American Academy Alumni Foundation, Larnaca
Introduction
American Academy Alumni Foundation (hereafter referred to as “the School”) commits to privacy and secure processing of the personal data maintained for our teachers, parents, pupils, associates, collaborators and visitors, in an open and transparent manner. The School is also committed to the collection and processing of any personal data, in full compliance with the General Regulation of the Protection of Personal Data of the European Union (Regulation 2016/679, GDPR) (hereafter referred to as “the Regulation”) and the legislation in force in Cyprus that governs the collection and processing of Personal Data of Individuals (L. 125 (I)/2018).Personal Data involves any Data relating to an identified or identifiable natural person (‘data subject’).
This Privacy Policy governs the collection, use, disclosure, transfer and storage of personal data. Please read our Privacy practices carefully to understand our policies regarding data provided to us and how we process and treat them, and do not hesitate to contact us for any questions.
The American Academy Alumni Foundation Privacy Policy governs the collection, use, disclosure, transfer, and storage of Personal Data. This policy applies to all personal data, regardless of whether is in in paper or electronic format.
Definitions
Under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), the following definitions apply:
- Personal Data – includes any information relating to an identified or identifiable natural person (data subject), being one who can be identified directly or indirectly by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, phycological, genetic, mental, economic, cultural, or social identity of that natural person.
- Special category Data – includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Data Processing – involves any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Controller – includes a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- – includes a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
- Third Party – involves a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- Consent – involves the data subject and means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.
- Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored ot otherwise processed.
Our Commitment
The School is committed to maintaining the principles and duties in the GDPR. Therefore, the School will:
- Inform individuals of the identity and contact details of the Data Controller.
- Inform individuals of the contact details of the Data Protection Officer.
- Inform individuals of the purposes that personal information is being collected and the basis for this.
- Inform individuals when their information is shared, and why and with whom unless the GDPR provides a reason not to do this.
- If the school plans to transfer personal data outside the EEA the school will inform individuals and provide them with details of where they can obtain details of the safeguards for that information.
- Inform individuals of their data subject rights.
- Inform individuals that the individual may withdraw consent (where relevant) and that if consent is withdrawn that the school will cease processing their data although that will not affect the legality of data processed up until that point.
- Provide details of the length of time an individual’s data will kept.
- Should the school decide to use an individual’s personal data for a different reason to that for which it was originally collected the school shall inform the individual and where necessary seek consent.
- Check the accuracy of the information it holds and review it at regular intervals.
- Ensure that only authorised personnel have access to the personal information whatever medium (paper or electronic) it is stored in.
- Ensure that clear and robust safeguards are in place to ensure personal information is kept securely and to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded.
- Ensure that personal information is not retained longer than necessary.
- Ensure that when information is destroyed that it is done so appropriately and securely.
- Share personal information with others only when it is legally appropriate to do so.
- Comply with the duty to respond to requests for access to personal information (known as Subject Access Requests).
- Ensure that personal information is not transferred outside the EEA without the appropriate safeguards.
- Ensure that all staff and governors are aware of and understand these policies and procedures.
Our Role under the Regulation
As the Data Controller the American Academy Alumni Foundation collects, processes and maintains the personal data of its pupils, personnel, parents, associates, visitors and collaborators.
As the Data Processor, the American Academy Alumni Foundation processes personal data as per the means and purposes identified by the Data Controller.
Principles
The GDPR establishes six (6) principles as well as a number of additional duties that must be adhered to, at all times:
- Personal data shall be processed lawfully, fairly and in a transparent manner.
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (subject to exceptions for specific archiving purposes).
- Personal data shall be adequate, relevant and limited to what is necessary to the purposes for which they are processed and not excessive.
- Personal data shall be accurate and kept up to date.
- Personal data shall be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Personal data shall be processed in a manner that ensures appropriate security of the personal data.
Legal Basis for Collection, Use and Disclosure of yor Personal Data
There are different legal bases that we rely on to collect, use and disclose your Personal Data, namely:
- Consent: We will rely on your consent to use your Personal Data for other purposes for which the purpose of the process does not relate to the offered services.
- Performance of contract: The use of your Personal Data for purposes of providing the services, customer management and functionality and security as described above is necessary to perform the services provided to you under our term and conditions and any other contract that you have with us.
- Compliance with legal obligation: We are permitted to use your Personal Data to the extent this is required to comply with a legal obligation to which we are subject.
- Protection of your vital interests: The processing of your Personal Data is necessary to protect your vital interests, if you are physically or legally incapable of giving consent.
- Protection of our legitimate interests: The processing of your Personal Data is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child.
Roles and Responsibilities
The Board of Directors has overall responsibility for ensuring that the School complies with its obligations under the GDPR.
Day-to-day responsibilities rest with the Headteacher and Data Protection Officer (DPO). The Headteacher will ensure that all staff are aware of any data protection obligations, and oversee any queries regarding the processing of personal data in collaboration with our DPO.
Staff are responsible for ensuring that they collect, process and store any personal data in relation to our obligations under the GDPR.
How and Why are personal data collected
We collect and process personal data :
- Directly from you,
- Through third parties in the standard course of the business we do in otfer to provide you with the service you requested,
- Through our associates and collaborators.
In general, the School might process personal data for the following purposes:
- Provision of services: to provide you with Data and services request from us;
- Customer management: to create and manage your records (including school records), to provide you with requested services, and/or changes to any services we offer to you, and be able to contact when need to inform about matters rising from our engagement, such as school performance, appointments, and/or execute your payments, or changes to our services;
- Functionality and security: to detect, prevent, and respond to actual or potential fraud and illegal activities;
- Compliance: to enforce our terms and conditions and to comply with our legal obligations as these derive from the applicable laws;
- For any other purpose with provided explicit consent.
Types of personal data collected
The School collects personal data from students, parents/guardians, collaborators etc., to support teaching and learning, to provide care, to assess how the school is performing and provide services.
This data includes, but is not restricted to, the following:
- Name and Surname
- Date of birth
- Identification/passport number
- Contact details (contact address/telephone/email)
- Results of internal assessment and externally set tests
- Data on pupil characteristics, such as ethnic group or special educational needs etc.
- Exclusion information
- Details of any medical conditions and/or medical certifications.
- Curriculum vitae for employees and candidates
- Identification/passport number, IBAN, social security number, and other financial information for school employees.
Paper-based records and portable electronic devices, such as laptops and hard drives, that contain personal information are kept secure when not in use. Papers containing confidential personal information are not left on office and classroom desks, on staffroom tables or pinned to noticeboards where there is general access. Where personal information needs to be taken off site this is carried out in accordance with the school’s policies. Additionally, passwords are used to access school computers, laptops, other electronic devices, and access to educators and applicants (students, parents / guardians).
How we store and protect your Personal Data
The data we collect and process, including Personal Data, is safely stored and maintained in our premises.
The School takes appropriate technical and organisational security measures (including physical, electronic, and procedural measures) to safeguard your Personal Data from unauthorized access, unlawful use, intervention, modification, or disclosure under the requirements of the Regulation.
Only authorized employees are permitted to access Personal Data, and they may do so only for permitted business functions. In addition, the School provides relevant training to all employees on how to handle, manage and process personal data, applied upgraded technical measures, and transformed school policies and procedures in a way that comply with the General Data Protection Regulation.
Disclosure of Personal Data
The School does not share information without given consent unless the Regulation and relevant legislations allow for this. The School is required, by law, to pass certain information about students to specified external bodies, such as the local authorities and the Ministry of Education, enabling the completion of relevant statutory obligations.
The School also uses the collected data, and some of the School’s employees have access to such data, only to the extent required to carry out services on behalf of the clients and the School. The School has also introduced appropriate technical and organisational measures to protect the confidentiality, integrity, and availability of all data during storage and processing.
We may also disclose your Personal Data to other third parties, including official authorities, courts, or other public bodies:
- In response to a subpoena or similar investigative demand, a court order or other judicial or administrative order, or a request for cooperation from a law enforcement or other government agency; to establish or exercise our legal rights; to defend against legal claims; to comply with applicable law or cooperate with law enforcement, government or regulatory agencies; or to enforce our Website terms and conditions or other agreements or policies; or as otherwise required by law (including responding to any government or regulatory request). In such cases, we may raise or waive any legal objection or right available to us, in our sole discretion.
- To the extent a disclosure is necessary in connection with efforts to investigate, prevent, report or take other action regarding illegal activity, suspected fraud or other wrongdoing; to protect and defend the rights, property or safety of our company, our employees, or others and maintain and protect the security and integrity of our infrastructure.
Your Rights Under theRegulation (Subject Rights Request)
We strive to provide you with choices regarding the Personal Data you provide to us. You can choose not to provide us with certain Personal Data, but that may result in you being unable to use certain services.
Subject to the provisions of the General Data Protection Regulation – GDPR, you have the following rights in regard to your Personal Data: (Please note, these rights are not absolute and, in some cases, they are subjected to conditions as defined by Law):
- Right of Access – You have the right to access your own Personal Data, as well as the right to request a copy of your personal data that is maintained and processed by our company.
- Right of Rectification – You have the right to request the correction of any incomplete and / or inaccurate personal Data we hold for you.
- Right to Erasure – You have the right to request the deletion of personal Data only if one of the following reasons is true:
- Personal Data are no longer necessary in relation to the purposes for which they were collected or processed.
- If the processing is based on your consent and you have withdrawn this consent (on which processing is based) in accordance with Articles 6.1.a and 9.2.a of the Regulation and if no other legal basis, for processing, applies.
- If you object to processing in accordance with Article 21.1 of the Regulation and there are no compelling and legitimate reasons for processing.
- If personal Data have been processed illegally.
- If personal Data should be deleted in compliance with a legal obligation under EU law to which our company is subject to.
- If the personal data have been collected in relation to the provision of referred to in Article 8.1 of the Regulation.
- Right to Object – You have the right to oppose the processing of your Personal Data at any time and for reasons related to a specific situation, unless there are compelling legitimate reasons for processing that override your interests, rights and freedoms.
- Right to Restriction of Processing – You reserve the right to request the restriction of processing on your Personal Data so that we may no longer process the specific Data until the restriction is lifted (for example, the data have been corrected).
- Right to Data Portability – You have the right to request the transfer of your personal data, that you have provided to our company. These data will be given to you in a format that is structured, widely used and machine readable and, in certain cases you may also have the right to request for us to send the Data to another organization, provided that such a transfer is technically feasible.
- Right to Object and Automated Individual Decision-Making (Including Profiling) – You have the right to request that we do not make any decision, regarding you, solely on the basis of automated processing, including profiling, only in the case that this decision has legal or significant consequences on you.
You can exercise your rights by submitting in writing, by emailing us at dpo@academy.ac.cy, by letter or by fax 24651046. Please state in the subject, that your request concerns a privacy matter, and provide a clear description of your requirements.
The School will not reveal the following information in response to subject right requests:
- Information that might cause serious harm to the physical or mental health of the pupil or another individual.
- Information that would reveal that the child is at risk of abuse, where disclosure of that information would not be in the child’s best interest,
- Information contained in adoption and parental order records.
- Certain information given to a court in proceedings concerning the child.
Subject Right Requests will be provided within thirty (30) days following a request to our Data Protection Officer.
Retention of Personal Records
The School will only retain Personal Data collected for as long as is necessary to satisfy the purpose for which it has been collected. The period for which Personal Data is kept and is necessary for compliance and legal enforcement purposes, varies and depends on the nature of legal obligations.
To the extent the School has collected your Personal Data for purposes of provision of services, customer management, and customisation of content as described above, your information is kept for as long as you are associated with the School, as needed to provide you with respective services and in compliance with the relevant laws of Cyprus.
Any Personal Data collected under the lawful basis of the consent, such as contact details for communication purposes will be deleted when you withdraw your consent, and this can be done at any given time requested. For further information regarding specific retention period, please contact the School’s Data Protection Officer at dpo@academy.ac.cy.
Changes to our Privacy Policy
The School may modify or revise the privacy policy documents from time to time. Although the School may attempt to notify you when major changes are made to this privacy policy, you are expected to periodically review the most up-to-date version found at the School’s portal (www.academy.ac.cy), so you are aware of any changes.
Contact Details
If you have any questions about this privacy policy or our data-handling practices, please contact the School’s Data Protection Officer via the School’s contact address/telephone/email provided below:
American Academy Larnaca:
- Contact address: 32 Grigori Afxentiou Avenue, 6021, Larnaca, Cyprus P.O. Box 40112, 6301, Larnaca,
- Contact telephone: +357 24815400
- Contact email address: dpo@academy.ac.cy
Submission of a Complaint: If you feel that your concerns regarding the use of your personal data or any of your data protection rights have not been addressed by the School, please contact the School’s Data Protection Officer at dpo@academy.ac.cy and submit a formal complaint. You also have the right to submit a complaint with the Personal Data Protection Commissioner’s Office at www.dataprotection.gov.cy.
Last Modified: 16/11/2021