General Data Privacy Notice

ISF International School Frankfurt Rhein-Main Verwaltungs-GmbH

GENERAL INFORMATION

This General Data Privacy Notice provides detailed information on how ISF International School of Frankfurt Rhein-Main ("we", "us", "our", "School”) handles the personal data of its Students, Prospective Students, Students' Parents/Legal Guardians (“Representatives”), Employees, and Prospective Employees within the scope of its activities.

The detailed provisions throughout this General Data Privacy Notice will apply to the operation of the School and in particular to the courses and/or to any educational services offered by the School in the Federal Republic of Germany (Germany).

1. DEFINITIONS

In this General Data Privacy Notice, the following terms are used with their respective meaning:

2. INFORMATION ABOUT US

For the purposes described in this General Data Privacy Notice, the School shall be taken as the legal person responsible for determining the purposes and means of the Personal Data that had been submitted by Students, Prospective Students, Students' Representatives, Employees, and Prospective Employees and may be identified and contacted through the channels below:

3. PROCESSING PERSONAL DATA

As part of its educational activities, the School will collect and process the Personal Data identified below, with the following purpose and legal basis:

• Student, Prospective Student, and Students' Representatives' Identification Data: Types of data that enable the identification of the Data Subject who has any legal bond with the School – Students, Prospective Students, Students' Representatives – consisting, for example, of full name, date of birth, nationality, place of birth, profession, home address, E-mail address, postal code, and telephone and/or cell phone number(s).
  
  Purpose: The Personal Data is collected in order to enable the proper identification of Students, Prospective Students, Students' Representatives, that either have established or will establish a contractual relationship with the School.
  
  Legal Basis: The processing of Identification Data by the School will be carried out in order to allow the controller to perform the tasks and services described in the contract to which the Data Subject is a party, pursuant to Article 6, 1 b, of GDPR.
  
  
• Employees Identification Data: The School may collect the following data related to the Employee:
  • Name
  • Gender
  • Home address
  • Telephone number
  • Date of birth
  • Marital status
  • Belonging to the Catholic or Protestant Church in Germany, where applicable for tax reasons
  • Number of children under the age of 18, where applicable for tax reasons
  • Employee identification number
  • Employee photos
  • Emergency contacts: By providing such personal data to us, the Employee must ensure and secure evidence that these related parties have given their free and express consent that their personal data may be processed by the School for the purposes described below.
  • Residency
  • Work permit status
  • Nationality
  • Passport information
  • Social security or other taxpayer/government identification number
  • Payroll information, banking details
  • Wage and benefit information
  • Retirement account information
  • Sick pay, Paid Time Off, retirement accounts, pensions, insurance, and other benefits information (including the gender, age, nationality, and passport information for any spouse, minor children, or other eligible dependents and beneficiaries).
  • Information from interviews and phone-screenings
  • Date of hire, date(s) of promotion(s), work history, technical skills, educational background, educational degrees, professional certifications and registrations, language capabilities, and training records.
  • Forms and information relating to the application for, or in respect of changes to, employee health and welfare benefits; including, short and long-term disability, medical and dental care, vaccination records, police background check, etc.
  • Physical limitations and special needs in order to provide reasonable accommodations.
  • The School may collect and store any medical data required by and in accordance with local laws and regulations if any.
  • Information captured on security systems and key card entry systems.
  • Employee files; professional development records and certificates, performance and evaluation results, written warnings, amendments to contract, doctor notes, personal day request forms.
  
  Purpose: The School collects the above Employees' Personal Data for purposes including:
  • Recruitment, training, development, promotion, career, and succession planning
  • Providing and administering remuneration, salary, benefits, and incentive schemes and providing relevant information to payroll
  • Allocating and managing duties and responsibilities and the business activities to which they relate
  • Identifying and communicating effectively with other employees and management
  • Business operational and reporting documentation
  • Selecting the best training
  • Supporting HR administration and management and maintaining and processing general records necessary to manage the employment or work relationship and operate the contract of employment or engagement
  • Centralizing HR administration and management processing operations in an efficient manner for the benefit of the Employees
  • Authorization and accreditation requirements
  
  Legal Basis: The processing of Employee Identification Data by the School will be carried out in order to allow the Controller to perform the tasks and services described in the contract to which the Data Subject is a party, pursuant to Article 6, 1 b, of GDPR and §26 BDSG.
  
• Students’ Representative Financial Data: Personal Data that allows the School to perform bank collection or compensation for the educational services provided or for the registration of Students or Prospective Students, consisting, for example, of bank details, payment information, and credit card details of the Students’ Representative.
  
  Purpose: Student’s Representative Financial Data is collected to enable the School to properly and securely charge for its services.
  
  Legal Basis: The Student’s Representative Financial Data will be processed due to the need for the School to execute, or be allowed to execute, the contract in which the Data Subject takes part, according to Article 6, b, of GDPR.
  
  
• Health-Related Data: Personal Data relating to certain health conditions of Students and Prospective Students.
  
  Purpose: Data concerning the health of Students, Prospective Students is collected to enable the School to render appropriate medical treatment when and if necessary, either during or before the execution of the enrollment contract, as a preparatory measure by the School for the timely provision of services.
  
  Legal Basis: This type of data will always be processed in the best interest of Students and Prospective Students, with the specific consent of at least one of their Representatives and/or Legal Guardians, pursuant to the purposes listed above (Article 6, I, a, of GDPR)
  
  
• Student Performance Data: Data related to the Student's pedagogical performance, consisting, for example, of disciplinary and educational observations, evaluations, tests, reports of grades, and absences.
  
  Purpose: Performance Data is collected to allow Students, their Representatives, and the School to be aware of the Student's pedagogical performance. Amongst the intended purposes are (i) supporting Student learning; (ii) monitoring Student learning performance; (iii) managing the educational services provided by the School to Students; and (iv) compliance with legal and regulatory obligations, which determine, for example, the measurement of Student grade averages and attendance.
  
  Legal Basis: The processing of Student Performance Data by the School will be carried out in order to allow the School to perform the tasks and services described in the contract to which the Data Subject is a party, pursuant to Article 6, b, of GDPR.
  
  
• Employee Performance Data: Data related to the Employee’s performance, consisting, for example, of disciplinary and educational observations, evaluations, and absences.
  
  Purpose: Employee Performance Data is collected to allow the School to monitor the Employee's performance. Amongst the intended purposes are (i) supporting Student learning; (ii) managing the educational services provided by the School; and (iii) compliance with legal and regulatory obligations, which determine, for example, the measurement of attainment of targets set by the School.
  
  Legal Basis: The processing of Employee Performance Data by the School will be carried out in order to allow the School to perform the tasks described in the contract to which the Data Subject is a party, pursuant to Article 6, b, of GDPR and §26 BDSG.
  
  
• Photography and Filming: Images of Students, Prospective Students, and Employees.
  
  Purpose: The images are collected in order to allow the School to properly identify its Students, Prospective Students, and Employees during or prior to the provision of educational services, as well as to implement appropriate security measures on the school premises, via the CCTV system and others.
  
  Legal Basis: Images of Students, Prospective Students will be processed by the School when at least one of their “Representatives" grants specific consent to do so.
  
  
• CCTV System: Footage collected from the School’s perimeter video surveillance systems:
  
  Purpose: The purpose of collecting Personal Data from the CCTV system includes:
  
  
  1. To control access to the School premises and to ensure its security, the safety of the Students, Employees, and visitors, as well as property and information located or stored on the premises;
  2. To prevent, deter, and if necessary, investigate unauthorized physical access, including unauthorized access to secure premises and protected rooms, IT infrastructure, or operational information;
  3. To prevent, detect, and investigate theft of equipment or assets owned by the School, visitors, or staff or threats to the safety of personnel working at the School (e.g. fire, physical assault).
  
  

  The CCTV surveillance system is not used for any other purpose, such as to monitor the work of employees or their attendance. It is important to note that the location and positioning of the video cameras are such that they are not intended to cover the surrounding public space; the cameras are aimed to give a general overview of what’s happening in certain places, but not to recognize persons.
  
  The cameras are installed at the School entrances and placed and focused in a way that only people who want to access the site or the annexed facilities, including parking areas property, are filmed. The cameras cover the area of entry and exit points of the building, entry points inside the building, delivery, garage, and outer area of the building. The recorded material can be accessed by the security staff members of the School. Access to the hard-disc recorder is highly limited, being protected by a password and recording any log or action from the staff members. The data cannot be accessed without the authorization of the School Director, the School’s Head of Administration, or a member of the School Management.
  
  The recorded material is kept for 7 days after the Data Subject visits the School. After that period, any recorded material is automatically overwritten. The recorded material may be kept for a longer period in the event they are related to an incident, crime, or event that would lead to future prosecution.
  
  The School does not share Personal Data captured on CCTV with any third party unless the Data Subject has provided permission or there is a specific request from the police or other law enforcement authorities. If Personal Data is shared with a third party, the Data Subject will be notified.

  Legal Basis: The video CCTV system is used based on a legitimate interest according to Art. 6 para.1 lit f, of GDPR.
  
  
• Direct Marketing: Students, Prospective Students, and their Representatives may be asked to provide Personal Data, such as their name and E-mail address, for the purpose of receiving marketing communications by E-mail.
  
  Purpose: The Personal Data provided is used to provide school-related information to the Data Subject, who will be asked to affirmatively opt-in to E-mail marketing communications.
  
  Legal Basis: Specific consent to receive marketing material.

4. COLLECTING PERSONAL DATA

The School shall only collect data for specific purposes and with a proper legal basis for processing. Data obtained for specific purposes will not be processed for purposes different from the ones specified in this policy unless the School properly notifies Data Subjects regarding it.

The collection of Personal Data occurs in the following cases:

Data Provided by the Data Subject or their Representative:

• Voluntary completion of registration forms, applications, or vacancy forms by the Student’s Representative or by a Prospective Employee;
• Direct contact by E-mail, telephone, or any other form of electronic correspondence and/or letters;
• The Student, his/her Representative, or the Employee voluntarily creates a profile on any of the School’s Online Platforms;
• Through the completion of electronic or paper forms, evaluations, reports, tests, simulations, notes, and attendance lists, as well as taking part in interviews and meetings, all of which are deemed a necessary part of the educational services contracted and are submitted by the Student, the Student’s Representative, or Employee to one of the School’s agents.

Internet Trackers:

The Data Subject’s personal information is electronically collected for statistical purposes and for the improvement of the School website, using cookies (files stored in the Data Subject’s browser). The School and its service providers may also use other tracking technologies for website management and user tracking.

Online Platforms:

The School uses Online Platforms during the rendering of its educational services and, therefore, provides its Students access to software that is not operated by the School. Please note that this General Data Privacy Notice does not apply to third-party software. This General Data Privacy Notice does not govern the practices of third parties, including the School’s partners, third-party service providers, and/or advertisers, even when those services are branded as or provided on behalf of the School.

Third Parties:

This consists of the collection of Personal Data that is provided by and/or shared with authorized third parties or government agencies, including:

• Doctors, therapists, speech therapists, and other health professionals, always with the specific consent of the Student’s Representative and in his/her best interest;
• Other educational establishments;
• Government bodies and regulatory authorities.

In case of medical emergencies, the Personal Data of Students may be collected without specific consent and its processing will be carried out exclusively for the protection of the Children or Adolescents, according to Article 6. Para. 1 d, of GDPR.

Personal Data from third parties will be properly analyzed by the School in order to ensure that the information has been collected, is being shared on a legal and/or regulatory basis, and is accurate and up to date.

5. PHOTOGRAPHY AND FILMING FOR PERSONAL USE

The School is not responsible for, nor does it hold any interference with, any filming or photographs made by Students, Prospective Students, and their Representatives, Employees, and Prospective Employees, during the regular School day activities or social events organized by the School.

However, in order to provide a healthy environment for its Students, the School will publicize guidelines among its Students, and their Representatives, and Employees on sharing images and footage of minors, reminding all those participating in the School environment of the provisions in this General Data Privacy Notice, including:

• Reminding Students and their Representatives about their option of updating their consent preferences for any data processing operation involving their children.
• Requesting that photographs and footage of Students and Employees that are taken during the School’s social events must not be shared on social media without prior authorization from the Student’s Representative.
• Reminding Students and their Representatives about the terms of this General Data Privacy Notice

6. PHOTOGRAPHY AND FILMING FOR SCHOOL USE

The School recognizes the need to safeguard the Personal Data and the privacy of its Students and Employees, both at the School and on social media.

Under the terms of the enrollment contract signed between the School and the Student(s)’ Representative(s), the School is authorized to use the Student's image, by means of photographs, videos, and/or recordings, for the purpose of publicizing the educational services provided on Online Platforms and general media, always in the best interest of the Student and the legitimate interest of the School.

The School recognizes the need to protect the Personal Data and privacy of its Students, both at the School and on social media, and, therefore, will only use the image of Students with the specific consent of their Representative(s), which will be collected from at least one of the Representatives through a specific form.

7. CONSENT – STUDENTS

The processing of Students’ Personal Data will be restricted to the purposes outlined above in Clause 3 and in accordance with this General Data Privacy Policy.

8. ACCESS TO PERSONAL DATA

Access to the Personal Data of Students, Prospective Students, and their Representatives, as well as that of Employees and Prospective Employees, will be restricted to professionals and agents assigned to the specific function of developing the process of enrollment, selection, and rendering of educational services provided by the School.

9. STORING AND PROTECTING PERSONAL DATA

The School takes advanced administrative, technical, organizational, and physical measures to protect the Personal Data under its control. These measures include computer protection mechanisms and secure files and facilities. In turn, once the purpose of the data processing is fulfilled, the School adopts appropriate measures to securely delete or permanently dissociate the Personal Data, depending on the applicable legislation and compliance with the minimum data retention principle.

The School will only keep Personal Data for as long as necessary to process Students’, Prospective Students’, Employees’, and Prospective Employees’ applications or to inform them about future opportunities unless it is necessary to retain it for an underlying period, which will be done on the basis of the provisions Article 5- e, of GDPR.

The School reserves the right to contract third parties – Processors – to carry out the storage of Personal Data under its custody, in which case these agents will have to process the Personal Data of prior written instructions determined by the School and ensure the confidentiality and security of Personal Data.

10. SHARING PERSONAL DATA WITH THIRD PARTIES

The School does not share Personal Data with any third parties, unless in the following situations:

• With public regulatory or executive authorities, courts, and government agencies to comply with legal orders, legal or regulatory requirements;
• With Service Providers ("Processors"), regulatory authorities, and government agencies to detect and prevent fraud or other criminal activity and to protect the rights of the School or others;
• With “Processors" for the execution of contracts and business development at the request of the School.

When the Personal Data of Students, Prospective Students, Representatives, Employees, and Prospective Employees has to be shared with third parties other than as described above, the School will notify the Data Subject to obtain specific consent for that purpose, subject to exceptions provided in applicable law.

Accordingly, the School reserves the right to store Personal Data under its custody with Processors who may or may not be located in the German territory. When Personal Data is transferred to other jurisdictions, the recipient of such information will always be countries or international organizations capable of providing an adequate degree of protection compatible with Article 46 of the GDPR.

11. CROSS-BORDER TRANSFER OF PERSONAL DATA

As the School is a member of the SABIS^® School Network, the Personal Data may be transferred outside the territory of Germany:

• The Personal Data is securely replicated to the databases located in Microsoft Cloud Services in Ireland in order to provide Students and their Representatives with access to SABIS^® Applications hosted in the Cloud. SABIS^® Applications support students’ learning by monitoring and following up on their academic and non-academic performance, including but not limited to, exam results, attendance and discipline records, school calendar, study material, and Student Life Organization (SLO) participation. The replicated Personal Data will also be used to run analytics/statistics on Students, sections, classes, and overall School’s academic performance.
• Further to the School’s requests and instructions, authorized personnel at SABIS Educational Services s.a.l., Adma, Lebanon have access to the replicated data in order to operate, develop, improve, deliver, or support the applications and services.
• In accordance with the Management Agreement entered into by and between the School and SABIS Educational Systems, Inc. (SES Inc.), under which SES Inc. is to provide academic support and assistance services for Students and Employees, the Personal Data is transferred to the United States, where appropriate security measures are enforced to protect the confidentiality, integrity, and security of the Personal Data.

12. DATA SUBJECT RIGHTS – COMPLIANCE WITH ART. 15 to 21 OF GDPR

According to GDPR, Data Subjects have rights in relation to the processing of their Personal Data, among them:

• The right not to provide the School with their Personal Data, unless this piece of information is essential for the purposes highlighted in this General Data Privacy Notice;
• The right to be informed about the existence of processing of their Personal Data;
• The right to access, rectify, and update their Personal Data;
• The right to request the erasure of their Personal Data, except in those cases where the Personal Data is essential to the activity provided by the School or when its storage results from a legal, regulatory, or contractual obligation or for the legitimate exercise of rights;
• The right to have their Personal Data transferred to another controller; consisting, for example, of sending Personal Data of Students to other educational institutes; and
• The right to withdraw their consent to the processing of their Personal Data, when applicable.

If the Data Subjects choose to exercise any of the rights described above, or if they have any questions about how the processing of their Personal Data flows, they may contact the School’s Data Protection Officer through the channels highlighted in Item 2 of this General Data Privacy Notice.

13. DATA SUBJECT DUTIES

The Student and the Student’s Representative(s) is (are) responsible for the accuracy of the information provided during the registration process with the School.

14. CHANGES TO THIS DATA PRIVACY NOTICE

The School reserves the right to amend or modify this General Data Privacy Notice at any time, considering, among others, legislative, regulatory, and case law updates.

In the event of a change to the terms set forth herein, the School will notify the Students, their Representatives, and Employees, detailing the changes and, if applicable, requesting an update of consent for the processing of their Personal Data.

If you have any questions, please contact us through the channels provided in Item 2 of this General Data Privacy Notice.