- Who does the Privacy Policy apply to?
- What is “personal data” and what does “data processing” mean?
- What personal data do we collect and otherwise process?
- How do we gather personal data?
- Why we collect, use and otherwise process personal data
- Who we share personal data with
- For what length of time do we gather and store information?
- Information for Job Applicants
- CCTV information
- Use of visitors’ Wi-Fi network, emails, website and other IT systems
- Data transfers outside of the European Economic Area (EEA)
- What are your rights under the Data Protection Laws?
- Whether you have an obligation to provide us with personal data
- Changes or updates to this Privacy Notice
- How to contact us
Introduction
Lumio Private School (“the School”, “we”) is committed to the maintenance of your privacy and the proper handling of information relating to individuals (“personal data”). We understand the implications that the use, storage and disclosure of personal data may have for the individuals concerned. We are committed to protecting the privacy of individuals and the confidentiality of the information concerning them and treating any personal data in accordance with all legal provisions applicable to the processing of personal data, including the General Data Protection Regulation 2016/679 (the GDPR) (“the Data Protection Laws”).
The School is the data controller of the personal data of its staff, students and their parents and/or guardians, and of its associates, which is collected and used in the context of the School’s activities. This means that the School is responsible for compliance with the Data Protection Laws.
This Privacy Notice provides an overview of how and why we collect, use, store, disclose and protect personal data in the course of the School’s activities, and outlines the rights of any individuals concerned under the Data Protection Laws. It supplements any other notices that may be issued on particular instances, and it is not meant to override them.
Please read the following carefully in order to understand our policies and practices regarding your personal data and how we process it.
1. Who does the Privacy Policy apply to?
This Privacy Notice is directed to:
- Student Applicants, their parents/guardians, current and former students of Lumio Private School;
- Job Applicants to school roles;
- Visitors to our premises or our website and other online media;
- Individuals who are business associates or service providers or suppliers (or who are associated with organisations we have business dealings with); and
- Any other individuals communicating or interacting with us in the course of the School’s operations and activities.
References to “you” are used in this Privacy Notice to refer to any individual within its scope.
2. What is “personal data” and what does “data processing” mean?
Personal data is recorded information that identifies you as an individual and which relates to you, e.g. contact details, financial information, information about a student’s progress and behaviour, and photo and video recordings.
Information that has been irreversibly rendered anonymous in such a way that the individual is not (or no longer is) identifiable, is not considered to be personal data.
In accordance with the Data Protection Laws, we use the terms “processing” or “process” herein to collectively refer to any actions or set of actions performed upon personal data, such as the collection, recording, retention, structuring, storage, use, disclosure, adaptation or alteration, transfer, deletion or destruction of personal data.
3. What personal data do we collect and otherwise process?
As a matter of principle, the School only collects and further processes the personal data required for specific purposes, depending on the particular needs, such as:
- Information gathered through the admissions process regarding the students and their families/guardians. This includes data provided by the parents/guardians themselves while filling out the relevant forms and the School’s Enrolment Agreement (e.g. identification details; financial details; information about the student’s background, family circumstances, abilities and needs; information about the parents’ and guardians’ preferences when filling in consent forms); further information about the students, as given by the students themselves during the interviews stage; and information from third parties (e.g. as provided by the parents and guardians or obtained directly from third parties following the parents’ /guardians’ approval).
- Financial information relating to the parents and guardians regarding the payment of school fees and other expenses payable to the School (e.g. names of payers; bank accounts’ information; information about the payment method and reason for payment; status of payments (paid/unpaid); information about receipts).
- Information about the students’ academic performance (e.g. attendance records; progress reports; information about assessments and examinations; information about participation in competitions and educational programmes).
- Other information about participation in the School’s activities (e.g. nature of activity; date; consents information (if applicable)).
- Information about the students’ behaviour (e.g. disciplinary records).
- Health information, if and when required (e.g. special educational needs, dietary requirements; allergies; reports by medical practitioners/experts; medical reasons and doctors’ notes regarding absences).
- Images, audio and video recordings.
- In the case of business associates and service providers or suppliers: information about the nature and purposes of our relationship; information about the applicable terms and conditions; financial information; status of business relationship (e.g. applicable dates; ongoing or terminated relationship; names, roles and contact details of the particular individuals we interact with).
- Recruitment of staff:
  - collecting information about applicants for any positions in the School (CVs, resumes, references from previous employers, police checks);
  - collecting information about the prospective employee to process the enrolment, including educational credentials, ID, marital status, etc., that can affect the legal procedure of employment with the School;
  - collecting data about a member of staff working in the School to ensure safeguarding of children.
- Information about/from personal devices: IP address, MAC address, User-Agent, etc.
4. How do we gather personal data?
We collect information about individuals before and during the contracted time at the School. Such information is collected in various ways, such as directly from the individuals concerned and/or, in the case of students, from their parents or guardians: for example, through the admissions/registration process where parents provide us with personal data about their child/ren, themselves and their families and through other various forms (in either paper or digital format) that individuals provide in the course of the School’s operations. Data is also collected through communications and interactions with the individuals concerned, such as by emails, post and verbal communications (face-to-face, phone, or video conference) that are registered or that subsequently become registered, if and when necessary. Personal data may also be collected through observation (e.g. students’ behaviour and attendance information that is filed in our records) or generated by the individuals themselves by other means (e.g. by the students, in the course of their school activities and assessments). If and when required, personal data may be collected through third parties, such as other professionals and authorities (e.g. psychologists, previous school data, public authorities like the Ministry of Education, medical, administrative or other such authorities), or through publicly available sources (e.g. press reports regarding students’ achievements).
5. Why we collect, use and otherwise process personal data
The School only processes personal data where there is a legal justification to do so, in accordance with the Data Protection Laws. We mostly rely on the following legal grounds:
Contract
We will process personal data in order to perform a contract (e.g. to provide educational services to the students pursuant to the Enrolment Agreement signed by their parents/guardians), or to take steps, upon request, prior to entering into a contract (e.g. for the purposes of examining and processing a student’s admission application).
Legal Obligations
We may process personal data in order to meet our legal or regulatory obligations, for example to comply with the applicable education laws and the requirements of the Ministry of Education (e.g. by keeping particular student records; submitting the required information to the Ministry of Education and facilitating inspections); to comply with other legal or regulatory obligations we have (e.g. for tax reasons); and, on specific instances, where we are legally required to provide personal data to a court of law, the police, or other governmental or public authority (e.g. for reporting a concern to Social Welfare Services).
Consent
We may rely on your consent for certain actions that involve the collection and use of personal data (e.g. for the provision of our newsletter; for publishing photos of children). In such an event, we will only perform such actions provided that you grant us your consent and authorisation to do so.
Legitimate Interests
We may process personal data where it is necessary for safeguarding and pursuing our own legitimate interests or those of others, based on our evaluation that the processing is fair, reasonable and balanced, having taken into account your reasonable expectations.
Examples of processing operations based on this legal ground include the promotion and efficient operation of the School’s activities; the management of security and safety arrangements (e.g. regarding our CCTV, network and IT systems); building and maintaining relationships with alumni and the wider School community (including the parents and guardians); assessing and reviewing the quality of the School services; administering and implementing the School’s policies and procedures; fulfilling a contract to which the individual concerned is not a party to (e.g. for insurance purposes in the case of an incident); organising School events and other activities; responding to inquiries and complaints; and operational management (e.g. statistical analysis; planning and forecasting); for IP rights protection; for establishing, pursuing and/or defending claims in judicial or regulatory or administrative or out-of-court proceedings; for taking measures in respect of an actual or potential restructuring, joint venture, sale, transfer, assignment, merger and acquisition, financing of or investment in, part of or all of our business or assets or any associated rights or interests; and for the prevention and investigation of unlawful and fraudulent activities.
Public interest
We may process personal data where it is necessary for the School, as an educational institution, to carry out a task in the public interest, for example for the keeping of student records in accordance with the relevant laws and where the use of student data is in the best interests of a child.
Vital Interests
In certain circumstances, we may process personal data when it is necessary to protect the vital interests of the individual concerned (e.g. where needed for the provision of emergency medical care, following an incident).
Moreover, when it comes to data classified as “special category data” under the Data Protection Laws (e.g. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or data concerning a natural person’s sex life or sexual orientation), the School will only process such data where necessary and provided that the processing is allowed on particular legal grounds, including where:
- Valid consent has been given;
- The relevant information was made public by the individual concerned;
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the School or of the individual concerned in the field of employment and social security and social protection law;
- Processing is necessary for the protection of vital interests;
- Processing is necessary for legal claims or for court proceedings;
- A public interest or a health-related reason has been identified, in accordance with the relevant legal requirements and provisions of the Data Protection Laws.
6. Who we share personal data with
Data confidentiality, especially the confidentiality of student data, is important to the School and measures are implemented to ensure that information is handled with the appropriate level of security and confidentiality.
Within the School, personal data is only processed by the departments and members of staff that are authorised to access, consult, use and otherwise process them, on a “need-to-know” basis.
As a matter of principle, we limit the sharing of personal data to external parties to a minimum, where and to the extent necessary for specific reasons. The categories of external recipients of personal data may include:
Third parties connected to us
Data may be disclosed and/or transferred to trusted third parties that support us in the provision of our services, for example providers of technological systems, expertise, solutions and support; file storage, archiving, records management companies; canteen staff; transportation companies; photographers and video crews; translators; professional advisors and experts (e.g. lawyers, accountants, auditors and tax advisors); insurance companies; and banks.
Where appropriate, we use measures such as contractual terms specifically for the protection of personal data and confidentiality agreements, pursuant to which they are bound to use data only as instructed by the School, are prohibited from using personal data for their own purposes, and are required to comply with the applicable confidentiality and other data protection obligations; and measures such as the “masking” or redaction of identifiable information or using data in an anonymised form as part of statistics or other aggregated data.
Third parties connected to our students
This may include other schools, universities, colleges and other educational institutions and bodies or other professionals (e.g. health professionals that provide services to the student), upon request by a student (or on their behalf) and/or where it is in the interests of the student to do so.
Public authorities / institutions / bodies
This usually happens where there is a legal obligation for the School to do so, for example the Ministry of Education; the competent tax authorities; Statistics Office; immigration authorities; and welfare authorities. We may also need to disclose personal data to law enforcement authorities (e.g. the police) and courts where we are subject to a legal obligation to do so (e.g. pursuant to an order by a competent court), or where necessary for us to pursue, establish and/or defend legal claims.
7. For what length of time do we gather and store information?
The length of time we keep personal data depends on the particular category of information and the reason it was collected in the first place. We only use, store and retain personal data for as long as necessary to fulfil the purpose it is processed for, taking into account factors such as the amount, nature and sensitivity of personal data, the purposes of processing, whether these purposes can be achieved by other means, as well as the applicable legal requirements (e.g. about the retention of school records).
We may retain personal data for longer than our established data retention periods if further retention is deemed necessary in particular instances, due to any pending disputes or differences, claims, proceedings and/or investigations, or for legal or regulatory reasons.
We hold all information securely for the set amount of time required (as explained above) and we will delete, destroy or anonymise personal data (so that it can no longer be associated with the individuals concerned) when we no longer need it.
8. Information for Job Applicants
When you apply for a position with the School, we will collect the information that you will provide us, such as your name, contact details, your academic/professional credentials and other information provided in your application and its supporting documentation (e.g. copies of certificates and university degrees). During the recruitment stage, we will collect further data such as our evaluation of your interview, and any additional information we may request from you. We may also collect information about you from other sources, such as publicly available information from professional networking media (LinkedIn) and your referees / previous employer. As a matter of principle, we will obtain personal data from third parties in very limited circumstances, where it is necessary for us to confirm certain information provided by you and to collect certain information necessary for us to evaluate your application. Kindly note that conditional employment offers may require pre-employment checks to confirm identity, right to work, and trustworthiness. The provision of such information is necessary for us to evaluate your application. We will use the information collected to ascertain your identity and credentials, to contact you and to assess your suitability for the position applied for. We are under legal obligation to share certain information about successful applicants with the Ministry of Education (e.g. by using the relevant Ministry of Education form to obtain the Ministry’s approval for the appointment), but personal information collected during the recruitment process will not normally otherwise be disclosed to other third parties.
Data collected in the context of our recruitment operations will be retained throughout the relevant recruitment process. Thereafter, personal data will be retained for a period of six (6) more months after an application is rejected by us or the successful applicant declines a work/placement offer from us, for future reference purposes if a suitable opportunity arises during that period. Such individuals have the right to object to the retention of their personal data for this six-month period, or to request that we retain their information in our talent pool records for longer, for the purposes of assessing it should a suitable position with the School open in the future.
9. CCTV information
The School operates a CCTV system for safety, security and access control reasons, on the basis of the School’s “legitimate interests” (as explained above).
CCTV cameras are placed at the main entrance/s-exit/s of the School premises, as well as around the School boundaries. The recording range is limited within the boundaries of the School premises and parking spaces; no adjacent private or public spaces are recorded. CCTV footage is kept for a few days only, unless further retention is required to investigate particular incidents or for legal reasons. CCTV footage may be accessed by designated personnel and security providers (on a “need to know” basis) and, in the event of an incident, may be shared with public authorities, the police, courts, the School’s professional advisors (e.g. lawyers) and insurance companies. The School applies security measures to prevent any unauthorised disclosure of its CCTV footage.
10. Use of visitors’ Wi-Fi network, emails, website and other IT systems
When you use our visitors’ Wi-Fi network, information such as your IP address and duration of use is automatically collected, for ensuring the security of our technological systems.
Information is also collected when using our IT systems (e.g. IP addresses, log on/off times, device information) to ensure the security of our systems (e.g. to prevent unauthorised access) and for diagnostic and for analytical purposes.
Our email service provides standard basic encryption and protection of email traffic. If your email service does not support this security system, you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
Our website uses cookies. Through our cookies consent tool, you can accept or reject the different cookie categories and be informed about the kind of cookies our website asks to collect. You may also disable cookies through your web browser’s settings.
11. Data transfers outside of the European Economic Area (EEA)
Personal data may be transferred to non-EEA countries in the course of the School being provided with IT products and services (e.g. through the use of cookies). Where our suppliers of IT products and solutions are located in non-EEA countries, we take all reasonable steps to ensure that they (and their relevant sub-contractors) provide a high standard of data protection, and we enter into specific data protection agreements with our suppliers to that effect or we rely on “adequacy decisions” by the European Commission, which certifies that the particular country has an adequate level of data protection.
12. What are your rights under the Data Protection Laws?
12.1. You have the following privacy rights regarding your personal data:
| Right | What it means |
| --- | --- |
| Right to access | You have the right to obtain confirmation from us as to whether or not we process information about you and, if that is the case, access to such data and further information about your data (including being provided with a copy of such data). This is not an absolute right though; the School may reject or partially comply with a right-to-access request, taking into account the rights and freedoms of others, the best interests of a child (if and where applicable) and whether such a request is manifestly unfounded or excessive. |
| Right to rectification | You have the right to request and obtain from us rectification of inaccurate information about you and, taking into account the purposes for which we process your data, to have any incomplete information about you completed. |
| Right to erasure (“right to forget”) | You have the right to request us to delete or remove your personal data where certain conditions apply, such as where: (a) we process such data on the basis of your consent and you later withdraw such consent; (b) we process your personal data in order to pursue our legitimate interests and you object to the School processing your data for the particular purposes, provided that no overriding legitimate grounds for the processing apply. |
| Right to restrict Processing | You have the right to request and obtain from us restriction (or “blocking”) of processing of your personal data for a certain period of time, provided that particular conditions apply, for example: (a) where you contest the accuracy of such data, for a period that allows us to verify their accuracy; (b) where you have objected to the processing of your data on the grounds of our legitimate interests, until we verify whether the grounds on which we process such data override your rights and freedoms. |
| Right to object to Processing | You can request from us, at any time, to stop processing your personal data for direct marketing purposes. In such cases, we will stop such processing once we receive your request. Moreover, you have the right to object to us processing your personal data on the basis of our legitimate interests, at any time, on grounds relating to your particular situation. Should you exercise this right, we will no longer process such data unless we are able to demonstrate compelling legitimate grounds for the processing. |
| Right to data portability | You have the right to receive a copy of the personal data that you have provided to us and to reuse it elsewhere or to request that we transmit such data directly to an organisation of your choice, provided that: (a) we process such data on the basis of your consent, or for the purposes of you entering into a contractual relationship with us, at your request, or for us to perform a contract we have already entered into with you; and (b) the relevant processing activities are carried out by automated means. |
| Right to withdraw consent | Where we seek to process personal data on the basis of your consent, you have the right to refuse to give such consent. Moreover, where you have already given us such consent, you can revoke it at any time. Any such revocation will not affect the lawfulness of data processing prior to the revocation. |
| Right to lodge a complaint | Please do not hesitate to contact us for any issues regarding the way we process your personal data. You are also entitled to file a complaint with a competent supervisory authority, which, in the Republic of Cyprus, is the Commissioner for Personal Data Protection. Office address: Kypranoros 15, Nicosia 1061, Cyprus; Postal address: P.O.Box 23378, 1682 Nicosia, Cyprus; Tel: +357 22818456; Fax: +357 22304565; Email: commissioner@dataprotection.gov.cy; Website: http://www.dataprotection.gov.cy |
12.2. Exercise of Privacy Rights relating to student data
Parents/guardians of students can normally exercise the privacy rights of their children on their behalf, but it must be remembered that the personal data of students, as well as the privacy rights that the students have, belong to the students themselves.
Where a parent/guardian makes a request about their child’s data, the child may be consulted or be asked to contribute to such decisions made, depending on the child’s age, maturity and autonomy. This means that the School may ask for and consider the child’s own opinion on the matter. The School will assess all requests for the exercise of the privacy rights of students taking into account the prevailing principle of the best interest of the child.
In general, students will not be consulted for the ordinary disclosure of their personal data to their parents / guardians (e.g. for the parents/ guardians to receive information about their child’s academic progress, development and behaviour), unless there is good reason to do otherwise on the basis of the factors stated above. For example, the School may be under obligation not to disclose information received by the child in a confidential manner where that child expressly requests that the information remains confidential, unless the School believes that the disclosure of the information is in the child’s best interest or required by law.
Students of sufficient age, maturity and autonomy levels may exercise their privacy rights directly, without the participation of their parents / guardians. Students will be able to submit a request via the Health, Wellbeing & Pastoral Leader. This can be done through the Pastoral team, including the student’s Homeroom Advisor, the School Counsellor or Health, Wellbeing & Pastoral Leader.
12.3. How parents/guardians and other adults can exercise those rights
Please contact us if you wish to exercise any of these rights, as explained below.
Kindly note that we may request proof of your identity (and/or relationship with a student / proof of parental responsibility, where applicable) before complying with a request, a measure which will also ensure that personal data is not disclosed to any persons that have no right to receive it. We may also request to receive further information regarding the nature and subject-matter of a request, so that we can deal with it efficiently.
13. Whether you have an obligation to provide us with personal data
The various forms that the School uses (e.g. the admissions application form) usually mark which information is mandatory to be provided, so that we can process the given form (mainly for legal or contractual reasons). In other instances, we will also inform you whether you are obliged to give us the requested information. Should you fail to provide the School with the required (mandatory) information, we may be unable to process your request or deliver our services to you or your child.
14. Changes or updates to this Privacy Notice
We may change or update this Privacy Notice from time to time in order to reflect any changes to our practices or the applicable laws. In such an event, we will post the most recent version of this Privacy Notice on our website (noting the updated revision date, at the end of this Privacy Notice). Where appropriate, we will notify you of the updated version by placing a notice on the website and/or by other proper means. We encourage you to check this Privacy Notice occasionally to ensure that you continue to be happy with how we collect and use your personal data.
15. How to contact us
For any matters arising out of, or in connection with this Privacy Notice, including for exercising your rights, for requesting further information about how we process your personal data, and any comments and complaints, you may contact our Privacy Officer at the following details:
Email: info@lumio.school
Telephone number: +357 26 44 3003
Postal Address: Ikarou 25 Str, Paphos 8041
Alternatively, you may submit a request through our website or you may contact us via Telegram or other social media channels to guide you through the relevant process.