Personal Information Collection Statement (“GDPR”)
The English School of Budapest (ESB) is committed to safeguarding Personal Data. This GDPR document is addressed to Parents or Guardians that are responsible for one or more prospective, past or present Students of the school. It explains how we collect and use your Personal Data and the Personal Data of each Student you are responsible for during the course of our provision of educational and related services to them.
If you are the Parent or Guardian of a Student who is, or becomes, competent to make their own decisions relating to the processing of their personal data, then you must provide a copy of this document to them. More information about provision and withdrawal of consent is set out at Consent.
This GDPR is intended to explain our privacy practices and covers the following areas:
- What Personal Data do we process;
- How we use your Personal Data;
- Use of Special Categories of Personal Data;
- Legal Capacity of Students to make decisions about the Processing of their Personal Data;
- Transmission, storage and security of Personal Data;
- Rights relating to Personal Data;
- Changes to our GDPR or our Cookies Policy;
- Lawful Bases;
- Definitions; and
- Contact Details
By providing your information, or the information of any Student you are responsible for (whether via our website, in person, in writing or over the phone) to us, you acknowledge the processing set out in this GDPR. Further notices highlighting certain uses we wish to make of your Personal Data together with the ability to opt in or out of selected uses may also be provided to you when we collect Personal Data from you.
This GDPR only relates to data processing undertaken by ESB. Whilst our websites may contain links to other third party websites, please note that we do not accept any responsibility or liability for their policies in relation to any Personal Data or their collection or processing of any Personal Data.
- What Personal Data do we process?
We may collect and process the following Personal Data about you and any Student you are responsible for:
- Biographical and identification information ► including name, gender, nationality, date and place of birth, details of family members;
- Contact information ► including address(es), telephone number(s), email address(es), emergency contacts;
- Student information ► this includes admission information, start date, health/medical information, any disability; health conditions relevant to education; and any health problems or illnesses that could affect the ability to learn, so that we can maintain a safe environment for all Students;
- Payment information ► including preferred ways/frequency of payments;
- Our correspondence ► where we are contacted by you or a Student you are responsible for, we will keep a record of that correspondence;
- Website and communication usage ► details of visits to our websites and information collected through cookies and other tracking technologies including, but not limited to, IP address and domain name, browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that are accessed;
- Information you have provided to us ► any additional information that you or a Student you are responsible for may provide to us, such as through completing enquiry or feedback forms.
Where we collect Personal Data from
We obtain Personal Data from you (or any Student you are responsible for) directly.
- How we use your Personal Data
Your Personal Data (and that of any Student you are responsible for) will only be processed where we have a specific purpose, and a lawful basis, for doing so. These purposes and bases are listed below.
- To assess and enrol Students ► to process application forms, assessments and all activities relating to the Student’s enrolment in a School.
Lawful bases: contract performance; legitimate interests (to enable us to perform our obligations and provide our services). Where we process personal data in the form of photographs, we may also rely on explicit consent.
- To manage the Student’s academic timetable and to provide access to the School’s online study programs (e.g. bug club) ► to provide access to the School’s online programs and other communication tools;
Lawful bases: contract performance; legitimate interests (to enable us to perform our obligations and provide our services)
- To develop and support Students ► To assess and coach Students through dialogue and record keeping
Lawful bases: contract performance; legitimate interests (to enable us to perform our obligations and provide our services).
- To provide a safe and healthy environment for Students and staff ► this may in certain limited circumstances include Special Categories of Personal Data such as Health data, comprising information relating to any injury a Student may sustain at School; any disability; health conditions relevant to education; and any health problems that could affect the ability to learn. We use this data to make suitable provision and adjustments relating to the management of disabilities, allergies, illnesses and injuries, including the provision of such information to third parties such as insurers or medical professionals where appropriate;
Lawful bases: contract performance; legal obligations; legitimate interests (to enable us to perform our obligations and provide our services).
In the limited circumstances where we need to process Special Categories of Personal Data (health data) we may also rely on substantial public interest under Hungarian Legislation or, where there is no legislative requirement, explicit consent. In an emergency where we cannot obtain consent, we may rely on protection of the vital interests of you or another person.
- To report back to Parents and Guardians on Students ► To provide reports and note correspondence on Students’ progress, opportunities and any issues.
Lawful bases: contract performance; legitimate interests (to enable us to perform our obligations and provide our services)
- To provide newsletters and marketing materials ► to provide you and any Students you are responsible for with updates and offers relating to our products and services, where you have chosen to receive these. Where required by law, we obtain consent to conduct this marketing activity. We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us at email@example.com
Lawful bases: legitimate interests (to promote our services); consent
- To improve our services ► to analyse Personal Data in order to better understand your requirements, or those of any Student you are responsible for. This will assist us in tailoring and developing the services we offer;
Lawful bases: legitimate interests (to allow us to improve our services)
- To monitor certain activities ► to monitor communications to ensure compliance with our internal procedures and any legal requirements;
Lawful bases: legal obligations; legal claims; legitimate interests (to ensure the quality and legality of our services)
- To ensure website content is relevant ► to ensure that content from our websites is presented in the most effective manner for you and any Student you are responsible for;
Lawful bases: contract performance; legitimate interests (to allow us to provide the content and services on the websites)
- In connection with legal or regulatory obligations ► We may process your Personal Data or that of any Student you are responsible for to comply with our regulatory requirements or to engage in dialogue with our regulators. This may include disclosing that Personal Data to third parties, the court service and/or regulators or law enforcement agencies in connection with enquiries, proceedings or investigations by such parties where compelled to do so.
Lawful bases: legal obligations; legal claims; legitimate interests (to cooperate with law enforcement and regulatory and public authorities).
We may also process personal data (including Special Categories of Personal Data) where necessary in relation to the establishment, exercise or defence of legal claims.
- Use of Special Categories of Personal Data
In order to provide our education and schooling services (including extra-curricular activities) effectively to you and any Student you are responsible for, we are, in certain very limited circumstances, required to collect, process and disclose Special Categories of Personal Data of Students, including but not limited to:
- Health/medical information (e.g. allergies, disabilities, dietary requirements, records of accidents and illnesses) so that we can maintain a safe environment for all Students;
- Photographs of Students (e.g. for marketing purposes).
In addition to the usual appropriate technical and organisational measures we implement to ensure the security and integrity of the personal data processed by us, we may implement additional measures in relation to Special Categories of Personal Data, as appropriate. These may include segregation, pseudonymisation or restriction of access to the data.
Where we must process Special Categories of Personal Data, we will do so on the following lawful bases (see Lawful Bases for more information):
|Special Category||Lawful bases / condition for processing|
|Health/medical information||Substantial public interest under Hungarian legislation; to protect vital interests in the event of an emergency. In the very rare instances where you have requested us to process health data and we do not have a legislative obligation to do so, we will rely on your explicit consent.|
|Photographs of Students||Explicit consent or in relation to legal claims.|
Where a Student is under the age of 18, we will obtain explicit consent from a Parent/Guardian responsible for the Student, on his/her behalf. This consent will remain valid until it is withdrawn by the Parent/Guardian who provided it, or the Student, provided that:
- The Student has legal capacity to withdraw consent (see Legal Capacity); and
- Withdrawal of consent does not have a prejudicial impact on the interests of the Student.
In any instance where a Student under the age of 18 who was deemed to be capable of providing consent later withdraws that consent against his/her own best interests, we may revert to a Parent/Guardian to obtain consent on his/her behalf.
We will obtain consent directly from any Student over the age of 18.
- Legal capacity of Students to make decisions about the processing of their Personal Data
Legal capacity will be assessed as follows:
- Students under 13 years of age: Where a Student is below the age of 13, they will not be considered sufficiently mature to make decisions about the processing of their personal data. We will provide these Students with a simplified, age-appropriate version of this GDPR and rely on the consent provided by a Parent/Guardian, as required.
- Students between 13-18 years of age: Where a Student is above the age of 13 but below the age of 18, they will be presumed to be sufficiently mature to make decisions about the processing of their personal data, subject to an individual evaluation of their maturity and understanding, if deemed necessary. We will provide these Students with a copy of this GDPR but continue to rely on the consent provided by a Parent/Guardian, as required, as described at Consent.
- Students over 18 years of age: Where a Student has reached the age of 18, they will be considered to be sufficiently mature to make decisions about the processing of their personal data. We will provide these Students with a copy of this GDPR and re-obtain consent from them directly, as required.
- Transmission, storage and security of Personal Data
Security over the internet
No data transmission over the Internet or through a website can be guaranteed to be secure from intrusion. However, we maintain commercially reasonable physical, electronic and procedural safeguards to protect your Personal Data, and that of any Student you are responsible for, in accordance with data protection legislative requirements.
All information you, or any Student you are responsible for, provide to us is stored on our or our suppliers’ secure servers and accessed and used subject to our security policies and standards. We ask that you, or any Student you are responsible for:
- Refrain from sharing any password providing access to certain parts of our websites, applications or systems with any other person; and
- Comply with any other security procedures that we may notify you of from time to time.
We will retain your Personal Data for as long as is necessary for the processing purpose(s) for which they were collected and any other permitted linked purpose (for example certain transaction details and correspondence may be retained until the time limit for claims in respect of the transaction has expired or in order to comply with regulatory requirements regarding the retention of such data). So if Personal Data is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires. We restrict access to Personal Data to those persons who need to use it for the relevant purpose(s).
Our retention periods are based on business needs and relevant laws. Records that are no longer needed are either irreversibly anonymised (and the anonymised information may be retained) or securely destroyed.
- Rights relating to Personal Data
Be aware of the rights that Data Subjects have in relation to their Personal Data
Data Subjects have a number of rights relating to how their personal data is used. Please be aware that certain exceptions apply to the exercise of these rights and so you will not be able to exercise them in all situations. If you wish to exercise any of these rights we will check your entitlement and respond within a reasonable timescale.
Students may be able to exercise these rights independently, provided that they have Legal Capacity.
Where applicable, you will have the following rights relating to your Personal Data or the Personal Data of a Student you are responsible for:
- Subject Access: ► Be provided with any Personal Data held about you/a Student you are responsible for, by ESB. This information will generally be provided within one month of us confirming your identity and understanding the scope of your request.
- Rectification: ► Require inaccurate Personal Data to be amended.
- Erasure: ► Require us to erase Personal Data in certain circumstances. If the Personal Data has been made public, reasonable steps will be taken to inform other controllers that are processing the data that you have requested the erasure of any links to, copies or replication of it.
- Withdrawal of consent: ► Withdraw any consents to processing that you have given us or that have been given on your behalf and prevent further processing, if there is no other ground under which we can rely to process your Personal Data.
- Restriction: ► Require certain Personal Data to be marked as restricted in some circumstances, for example, whilst we resolve any complaint we may have received. Restriction means that whilst we still store the data, we will not process it until such time as the restriction may be lifted.
- Portability: ► Have a copy of any Personal Data you have provided to us returned to you.
- Prevent processing: ► Require ESB to stop any processing based on the legitimate interests ground unless ESB’s reasons for undertaking that processing outweigh any prejudice to your data protection rights.
- Marketing: ► Require ESB to prevent processing of your Personal Data for direct marketing purposes.
- Raise a complaint: ► Complain to your local Data Protection Authority about our processing of your Personal Data.
If you have any queries relating to your rights or exercise of your rights, please contact us: firstname.lastname@example.org
- Changes to our GDPR and/or Cookies Policy
This GDPR was last updated on 01 June 2018.
- Lawful Bases
Use of Personal Data under EU data protection laws must be justified under one of a number of Lawful bases and we are required to set out the Lawful bases in respect of each use in this policy. We note the Lawful bases we use to justify each use of your information here: How we use your Personal Data.
These are the principal Lawful bases that justify our use of your Personal Data:
|Consent: You have given your consent to the processing of those personal data for one or more specified purposes. You are free to withdraw your consent by contacting us at email@example.com|
|Contract performance: where your information is necessary to enter into or perform our contract with you.|
|Legal obligation: where we need to use your information to comply with our legal obligations.|
|Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.|
|Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.|
These are the principal Lawful bases that justify our use of Special Categories of your Personal Data:
|Explicit consent: You have given your explicit consent to the processing of those personal data for one or more specified purposes. You are free to withdraw your consent by contacting us at firstname.lastname@example.org Where you do so, we may be unable to provide a service that requires the use of such data.|
|Protection of vital interests of you or another person, where you are unable to consent: Processing is necessary to protect the vital interests of you or of another natural person where you are physically or legally incapable of giving consent.|
|For legal claims: Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.|
|In the substantial public interest: Processing is necessary for reasons of substantial public interest, on the basis of EU or local law.|
- Definitions
Data Controller: this is the person which alone or jointly with others determines the purpose and means of the processing of Personal Data. ESB is the Data Controller of all employment details used in its business.
Data Subject: for the purpose of this policy this includes all living individuals about whom we hold Personal Data, including employees, Students, Parents or Guardians, suppliers and business partners. A Data Subject need not be a national or resident of Hungary. Within the EU, all Data Subjects have legal rights in relation to their Personal Data.
Data Processor: this is the person which processes Personal Data on behalf of the Data Controller (not including employees of the Data Controller).
Guardians / Parents: this means any parents or guardians responsible for a Student.
Legal Capacity: has the meaning provided to it at Legal Capacity.
ESB, Our, Us, We: English School of Budapest
Parents / Guardians: this means any parents or guardians responsible for a Student.
Personal Data: this is defined as any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified (either directly or indirectly) by reference to an ‘identifier’. These include names, location data, online identifiers or one or more factors specific to the physical, psychological, social identity of that person.
Special Categories of Personal Data: this type of data is, in the EU and some other countries, subject to more stringent processing conditions than other Personal Data and in the EU includes Personal Data which reveals racial or ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data in order to uniquely identify a person or data concerning health, sex life and sexual orientation. Data concerning health covers Personal Data relating to the physical or mental health of an individual which reveals information about the individual’s health status. In the EU, Personal Data relating to criminal convictions or offences or related security measures may only be processed when authorised by Member State or EU law. In other countries the term Special Categories of Personal Data may include other categories of information such as financial information and passwords. If in doubt, please contact the Data Protection Officer.
Student: this means any prospective, past or present student of a School.
School: means English School of Budapest
- Contacting us: Nord Anglia Education Companies and Schools
|Entity name||Address||Contact for data protection (and role)||Data Protection Authority|
|English School of Budapest||1021 Budapest, Tárogató út 2-4||Data Protection Officer, +36 20 555 9851||Hungarian National Authority for Data Protection and Freedom of Information|
What are cookies?
Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating web domain on your subsequent visits to that domain. Most web pages contain elements from multiple web domains, so when you visit the Website, your browser may receive cookies from several sources.
We use the cookies on this website to help you navigate our website efficiently, perform certain functions and to collect site statistics. These cookies do not store any personal information that would, on its own, allow us to identify individual users of this service without your permission. Please be aware that restricting cookies may impact on the functionality of the website and could mean that key features do not work properly. We strongly recommend allowing cookies from this website so that we can provide you with a full service.
What type of cookies do we use?
To help you make an informed decision, we have categorised the cookies used on this site into two categories:
- Necessary cookies – these cookies are fundamental to ensure the site works correctly.
- Optional cookies – These cookies could help us track how you use the website so that we can improve the information and experience provided to you.
How to control and delete cookies
Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual.
We do not use ‘spyware’, that is, web bugs or hidden identifiers or other similar devices, to gain access to information, store hidden information or to trace your activities.
We keep a record of traffic data which is logged automatically by the server. This includes your IP address, the website address you visited before ours, the website address you visit after leaving our site and which pages you visit on our site. We do not store or analyse this traffic data in a way that identifies any individual. We also use Google Analytics for site statistics – see ‘Cookies’ above for details of how this works.