I. Introduction
A. This Data Protection Policy describes how personal data must be collected, handled and stored to meet the data
protection standards established by the European Union (EU) Regulation 2016/679 with regard to the processing of
personal data and on the free movement of such data. This regulation is referred to as the GDPR.
B. This policy provides a general framework whereby an adequate level of protection of the personal data of students,
parents and legal guardians of students, employees, and contractual partners of 51ºÚÁÏ is ensured in its
processing.
C. This policy provides guidelines to ensure that 51ºÚÁÏ:
- complies with the EU data protection laws (GDPR);
- protects the rights of employees, students and parents and other contractual partners;
- is transparent about how it stores and processes individuals’ personal data;
- ensures that adequate safeguards are in place to protect itself and others whose personal data is processed from risks
such as breaches of confidentiality, reputational damage and inappropriate use of data.
D. To these ends, the actions of all staff who have access to any type of personal data must comply with this policy.
II. Types of Client Data Collected at 51ºÚÁÏ
A. Client/Student data include but are not limited to:
- Client’s contact details (i.e., name, surname, business or residential address, telephone number, e-mail address) for marketing purposes.
- Student exam and other academic results, date of birth, evaluation results, grade, pictures and movies, social/behavioral commentary and health/medical data.
- All client data that has been obtained from the client in the course of discussing or performing professional educational services, and data obtained from any sources that are necessary for the performance of professional educational services and consequently for invoicing purposes as per the requirements of the applicable laws, including financial data, personal identification numbers, etc.
- All client data obtained from a client in the course of provision of professional educational services.
B. This information is required in carrying out the duties of the school and its educational mission.
Examples of personal data collected (not exhaustive):
• name and surname
• full name of family members
• address (home/residence)
• profession/job title
• training/diplomas/studies
• date and place of birth
• citizenship
• passport/identity documents
• birth certificate data
• health data
• telephone/fax
• e-mail address
• image
• gender
• physical data
• habits, preferences, behavior
• economic and financial situation
• family status
• military status
• civil status data
• bank data
• voice
• signature
• academic background, evaluations, results, and details of experience
• CCTV images and recordings of staff, personnel, students, and visitors to the school
III. Data Processing Requirements and Purposes
A. The principles of lawfulness, fairness, and transparency are fundamental to all data collection and processing at AISSalzburg. There must be a legitimate, defensible basis on which the processing of all personal data occurs, including consent from the data subject and clear necessity for compliance with legal obligations to which the school must adhere. All data collection and processing, and its purpose, must also be clearly explained in understandable communication with the clients of 51ºÚÁÏ.
B. The processing of personal data must comply with all applicable laws and be in conformity with the following principles:
- Processed fairly, lawfully and in a transparent manner;
- Processed only for limited, specified and lawful purposes;
- Adequate, relevant and limited to what is necessary in relation to purposes;
- Accurate and kept up-to-date;
- Not kept longer than necessary;
- Processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures;
- Disclosed only if required by the data subject, applicable law or regulation;
- Transferred only to countries with adequate protection or to entities offering adequate protection.
C. 51ºÚÁÏ will collect personal data for specified, explicit and legitimate purposes and will not process the data further than for the purpose for which it was collected. 51ºÚÁÏ can process personal data only if one of the following circumstances is met:
- With the explicit and unambiguous consent of the individual to whom the data relate;
- Where necessary, to execute a contractual relationship;
- Where necessary, to protect the legitimate interests and rights of the individuals;
- Where necessary, for the purposes of the legitimate interests of 51ºÚÁÏ without prejudicing the rights, freedoms or legitimate interests of the persons to whom the data relates;
- Where necessary, to fulfill applicable laws.
D. 51ºÚÁÏ will process only data that is adequate, relevant, limited to and necessary for the purposes of professional education in a boarding setting.
E. 51ºÚÁÏ is obliged to ensure that all personal data is accurate and up-to-date where required.
F. 51ºÚÁÏ will not retain personal data for a longer period than what is necessary for the purposes for which it was collected and processed.
G. 51ºÚÁÏ will only transfer personal data outside the European Economic Area where appropriate safeguards are in place, such as an appropriate contractual framework.
H. Data subjects’ rights will be adhered to by 51ºÚÁÏ. All data subjects have the right to access a copy of the personal data we hold on them.
I. Both 51ºÚÁÏ and any data processor authorized by 51ºÚÁÏ shall keep the confidentiality of the personal data under the requirements of the law, and will not disclose, publish or otherwise reveal any information relating to personal data and the operations performed on it without an appropriate legal basis allowing them to do so. Data processors authorized by 51ºÚÁÏ shall disclose personal data only with 51ºÚÁÏ authorization, unless a legal obligation requires the data processors to act otherwise.
J. In case of loss or leakage of personal data or suspicions of potential loss or leakage of personal data to unauthorized persons, 51ºÚÁÏ shall inform the competent authorities and the relevant persons accordingly.
K. 51ºÚÁÏ will maintain data security by protecting the confidentiality, integrity and availability of the personal data. Confidentiality will be maintained by limiting access only to those authorized to access it. Integrity will be protected by ensuring that the personal data is accurate and suitable for the purposes for which it was collected and processed. Personal data will be made available to authorized users if they require it for authorized purposes.
IV. Sensitive Data Processing
A. 51ºÚÁÏ prohibits the collection or processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, physical or mental health data, trade-union membership, and the processing of data concerning health or sex life, unless:
- The individual has given explicit consent to the processing thereof.
- Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
- Processing of personal data relates to data which are manifestly made public by the data subject.
- Processing is necessary for preventative medicine, for the assessment of the appropriateness of participation in educational programming, for medical diagnosis, for the provision of health or social care or treatment or the management of health or social care systems and services on the basis of the European Union or member state law or pursuant to contract with a health professional.
V. Individual Notification
A. 51ºÚÁÏ will inform individuals of this data protection policy with notice concerning:
- the purposes for which their personal data are processed.
- other relevant information: the nature and categories of the processed personal data, the categories of third parties to which the personal data are disclosed and how and when individuals can exercise their rights.
VI. Consent
A. The consent of the client is defined by the GDPR as ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’ 51ºÚÁÏ will keep records of valid consent throughout the enrollment period of any client.
VII. Withdrawal of Consent
A. Data subjects have the right to withdraw their consent at any time. 51ºÚÁÏ accepts a written statement signed by the data subject which specifies the exercise of the right of withdrawal of consent. It should be forwarded to office@51ºÚÁÏ or by mail using the school’s street address: Moosstrasse 106, 5020 Salzburg, Austria.
VII. Data Use
A. Parameters of internal personal data usage:
- When working with personal data, authorized employees of 51ºÚÁÏ will ensure that the screens of their personal computers are always locked when left unattended.
- Personal data will not be shared informally and never sent by e-mail.
- Data will be encrypted before being sent electronically.
- Authorized employees will not save copies of personal data on their own computers; they will only access and update the central copy (PowerSchool).
- Personal data will not be disclosed to unauthorized persons, either within 51ºÚÁÏ or externally.
- Data will be regularly reviewed and updated if it is found to be out-of-date. If no longer required, it will be deleted.
- Only those authorized employees who require access to personal data in the functioning of their responsibilities will be granted access by the Data Protection Officer.
VIII. Data Storage
A. Personal data will be stored at 51ºÚÁÏ in such a form that permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods so far as the data will be processed solely for archiving purposes in the client’s or public interest or for scientific, historical, or statistical purposes with appropriate safeguards.
B. All personal data stored will be in such a manner that ensures appropriate security against unlawful processing and
accidental loss, destruction or damage.
C. Security measures in place at 51ºÚÁÏ:
- Users will always lock their laptop/desktop when moving away from the computer.
- Users will never attempt to circumvent computer or server security or gain access to a system for which they have no authorization.
- Servers and workstations will be protected by using security software and firewall rules.
- Servers are located in places specially equipped with access and environmental controls and will be inaccessible to unauthorized individuals.
- Data will be frequently and regularly backed up.
- Employees of 51ºÚÁÏ must use strong passwords which are frequently changed. All passwords must be kept confidential by all employees.
- Access to the IT systems at 51ºÚÁÏ is granted on a ‘need to know’ basis, based upon the privileges required to perform specific duties.
D. Security for printed data at 51ºÚÁÏ:
- Users working in departments that handle confidential information will lock and secure all information and equipment when they are away from their desk areas.
- Access controls are implemented throughout the school and are applied to all employees, clients, contracted partners, and visitors to the school.
- Retention and disposal schedules are in place to ensure legal compliance with GDPR as well as protect personal and intellectual property.
IX. Data Accuracy
A. Personal data stored and processed at 51ºÚÁÏ will be updated to be kept as accurate as possible. Inaccurate data will be discarded or deleted immediately. All employees at 51ºÚÁÏ will maintain vigilance in an effort to ensure that all stored data is accurate.
X. Transfer of Data to Third Parties
A. Authorized employees of 51ºÚÁÏ will remain vigilant in their transferral of personal data for purposes specifically required by professional educational practice and supported by the school’s mission. In all cases where possible, authorized employees will evaluate, with the assistance of the IT Coordinator, the security of all transfers in or outside of the EU and implement appropriate safeguards as required by the GDPR.
B. The 51ºÚÁÏ college counselor will require that third parties in reception of personal data (e.g., universities, medical officials) prove that appropriate security measures are in place for the transfer of such data as well as the submission of further data that relies upon stored and processed personal data from clients of 51ºÚÁÏ.
C. The 51ºÚÁÏ office administration will ensure that all contracted partners and clients with which personal data is transferred prove secure systems are in place for such transferral. In all such cases, such transfers will take place only through transparent necessity in meeting the school’s professional educational goals and mission.
XI. Data Protection Officer (DPO) at 51ºÚÁÏ
A. The Data Protection Officer at 51ºÚÁÏ is Mr. Paul McLean, [email protected], 51ºÚÁÏ, Moosstrasse 106, 5020 Salzburg, Austria. The DPO is required to:
- Keep the administration of 51ºÚÁÏ updated about all data protection responsibilities, risks and other issues.
- Review all data protection procedures and related policies.
- Arrange data protection training and advice to employees responsible for processing personal data.
- Deal with requests from individuals to see the data 51ºÚÁÏ stores on them (‘subject access requests’).
- Check and approve any contracts or agreements with third parties that may handle our sensitive data.
- Control and monitor all data protection procedures.
- Stay informed of all data protection laws and procedures.
XII. Employees with Access to Personal Data at 51ºÚÁÏ
A. Employees with access to personal data shall observe the following limitations:
- Only access personal data to the extent necessary to serve the applicable legitimate purposes for which AISSalzburg processes personal data and to perform their job.
- Report any incident or issue relating to the security of personal data to the DPO.
- Never discuss confidential information in public areas or with individuals who do not have the need to know.
- Dispose of sensitive documents properly.
- Power off computing devices when not in use for extended periods.
- Lock and secure all information and equipment when they are away from their desk areas.
- Keep all secure information out of sight or view when away from their desks.
- No storage of passwords in plain text.
- Promptly report any suspected breach of security that comes to their attention.
- Consult the DPO whenever they have concerns about data privacy.
XIII. IT Manager at 51ºÚÁÏ with Access to Personal Data
A. The IT Manager at 51ºÚÁÏ will follow the following guidelines in storage, processing and access of personal data:
- Ensure that all systems, services and equipment used for storing data meet acceptable security standards.
- Perform regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluate any third-party services 51ºÚÁÏ is considering using to store or process data in order to ensure the integrity, confidentiality and availability of processed data.
- Identify and implement technical measures to ensure the security of stored personal data.
- Provide support for investigating potential breaches of security.
- Provide personnel assistance on technical and security standards for the processing and protection of personal data.
XIV. Admissions and External Relations
A. All actions involving the processing of personal data for admissions and external relations shall be restricted by the following guidelines and limitations:
- Ensure that the marketing strategies comply with the principles of this policy.
- Ensure that personal data databases used for marketing purposes are accurate and up-to-date.
- Work with other organization representatives to ensure that marketing initiatives respect the principles of personal data protection.
- Coordinate any requests of media regarding the protection of personal data.
- Ensure any statement of personal data that accompanies advertising material, or is used in communication channels (e-mail, letters).
XV. Data Subject Rights
A. In the collection of personal data directly from the data subjects to whom it relates, 51ºÚÁÏ will make sure that those persons are aware of the following at the time when personal data are obtained:
- The identity and the contact details of the DPO.
- The purposes of the processing and the legal basis.
- The legitimate interests pursued by the school or a third party, where applicable.
- The recipients or categories of recipients of the personal data, if any.
- The fact that the school intends to transfer personal data abroad and the existence or absence of an adequacy decision, where applicable.
- The period for which the personal data will be stored, or criteria used to determine that period.
- The existence of the rights of the data subject: to request access to and rectification or erasure of personal data, or a restriction on processing or to object to processing, the right to data portability, the right to withdraw consent at any time, and the right to lodge a complaint with a supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data.