“PRIVATE MONTESSORI PRIMARY SCHOOL – OTKRIVATEL” EOOD (the “School”, the “Controller”) acknowledges the need for implementation of adequate protection of the personal data of the data subjects and strives to respect their privacy. This Personal Data Protection Statement (the “Statement”) is provided to held the data subjects understand in what way and for what purposes the School processes, uses and protects their personal data.
For the purpose of its operations the School processes personal data in strict compliance with Regulation (EU) 2016/679 (“General Data Protection Regulation”, “GDPR”), the Personal Data Protection Act and other applicable regulations and the Statement.
This Statement provides information regarding:
Definitions
Scope of this Statement
Data identifying the Controller and the Controller’s contact information
Contact data of the data protection officer
Personal data categories
Data subjects the personal data of whom is processed
Purposes for which personal data is processed
Grounds on which personal data is processed
Recipients of personal data
Periods of time over which personal data is stored
Rights of the data subjects and how these rights can be exercised
Giving and withdrawing consent
Right to file a complaint with the supervisory body
Security measures concerning personal data
Definitions
“Personal data” means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly;
“Processing” means any operation or set of operations, which is performed on personal data or on set of personal data, whether or not by automated means or otherwise;
“Controller” means “Private Montessori Primary School – Otkrivatel” EOOD, which, alone or jointly with others, determines the purposes and means of the processing of personal data;
“Processor of personal data” means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller;
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
“User” means a natural person that is user of the website and has subscribed for a “visit” or “registration” thereon;
“Data subject” means a website user or a student that has been enrolled and admitted to the School;
“Website” means the website – montessorischools.bg
Scope of this Statement
This Personal data protection statement is applied in the relations between “PRIVATE MONTESSORI PRIMARY SCHOOL – OTKRIVATEL” EOOD on one hand and the website users on the other, as well as upon admission of children to the School. The statement is intended to inform the data subjects as to their rights in accordance with art. 12 and the following of Regulation “EU” 2016/679.
Data identifying the Controller and the Controller’s contact information
The personal data Controller is “PRIVATE MONTESSORI PRIMARY SCHOOL – OTKRIVATEL” EOOD, UIC 204398023, having its address at: city of Sofia, Vitosha Region, Boyana Residential Estate, 15C, Siri Dol str., e-mail: hello@montessorischools.bg, tel. +359 877 202 640.
Contact data of the data protection officer
The data protection officer at “PRIVATE MONTESSORI PRIMARY SCHOOL – OTKRIVATEL” EOOD is “GDP Management” OOD, having its address at: city of Sofia, Ovcha Kupel Region, 42, Voyvodina Mogila str., ground floor, ap. 1; e-mail: office@zld.bg; telephone: 0879323259, contact person – Teodora Dimitrova.
Personal data categories
The School collects directly from the data subjects the following categories of personal data:
- Upon registration of the users:
Registration on the website is made for the purpose of admission of the child to the School. Subscription is made in the “registration” section. When data subject is registered on the website, they provide to the Controller the following personal data categories: first and family name of the child, date of birth, first and family name of the legal representative of the child, telephone number, e-mail, address, IP address.
- Upon visit to the School:
Visits to the School are made via subscription in the “visits” section. Visits are made so that the parents would get acquainted with the Montessori education methods. When the users fill-in of the visit form the Controller processes the following personal data categories: First and family name, telephone number, e-mail, age of the student, comments, IP address.
- When an enquiry is submitted through the contact form:
Each user may submit an enquiry using the contact form available on the website. An enquiry may be made over the telephone as well. In these cases the School processes the following personal data categories: name, e-mail, telephone number, comments and IP address.
- Upon admission of a student to the School:
Upon admission of students to the School for whom there is an education agreement signed with a parent / guardian, the Controller processes the following categories of the student’s personal data: names, personal ID number, data on the health condition, data on the psychological condition of the child.
- Upon the signing of an education agreement with the School and its performance:
Upon the signing of an education agreement the School processes the following categories of personal data of the student’s parents: names, personal ID number, personal ID card number, address, telephone number, e-mail, marital status, bank account, signature.
- Upon the use of the information system of the School:
Upon the use of the information system of the School the Controller processes the following types of personal data of the parents and the children: names, date of birth, group, address, telephone, e-mail, photographs / images, information regarding the child’s progress, data on the health condition of the child.
- Protection of legal interests:
In case of legal disputes the Controller may process the following categories of personal data, more specifically: names, e-mail passport data and other data from the registration form.
- Marketing purposes:
The Controller may process personal data for marketing purposes when applicable. In this case the Controller collects from the data subjects, in an appropriate manner, names, e-mail, telephone number.
When personal data is provided by the data subject to the personal data Controller without legal grounds under art. 6, paragraph 1 of Regulation (EU) 2016/679 or in contradiction with the principles of art. 5 of the above-mentioned Regulation, the School returns such data within one month as of the time it becomes aware of this fact, and if this is impossible or would involve a disproportionate effort, the School erases or destroys such personal data. Erasure and destruction are documented.
Data subjects the personal data of whom is processed
The Controller processes personal data of the following categories of data subjects:
- Website users;
- Students enrolled and admitted to the School;
- Parents of students enrolled and admitted to the School;
- Website users.
Purposes for which personal data is processed
The School processes personal data for the following purposes:
- For the purpose of concluding and performing an agreement to which the data subject is a party. This includes, but is not limited to, the cases of admission of a child in the School, participation in events and initiatives, which require the signing of an agreement;
- In order to comply with the Controller’s legal obligations to state authorities and institutions;
- To protect the life and health of the children;
- For marketing purposes;
- For protection of legitimate interests of the Controller, including administrative activities, such as: legal services and information services, and analysis of the use, information security, etc.
Grounds on which personal data is processed
The School processes personal data of the data subjects based on the following legal grounds:
- When the processing is required for the performance of an agreement which the data subject is party to, or to undertake steps at the request of the data subject prior to the signing of an agreement;
- When the processing is required to ensure compliance with a legal obligation applicable to the Controller. Such obligation pay be at the explicit request for provision of information from law enforcement authorities, such as the Ministry of Interior, State Agency National Security, the Ministry of Education and Science, Child Protective Service, the Prosecution Office, etc.;
- When the processing is required to protect the vitally important interests of the data subject;
- When the processing is required for the purpose of protecting the legitimate interests of the Controller or a third party, unless the interests or basic rights and freedoms of the data subject that require protection of the personal data, prevail.
- When the data subject has given consent for processing of their personal data for one or more specific purposes;
The School processes special category of personal data on the following legal grounds:
- When the processing is required to protect the vitally important interests of the data subject.
Recipients of personal data
The School may share personal data of the data subjects with the following categories of recipients:
- State institutions and authoritative bodies, when the Controller is obliged by law to provide the personal data – the Ministry of Interior, State Agency National Security, Ministry of Education and Science, Child Protective Service, the Prosecution Office, etc.;
- Trade partners, servicing the Controller, in their capacity as personal data processors, for information security support and provision of services related to the website, the information systems for education activities, providers of courier services, legal firms, accountancy firms, etc.;
- Controller’s employees processing personal data in accordance with their assigned office / work functions as per job description and labour contract.
The website may offer links to third party websites, add-ons and applications. Clicking on or activating such links may allow third parties to collect or share data for the data subject. The Controller does not control such third party websites and is not responsible for their personal data protection statements. When the data subject leaves the website they should read carefully the personal data protection statement of each website they visit.
The School implements appropriate technical and organisational measures for protection, in order to ensure the rights and freedoms of the data subjects in compliance with the “integrity and confidentiality” principle. In particular, the Controller selects suitable recipients that have undertaken the guarantees necessary to protect the personal data provided to them, and in view of the existing risks to ensure the relevant security level, including, where appropriate:
- Pseudonymisation and encryption of personal data;
- Functionality to ensure continuous confidentiality, integrity, availability and sustainability of the processing systems and services;
- Functionality for timely recovery of the availability and access to personal data in case of physical or technical incident;
- Process of regular testing, assessment and judgement of the efficiency of the technical and organisational measures in order to ensure the security of the processing.
The Controller may provide personal data to countries outside the European Union. In such case the provision of personal data may be made in compliance with the requirements of Chapter V of Regulation (EU) 2016/679 and the applicable international treaties between the European Union and third countries (for example, Privacy Shield).
Periods of time over which personal data is stored
“PRIVATE MONTESSORI PRIMARY SCHOOL – OTKRIVATEL” EOOD stores personal data in compliance with the “storage limitation” principle. More specifically for the above mentioned purposes the School:
- Personal data contained in accounting documents, are stored over the periods of time set out in the Accountancy Act, the Tax and Social Security Procedure Code and other regulatory documents;
- Personal data related to the signing of an agreement are stored in compliance with the 5-year statute of limitation principle;
- Personal data related to the educational activities of the School are stored in accordance with the requirements set out in the Pre-School and School Education Act and the Ministry of Education and Science.
Rights of the data subjects and how these rights can be exercised
Data subjects the personal data of whom is processed by the Controller:
- Have the right to access to personal data, including to receive a copy thereof;
- Have the right to correct such data;
- Have the right to erasure of such data (“right to be forgotten”);
- Have the right to limitation of the processing;
- Have the right to transferability of the data;
- Have the right to objection against the processing.
The rights listed above may be exercised by sending a request in an electronic format to hello@montessorischools.bg, signed with a qualified electronic signature in accordance with the Electronic Documents and Electronic Certification Services Act. Written request may also be filed on site at the office of the School in: city of Sofia, Vitosha Region, Boyana Residential Estate, 15C, Siri Dol str.
Giving and withdrawing consent
The School may require consent by the data subjects as legal grounds for the processing of their personal data for one or more purposes. Some of these purposes may include, for example, profiling related to follow-up, behavioural advertising, or others. In this case the School shall request the consent of the data subject in order to have legal grounds to process their personal data, for which the School shall notify the data subject in due time and in an appropriate manner. Personal data may include more categories of those listed above, and the consent shall list explicitly the personal data categories that have to be processed for the respective purpose.
Consent should be expressed freely, specifically, in an informed manner and by means of an unequivocal instruction as to the will of the data subject. Consent may be withdrawn at any time in the manner set out herein above in the section dealing with the exercising of the rights of the data subjects.
Right to file a complaint with the supervisory body
In accordance with the General Data Protection Regulation and the Personal Data Protection Act the data subjects have the right to file a complaint to the Commission of Personal Data Protection at the following address: city of Sofia, 2, Professor Tsvetan Lazarov blvd.
Security measures concerning personal data
The Controller undertakes the personal data security measures required. All documents in the form of printouts, containing personal data, are stored in locked cabinets in the office of the School, and only authorised staff members have access thereto. Data in electronic format are stored in compliance with the requirements for information security and restricted access.