Data protection & data processing Policy

Chapter I General Provisions

1.1 Application of the Data Protection and Data Processing Policy

  • Name of educational institution: SEK Bucharest International School
  • Seat of educational institution: Splaiul Independentei 319, Building OB5. 060044 Bucharest.
  • Person responsible for policy contents: Alina Pele, director.
  • Effective date of policy:

This policy lays down the rules pertaining to the protection of natural persons in respect of controlling personal data and to the free flow of personal data. The provisions of this policy shall apply to specific data control activities and to the issuance of instructions regulating data control and related information.

This policy shall remain in effect until revoked and its scope shall extend to the organisation’s officers and staff. This policy could be subject to modification or change.

1.2 Purpose of the Policy

This policy is designed to harmonise the provisions of the other policies of SEK Bucharest International School (hereinafter School) in respect of data control activities in order to protect natural persons’ fundamental rights and ensure the appropriate control of personal data with regard to the School’s staff and students.

During its operation, the School shall seek to fully comply with regulatory provisions governing the control of personal data, especially those of Regulation (EU) 2016/679 of the European Parliament and of the Council.

Another important purpose of this policy is to enable, through familiarity and compliance with the same, the School’s staff to perform the control of natural persons’ data in a lawful manner.

The scope of this policy equally covers the staff (teachers, teaching assistants and non-teaching staff) and students of the School/their parents, their legal representatives, other family members, any natural or legal person having a commercial or contractual relationship with the School, visitors, and the control of personal data concerning them.

1.3 Concepts, definitions and relevant regulations

  • GDPR, the new General Data Protection Regulation of the European Union
  • Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Law No 102 of 3 May 2005 on the establishment, organisation and functioning of the National Supervisory Authority for Personal Data Processing, as subsequently amended and supplemented – Repeal
  • Law No 190 of 18 July 2018 on measures implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Law No 363 of 28 December 2018 on the protection of individuals with regard to the processing of personal data by competent authorities for the purpose of preventing, detecting, investigating, prosecuting and combating criminal offences or the execution of criminal penalties, educational and security measures, and on the free movement of such data
  • Controller: according to art. 4 Regulation (EU) 2016/679: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
  • Personal data: Any information relating to an identified or identifiable natural person “the data subject”; identifiable natural person means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Third party: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • Consent of the data subject: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • Restriction of processing: The marking of stored personal data with the aim of limiting their processing in the future;
  • Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  • Filing system: Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  • Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1.4 The principles of processing

Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

Personal data shall only be collected for definite, clear and lawful purposes.

The personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

The purpose of personal data control shall be appropriate and relevant and data control shall be limited to the extent necessary.

Personal data shall be accurate and up to date. Inaccurate personal data shall be deleted.

Personal data shall be stored in a form that shall only allow identifying data subjects for the duration necessary. Storage of personal data for longer than that shall only be permitted if so required by law or if storage serves the purposes of archiving in the public interest, of scientific or historic research, or of statistical use.

Personal data shall be controlled in a manner ensuring, by means of appropriate technical or organisational measures, personal data security including protection of data against unauthorised or unlawful processing, accidental loss, destruction or damage.

The principles of data protection should apply to any information concerning an identified or identifiable natural person.

The School’s employee in charge of processing shall handle personal data subject to liability for disciplinary breaches, damage and civil and criminal law violations. If the employee finds out that the personal data processed by him/her are defective, deficient or untimely, he/she shall correct such data or have the same corrected by the employee responsible for data recording.

1.5 Processing personal data

Since natural persons may be associated with on-line identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags, this may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Consent shall be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

The data subject’s ticking a relevant box when visiting an internet website also qualifies as consent. Silence, a pre-ticked box or non-action shall not qualify as consent.

Relevant technical settings, statements or acts by a user during the use of electronic services clearly indicating the data subject’s consent in the given context to the processing of his/her personal data shall also qualify as consent.

Personal data concerning health shall include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. They shall include the following:

  • registration for health care services
  • a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes
  • information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples
  • any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject
  • independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

Genetic data shall be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection shall, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Personal data shall be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Every reasonable step shall be taken to ensure that personal data which are inaccurate are rectified or deleted.

1.5 Lawfulness of processing

The processing of personal data shall be lawful where any of the following is fulfilled:

  • The Data Subject has given Consent to the processing of their Personal Data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  • For the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data, without the data subject’s further consent, or after the data subject having withdrawn his consent.

Processing shall be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing shall have a basis in Union or Member State law.

The processing of personal data shall also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person shall in principle take place only where the processing cannot be manifestly based on another legal basis.

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

The processing of personal data strictly necessary for the purposes of preventing fraud shall also constitute a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
At any rate, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.

The processing by public authorities, computer emergency response teams, computer security incident response teams, providers of electronic communications networks and services and providers of security technologies and services of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security shall constitute a legitimate interest of the data controller concerned.

The processing of personal data for purposes other than those for which the personal data were initially collected shall be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required.

The processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.

1.6 The data subject’s consent; conditions

  • Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  • If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  • The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  • When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
  • If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time such reasons persist, to protect the vital interests of the data subject or of another person, or in order to prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.
  • The statement of consent of minors over the age of sixteen shall be considered valid without the permission or subsequent approval of their legal representative.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited except where the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
Processing of personal data relating to criminal convictions and offences or related security measures shall be carried out only under the control of official authority.

1.7 Processing which does not require identification

If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain additional information, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

Where the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible.

1.8 Provision of information to, and the rights of, the data subject

The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes.

Where the personal data are collected from the data subject, the data subject shall also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing.

The information in relation to the processing of personal data relating to the data subject shall be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case.

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. Every data subject shall have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed and, where possible, the period for which the personal data are processed.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and also to have incomplete personal data completed, including by means of providing a supplementary statement.

In particular, a data subject shall have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, or where a data subject has withdrawn his or her consent to the processing of personal data.

Where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object to such processing of his/her personal data for such purposes.

1.9 Review of personal data

In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

1.10 Rights related to data processing

  • Right to request information

The data subject or his/her lawful representative has the right to inquire about the range and source of his/her data processed by the School and about the legal basis, purpose and length of such processing via the indicated contact details.

  • Right to correction of data

Any person has the right to request their personal data to be modified via the indicated contact details.

  • Right to erasure of data

Any person shall have the right to request their personal data to be modified via the indicated contact details.

  • Right to blocking and restricting access to data

Any person has the right to request their personal data to be blocked via the indicated contact details. Blocking shall last as long as the indicated reason makes the storage of data necessary.

  • Right to objection

Any person shall have the right to object to the processing of their personal data via the indicated contact details. The objection must be examined, a decision as to its well-founded nature made and information about the decision sent to the indicated contact details within the shortest possible time.

Legal remedies related to processing
The National Supervisory Authority For Personal Data Processing
Mailing address: anspdcp@dataprotection.ro
Address: B-dul G-ral. Gheorghe Magheru 28-30 Sector 1, cod postal 010336 Bucuresti, Romania
Phone: +40.318.059.211 / +40.318.059.212
Fax:
E-mail: anspdcp@dataprotection.ro

Personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud.

A personal data breach shall be notified to the supervisory authority without undue delay and not later than 72 hours, unless it can be demonstrated, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The data subject shall be informed of a personal data breach, without undue delay, but not more than 10 calendar days after the notification of the supervisory authority, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.

Chapter II Special Provisions

As a personal data controller, the School complies with the provisions of the General Data Protection Regulation No 679/2016 in force in the European Union (GDPR). The measures implementing, at national level, the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 are contained in Law 190 of 18.07.2018.

The personal data we collect is necessary for the proper functioning of our school.

2.1. General data processing related to the School’s staff

The School as employer may request an employee to make a statement or to disclose certain information, certified by a document as appropriate, if deemed necessary for the conclusion, fulfilment or termination of the employment relationship or for the enforcement of claims arising from this law.

An employee may be requested to take an aptitude test if one is prescribed by employment regulations, or if deemed necessary, with a view to exercising rights and discharging obligations in accordance with employment regulations.

The School shall inform the data subject of processing as described above.

The School may process the criminal personal data of the person intending to enter into employment to examine whether employment in the vacancy filled or intended to be filled by the employer is restricted or excluded by law.

The School may check the employee in respect of his/her conduct related to employment. Within the scope thereof, the employer may use a technical device, of which it shall inform the employee in advance.

Unless otherwise agreed, the employee may only use information technology devices and systems (hereinafter IT devices) provided by the employer for the performance of work for the purposes of employment.

The employer may view employment-related data stored on IT devices that are used for the purposes of employment.

In applying the aforesaid measures, the School shall proceed in compliance with the relevant provisions of the Labour Code.

The School shall in addition keep records of all personal data of employees (name, place and date of birth, residential address, mother’s name, residential address card number, email address, education and number of certificate proving education, bank account number) that are necessary for entry into employment. According to the legal provisions (art 5 Law 190/2018)

Where monitoring systems by means of electronic communications and/or video surveillance are used in the workplace, the processing of employees’ personal data for the purpose of pursuing the legitimate interests pursued by the employer is permitted only if:

(a) the legitimate interests pursued by the employer are duly justified and override the interests or rights and freedoms of the data subjects;

(b) the employer has provided the employees with full and explicit prior information;

(c) the employer has consulted the trade union or, where appropriate, the employees’ representatives before introducing the monitoring systems;

(d) other less intrusive forms and ways of achieving the employer’s intended purpose have not previously proved effective; and

(e) the duration of storage of personal data is proportionate to the purpose of the processing, but not longer than 30 days, except in situations expressly provided for by law or in duly justified cases.

2.2. Records on teachers kept by authorization under law

The School shall keep records of data included in the public servant core registry, in accordance with the relevant legal provisions – personal files, 75 years after their completion – Law on National Archives 16/1996. Each public education institute shall keep records of the teacher’s educational ID number, teacher’s ID card number, length of service and weekly working time. In addition, the School shall keep records of external teachers’ name, place and date of birth, gender, nationality, legal basis of – and the title and number of the document authorising – stay in Romania, domicile, residence, educational and qualification data and educational ID number.

The personal data of teachers and of personnel directly assisting pedagogical work shall be entered on the SIIIR – Integrated Education Information System in Romania.

The SIIIR contains the following data:

  • name, mother’s name, gender, nationality
  • place and date of birth,
  • educational ID No., teacher’s ID card No.,
  • educational and qualification data: name of higher education institute, degree No., education, vocational qualifications, date of obtaining education, vocational qualifications, of passing specialised teacher’s / Ph.D. examination,
  • job title,
  • name, address and Ministry of Education identifier of employer,
  • location of workplace,
  • start date, legal basis of termination of and end date of legal status,
  • executive position,
  • grading,
  • length of service,
  • working time,
  • length of extended absence,
  • residential address,
  • email address,
  • among data related to advancement, pedagogical supervision and fulfilment of professional upgrading obligations:
  • length of professional experience,
  • Academy membership, if any,
  • reduced working time, if any,
  • deadline of passing qualification examination set in appointment document or employment contract,
  • date of signing up for and date of qualification examination and date and result of qualification procedure,
  • date and findings of professional supervision affecting the employee.

2.3. Transmission of data of staff and teachers by authorisation under law

Data described in Points 2.1 and 2.2 may, while maintaining purpose limitation related to the protection of personal data, be transmitted to the operator, payment location, court, police, prosecutor’s office, public administrative body in charge of public education administration, bodies entitled to verify compliance with employment regulations and the national security service.

Public education institutions may only process employees’ personal data in connection with employment, benefits, allowances, the establishment and fulfilment of obligations, the exercise and fulfilment of citizen’s rights and, respectively, obligations, for national security reasons, for the purpose of managing records defined in this law, and to the extent necessary for and limited to the purpose.

2.4 Data of children and students kept on records by authorisation

According to Law 1/2011 and the Regulations on the regime of study documents and school documents managed by pre-university educational establishments of 24.05.2016, the School shall keep records of the following data of children and students:

  • the child’s/student’s name, place and date of birth, gender, nationality, address of domicile and residence, social security identifier,
  • in the case of a foreign national, the legal basis, name and number of document permitting stay in the territory of Romania,
  • name of parent, lawful representative, domicile, residence, phone number
  • data related to the child’s preschool development,
  • data related to the child’s legal relationship in preschool and the student’s legal relationship in school,
    • data related to entrance examinations,
    • public education core task to be fulfilled by the legal relationship,
    • data related to the suspension or termination of the legal relationship,
    • data related to the child’s/student’s missed classes,
    • data related to a child/student requiring special attention,
    • data related to accidents suffered by the child/student,
    • educational ID No. of the child/student,
    • test identifier.
    • data related to the legal relationship as student:
    • data related to the legal status as private student,
    • evaluation and grading of the student’s behaviour, diligence and knowledge; examination data
  • data related to the student’s disciplinary and compensation matters,
    • student ID card No.,
    • data related to the supply of textbooks,
    • data related to the student’s repetition of a failed academic year,
    • date of and reason for termination of legal relationship as student.
  • national test and evaluation data.
  • in which academic year and in which country the student participated in cross-border excursions

The SIIR contains the following data of a student:

  • name,
  • gender,
  • place and date of birth,
  • social security identifier,
  • Ministry of Education ID number,
  • mother’s name,
  • address of domicile (residence),
  • nationality,
  • special educational need, integration, learning and behavioral difficulties, if any,
  • student ID card number,
  • with regard to his/her legal status, data concerning whether:
    • he/she is a private student,
    • he/she has reached the compulsory schooling age
    • the start date and end date of suspension of his/her legal relationship
    • start date, legal basis of termination of and end date of legal relationship,
    • name, address, Ministry of Education ID number of the pedagogical-educational institution,
    • the public education task underpinning his/her legal relationship,
    • place of education,
    • in the case of adult education, data related to the work schedule of education,
    • expected date of completion of studies,
    • academic year.

2.5 Transmission of data of children and students by authorisation under law

Of the child’s/student’s data:
a. name, place and date of birth, domicile, residence, parent’s name, lawful representative’s name, domicile, residence and phone number of the parent/lawful representative, start date, duration of suspension and termination of legal relationship, legal status as private student, number of classes missed, establishment of residence to contact parent/lawful representative to verify lawfulness of skipping class, data in connection with existence of legal relationship and fulfilment of compulsory schooling to be sent to the operator, court, police, prosecutor’s office, local municipal notary, public administrative body, and national security service;
b. data related to his/her admission to preschool/school, transfer to the preschool/school concerned, or higher education institute concerned;
c. name, place and date of birth, domicile, residence, social security identifier, name of parent/lawful representative, domicile/residence and phone number of parent/lawful representative, preschool/school health documentation, data related to accident of child/student to establish health status, to be sent to the institution responsible for health and school health tasks;
d. name, place and date of birth, domicile, residence, name of parent/lawful representative, domicile/residence and phone number of parent/lawful representative, data related to classes missed by child/student, data related to a child/student requiring special attention to identify and eliminate vulnerability, to be sent to family support institution, organisation, child and youth protection agency, organisation;
e. data necessary to adjudicate and prove eligibility for application for available subsidy, to be sent to the operator;
f. data for issuing invoices, to be sent to textbook distributors;
g. data of school leaving certificate issued on the basis of state examination, to be sent to the organisation keeping records of school leaving certificates and then to the organisation keeping records of applications to higher education institutes,
can be transmitted.

Data
a. on the student’s special educational need, integration, learning and behavioural difficulties, to be exchanged between the institutions of the specialist pedagogical service and pedagogical-educational institutions;
b. on the child’s preschool development and school-readiness, to be sent to parent, institutions of the specialist pedagogical service and school;
c. on the student’s behavior, diligence and knowledge and their evaluation within the class concerned, the teaching staff, to be sent to parent, examination board, practical training organiser, parties to apprenticeship agreement or – if evaluation is done outside the school – to new school and head of professional supervision;
d. required for issuing student ID card, to be sent to SIIR processor and agencies involved in issuing student ID card,
can be transmitted.

Furthermore, the pedagogical-educational institution shall keep records of data that are necessary to adjudicate and prove eligibility for statutory allowances. The data that can be processed for this purpose are those from which the beneficiary’s identity and eligibility for allowances can be clearly ascertained.

Teachers, employees directly assisting with educational work as well as persons assisting in supervising children/students shall be bound by a confidentiality obligation vis-à-vis third parties by virtue of their profession in respect of all facts, data and information related to the child/student and his/her family that they have obtained during contact with the child/student and his/her parents. This obligation shall survive indefinitely after termination of the legal relationship. The confidentiality obligation shall extend to discussions between members of the teaching staff themselves and with the members of the child protection warning system concerning the student’s development.

All data can be communicated to the minor child’s/student’s parent, except where communication of said data would seriously harm the physical, mental or moral development of the child/student.

Parental consent related to voluntary disclosure shall be kept on records until the expiry of the statute of limitations.

The aforelisted data can be used for statistical purposes and can be transferred for statistical use in a format unfit for personal identification.

2.6 Transmission of data of children and students with the express consent of the data subjects

For the transmission of data kept on records and processed by virtue of authorisation by law no consent shall be necessary from the data subject in respect of the goals and uses defined by law, such as recordings of common school areas and classrooms.

Preparing data, likenesses (individual or group) or video or audio recordings falling outside the scope of these data at the School’s events shall be conditional on the data subjects’ consent.

Similarly, the data subjects’ express consent shall be necessary for the use of data, likenesses (individual or group) or video or audio recordings, unless the processing is lawful based on legitimate reasons other than express consent.

The data subject’s consent shall be required for transferring data necessary and indispensable for task fulfilment by organisations providing supplementary services and being in contact with the School. Supplementary services and their respective providers: provision of meals, provider of transportation services for events and training programs outside the site of the School, provider of off-site training and sports events, local or foreign provider of events abroad for student groups, and organiser of students’ contests.

Furthermore, the data subject’s consent shall be required for any non-predeterminable and unforeseeable processing, use and transmission of data.

In the case of children/students aged under 14 years, it shall be the parent/lawful representative, and in the case of students aged between 14 and 18 years, it shall be the student and the parent/lawful representative together that may grant consent in the declarations annexed hereto.

Chapter III: The tasks of the School; the processing organisation

3.1 Data Security

Data shall be protected by means of suitable measures against unauthorised access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.

For the protection of data sets stored in different electronic filing systems, suitable technical solutions shall be introduced to prevent the interconnection of data stored in these filing systems and the identification of the data subjects.

In designing and applying the measures to ensure data security, the latest level of technical development shall be taken into account. Where alternate data processing solutions are available, the one that ensures the highest level of personal data protection shall be selected, except where this would entail unreasonable hardship for the controller.

3.2 Processing and data security remits and competences

Processing and data security remits and competences shall be exercised by:

  • the director of the School
  • the person responsible for performing the task.

The director of the School shall:

  • issue, and revise at least annually, this policy,
  • appoint a person in charge of tasks and request regular reports on completion thereof.

The director of the School shall be authorised to transmit data.

The person in charge of tasks shall:

  • comply with and examine the provisions of the internal policy,
  • complete record-keeping tasks.

3.3 Other documents linked to the Policy and closing provisions

Teaching activities through technology:

ORDER No 5545 of 10 September 2020 for the approval of the Framework Methodology for the conduct of teaching activities through technology and Internet, as well as for processing of personal data.

Security in the virtual learning environment shall be carried out in accordance with the EU Directives on cyber security and the processing of personal data. In the organisation and conduct of activities in the virtual environment, compliance with the requirements for the protection of personal data shall be ensured in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as Regulation (EU) 2016/679.

Security measures, as an integral part of the digital educational platforms used in the virtual educational environment, and health protection measures for pupils/pre-school children during the use of digital equipment shall be established for the conduct of educational activities.

The processing by the educational establishment of personal data of the participants in the activities carried out via technology and the Internet shall be carried out in order to fulfil the legal obligation of the educational establishment to ensure the right to education, by guaranteeing access to and effective conduct of the educational process in cases where the educational process cannot be carried out face-to-face, in accordance with the legal provisions in force.

The categories of personal data to be processed in compliance with the principles related to the processing of personal data set out in Article 5 of Regulation (EU) 2016/679 are:

a. names and surnames of pre-schoolers/pupils, names and surnames of teachers using the educational IT application/platform;
b. the image, voice of the participants, if applicable;
c. messages, videos, files sent or any other material containing data processed using the educational software/platform;
d. the results of the evaluation;
e. the login details of the educational application/platform used for participation in the online courses: username and password.

As a measure to protect personal data processed when using the educational applications/platforms, it is prohibited to record activities carried out online.

The educational establishment, as the controller of personal data, shall be required to put in place a set of technical and organisational measures for the protection and storage of personal data, which shall cover:

a. security in the online environment;
b. ensuring data confidentiality;
c. preventing the risk of data loss;
d. preventing the modification of personal data;
e. preventing unauthorised access to personal data.

The management of the educational establishment shall make arrangements regarding the provision of the information referred to in Article 13 of Regulation (EU) 2016/679: the identity and contact details of the educational establishment and, where applicable, its representative, the purposes for which personal data are processed, as well as the legal basis of the processing, the recipients or categories of recipients of the personal data, the period for which personal data will be stored, the rights of the data subjects.

The educational establishment shall, through the measures provided for, provide evidence of the safe storage of personal data.

Participants in learning activities carried out using technology and the Internet have the following obligations:

a. to be responsible for all messages, videos, files sent or any other material processed through the use of the educational IT application/platform;
b. to use the educational software application/platform only in accordance with legal provisions;
c. not to record, disseminate or use information containing personal data in any other way that exceeds the purpose of processing such data.

The personal data mentioned above shall be processed in accordance with the provisions of this Regulation and shall be processed solely for the purposes of teaching.

Any processing of personal data carried out by the educational establishment outside these purposes shall be prohibited and shall constitute a breach of the law.

Compulsory annexes to the Policy shall include declarations signed by the data subjects concerning data use.