1.- RIGHT TO INFORMATION
Through this privacy policy, and in compliance with the Regulation (EU) 2016/679 of the European Parliament of the Council, of 27 April 2016, on General Data Protection (hereinafter, GDPR) and Organic Act 3/2018, of 5 December, on Data Protection and Guarantee of Digital Rights (hereinafter, the PROVIDER, or the Data Controller), provides the conditions of processing personal data.
Definitions
Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is that one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling: Any form of automated processing of personal data consisting of using this data to evaluate personal aspects of a natural person; in particular, to analyse or predict aspects related to the professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that person.
Pseudonymization: Processing of personal data in such a way that it cannot be attributed to a data subject without the use of additional information, provided that such information is separate and keep to technical and organizational measures aimed at ensuring that the personal information is not attributed to an identified or identifiable natural person.
File: Is a structured set of personal data accessible according to specific criteria, whether it is centralised, decentralised or distributed functionally or geographically.
Data Controller: Natural or legal person, judicial authority, service or any other entity acting alone or jointly with others and selecting the purpose of the processing.
Data Processor: Natural or legal person, judicial authority, agency or other body which processes personal data on behalf of the controller.
Recipient: Person who personal data is communicated, even he is a third party or not. However, public authorities that may receive personal data in the context of a specific investigation should not be considered as recipients.
Third party: Natural or legal person, judicial authority, agency or other body different of Data Controller, Data Processor or an authorised person to make the data processing in the name of the controller or processor.
Consent of the data subject: Any free, specific, informed and unequivocal expression of will by which the data subject accepts, by means of a declaration or clear affirmative action, the processing of personal data who belongs to him or her.
Supervisory authority: The independent public authority established by a member state, in accordance with the provisions of Article 51 of the GDPR.
Cross-border processing:
a) The processing of personal data carried out in the context of the activities of establishments in more than one member state of a controller or processor in the European Union, if the controller or processor is established in more than one member state, or
b) The processing of personal data carried out in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or may affect data subjects in more than one Member State.
1.3.- Who decides the use that will be made of the data and the means that will be used to carry out the processing?
The Data Controller is St Peter’s School.
1.4.- Who ensures that all the rules that regulate the processing of information in St Peter’s School are correctly applied?
The data protection officer is CIPDI, Treatment of Information S.L. You can contact the DPO at the email dpd@cipdi.com
1.5.- For what purpose will we use your data, what is the legal basis for this data processing and how long will we keep it?
Legal basis | Purpose | Duration |
Services provision | Contractual relationship | 10 years. |
Send information by email | Contractual relationship | Until the revoke of the consent. |
Information request | Consent | 1 years |
Labor personal management | Contractual relationship and legal obligation. | 5 years |
Supplier management | Contractual relationship and legal obligation. | 5 years |
Legal and contractual obligations. | Contractual relationship and legal obligation. | 5 years |
Pictures management. | Consent and article 8 OL 1/1982 | Until the revoke of the consent. |
Security cameras | Legitimate interest. Maintenance of security. | 30 days. |
1.6.- Do we carry out any treatment of your images?
The data controller documents the public events that he organises with photographs and videos to disseminate information on its website or in other public dissemination spaces such as: the website itself, the social networks on which the data controller has a profile created and in its own publications and in the magazine. You can obtain more information about this section by consulting the website of the data controller or by contacting the DPO.
1.7.- Who will be able to access and know the content of your data?
To comply with the above purposes, the persons and entities listed below may have access to personal data. Their access will be limited to the data that are necessary to carry out the functions of the Data Controller. Confidentiality agreements and/or specific agreements have been signed with all the recipient entities and individuals regulating access to information, security measures and the use that can be made of the data. You can access the data:
You can further this information by consulting the Data Protection Officer.
1.8.- Is cross-border data processing carried out?
The Data Controller uses the following programs, which may involve data transfer outside the Schengen area, in addition to the social networks that are announced on our website:
Program | Privacy Policy |
Google classroom | |
Seesaw | |
Innovamat | |
Scratch | |
Tinkercad | https://www.autodesk.com/company/legal-notices-trademarks/privacy-statement |
BridgeU | |
Turnitin | https://help.turnitin.com/Privacy_and_Security/Privacy_and_Security.htm |
Canvas | |
Mangahigh | https://app.mangahigh.com/en/about/termsandconditions#privacy-policy |
ChatGPT | |
Dr. Frost | |
Oxford Owl | |
Miskin |
In these cases, the transfer of data is carried out to countries considered appropriate, as they have an adequacy decision by the European Commission; or in accordance with the guarantees required by the GDPR, such as having standard data protection clauses approved by the European Commission.
All the information on the rights of the users who have allowed the digitised processing can be found in the legal notices of the websites that contain the software and applications. As access is free, we consider all the content of the notices to be reproduced. For the topics’ longitude of the published policies, you can request a copy by contacting the data controller or the data protection officer at the addresses listed in articles 1.3 and 1.4 of this policy.
1.9.- What rights do data subjects and data subjects have?
Right of access. It is regulated by Article 15 of GDPR 2016/679 of 27 April 2016. This involves requesting the data controller to provide free of charge all the information available to them about their own personal data and the communications that have been made, or that have been planned to be made.
Right to rectification. It is regulated in Article 16 of the GDPR 2016/679. This involves asking the data controller to change the content of the information about you and your data, following instructions from the owner of the information.
Right to erasure. It is regulated in Article 17 of the GDPR 2016/679. It consists of asking the data controller to delete any information about the person of the data subject. Erasure means blocking all data and keeping them available to public administrations for the period provided for the right to take legal action to expire.
Right to restrict processing. It is regulated by Article 18 of the GDPR 2016/679. This involves asking the data controller to limit the processing of your data when any of the following conditions are met:
i.- The personal data are not accurate.
ii.- The processing is unlawful.
iii.- The data controller no longer must process the data.
iv.- When the reasons for ceasing to process the data alleged by the affected party prevail over those of the data controller.
The right to information portability. It is covered by Article 20 of GDPR 2016/679. It consists of requesting the data controller to provide the personal data of the owner of the information in a structured, commonly used and machine-readable format, to transmit them to another data controller when the processing is carried out by automated means and is based on express consent.
Right to object. Regulated in Article 21 of GDPR 2016/679. It involves asking the data controller to process the data following certain instructions given by the owner of the personal information.
Right to revoke consent. Regulated in Article 13.2.c) of GDPR 2016/679. It is an order given by the data subject to the data controller notifying them that they revoke the consent gave to process their data.
The right not to be subject to automated individual decisions. It is the request to the data controller that machines do not make all decisions that have legal effects.
To exercise the above rights, you can write to the addresses of the data controller, or send an email to the address dpd@cipdi.com with the text “DATA PROTECTION” in the subject, attaching a photocopy of your DNI, NIE or passport to this email.
1.10.- How can a claim be made?
You can contact to the Compliance Officer using the external whistleblowing channel on the website: https://denuncias.cipdi.com/st-peters-school/es/
If you consider that your rights have been violated, the judicial authority to know the correct application of the rules on information processing is the Spanish Data Protection Authority, with registered office at Calle Jorge Juan n. 6 in Madrid.
1.11.- What obligations do I have as a data subject?
The affected party must provide truthful and up to date information in all data collection processes, being responsible in the event of violation of this obligation.
Depending on the request made by the affected person, the data that is mandatory is already marked on the collection forms. Failure to provide the required data may impair the right to participate in the activity or prevent the requested service or benefit from being provided.
1.12.- Can the Data Controller create profiles?
To provide a more personalized, careful and effective service to the user, it is sometimes necessary to draw up profiles of the recipients of the services. Profiling is not done without the direct intervention of a natural person.
2.- USER CONSENT
It is understood that the user accepts the proposed conditions if he/she clicks on the ‘ACCEPT’ button found in the data collection forms, or if he/she sends an email message to the contact addresses listed on the website.
Personal data are stored in the general administration database of the data controller, which, in any case, guarantees the technical and organisational measures to preserve the integrity and security of the information it manages.
3.- SECURITY
The general database is equipped with the mandatory security document and has all the technical means at its disposal to prevent the loss, misuse, alteration, unauthorised access or theft of the data that you provide us. The processing of personal data is in accordance with the provisions of Organic Law 3/2018 on data Protection and Guarantee of Digital Rights and Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016.
4.- USE OF IP ADDRESSES
To make it easier to find resources that we think will be of interest to you, you can find links to other sites on this website.
This privacy policy only applies to this website. The Data Controller does not guarantee compliance with these rules on other websites, nor is it responsible for access through links from this site.
5.- APPROVED JURISDICTION
This general terms and conditions of use will be governed by Spanish regulations. Specifically, for the courts and tribunals of Barcelona.