The American International School of Zagreb (“AISZ”) processes personal data on its prospective, current and former students and their parents or legal representatives, as part of its everyday operations of providing educational services.
AISZ handles your personal data according to the General Data Protection Regulation no. 679 / 2016 applicable in the European Union (“GDPR”). For these purposes, AISZ acts as controller with regard to your personal data and the personal data of students (“Personal Data”), meaning AISZ establishes the purposes and means of processing the Personal Data.
For the purposes of this Privacy Notice, please note that the term “processing” shall represent any operation performed on Personal Data, whether or not by automated means such as collection, recording, storage, adaptation, alteration, consultation, use, disclosure by any means, erasure or destruction.
AISZ wishes to be completely transparent with regard to the processing of Personal Data and therefore, we have presented below all the information you may need on this subject matter.
Please read this privacy notice to understand the data processing operations carried out by AISZ.
1. The purposes for which AISZ processes your Personal Data:
AISZ processes Personal Data that pertain following purposes:
- Provision of educational services, starting with the application process, enrolling students, administration of classes and timetable, teaching activities, administration of internal and public examinations, assistance regarding the application process to various universities, issuance of academic records.
- Provision of educational ancillary services: pastoral care, career and personal counselling, library services, extracurricular activities, school trips, financial assistance and scholarship, managing school’s publications, setting up the virtual learning environment and granting access to AISZ’s Intranet and Internet network as well as monitoring the use of AISZ’s network.
- Ensuring campus security: monitoring access on campus, performance of video surveillance.
- Provision of the medical care and counselling that students may need.
- School administration: handling student records and other academic documentation, administration of fees and accounts, internal and external audits and controls, reporting and statistics creation, implementing school policies, ensuring collaboration with other schools, archiving, assessing the quality of our services, facilitating research activities.
- School related communications: conveying various messages related to the students and AISZ’s activities by any communication means.
- Organizing fundraising activities and other school events (e.g., concerts, theatre productions, talent shows), including marketing communications related to the fundraising activities organized by AISZ.
- Dispute resolution and litigations.
2. The categories of Personal Data that AISZ processes, include, but are not limited to the following:
- Identification and contact information (first and last name, citizenship, country of birth, address, information included in ID’s / passports, phone number, e-mail etc).;
- Health data: medical history, allergies, immunization records, disorders, medical examination results and other medical data of the students;
- Data related to the educational background and regarding school performance of the students: academic, disciplinary or other educational related records, academic references, special needs, hobbies, results of educational diagnosis testing, test results, feedbacks, evaluations etc.;
- Behavioral data as well as data on preferences / interests of students;
- Family information: household information, language background, financial data, profession and workplace of parents etc.;
- Authentication and physical access data: e-mail, passwords, badge number, location data, other on-line identifiers, car details etc.;
- Photos and videos.
Generally, the Personal Data held by AISZ were provided directly by the parents or resulted from the interaction the parents and the students have with the school. In some cases, third parties (e.g., representatives of former schools attended by students) supply data.
3. The lawful basis for the processing operations we conduct with regard to the Personal Data
AISZ collects and further processes Personal Data, based on one of the following legal grounds, expressly laid down by the GDPR:
- For the performance of the enrollment contract, as well as in order to take steps at your request for entering into the enrolment contract and to further provide the educational services.
Please note that there are some mandatory categories of personal data necessary to AISZ in order to conclude the enrolment agreement and provide the educational services to students at a high standard and in the best interest of the students.
The mandatory categories of personal data are included in the application form, which you have filled in on-line or on paper forms and listed in the enrollment contract you already have / will sign with AISZ. All the categories of data that are compulsory for contract conclusion are marked accordingly in the application form.
Please take into consideration, that all the mandatory categories of data are necessary for AISZ to be able to evaluate your application and finally to enroll your child. Failure to provide all the information marked as mandatory will lead to the impossibility of AISZ to process your application and to enter into a contract with you.
- A legal obligation that requires AISZ to process your Personal Data (e.g. performance of video surveillance).
- For the performance of a task carried out in the public interest, considering that AISZ provides educational services, regarded as a service of public interest, according to the Croatian applicable provisions on education, many processing operations conducted by AISZ that are strictly related to educational purposes will be founded on this lawful basis for processing. We refer here mainly to: issuing and storing academic records, evaluating students’ performance etc.
- The legitimate interest pursued by AISZ.
AISZ relies on this legal ground in order to provide the educational services it has committed to deliver and additional services related to this scope at the highest standards, always for the benefit of the students and without outweighing the parents or the students’ rights and liberties.
AISZ may invoke the legitimate interest legal ground in the following cases:
- monitoring use of the AISZ’s virtual learning environment and network, including monitoring the use of e-mail accounts and devices provided by AISZ;
- conducting fundraising activities, including marketing of such activities;
- enforcement of legal claims, addressing complaints and third party controls;
- management, control, reporting and performing statistics on schools activity;
- ensuring security;
- maintaining close relationships with alumni and AISZ’s community;
- collaboration with other schools and educational institutions;
- performance of agreements with suppliers, including insurance suppliers;
- access to grants and other funding sources.
With respect to the processing of the special categories of personal data under the GDPR, respectively health data, please take into consideration that AISZ processes health data based on the following legal grounds:
- The necessity of the Medical Office to process such data for the purpose of preventive and occupational medicine, medical diagnosis and the provision of health or social care or treatment on the basis of European Union or national law;
- Processing is necessary for reasons of substantial public interest, on the basis of European Union or national law. Such a legal ground is used especially in those situations where the school has to assess the learning capacity of a student and adapt the teaching activities to the special needs of a student.
- The consent you have granted us, prior to any processing of the personal data, for:
- the processing of your child’s personal data on allergies.
- the use of students’ photographs and videos in various school publications, promotional images including AISZ news, School managed social media accounts (including Facebook, Instagram, YouTube, Twitter)
- child’s / children’s images in school advertising (digital / print)
- other consents that may be granted from time to time for various processing activities.
- The explicit consent granted by you for the disclosure of the personal data of students related to the allergies they suffer from.
4. Disclosure of Personal Data
AISZ discloses your Personal Data only to those members of AISZ, staff and collaborators, who need access to the personal data mainly for ensuring the provision of the educational and ancillary services. In this respect, please take into account that only the Medical Office has access to the students’ medical records. Other departments of the school have access to specific health data (i.e. for allergies) or in order to protect a substantial public interest based on E.U. or national law (e.g., various medical conditions triggering special learning needs).
With respect to the disclosure of your Personal Data to third parties, outside AISZ, please note that such disclosure is performed solely in the regular activity of the school. The categories of recipients include the following:
- IT providers, including educational applications, on-line tools, server hosting suppliers such as ManageBac, SchoolIS, SeeSaw, NWEA and College Board etc.
- Cafeteria Owner in its capacity of independent provider of meal services on campus;
- Other educational institutions or organizations, not limited to other schools;
- Travel agencies, catering and transportation providers;
- Photographer and video crew;
- Courier services providers;
- Utilities services providers;
- Public authorities and institutions, national or foreign, judicial courts and foreign embassies or other forms of diplomatic missions;
- Bank, financial institutions and insurance providers
- Tax, legal and accounting consultants
5. Third country transfers
AISZ transfers your personal data to the third countries, as follows:
- United States of America – to third parties that have obtained EU – US Privacy Shield certification (i.e. Faria Systems LLC as provider of the ManageBac). With other USA based providers of applications, AISZ is in the process of implementing appropriate safeguards in order to ensure secure transfers of personal data by May 25, 2018.
If you wish to consult the appropriate safeguards put in place by AISZ about the transfers of personal data to USA, please refer to the contact point at the end of this Privacy Notice.
6. Retention of Personal Data
AISZ holds all your Personal Data for as long as you are in a contractual relation with us, and afterwards for a standard period of 5-year, period for which AISZ can justify a need in storing such personal data. AISZ keeps the student file and all the data related to the student interaction with AISZ mainly for the scope of assessing the school’s activity and the quality of services provided but also for addressing potential request of students with regard to their school trajectory within AISZ, which usually appear after the students have graduated.
Notwithstanding the retention period mentioned above, please be informed, that all the academic records and other school acts and documents related to study activities are kept for an indefinite period of time, according to the legal obligations that AISZ has in this respect. Moreover, in any case where a legal provision imposes a minimum retention period, AISZ will keep the Personal Data for at least that mandatory period. In case of a legal process data will be retained as long as the legal process requires.
7. Your rights related to the processing of Personal Data by AISZ
The GDPR provides certain rights related to the processing of personal data, that both you and the students have.
AISZ respects all the rights mentioned under the GDPR and is committed to furnishing the appropriate means by which you can exercise these rights, according to the details mentioned below:
- The right to rectification, that allows you to request AISZ rectification of any inaccurate Personal Data that AISZ may hold, as well as to have your incomplete Personal Data to be completed.
- The right to erasure meaning that in the situations expressly regulated by law, you may request erasure of your personal data. Please take into account, that the cases where the law provides for the possibility of erasure of personal data amount to the situations where the processing is unlawful or where the processing is based on your consent, and you have withdrawn such consent.
- The right to restriction of processing, signifying your right to obtain restriction of processing your Personal Data from AISZ’s part. Please bear in mind that this right can be exercised only in specific situations laid down by the GDPR such as when you challenge the accuracy of your Personal Data. During the period necessary for us to rectify your data, you may ask us to restrict the processing of your Personal Data.
- The right to data portability implying your right to receive the personal data in a structured, commonly used and machine-readable format and further to transmit such data to another controller. This right to data portability shall be applicable only to the personal data you have provided to us and where the processing is carried out by automated means based on your consent or for the performance of the contract you have concluded with AISZ.
- The right to object to the processing of your Personal Data by AISZ, on grounds relating to your particular situation. The right to object applies to the situations where AISZ relies on consent as legal basis for processing (e.g. using your e-mail address for conveying fundraising related messages).
- The right to lodge a complaint designates your right to challenge the manner in which AISZ performs processing of your Personal Data with the competent data protection authority.
- The right to withdraw your consent given for various processing operations, in cases where the consent represents the lawful basis for processing. In cases where you withdraw your consent to processing your Personal Data, please note that the processing will end from the moment the withdrawal takes place without any effect on the processing that took place prior such withdrawal.
Confidential references provided by the American International School of Zagreb
Confidential references given by AISZ for staff or students, which includes references on its behalf written by staff either in their formal capacity or as part of a standard procedure, are exempt from subject access requests where the references relate to:
- education, training or employment of the data subject
- appointment of the data subject to any office
- provision by the data subject of any service
This means that AISZ has absolute discretion to refuse to release confidential references written on its behalf if requested to do so in a subject access request or as part of a request.
Once the reference has been received by another organisation or individual, the reference ceases to be exempt from data subject access and, consequently, could be accessed by the data subject through the receiving organisation. Please note in the above example, that the right to release the reference rests with the institution not the individual faculty.
AISZ creates various profiles through automated means based on the Personal Data that pertain to students. Generally, such profiles are created via various applications used in the on-line education environment such as: MAP Testing Tool.
AISZ creates and uses such profiles to evaluate the performance of its students, to identify gaps in their development or to assess specific traits that characterize students’ personality, preferences, and behavior or professional inclinations.
9. Video Surveillance
AISZ has implemented a video surveillance system on the campus, in order to ensure security of its students, staff and all the other persons that enter our premises. The security and wellbeing of our students is our primary concern and these video cameras allow us to offer real time protection.
All the areas covered by a video camera are signalized on campus through specific banners, informing you with regard to the video surveillance conducted by the AISZ.
10. Contact Point
In the situation where you may wish to exercise any of the rights listed under point 7 of this Privacy
Notice or to obtain additional information or clarifications on the subject of processing your Personal Data please contact AISZ, via its appointed Data Protection Officer – responsible for ensuring that AISZ complies with all the requirements of the GDPR.
Contact Details of AISZ’s Data Protection Officer:
Phone Number: 01/7999 323