1. HOME
  2. Privacy Policy

Contact us details

The English School

By Email

General enquiries:
info@englishschool.ac.cy

Admission enquiries:
admissions@englishschool.ac.cy
      

 By Telephone:
      +357 22 799 300

 By Fax:
      +357 22 799 301

 By Post:
      P.O. Box 23575,
      1684 Nicosia,
      Cyprus.

 Address
      0 Presidential Palace Road and Kyriacou Matsi
      Strovolos
      1082 Nicosia
      Cyprus

 Working Hours
     07:30 - 14:30
     Monday - Friday

Privacy Policy

The English School  - Privacy Notice
  1. Introduction
This Privacy Policy aims to provide important information to all data subjects, including but not limited to students, parents/guardians, staff, as well as prospective or alumni students, parents, staff and webpage visitors (“you”), regarding how The English School (the “School”, “we”) processes Personal Data in accordance with Data Protection Law, including but not limited to the General Data Protection Regulation 2016/679 (“GDPR”) and the Cyprus Data Protection Law 125(I)2018. The School maintains an internal data protection framework with policies, procedures and mechanisms which describe the processing, safeguarding and the principles of data protection established in the context of GDPR and the local legislation.
  1. Our role:
The School mainly acts as the Data Controller regarding processing Personal Data concerning students, parents/guardians, staff, as well as prospective or alumni students, parents, staff and webpage visitors specifically in the context of providing educational services. This means that we are responsible for the lawfulness of processing carried out by the School and thus have the overall control over the purposes and means of the processing.
  1. What Personal Data do we process and how?
We process Personal Data that we receive from you in the context of academic, employer or business relationship. To the extent necessary and in order to operate at the highest education standards, we may also collect and otherwise process Personal Data not specified below, however we will always notify and describe the purposes as necessary at the point of collection.
For all special categories data (also known as sensitive data), we will always communicate to you the purposes for which we wish to use your sensitive information when it is being collected, and, the relevant applicable legal basis in each case for example, if necessary, your explicit consent at that time.  
The following types of Personal Data may be collected as part of School’s operation and education process.
Health
Contact details
Identity information
Health data
Online Teaching
Identity information  of students and staff via the online platforms used by the School
 
Students’ homework and other assessment documents processed over online platforms as part of the learning process
Accounting         data for payment and transaction data
Captured cctv images Identity information
Student and exam Registration Contact details, Identity information, Payment and transaction data, Special Categories of Personal Data
Media
 
Promote students work and School’s activities over the internet and School’s social media channels - Students work in any form mainly photos and videos and students photos and video (streaming) for award ceremonies, graduation, trips, etc.
Website / portal browsing          Contact details, Identity information, Technical information about the devices used (such as IP address, operating system, browser type) log-in information, preferences etc.
Students and staff personal data  may be also processed as part of other School’s coore or ancillary processes such as Teaching/Student Administration, extracurricular activities, school evens etc.
  1. Legal basis for processing
The legal bases used for all personal data processing are as follows:
Contractual obligation
 Legitimate Interest:
  • Due to extraordinary circumstances, such as during the covid -19 pandemic
  • Safeguarding of students
  • H&S and security of staff and visitors on campus
 
Protection of School assets
Consent and Explicit Consent
Legal obligation
  1. Why do we process Personal Data?
When acting as Data Controller, the School will rely on (a) your consent to process certain data sets such as media (images, videos) files, cookies or other analytics through the use of our website, (b) the necessity to perform our contractual obligations with regard to all the educational services provided, (c) on our legitimate interest provide that this interest is not overridden by your rights and freedoms (e.g. safeguarding, providing quality and safe facilities, etc), (d) legal or regulatory obligations we must fulfil as an academic institution.
  1. Disclosure of Personal Data
We may share certain data with relevant national authorities or bodies under our legal obligations or in accordance with Data Protection Law and in particular GDPR Article 28. Such authorities may be the Ministry of Education, Social Insurance department etc. We may also share Personal Data in the context of international examinations and admissions to higher education institutions following  students and parents instructions and exam boards or institutions requirements.  Data may be also shared with our subcontractors for maintenance purposes and other third parties Software providers, Information security and information technology consultants, Legal advisors etc.
  1. Retention of Personal Data
We do not retain Personal Data in a form which may enable the direct or indirect identification of a Data Subject for longer than is necessary for the purposes for which the data is being processed or more than is provided for by specific legislation. Personal Data of students relating to registration, education, exams, and graduation are retained as long as they are registered students and then archived and retained for longer period. Other Personal Data which are also archived and kept for longer periods include data which the School cannot dispose for legal and/or regulatory or are structured in a way that cannot be deleted for technical reasons. In that case the School implements all technical and organisational measures to safeguard the data for the full life cycle.
We maintain an internal records retention policy which provides for every category of Personal Data a specific retention period or criteria for disposal of data. You may email dpo@englishschool.ac.cy for particular Personal Data retention periods.
  1. Data Transfers
We do not normally transfer your Personal Data outside of the European Economic Community. However, your Personal Data may be transferred to entities and institutions, located outside of the EU, provided that such transfers are carried out either a) on the basis of an adequacy decision by the EU Commission in accordance with GDPR Article 45, or b) on the basis of at least one of the other appropriate safeguards, such as the up-to-date EU approved Standard Contractual Clauses. Where none of the appropriate safeguards are applicable, we may carry out the transfer on the basis of at least one of the specific situations, i.e. the data subject’s specific consent, necessity for the performance of a contractual obligation etc. In addition, we will always take into account the relevant provisions under Cyprus Data Protection Law. In any event, we always make sure we take all reasonable and practicable measures to ensure the secure transfer in accordance with the GDPR.
  1. Your data subject rights
When the School acts a Data Controller, Data Subjects may exercise their data privacy rights which the GDPR affords them. These include the right to:
  1. receive certain information about the School’s Processing activities (Right to be informed)
  2. request access to their Personal Data that we process; (Right to Access)
  3. in limited circumstances, request the erasure Personal Data, for example if it is no longer necessary in relation to the purposes for which it was processed; (Right to Erasure)
  4. request the rectification of inaccurate data or to complete incomplete data; (Right to Rectification)
  5. right to request to restrict Processing in specific circumstances; (Right to Restriction)
  6. in limited circumstances, receive or ask for their Personal Data to be transferred to another data controller in a structured, commonly used and machine-readable format; (Right to Portability)
  7. challenge Processing which has been based on our legitimate interests or in the public interest; (Right to Object)
  8. object to decisions based solely on automated Processing, including profiling; (Right not to be subject to automated-decision making) (not applicable to the School at the moment)
Other rights include: the right to be notified of a Personal Data Breach which is likely to result in high risk to your rights and freedoms; the right to make a complaint to the Supervisory Authority; the right to withdraw consent to Processing at any time.
Please note that these rights are not absolute and subject to exceptions. These therefore may be limited where we have an overriding interest or legal obligation to continue to process the data or where data may be exempt from disclosure under applicable law. The applicability of your rights depends on the legal basis on which we rely in each case.
If you want to exercise any of these rights, then please contact our DPO by e-mail at dpo@englishschool.ac.cy. We will take all appropriate steps to respond within the legal timeframe, that is 30 days from day we receive your request or additional 2 months in the case of receiving an excessive request in which case we will keep in touch and informed about the progress and status of your request.
If you wish to raise a complaint on how we have handled your Personal Data, you may contact us to have the matter investigated.
If you are not satisfied with our response or believe we are not processing your Personal Data in accordance with the law, you may lodge a complaint to:
Office of The Commissioner for Personal Data Protection
Office address: Iasonos 1, 1082 Nicosia, Cyprus
Postal address: P.O.Box 23378, 1682 Nicosia, Cyprus
Tel: +357 22818456
Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy
  1. Data security
We are implementing all appropriate and necessary technical and physical security measures to ensure a level of security appropriate to the risk, in order to prevent any Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed.
We are also regularly assessing the effectiveness of all technical and organisational measures to ensure the security of the Personal Data processed on our systems, equipment and facilities taking into account all the relevant security standards and legal requirements. We maintain an internal information security policy and all staff is responsible to abide by the School’s Data Protection Security Manual to protect of our Personal Data.
  1. Changes to Privacy Policy
We may update this policy from time to time, so please review it frequently. If any material changes are made to this Privacy Policy, we will use reasonable endeavours to inform you in advance by email, notice on the website or other agreed communications channels.
Last review December 2022
.
Follow on Social Media