This Privacy Notice applies to all individuals who share data with us whether they are parents, students, prospective students, staff, visitors to the school, or even just visitors to our website. Lennen Bilingual School is the Data Controller and you are the Data Subject.
To help you understand how we process the data that is within our control, we have arranged this document in the following sections:
- What categories of personal data are collected and processed?
- Why is the data collected and how is the data used?
- What is our lawful basis for processing the data?
- How is the data collected, stored, for how long and how is security ensured?
- Who else has access to the data, for what purpose and how is security ensured?
- What are your rights over your data?
When we talk about processing the data, we include the actions of collecting, storing, sharing, analyzing, backing up or deleting the data. For clarity we give many illustrative examples and will note explicitly where such examples are not exhaustive.
1. What categories of personal data are collected and processed?
We process your data in order to fulfil our mission as a school. It is simplest to think in terms of data categories where the processing shares a common purpose.
In the table below we list some of the most important data categories for students and parents. Please note that data are necessarily provided by the parents.
| Data category | Examples of typical data |
|---|---|
| Admissions process | Name, date of birth, previous school details, transcripts, references |
| Student characteristics | Nationality, language, gender |
| Student assessment | Teacher reports, homework assignments, external examination results |
| Personal identifiers authentication | Unique pupil number, security badges |
| Attendance | Sessions attended, number of absences and reason for absence |
| Optional services e.g. hot lunch | Dietary requirements |
| Field trips and activities | ID information |
| Medical information | Doctor’s report, vaccinations, allergies, individual health plans |
| Safeguarding | Child protection referral information |
| Special educational needs | Assessment information, specialist reports |
| Parent contact information | Email, mobile phone, address, emergency contact details |
| Fee payments | Parent’s company, occupation, payment details |
Please note that this list is not exhaustive and that some categories would apply only to certain students.
We may also collect some additional categories of data if you access our wireless network while visiting one of our campuses or if you browse our website. This information might include your IP address, the name or MAC address of the mobile device you use to connect through, or it might include the exchange of cookies with your device.
2. Why is the data collected and how is the data used?
The personal data collected is essential in order for the school to fulfil its stated educational goals as an international school, to meet local legal requirements and to execute the contract between you and the school. We use the personal data we collect for students and parents to:
1. Provide the child with an education
2. Support student learning
3. Engage you as a parent in your child’s education
4. Monitor and report on student progress
5. Provide appropriate pastoral care
6. Meet the standards of accrediting authorities
7. Keep children safe
8. Meet the legal requirements placed upon us
9. Ensure the security of the school premises
10. Process payments
11. Process applications to the School
Whilst the majority of the personal data you provide to the school is mandatory, some is provided on a voluntary basis. When collecting data, the school will inform you whether you are required to provide this data or if your consent is needed. Where consent is required, the school will provide you with specific and explicit information with regard to the reasons the data is being collected and how the data will be used.
3. What is our lawful basis for processing the data?
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing student or parent personal data are that it is necessary:
- To perform or establish a contract (1, 2, 3, 4, 5, 10, 11)
- To comply with a legal obligation (7, 8)
- To protect the vital interests of a data subject (7, 9, 11)
- As part of a task carried out in the public interest (1)
- For the legitimate interests of the controller (6, 9, 10, 11)
One exception to this is where we make use of student personal data in the form of photos, audio or video on the school website, on social media or through other non-private channels.
In this case we ask for your explicit consent, giving illustrations of how such data might be used. Such recordings provide students with useful feedback, help teachers improve teaching practice and are required as evidence of learning for visiting accreditation bodies.
You may give consent for the use and for the sharing of such materials through other channels by completing an authorization form. The form also indicates how you can easily withdraw your consent.
In some situations where we collect more sensitive data, we might also ask for consent to share this information in a restricted way. Examples include passport number details for students participating in overseas field trips and individual health plan information for those with medical conditions that need to be known by those caring for them, or for academic reasons with educational administrative bodies. We might for example share details of a particular condition that would entitle a student to extra time in an examination.
4. How is the data collected, stored, for how long and how is security ensured?
We collect only the minimum data required for our purposes and keep it only for as long as it is needed to fulfil our contractual and legal obligations.
All personal data we process follows the same data minimization principle and is:
- Collected lawfully, fairly and transparently
- Collected for the stated specific purposes with no further processing
- Adequate, relevant and limited to what is necessary
- Accurate and up to date (as far as this is possible)
- Retained only for a limited time
- Stored and processed with appropriate security
- Application and registration forms
- Doctor’s form and medical records
- Files from previous schools
- Through the online application interface
- Through email exchanges
- Via postal services
- During face-to-face meetings
For important information such as emergency contact numbers or active email addresses we work throughout the year to ensure that our records remain accurate and up to date.
We hold student data securely for the set amount of time shown in our data retention schedule.
5. Who else has access to the data, for what purpose and how is security ensured?
We do not share information about our students and parents with anyone without consent unless the applicable law, the relevant departments within the authorities who have responsibility for education on a statutory basis, or the fulfilment of the contract that is entered into for the schooling of a child require us to do so.
For example, we might share some payment details with a third-party provider in order to process the payment in application of the contract entered into with the School.
We provide portability for any personal data stored in our systems. In the simplest cases this may mean just data exports in standard ‘csv’ file format or, where it is possible, in a format that allows direct migration to a different system.
We share some core elements of the personal data we keep with vendors who provide information systems or services that are part of our routine operations as a school.
Transferring data overseas
We may send your information to other countries in situations where:
- we store information on computer servers based overseas;
- we communicate with you or your child when you are overseas (for example, during the summer holidays if you live in a different country);
- you request that we do so (say, for a school application).
The European Commission has produced a list of countries which have adequate data protection rules. The list can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en
If the country that we are sending your information to is not on the list, or is not a country within the EEA (which means the European Union, Liechtenstein, Norway and Iceland), then it might not have the same level of protection for personal information as there is in France. As regards subcontractors, we would then contractually require the subcontractor to comply with the GDPR requirements in accordance with GDPR Article 28.
Below you will see some examples of our subcontractors with information about how they process personal data. The list is illustrative, not exhaustive.
|Mobile App, email, virtual classrooms||Here|
|Onesignal||Mobile app notifications||Here|
6. What are your rights over your data?
You have the right to:
- Be informed of the personal data we hold on you or your minor children
- Request access to the data without charge
- Have errors rectified
- Request data to be erased where it is no longer necessary for us to use or keep the information, where you have withdrawn consent, or if we have no legal basis to keep the information
- Restrict further processing of personal data that was shared for a specific purpose
- Request a copy of the personal data we hold in a common digital format (Data portability)
We will take all measures to resolve any of your concerns regarding our processing of your personal data. However, in cases where our efforts have not enabled us to resolve your concerns locally.