Privacy policy

Responsible for the treatment

SAGRADO CORAZON MUNDAIZ SCHOOL

Postal address: Calle Mundaiz 30, 20012-Donostia-San Sebastián (Gipuzkoa)

E-mail: dp*@gm******.com

Contact DPD

Grupo Vadillo Asesores. E-mail: dp*@gm******.com

We are concerned about your personal data: If you have any queries, complaints or claims about the processing of your data, you can raise them directly with our DPD before, where appropriate, raising them with the Data Protection Agency. We will respond within a maximum of two months from receipt of the complaint.

How we have obtained your data

Obtained from the interested party: The data of students (current or potential) and/or their legal representatives have been sent to us, either off-line or on-line, by the interested parties themselves when requesting our educational services for the maintenance of the pre-contractual or contractual relationship. They are also provided to us directly by the interested party, for example, if they send us a curriculum vitae to work with us.

When you provide us with personal data, you guarantee that you are entitled to provide this information and that it is true, truthful, accurate and up-to-date, that it is not confidential, that it does not violate any contractual restrictions or third party rights and that you undertake not to impersonate other Users.

Obtained automatically when you visit our website: If you have provided data to us through this website, we collect information, for example, when you access the site, when you fill in any forms with personal data, or when you communicate with us directly by email.

When you visit our website, data is sent from your browser to our server to optimise our services and improve your user experience, for example when you access the site or when you log in to our Services via third party services such as social media.  This data may be automatically collected and stored by us or by third parties on our behalf. This data may include:

  • the user’s IP address
  • the date and time of the visit
  • the URL of the site from which the user came
  • the pages visited on our website
  • information about the browser used (browser type and version, operating system, etc.).

We may process and record such usage, sessions and related information, either independently or with the help of third party services, including through the use of cookies and other tracking technologies such as flash cookies and web analytics.

Social networks and instant messaging applications: In the event that our website has connectors to social networks, when you choose to interact with us through a social network, we cannot be responsible for the privacy settings chosen by the user, the social network may report your IP address or what page you are visiting on our Website and may set a cookie to allow them to function properly, or for example your name will appear in the “likes” you give or in the comments you make on our page on a social network. If you do not want your personal data associated with those “likes” or comments to appear, set up your privacy settings to prevent this by pseudonymising your data, for example by giving yourself a nickname or alias that does not reveal your name and surname.

If you log in to one of these social networks during your visit to our website, the social network may add that information to your profile and that information will be transferred to the social network. If you do not want this data transfer to take place, please log out of the social network before entering our websites or mobile applications, as we have no influence over this data collection and transfer via social plugins.

If the user, through our official page on a social network, decides to publish and/or share texts, photos, videos and other types of information and/or content, he/she is solely responsible for ensuring that such content complies with the relevant legal regulations.

In any case, we may remove from both this website and our pages on social networks, any content published by the user when we detect that the user has violated current legislation, and as indicated in this privacy policy.

Social Networks are not hosted directly on our Services. Your interactions with them are governed by their policies and not ours. Please read the privacy policies of those social networks for detailed information about the collection and transfer of personal data, your rights and privacy settings.

We do not recommend the use of WhatsApp or similar applications to communicate with the school or teachers, as the educational platforms are available for this purpose. Only in exceptional and/or urgent cases will we use it, in cases where the best interests of the pupil are at stake (special needs due to health reasons, accidents, indisposition on excursions…) to inform and reassure parents or guardians.

If the data subject’s data is not provided to us by the data subject or his or her legal representative but by a third party, the pupil data may have been provided to us, where applicable, by another institution in the case of a transfer of academic records, or by the education authorities. In the event that it is not the data subject himself but a third party who provides us with the data, it is the third party who expressly guarantees that he has the data subject’s authorisation (or, where applicable, legal legitimisation) for the provision of the data, exonerating us from any liability in the event of any claim by the data subject, a liability which is assumed solely and exclusively by the party who has provided us with the data on behalf of or in the interest of the data subject.

Third-party data and images

With regard to other people’s data, you must respect their privacy and take special care when publishing their personal data. We remind you that, as a user, you can only provide and consent to the processing of your personal data, but not those of third parties, and that if you provide us with data of third parties you are transferring personal data (unless you are their legal representative or guardian), it being your responsibility to have the prior and express consent of those third parties to use and provide them to us, and you are responsible for informing them of the inclusion of their data in our files. The publication of third party data without their consent may infringe, in addition to the regulations on data protection, the right to honour, privacy or self-image of said third parties, rights whose protection is governed by the provisions of Organic Law 1/1982, of 5 May, on the civil protection of the right to honour, personal and family privacy and self-image.

The school has an internal policy on the capture, use and dissemination of images in the school environment to ensure that such actions are carried out with respect and in a proportionate manner. In the event of images being taken by pupils’ families at events, Christmas or end of year festivals, Carnivals, sporting events, etc., and even more so if the intention is to disseminate the images via the Internet, we remind you that these images may only be used for personal or domestic use and under your own responsibility.

Purpose and legitimisation

The data you provide us with, as well as all the data generated during the development of our relationship with you, may be processed for different purposes and with different legitimate bases:

Purpose 1: If you are a current or potential student (e.g. if you have requested information or pre-registration) or a participant in any activity organised by the Centre, or a family member, guardian or legal representative of the latter, to maintain contact and communication; manage the services/activities provided by the Centre, exercise the educational and guidance function, and, where appropriate, send you information about our activities and/or services.

Legitimacy: Contractual relationship (such legitimacy includes the processing of images for educational purposes or those derived from the teaching and/or guidance function such as photographs to identify students in relation to their academic record, school work or evaluations, academic record, yearbooks, transcripts, etc.) or pre-contractual and compliance with regulations that affect us (consumers and users, state and regional regulations on education in force) / legitimate interest (to send you information).

Purpose 2: If you are a mere user of our website or the sender or recipient of an e-mail, to maintain contact and communication with you and manage the requests you make to us online.

Carrying out opinion and/or satisfaction surveys, information on the composition of bodies related to the school, for which purpose we will inform you on the website of the names and surnames of the people who make up these bodies (Parents’ Association, School Council, Alumni Association…), and to use educational management platforms to improve the teaching and learning processes which may include the processing of personal data.

Legitimation: legitimate interest.

Purpose 3: In the case of providing us with your curricular data or sending us your CV, to contact you and manage the selection processes that we carry out.

Legitimation: Application of pre-contractual measures at the request of the data subject (art. 6.1.b RGPD).;

Purpose 4: To capture images of activities, outings or trips organised by the Centre, to form part of the Centre’s image archive and to publicise its services and activities, and they may be published on the College’s website and blogs, on its profiles on any social networks and YouTube, as well as in any other type of medium: college magazine, brochures, programmes, posters and other College stationery.

Legitimation: Consent;

Purpose 5: Academic/educational profiling. No solely automated decisions will be made on the basis of this.

Legitimation: Compliance with regulations or legal obligation (LOE) and Contractual relationship.

When the legitimacy is based on consent, you may withdraw this consent at any time by sending us an e-mail to that effect to dp*@gm******.com . Such withdrawal does not condition the processing of your data for the other purposes described above.

If it is based on our legitimate interest, we consider that the processing of your data indicated is proportionate and has a minimal impact on your privacy, but your interests, rights or freedoms will always prevail over our legitimate interest, so if you do not want us to process your data for these purposes, please send us an e-mail to that effect to dp*@gm******.com and we will do so.

Retention period

We will retain personal data for as long as the contractual relationship is maintained and, once it has ended, for as long as the data subject does not request its deletion, for the purpose of issuing certificates of qualifications and studies. Even if requested, we may keep them for as long as necessary and limiting their processing, only to comply with the legal/contractual obligations to which we are subject and/or during the legal periods foreseen for the prescription of any responsibilities on our part and/or the exercise or defence of claims arising from the relationship maintained with the data subject.

Addressees

We inform you that the data you provide us with may be communicated to third parties for purposes directly related to the legitimate functions of the transferor and transferee, such as:

  1. To banking entities for the management of collections and payments.
  2. To entities or bodies to which there is a legal obligation to communicate data (e.g. Departments of Education (for admission process management, special educational needs, academic records, grants and scholarships, management through the Basque Government’s IKASGUNE platform…) and Health (for vaccination and revision campaigns) of the Basque Government; School Council; Town Councils, Provincial Councils and Sports Federations for educational campaigns and management of school sports competitions; to other centres, in the case of transfer of academic records, municipal or provincial social services…).
  3. Where appropriate, to the Sports Club for the management of registration and collection of fees for sports activities organised by the same, in the event that it is the School that carries out the registration procedures for the same and/or the management of collection on behalf of the Sports Club.
  4. To Social Security, hospitals and insurance companies and private companies contracted for health care.
  5. To hotels, travel agencies, transport companies or centres to be visited, for excursions, exchanges or trips organised by the school.
  6. To companies that provide extracurricular activities services to the school in the event that the school carries out the registration procedures for these activities and/or the management of the payment of these extracurricular activities.
  7. Where appropriate, to bookshops with which the Centre’s book reserves have been arranged, as well as to publishers in the case of centralised acquisition of digital books so that they can activate the digital licences.
  8. The Parents’ Association will bi able to communicate the data of the associated families. Those who have not been associated will only be communicated with the prior consent of the interested parties for this purpose.
  9. To management-entities, families and/or foreign host centers in case of participating in exchange programs or courses abroad.

INTERNATIONAL TRANSFERS

We will ensure that personal data are always processed and located within the European Economic Area. However, in certain circumstances, we may make international transfers of data, for example, if this is necessary for the conclusion or performance of a contract, in the interest of the data subject, between the Centre and another natural or legal person; or where necessary for the performance of a contract between the data subject and the Centre, for example when using service providers located outside the European Union, who may have access to personal data, for the provision of services ancillary to our business (hosting, hosting, SaaS, remote backup, IT support or maintenance services, e-mail managers, sending e-mails and e-mail marketing, file transfer, etc…) or for communicating data to foreign families and/or host centres in case of participation in exchange programmes, or for using non-European educational applications.

These entities may be different and vary over time, but we will endeavour to choose entities either belonging to countries with a level of protection equivalent to the European level of data protection, or with adequate guarantees to reach that level, or on the basis of one of the exceptions provided for in the GDPR.

Apart from those cases indicated above, in the event of having to make transfers to a country that does not have a level of protection equivalent to the European level, for example, because it does not have a data protection authority or regulation that protects the rights of data subjects, by accepting this data protection policy you authorise the transfer, for the purposes indicated in this clause.

Use of educational applications

These platforms usually belong to companies that provide a cloud service to the school and that process and store data on behalf of the school.

We have specific policies for contracting this type of service providers in accordance with the recommendations issued for this purpose by the AEPD. You can consult the policies of Google workspace for education in the following link https://edu.google.com/intl/ALL_es/why-google/privacy-security/ as well as the legal notice on the processing of data by the company in the following link https://policies.google.com/?hl=es

From October 2023, for the purposes of access to third party applications (Kahoot, Canva…) through Google corporate email accounts for children under 18, the school will enable in the administration console of the Google educational suite the registration and operation of such applications. As for what information of the corporate account of the students can access such application, the center will choose by default the option “with restricted access” and, in some cases, directly by the option to block them. In case of blocking, the application cannot be accessed with the school’s Google account (and if the student wishes to access it, he/she will have to do it, outside the school-educational environment, with his/her personal email account). The school will also establish by default the most restrictive option regarding the sending of data by the school to GOOGLE, limiting it to the ESSENTIAL SERVICES established by GOOGLE.

Rights

You may, where appropriate, exercise your rights of access, rectification, deletion, limitation and opposition to their processing, as well as the right not to be subject to decisions based solely on the automated processing of your data before our Data Protection Officer, at the postal or e-mail address (of our DPD) indicated at the beginning of this privacy policy; in both cases by means of a written and signed request, attaching a copy of your ID card or passport or other valid document that identifies you. In case of modification of your data, you must notify us at the same address, and the Centre declines all responsibility in case of failure to do so.

Right of access: You can ask us what personal data we are processing and even request a copy of it.

Right of rectification: You can ask us to rectify inaccurate personal data or to complete incomplete personal data, including by means of an additional declaration.

Right to erasure (right to be forgotten): You can ask us to erase your personal data if: it is no longer necessary for the purposes for which it was collected, you withdraw your consent, there has been unlawful processing of your personal data or in compliance with a legal obligation.

Right to limitation of processing: You can ask us to limit the processing of your data, in which case we will only keep them for the exercise or defence of claims.

Right to object: You may object to the processing of your data if such processing is based on the legitimate interest of the data controller or is for advertising purposes.

Once we have received any of the above requests, we will respond to you within the legally established deadlines. You can complain to the Spanish Data Protection Agency. If you would like more information about the rights that you can exercise and to request model forms for exercising your rights, you can visit the website of the Spanish Data Protection Agency, www.aepd.es.

Categories of data

The categories of data we process are: identification data, economic and financial data, academic and professional data, special categories of data (mainly health).