Opening Times: 8:00am - 6:00pm
 Call us on: 029 2052 1007

About Us

This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from you. It applies to all instances where we collect your personal data. We will only record your personal details if you provide them voluntarily via our website contact forms, by contacting us via e-mail or filling in details on contact forms and enrolment packs. We may change this privacy notice from time to time by updating this policy in order to reflect changes in the law and/or our privacy practices. We are based in the UK, so your personal information will never be transferred outside of the EU.

Our Data Protection Officer

At Little Cherubs we are data controllers of your personal data. The dedicated data protection officer (DPO) is Lisa Latner. You can contact the DPO if you have any complaints or queries via e-mail on or at Little Cherubs Day Care Nursery Ltd, 12 Penlline Road, Whitchurch, Cardiff, CF14 2AD, 02920 521 007.

We endeavour to keep all our information as secure as possible which includes locked filing cabinets and office, online firewall systems and restricted access to our office computer.

You can contact the Information Commissioner’s Office if you have any concerns or complaints about the way we handle your data. You can contact them on 0303 123 1113.

What is the Purpose of this Document?

Little Cherubs Day Care Nursery LTD is a company incorporated and registered in England and Wales (company number 4517225) with its registered office address at 12 Penlline Road, Whitchurch, Cardiff, CF!$ 2AD (“the Nursery” or “we”) is committed to protecting the privacy and security of your personal information.

This privacy notice describes how the Nursery collects and uses personal information about children attending the Nursery (“Child” or “Children”) and the parents of the Children (“Parents”) (known collectively as “You” or “Your”), in accordance with the General Data Protection Regulation (GDPR).

The Nursery Little Cherubs is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about You. We are required under data protection legislation to notify You of the information contained in this privacy notice.

This notice applies to Children and Parents. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time but if we do so, we will provide You with an updated copy of this notice as soon as reasonably practical.

It is important that, Children and Parents read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about You, so that You are aware of how and why we are using such information and what Your rights are under the data protection legislation.

Data Protection Principles

We will comply with data protection law. This says that the personal information we hold about You must be:
  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to You and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told You about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told You about.
  6. Kept securely.

The Kind of Information We Hold About You

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection, such as information about a person’s health or sexual orientation.


We will collect, store, and use the following categories of personal information about Children:
  • Name
  • Date of birth
  • Home Address
  • Dietary requirements
  • Attendance information
  • Photographs and video clips of the Child to signpost Children to where their belongings are stored at the Nursery that they attend, and also for general display purposes
  • Emergency contact should Parents be unavailable and the emergency contact’s contact details
  • Record book for each Child containing the work of the Child whilst at the Nursery, observations about the Child’s development whilst at the Nursery from Employees of the Nursery, specific examples of the Child’s progress, photographs demonstrating the Child’s development whilst at the Nursery, and personal details of the Child (e.g. their date of birth) (“Progress Report”)
  • Records relating to individual Children e.g. care plans, common assessment frameworks, speech and language referral forms
  • Accidents and pre-existing injuries forms
  • Records of any reportable death, injury, disease or dangerous occurrence
  • Observation, planning and assessment records of Children
We may also collect, store and use the following “special categories” of more sensitive personal information:
  • Information about a Child’s race or ethnicity, spoken language and nationality.
  • Information about a Child’s health, including any medical condition, health and sickness records.
  • Information about a Child’s accident or incident reports including reports of pre-existing injuries.
  • Information about a Child’s incident forms / child protection referral forms / child protection case details / reports.


We will collect, store, and use the following categories of personal information about Parents:
  • Name
  • Home address
  • Telephone numbers and personal email addresses
  • Work contacts
We may also collect, store and use the following “special categories” of more sensitive personal information:
  • Information about a Parent’s race or ethnicity, spoken language and nationality.
  • Conversations with Parents where Employees of the Nursery deem it relevant to the prevention of radicalisation or other aspects of the governments Prevent strategy.

How is Your Personal Information Collected?

Children and Parents:

We collect personal information about Children and Parents from when the initial enquiry is made by the Parents, through the enrolment process and until the Children stop using the Nursery’s services.

Personal data will only ever be collected from a child’s parents or guardians or a person who has responsibility such as a grandparent. Collection processes include online contact forms, e-mails, social media, registration forms, questionnaires and enrolment packs. We require all this information to enrol your child at our nursery that satisfies CIW regulations and ensures health and safety of your child whilst in our care.

We need all the categories of information in the list above (see Parents section within the Paragraph entitled ‘The Kind of Information we Hold About You’) primarily to allow us to perform our contracts with Parents and to enable us to comply with legal obligations. The situations in which we will process personal information of Parents are listed below.
  • The personal information of Parents will be shared with local authorities without the consent of Parents for funding purposes.
  • To report on a Child’s attendance
  • To be able to contact a Parent or a Child’s emergency contact about their Child
  • To ensure nursery fees are paid
  • If you contact us via an online contact form, we will only use that information to respond to your enquiry. Our website uses cookies.
  • To improve the operation of our business through information such as questionnaires.
  • For gaining reviews on our advertising and social media sites by contacting you via e-mail
  • To send you important information regarding nursery such as illnesses, events, newsletters and relevant nursery related topics

If Parents or guardians fail to provide personal information

If Parents or guardians fail to provide certain information when requested, we may not be able to perform the respective contracts we have entered into with Parents, or we may be prevented from complying with our respective legal obligations to Children and Parents.

Change of Purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use Your personal information for an unrelated purpose, we will notify the Child or Parent, as is appropriate in the circumstances, and we will explain the legal basis which allows us to do so.

Please note that we may process a Child’s or a Parent’s personal information without their respective knowledge or consent, as relevant to the circumstances, in compliance with the above rules, where this is required or permitted by law.

How We Use Particularly Sensitive Personal Information

Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in the following circumstances:
  1. In limited circumstances, with Parent explicit written consent.
  2. Where it is needed in the public interest, such as for equal opportunities monitoring or CIW collection data.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect a Child or a Parents’ interests (or someone else’s interests) and the Child or Parent as is appropriate is not capable of giving consent, or where the Parent has already made the information public.

Lawful basic we have for processing your data

Types of processing and personal data we hold has been documented and reviewed so that each one has been identified with a lawful basis.

Data sharing

We may have to share Child or Parent data with third parties, including third-party service providers and other entities in the group.

We require third parties to respect the security of Your data and to treat it in accordance with the law.

Why might the nursery share Child or Parent personal information with third parties?

We will share Your personal information with third parties where required by law, where it is necessary to administer the working relationship with You or where we have another legitimate interest in doing so. We will share your personal information with third parties when required to do so with Care Inspectorate Wales (our governing body) and in any safeguarding instances where we are legally obliged to do so and to prevent and suspected harm to a child. We will share your financial information with our accountant in the processing of fees and vouchers.

Which third-party service providers process my personal information?

Third parties includes third-party service providers (including contractors and designated agents), local authorities, regulatory bodies, schools and other entities within our group. The following third-party service providers process personal information about you for the following purposes:
  • Local Authorities – for funding and monitoring reasons (e.g. equal opportunities and uptake of funded hours)
  • Regulatory bodies – for ensuring compliance and the safety and welfare of the children
  • Schools – to provide a successful transition by ensuring information about the child’s progress and current level of development and interests are shared

How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect Your personal information in line with our policies. We do not allow our third-party service providers to use Your personal data for their own purposes. We only permit them to process Your personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share Your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share Your personal data with the other parties if and to the extent required under the terms of the transaction.

We may also need to share Your personal information with a regulator or to otherwise comply with the law.

Data Retention

How long will you use my information for?

We will only retain Your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of Your personal data, the purposes for which we process Your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise Your personal information so that it can no longer be associated with You, in which case we may use such information without further notice to You. Once you are no longer a Child benefiting from the Nursery’s services or a Parent, as is appropriate, we will retain and securely destroy your personal information in accordance with applicable laws and regulations.

For how long is your personal information retained by us?

Certain personal information is held in accordance with Care Inspectorate Wales regulations and National Minimum Standards
  • As long as we provide a service to you
  • For child protection purposes records of children who have attended the setting, accident and incident records and child protection records need to be retained until the child reaches the age of 21-or until the child reaches the age of 24 for child protection records

Rights of Access, Correction, Erasure and Restriction

Your duty to inform us of changes

It is important that the personal information we hold about You is accurate and current. Please keep us informed if Your personal information changes during your working relationship with us.

Your rights in connection with personal information

Under certain circumstances, by law You have the right to:
  • Request access to Your personal information (commonly known as a “data subject access request”). This enables You to receive a copy of the personal information we hold about You and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about You. This enables You to have any incomplete or inaccurate information we hold about You corrected.
  • Request erasure of your personal information. This enables Parents to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove Your personal information where You have exercised Your right to object to processing (see below).
  • Object to processing of Your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about Your particular situation which makes You want to object to processing on this ground. You also have the right to object where we are processing Your personal information for direct marketing purposes.
  • Request the restriction of processing of Your personal information. This enables Parents, as is appropriate, to ask us to suspend the processing of personal information about You for example if You want us to establish its accuracy or the reason for processing it.
  • Request the transfer of Your personal information to another party.
If You want to review, verify, correct or request erasure of Your personal information, object to the processing of Your personal data, or request that we transfer a copy of Your personal information to another party, please contact the manager in writing or e-mail

No fee usually required

You will not have to pay a fee to access Your personal information (or to exercise any of the other rights).

What we may need from You

We may need to request specific information from You to help us confirm your identity and ensure Your right to access the information (or to exercise any of Your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to Withdraw Consent

In the limited circumstances where You may have provided Your consent to the collection, processing and transfer of Your personal information for a specific purpose, You have the right to withdraw Your consent for that specific processing at any time. To withdraw Your consent, please contact the manager. Once we have received notification that You have withdrawn Your consent, we will no longer process Your information for the purpose or purposes You originally agreed to, unless we have another legitimate basis for doing so in law.

Consent forms and how and when can you withdraw your consent?

  • Where we are relying on your consent to process personal data, you can withdraw this at any time by contacting the DPO unless we have a legitimate reason for refusal.
  • Consent forms are used in our enrolment pack for the following- Outings, photographs for nursery use, observations and assessments, application for sun cream, emergency calpol permission, emergency medical treatment, certain activities, art work on the website and Facebook.
  • There is an option to give consent for photographs of your child to go on Facebook. If this consent is ticked, then a further separate form is given detailing consent.
  • There is an opt in box in the enrolment pack asking for permission for sending e-mails
  • Where by the opt in box is not included in our older versions of the enrolment pack all parents will receive a ‘repaper’ to update consent. This opt in consent box applies to information sending, holding and processing your data.

What are your rights under data protection laws?

The following is a list of the rights that all individuals have under data protection laws. They don’t apply in all circumstances. More information can be found on your rights and how you can make a complaint to the Information Commissioner’s Office at
  • The right to be informed about the processing of your personal information
  • The right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed.
  • The right to object to processing of your personal information
  • The right to restrict processing of your personal information
  • The right to have your personal information erased (the “right to be forgotten”)- such requests will be undertaken unless we have a legitimate reason for refusal.
  • The right to request access to your personal information and to obtain information about how we process it.
  • You can withdraw any permissions you have given us in the past (such as permission to send you newsletters via e-mail, you can change your mind at any time)
  • The right to move, copy or transfer your personal information (“data portability”)
  • Rights in relation to automated decision making which has a legal effect or otherwise significantly affects you.

CCTV policy

There is a separate CCTV policy available on request.

Detecting, reporting and investigating a personal data breach

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. We will do this within 72 hours of becoming aware of the breach, where feasible.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also inform those individuals without undue delay.

We will ensure we have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals.

We will also keep a record of any personal data breaches, regardless of whether we are required to notify.

We will follow guidelines, procedures and advice from the ICO should there be a data protection breach.

Changes to This Privacy Notice

We reserve the right to update this privacy notice at any time, and we will provide You with a new privacy notice when we make any substantial updates. We may also notify You in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy notice, please contact Jessica Miller, Lisa Latner, 02920 521 007.
© Copyright 2022. All Rights Reserved | View our privacy policy
Website design & development by Designer Websites Ltd.