Data Privacy
Providing a safe and healthy environment for students and the entire ISP community is our first priority. The following sections provide more information about our approach to privacy.
If you have any questions or concerns, please contact us at privacy@isp.cz.
Information Memorandum
The purpose of this information memorandum is to explain the necessity for the International School of Prague (also referred to as “ISP” or the “School” or “we”) to collect, process and store the Personal Data of prospective, current and former parents, students, staff, service providers, volunteers, candidates and interns, and to inform them of their rights concerning their Personal Data as now required by the European Union (“EU”) General Data Protection Regulation (“GDPR”) and the data protection law applicable by national legislation.
The primary reason that ISP uses Personal Data is to enable the School to provide educational and support services to enrolled students. This notice explains how ISP uses personal information, who this information might be shared with and the ways in which the School protects and accounts for privacy. It also explains decisions that parents, students, staff, service providers, volunteers, candidates and interns can make about their Personal Data held by the School.
Document last updated: 5 September 2024
- I) Personal Data Processing and Disclosure
- II) Third-Country Transfers
- III) Data Retention
- IV) Learner Profiling
- V) Video Surveillance
- VI) Contact Point
I) Personal Data Processing and Disclosure
ISP collects Personal Data, including special categories of Personal Data of students, parents, teachers and staff and service providers in order to provide a safe and caring international environment for teaching, learning and general educational purposes.
More specifically, ISP processes Personal Data for the following purposes:
- Provision of educational services, starting with the application process, enrolling students, administration of classes and timetable, teaching activities, administration of internal and public examinations, assistance regarding the application process to various universities and issuance of academic records.
- Provision of educational ancillary services: pastoral care, career and personal counselling, library services, extracurricular activities, school trips, managing the school’s publications, setting up the virtual learning environment and granting access to ISP’s Intranet and Internet network as well as monitoring the use of ISP’s network.
- Ensuring campus security: monitoring access on campus, performance of video surveillance.
- Provision of the medical care and counselling that students may need.
- School administration includes handling student records and other academic documentation, administering fees and accounts, conducting internal audits and controls, creating reports and statistics, implementing school policies, ensuring collaboration with other schools, archiving, assessing the quality of our services, and facilitating research activities.
- School related communications: conveying various messages related to the students and ISP’s activities by any communication means.
- Organising fundraising activities and other school events (e.g., concerts, theatre productions, talent shows), including marketing communications related to the fundraising activities organised by ISP.
- Dispute resolution and handling of litigation.
- To provide a safe and secure learning and working environment (to ensure the safety and security of students and staff, including camera surveillance) to protect the health of the parents, students, staff, service providers, volunteers and interns. ISP may also use personal data provided to the School by health professionals in order to safeguard parents, students, staff, service providers, volunteers and interns.
- For employment of qualified teachers and staff to work in our school, the school uses data obtained through respective external Job Portals and/or Recruitment Services providers, to post vacancies and obtain Curriculum Vitaes from candidates. As part of the Safe Recruitment practises, the school conducts background checks, including confidential references and process CVs to a shortlist, interview and hire employees of the School and its Board members.
- To support and develop our employees in the performance of their duties.
- To develop contracts with third service providers.
- For the school's business and financial operations, this includes parent-teacher contracts/payments, teachers' contracts and salaries, and data about vendors.
The categories of Personal Data that ISP processes include, but are not limited to, the following:
The School needs to know the relevant Personal Data of parents, staff, service providers, volunteers, candidates and interns and students. This could also mean recording and processing special categories of personal data such as confidential references, medical data, religion as well as CCTV, photos and video recordings (all together, the “Personal Data”). This notice applies to all Personal Data collected for or on behalf of the School whether in analogue form (documents and forms in writing) or in digital form (such as information systems, databases and emails).
Personal Data that ISP processes by stakeholder groups may include, but are not limited to the following:
- Students and alumni
- Parents
- Employees, volunteers and interns
- Service providers
- Special categories and sensitive data
Students and alumni
- Identification and contact information: names, addresses, dates of birth, languages spoken
- Authentication and physical access data: e-mail, passwords, badge number, location data, other online identifiers, car registration number details, etc.;
- Educational background and learning performance data: academic, disciplinary or other educational-related records, academic references, special educational needs, hobbies, results of educational diagnosis testing, test results, feedback, evaluations, attendance records, behavioural data, as well as data on preferences / interests of students;
- Health data: medical history, allergies, immunisation records, disorders, medical examination results and other medical data of the students;
- Family information: household information, language background, profession and workplace of parents etc;
- Photos and videos.
Parents
- Identification and contact information: names, addresses, dates of birth, language background, bank account details
- Authentication and physical access data: e-mail, passwords, badge number, location data, other on-line identifiers, car registration number details, etc.;
- Family information: household information, profession and workplace;
- Photos and videos.
Employees, volunteers and interns
- Identification and contact information: name, date of birth, gender, addresses, languages, emergency contacts, bank account details;
- Authentication and physical access data: e-mail, passwords, badge number, location data, other online identifiers, car registration number details;
- Professional qualification and background data: academic degree achieved, disciplinary or other performance-related records, previous job-related references, criminal background checks;
- Health data: obligatory medical checks;
- Photos and videos.
Service providers
Special categories and sensitive data
The education services the School provides require us to collect and process also special categories of data, such as health information, for the purposes of safeguarding the protection of our students and the wellbeing of those within our care. We do not disclose or share special categories of data, or other categories of data deemed sensitive, such as confidential references, without explicit and unambiguous consent unless we have to do so where we are required to by law, or where we have good reason in protecting the vital interests of an individual.
We collect and use Personal Data to carry out the education services as described above. ISP collects and further processes Personal Data, based on one of the following legal grounds, expressly laid down by the GDPR:
- The consent you have granted us, prior to any processing of the personal data, for:
- the use of students’ and employees’ photographs and videos in various school publications, on ISP’s website and social media pages;
- the use of your contact details for direct marketing communications on ISP’s fundraising activities;
- other consents that may be granted from time to time for various processing activities.
- We do so under the lawful basis that the processing is necessary for the performance of an enrollment contract in which you are entering or have entered into. Please note that there are some mandatory categories of personal data necessary to ISP in order to conclude the enrollment agreement and provide the educational services to students at a high standard and in their best interests.
- For the performance of the employment contract, as well as in order to take steps at your request for entering into the employment contract and to further provide employment.
- For the performance of the service contract, as well as in order to take steps at your request for entering into the service contract and to further provide the related services.
- A legal obligation that requires ISP to process your personal data (e.g. names of students registered with a Czech school).
- The legitimate interest pursued by ISP, namely our interests such as providing a safe learning environment, maintaining the School community, fundraising, etc.
ISP may invoke the legitimate interest legal ground in the following cases:
- safeguarding the protection of our students and the wellbeing of those within our care;
- monitoring use of the ISP’s virtual learning environment and network, including monitoring the use of e-mail accounts provided by ISP;
- conducting fundraising activities, including marketing of such activities;
- enforcement of legal claims, addressing complaints and third party controls;
- management, control, reporting and performing statistics on schools activity;
- ensuring security;
- maintaining close relationships with alumni and the ISP community;
- collaboration with other schools and educational institutions;
- performance of agreements with suppliers, including insurance suppliers;
- access to grants and other funding sources.
With respect to the processing of the special categories of personal data under the GDPR, specifically medical and health data, ISP processes these data based on the following legal grounds:
- The vital interests of the individual, including their health and the health of those around them.
- The explicit consent granted by you for the processing and disclosure of personal data beyond the grounds listed above.
ISP discloses your Personal Data only to those members of ISP, staff and collaborators, who need access to the Personal Data, mainly to ensure the provision of the educational, employment and ancillary services. Only the Health Office has full access to students’ medical records; other departments of the school have access to specific health data based on the legitimate interest of the School, the vital interest of the individual, or by legal requirement.
With respect to the disclosure of your Personal Data to third parties outside ISP, please note that such disclosure is performed solely in the regular activity of the school. The categories of recipients include the following:
- IT providers, including educational applications, on-line tools, server hosting suppliers, etc. This includes, but is not limited to, providers such as International Baccalaureate Organisation, Veracross, Teacher Tools Pvt. (Toddle), Google, Maia Learning, NWEA, etc.;
- Cafeteria Owner in its capacity of independent provider of meal services on campus;
- Other educational institutions or organisations, not limited to other schools;
- Travel agencies, catering and transportation providers;
- Photographers and videographers contracted by ISP;
- Payroll and financial service providers;
- Public authorities and institutions;
- Tax, legal and accounting consultants.
II) Third-Country Transfers
Personal Data may be transferred to organisations outside the Czech Republic and outside the European Union (EU). This may, for example, occur for the purposes of student applications for college or university. Various teaching and learning applications are also used that are based outside the European Union. For such transfers of Personal Data outside the EU, ISP has implemented suitable safeguards in the form of appropriate contractual clauses where required under applicable data protection legislation. More information on these transfers and suitable safeguards can be requested from the ISP Data Protection Committee.
III) Data Retention
ISP will retain Personal Data for as long as required by law or best educational practice. ISP retains Personal Data after parents, students, staff, service providers, volunteers and interns have left the School in order to provide confirmation of academic, employment, and contractual service history. It is widely accepted that a School should hold data on the achievements and experiences of a student for their benefit in later life should they need to access that information. Subject to appropriate safeguards, ISP may keep some information during a longer period if needed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In any case where a legal provision imposes a minimum retention period, ISP will keep the Personal Data for at least that mandatory period.
Your rights related to the processing of Personal Data by ISPThe GDPR provides certain rights related to the processing of Personal Data, that individuals (be they parents, students, employees, suppliers, etc) have. Students that have reached a certain age and an appropriate level of understanding may themselves exercise the rights listed in this section.
ISP respects all the rights mentioned under the GDPR and is committed to furnishing the appropriate means for individuals to exercise these rights, according to the details mentioned below:
- The right of access, which entails your possibility to obtain the confirmation from ISP whether your Personal Data is being processed by ISP, and, in cases where it is, to solicit access to this data, as well as additional information regarding that Personal Data, such as: the purposes of processing, the categories of recipients the Personal Data are being disclosed to and the envisaged retention period. In the situations where you may need to exercise the right of access, please contact ISP and request confirmation or access to your Personal Data by completing and submitting our Access to Personal Data Request Form. Please note that there might be specific situations that are exempted from the right of access, such as information that identifies other individuals or which is subject to confidentiality obligations.
- The right to rectification, that allows you to request ISP to rectify any inaccurate Personal Data that it may hold, as well as to have your incomplete Personal Data made complete.
- The right to erasure, that in situations expressly regulated by law, you may request erasure of your Personal Data. Please note, that the cases where the law provides for the possibility of erasure of Personal Data amount to situations where the processing is unlawful or where the processing is based on your consent, and you have withdrawn such consent.
- The right to restriction of processing, which is your right to obtain restrictions on the processing of your Personal Data by ISP. Please bear in mind that this right can be exercised only in specific situations laid down by the GDPR such as when you challenge the accuracy of your Personal Data. During the period necessary for us to rectify your data, you may ask us to restrict the processing of your Personal Data.
- The right to data portability, that is your right to receive the Personal Data in a structured, commonly used and machine-readable format and further to transmit such data to another controller. This right to data portability shall be applicable only to the Personal Data you have provided to us and where the processing is carried out by automated means based on your consent or for the performance of the contract you have concluded with ISP.
- The right to object to the processing of your Personal Data by ISP, on grounds relating to your particular situation. The right to object applies to the situations where ISP relies on consent as a legal basis for processing (e.g. using your email address to communicate with you regarding our fundraising efforts).
- The right to lodge a complaint designates your right to challenge the manner in which ISP performs processing of your Personal Data with the competent data protection authority.
- The right to withdraw your consent given for various processing operations, in cases where the consent represents the lawful basis for processing. In cases where you withdraw your consent to process your Personal Data, please note that the processing will end from the moment the withdrawal takes place without any effect on the processing that took place prior to such withdrawal.
IV) Learner Profiling
ISP creates learning profiles based on the Personal Data and, specifically, educational data that pertain to students. ISP creates and uses such profiles to:
- Support and enable the academic and personal objectives of students, including the monitoring and reporting of progress.
- Provide a tailored learning environment and make evidence-based educational decisions for the students we serve.
V) Video Surveillance
The School operates a camera monitoring system (“CCTV”) installed in corridors inside the School and at outside sports fields and playgrounds in accordance with the relevant provisions of the Protection of Personal Data Act No. 101/2000 Coll., as amended (the “PPD Act”), and processes related personal data obtained from the cameras in order to:
- ensure the protection and safety of the School’s students, employees, authorized visitors and other persons
- monitor the safety and protection of School property and the personal belongings of the School’s students, employees, authorised visitors and other persons.
VI) Contact Point
In the situation where you may wish to obtain additional information or clarifications on the subject of processing your Personal Data, please contact ISP, via the appointed Data Protection Committee responsible for ensuring that ISP complies with all the requirements of the GDPR.
Contact Details of ISP’s Data Protection Committee:
- E-mail address: privacy@isp.cz
- Phone Number: +420 220 384 111