and hold personal data about individuals. Data is required for the purposes of carrying out our statutory obligations, delivering services and meeting the needs of individuals that we deal with.

Policy objectives:

In order to comply with the requirements of the General Data Protection Regulation (GDPR), we will ensure that:

Any personal data will be collected, used and held, lawfully and appropriately.

Regular data sharing with external partners and other relevant agencies will be subject to information sharing agreements. Partnerships will only be entered into where there is a clear statutory power enabling Every Student to participate such as the Crime and Disorder Act 1998.

External agencies contracted to undertake any data processing on behalf of the us will be required to demonstrate compliance with the General Data Protection Regulation (GDPR) and satisfy us that it has the necessary technical and organisational measures in place to protect personal data.

There are policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data.

Training needs are identified and provided to ensure that those handling personal data are trained appropriately.

There is an appointed officer within the organisation who has specific responsibility and knowledge about data protection compliance covering all aspects within the scope of this policy and who is a point of contact for all queries.

There are a number of employees throughout the organisation who have specific responsibilities for data protection.

Data Subjects rights can be fully exercised.

Subject Access Requests are dealt with promptly and courteously.

Any new projects being implemented that involve personal data will undergo a privacy impact assessment.

We will regularly review and update this policy, procedures and guidance for Every Student employees and Members.

We are required by law to share or make available some of the personal data we collect and hold. This information may be shared for a number of reasons including to safeguard public funds and for the prevention and detection of fraud, and for the prevention and detection of crime.

Meeting our policy’s objectives:

In order to meet the objectives that are listed above we need to ensure that the following are always considered and that appropriate controls and procedures are in place to ensure compliance with the General Data Protection Regulation (GDPR).

Collecting and processing personal data:

When we collect personal data we will ensure that where required, we make individuals aware that their information is being collected, the purpose for collecting the data specified, and whether it will be shared with any third parties. This will be done through the use of privacy notices. When reviewing documents and forms, we will always consider whether a privacy notice should be included.

No new purpose for processing data will take place until the Information Commissioner’s Office has been notified of the relevant new purpose and the data subjects have been informed and consent has been sought where required.

Data security:

Every Student employees and Members must report any suspected data breaches to the Data Protection Officer for investigation and where necessary the Data Protection Officer will notify the Information Commissioner’s Office.

Every Student employees and Members must use appropriate levels of security to store or share personal data. Corporate guidance will be published and training will be provided to employees and Members.

When new projects involving personal data are being developed, Privacy Impact Assessments will be carried out by the Project Manager and reviewed by the Data Protection Officer in order to assess any privacy risks.

An Information Asset Register will be maintained by the Data Protection Officer identifying:

  • all personal data held
  • where it is held
  • how it is processed
  • what teams have access to it
  • who has overall responsibility for the data

Personal data will not be shared with a third party organisation without a valid business reason and where required we will notify individuals that the sharing will take place in the form of a privacy notice. If any new purposes for the data sharing are to take place, we will seek consent from the individuals concerned.

When personal data is to be shared regularly with a third party, a Data Sharing Agreement must be implemented.

Any data sharing will also take into consideration:

any statutory basis of the proposed information sharing whether the sharing is justified how to ensure the security of the information being shared.

Data access:

Our employees and Members will have access to personal data only where it is required in order to fulfil their role.

All data subjects have a right of access to their own personal data; employees will be made aware of and will provide advice to data subjects about how to request or access their personal data held by us. More information is available on our Subject Access Requests page.

Our employees and Members are aware of what to do when requests for information are made under the General Data Protection Regulation (GDPR).

Our employees and Members are made aware that in the event of a Subject Access Request being received by us, their emails may be searched and relevant content disclosed.

Privacy Notices will include a contact address for data subjects to use should they wish to submit a Subject Access Request, make a comment or complaint about how we are processing their data, or about the handling of a Subject Access Request.

A Subject Access Request will be acknowledged to the data subject within 24 hours, with the final response and disclosure of information (subject to exemptions) within 30 calendar days.

A data subject’s personal data will not be disclosed to them until their identity has been verified.

Third party personal data will not be released by us when responding to a Subject Access Request (unless consent is obtained, it is required to be released by law, or it is deemed reasonable to release).

Compliance with this policy:

This Policy applies to all our employees and all people or organisations acting on behalf of Every Student.

Each Head of Service/Director shall ensure compliance with this policy appropriate to the personal data activities within their remit.

If any Every Student employee, or Member or persons acting on our behalf are found to knowingly or recklessly breach Every Student’s Data Protection Policy appropriate disciplinary and/or legal action will be taken.

Every Student has a designated Data Protection Officer and designated officers with data protection responsibilities have been identified in all service areas.

Implementation of this policy will be led by our Data Protection Officer. Any questions or concerns about this policy should be taken up with our Data Protection Officer.

Data protection:

Make a Data Protection Request:

The General Data Protection Regulation (GDPR) allows you to find out what information about you is held on computer and in some paper records. This is called the right of subject access and includes facts and opinions expressed about you.

Requests for access to this data can be made in writing to us. To ensure that we get all the information we need, we suggest that you use the form below.

Please be as specific as possible about the information which you want access to. To make a data protection request to Every Student, please click the below link

Subject Access Request Form:

Requests for access to personal data can be submitted in any format, however before we can start processing your request we must have received proof of your identity.

If you wish to submit your request in person:

We require to see the original copies of one form of photographic ID only.

If you wish to submit your request via email or post:

We require two forms of ID to ensure that we are releasing data to the correct person. We ask that you supply one form of photographic ID to identify yourself and a recent utility bill stating your full name and address.

Forms of photographic ID that we accept include:

The pages which identify the individual in their passport.

Driving licence.

If you are making a request on the behalf of someone else, you will also need to provide a signed letter of consent from them and proof of their identity.

Please send requests to or to the following address:

Data Protection
Every Student
First Names House
Victoria Road
Isle Of Man.

What action we will take:

We will acknowledge your request and set out our deadline for responding, which will be within 30 calendar days of its receipt.

We may also ask you to provide further information or clarification if we require it to process your request, and may contact you again for additional information or clarification if necessary. In these cases, the 30 day deadline will commence from the date when we receive the additional information.

The data may take the form of photocopies, printouts, transcripts, or a combination of these, depending on what is most appropriate in the circumstances.

If we hold no data about you, you will be informed of this.


We may withhold disclosure of information we hold about you where the law allows. The main exemptions are where information is held in order to:

Prevent or detect crime or apprehend or prosecute offenders;

and the disclosure would prejudice that work being done, or harm you.

If information is already published or available elsewhere (for instance in the Electoral Register) then we do not need to repeat it.


If you are unhappy with how we deal with your request, please contact the Data Protection Team in the first instance, to see if your concerns can be resolved informally. This may lead to a quicker resolution than a formal complaint. You can contact them at

If you remain dissatisfied after contacting the Data Protection Team, you can complain to us under our complaints procedure.

You can also complain to the Information Commissioner’s Office at the following address:

Information Commissioner

Wycliffe House
Water Lane
Cheshire SK9 5AF
United Kingdom

More information is available on the Information Commissioner’s Office website.

How to contact us:

If you have a cookie concern, complaint or question for Every Student Corporate Governance Manager, please email

Every Student is the trading name of both Boudicca One Limited and Boudicca Two Limited.

This document was last updated on 04th August 2022.

Skip to content