
Audentes School Foundation Privacy Policy


We highly value your privacy at Audentes Private School (hereinafter the private school), Audentes Sports Gymnasium (hereinafter the sports gymnasium), Audentes Children’s School (hereinafter the children’s school) and Audentes Hobby Centre (hereinafter the hobby centre). Our privacy policy helps you understand why and how we process personal data and what your rights as a data subject are.

This privacy policy applies to you:

  • if you are or have requested to be our client;
  • if you use our services without a cooperation agreement, e.g. you attend baby school with your child, or your child attends a hobby group or participates in a city camp.

The authorised processor of personal data in accordance with the customer relationship and services is Audentes Private School, Audentes Sports Gymnasium, Audentes Children’s School or Audentes Hobby Centre (Tondi 84/1, 11316 Tallinn; e-mail: andmekaitse.koolid@audentes.ee).

 

The personal data we process

We process four types of personal data:

  • general data are first name, surname, personal identification code, image and validity of document (birth certificate, passport or ID card and student card);
  • contact details are telephone number, e-mail address and residential address;
  • health data are records related to a student’s state of health (including dietary restrictions);
  • security camera records are recordings of security cameras that are installed to protect persons and property.

 

Legal grounds for processing personal data

The processing of personal data is based on legal grounds, which are:

  • the need to fulfil an agreement (including the need to provide the service);
  • the obligation to comply with the law;
  • legitimate interest; or
  • the consent of a parent or student aged 18 or over.

Data processing required for the fulfilment of an agreement (including the provision of services)

For example:

Purpose of processing Personal data to be processed
General data Contact details Health data Security camera records
Pre-contractual communication: school admission + + +
Creating a cooperative relationship on the basis of a cooperation agreement or one-off service + + +
Maintaining and developing cooperation + + +
Settlements: drafting and sending out invoices and collecting payments + +
Management of circumstances and events that affect the provision of services: forwarding information, dealing with problems, etc. + + +

 

Statutory data processing
If the obligation to process data arises from law, the private school, sports gymnasium, children’s school, hobby centre and parents cannot influence it. In order to fulfil our legal obligation, we process data for the following purposes.

For example:

Purpose of processing Personal data to be processed
General data Contact details Health data Security camera records
Accounting (including retention of source documents) + +
Notification of the Estonian Data Protection Inspectorate of personal data breaches + +
Responding to information enquiries from public authorities and government agencies + +

 

Data processing arising from legitimate interest

The purpose of data processing based on legitimate interest is to:

  • develop our services and products in order to improve them;
  • protect property, students, parents and employees; and
  • carry out statistical analyses and base business decisions on them.

We are not bound by any law or agreement to conduct data processing based on legitimate interest and we do not require the consent of parents. However, you have the right to ask us for clarifications and submit complaints if you feel that the processing of these data for the following purposes infringes your rights.

For example:

Purpose of processing Personal data to be processed
General data Contact details Health data Security camera records
Service management and development + + +
Data exchange within Audentes + +
Protection of property, employees, students and parents and data +
Marketing activities + +
Maintaining and developing cooperation: daily communication and information exchange + +

In addition to the objectives set out above, we may also process data for other purposes based on legitimate interest if this is reasonable in relation to our core activities and necessary for their development.

 

Data processing based on consent
For example, in order to send you newsletters and send you offers based on your needs, we need your consent. You can always withdraw your consent by notifying our customer service representative in writing or e-mailing andmekaitse.koolid@audentes.ee.

For example:

Purpose of processing Personal data to be processed
General data Contact details Health data Security camera records
Direct marketing (e-mails, newsletters, offers, etc.) + +
Publishing photos taken and videos filmed at events and ceremonies on the school’s website, social media or other information channels +
Publishing information related to representing the school (at contests, competitions, exhibitions, etc.) on the school’s website, social media or other information channels +

Pictures and other recordings at events
Individuals’ consent is not sought for photography or recording at events, provided that photography and recording are expected (ceremonies, concerts, etc.) and relevant.

 

Data processing outside of Audentes

From outside of Audentes, your data can only be accessed by:

  • persons providing services to us, i.e. economic software, IT administration and maintenance service and e-mail server service providers, webmasters, auditors, lawyers, data analysis software developers and collection service providers with whom we enter into client data protection and data processing protection agreements;
  • public authorities and government agencies such as the police, courts, emergency response centre and Data Protection Inspectorate. We only forward your data to them if the law obliges us to do so.

We do not forward your personal data outside of the European Economic Area or to countries to which the data protection adequacy decision pursuant to Article 25 (6) of Directive 95/46/EC or pursuant to its successor document Article 45 (1) of Regulation (EU) 2016/679 does not apply.

 

Retention time of personal data

We only retain your personal data for as long as we are obliged to do so by law or until the purpose of using the data is achieved.

For example:

Retention time | Examples
One month (after which they are recorded over) | Security camera recording
According to law | Educational data (directives, exam protocols, etc.)
Seven years after the date on which the cooperation agreement terminates or is terminated | Accounting source documents and documents directly related to them
Until consent is withdrawn | Data you have agreed to us processing (newsletter, offers, etc.)

 

Personal data protection measures

We protect your personal data using physical, technical and organisational measures.

We protect your personal data with the necessary physical measures, including the following: we store paper documents containing personal data in a room and in a locker that is locked or we keep them in an archive that is only accessed by certain employees for fulfilling their duties. Steps have been taken to protect data processing facilities and IT systems from fire, overheating, water, power fluctuations and outages.

We protect your personal data with the necessary technical measures, including the following:

  • we use video surveillance;
  • all work computers are protected with a password-based screen saver;
  • the IT system locks the user ID if the number of failed login attempts exceeds a certain limit;
  • systems which are particularly at risk, such as laptops and smartphones, are well protected (we use encryption, VPN connection, etc.).

We protect your personal data with the necessary organisational measures, including the following:

  • each user of the IT system is assigned a role and profile;
  • if a staff member terminates their contract with Audentes, their access rights are revoked;
  • there is no access without authorisation from public spaces to premises on which personal data is processed;
  • we will sign an agreement with an external service provider who processes the personal data of the customers of the Private School, the Sports Gymnasium, the Children’s School and the Hobby Centre. According to this agreement, the service provider shall undertake to protect the confidentiality and security of personal data and process personal data according to applicable legislation.

 

Your rights in relation to personal data

Right to receive information about your personal data
You have the right to know:

  • what data we have collected about you and your child;
  • the purpose for which we process them;
  • to whom we disclose data;
  • how long we retain your data;
  • what the conditions are under which you can correct and delete your own and your child’s personal data or limit their processing.

We will respond to your enquiry within 30 days.

Right to correct data
You may request the correction of your and your child’s personal data if they are incorrect or incomplete.

Right to delete data
You have the right to demand that your and your child’s data are deleted. This right arises in particular when the processing of these data is based on our legitimate interest or consent you previously granted.

Right to restrict processing
You have the right to restrict the processing of your and your child’s personal data for a certain period in the cases provided in the General Data Protection Regulation, in particular if you have objected to data processing.

Right to object
You may object to the processing of data that is based on legitimate interest. In this event we will terminate the processing of your and/or your child’s personal data unless we can prove that we are processing the data for valid and legally approved reasons.

Right to data portability
If the processing of personal data is based on your consent or on a cooperation agreement with us and we use automatic processing, you have the right to receive your or your child’s personal data in a structured, commonly used format and in machine-readable form. You can also request that Audentes deliver the data directly to another service provider if this is technically possible (i.e. it can be received by the other service provider in a transmittable data format).

 

Use of security cameras

We use security cameras to protect our private school, sports gymnasium, children’s school and hobby centre, its employees and customers and their assets. Security cameras are set up in buildings and rooms in such a way that entrances, corridors and car parks are within the surveillance area.

The basic conditions for video surveillance are:

  • our legitimate interest is the legal basis for using cameras;
  • the surveillance system is stationary and digital, allowing images to be enlarged;
  • in the case of a legal claim we will deliver a recording to the public authorities and government agencies with a right to such a claim;
  • real-time monitoring of the school building is accessible to the security desk staff, the IT manager, the head of administration and the property manager;
  • student home administrators, the IT manager, the head of administration and the property manager have access to the real-time monitoring system of student homes;
  • recordings are accessible to the IT manager, the head of administration and the property manager;
  • we keep the recordings for one month, then the video system automatically overwrites them;
  • recording is done around the clock;
  • while monitoring we also record videos and, if necessary, review the recordings afterwards;
  • the data collected by the surveillance system is protected: the recordings are on a dedicated data medium accessible by the IT manager, the head of administration and the property manager.

How can you obtain information about the data collected about you?
For information pertaining to you, please contact us at andmekaitse.koolid@audentes.ee.

For security camera recordings, take into account that:

  • we retain them for only one month;
  • in order to protect the rights and interests of other recorded persons, we must make them unrecognisable in the video, so we do not provide access to recordings immediately. The costs that are incurred in making other recorded persons unrecognisable are borne by the applicant.

Additional information
If you would like more information about your personal data or rights, please contact us at andmekaitse.koolid@audentes.ee.

 

CERTIFIED
on the basis of the resolution 18.03.2019 no10 p.1.1
of the Management Board of Audentes School Foundation
