Information on personal data processing
The Lingua Centrum Language School, as the controller of personal data, hereby informs you about the manner and extent of personal data processing with regard to the EU General Data Protection Regulation (hereinafter referred to as “GDPR”).
The Personal Data Processing Policy aims to provide you with information about what personal data we collect, how we handle it, from what sources we collect it, for what purposes we use it, to whom we may disclose it, and where you can get information about your personal data we process.
What personal data are processed?
We process personal data to the following extent:
- Identification data: name and surname of the student, name and surname of the legal representative,
- Contact details: home address, telephone number, e-mail address,
- Photos for marketing and promotional purposes (subject to your consent),
- Other personal data: assessment of student’s knowledge level, payment information.
The personal data we process with your consent is included in the consent to the processing of personal data that you may grant us.
How do we use your personal data?
We only collect and process your personal data for the intended purpose and use it for:
- Performance of the agreement and provision of services (provision of language and other courses)
- Communication with students, legal representatives,
- Informing about changes and news in the course offer (legitimate interest)
- Allowing access to the LAPort on-line system,
- Fulfilment of legal obligations,
- Accounting and tax purposes
- Keeping customer records
- Marketing and promotional purposes (subject to your express consent).
Personal data for these activities are processed to the extent necessary for the fulfilment of these activities and for the period necessary to achieve them, or for a period directly determined by legal regulations. The personal data are then deleted or anonymised.
How do we protect your personal data?
To ensure the security and confidentiality of your personal data, we use technical and organisational measures, in particular to protect against unauthorised access to and misuse of data and to ensure the security of our IT systems. Where appropriate, we use encryption to protect your data.
Directive on Personal Data Protection
1. Introductory Provision
1.1 Purpose
The purpose of this Directive is to establish a generally valid methodology for the handling and processing of personal data in the language school to ensure the conditions of protection laid down in REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “Regulation”), and in Act No. 101/2000 Coll. on Personal Data Protection, as amended, for the purpose of ensuring the proper protection of personal data and preventing its leakage, disclosure, misuse, destruction and loss.
This Directive governs the practices of the language school and its staff in the handling of personal data, rules for the recovery, collection, storage, use, dissemination and archiving of personal data. The Directive lays down the main and unambiguous principles of responsibility, duty and authority in the processing of personal data and privacy protection settings.
In particular, with regard to the Regulation, this Directive lays down an obligation to process only personal data which is necessary for the pursuit of the activities of the language school. Furthermore, the Directive describes the process of processing personal data so that due care is taken to reduce the risks of abuse, incorrect handling or unauthorized processing of personal data.
1.2 Scope
This Directive is binding on all employees of the language school.
1.3 Basic terms and abbreviations
Security incident | One or more undesirable or unexpected security events that have or may have violated personal data protection, regardless of severity. |
Supervisory Authority | In the Czech Republic, it is the Office for Personal Data Protection. |
Regulation | General Data Protection Regulation (GDPR). |
PD protection | A set of measures in the field of personnel, administrative, physical protection and information security needed to ensure the PD protection. |
Personal data (PD) | Any information about an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to a particular identifier, such as name, identification number or one or more specific physical, physiological, genetic, psychological, economic, cultural or social identity elements of this natural person. |
Consent of the data subject | Any free, specific, informed and unambiguous manifestation of the will by which the data subject gives their consent to the processing of their PD by a statement or other manifest confirmation. |
PD controller | For the purposes of this Directive, the controller is the language school – the PD controller determines the purpose and means of processing the PD, carries out the processing and is responsible for it. The controller may empower or authorise a PD processor to carry out the processing. |
Data subject | A natural person to whom the PD relate. The data subject shall be deemed to be identified or identifiable if, on the basis of one or more PD, his or her identity can be established directly or indirectly. |
Employee | A natural person who works in the language school in an employment relationship on the basis of a concluded employment contract or on the basis of agreements on work performed outside the employment relationship. |
PDPA | Act No. 101/2000 Coll., on the protection of personal data and amending certain acts, as amended. |
Processing PD | Any operation or set of operations with PD or PD files that is carried out with or without automated procedures such as gathering, recording, arranging, structuring, storing, adapting or altering, retrieving, inspecting, using, making available by transmission, dissemination or any other access, sorting or combining, restricting, deleting or destroying. |
PD processor | A natural or legal person, public authority, agency or other entity that processes PD for the controller. |
Special data categories (sensitive data) | PD that disclose the racial or ethnic origin, political opinions, religion or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data to uniquely identify a natural person and data on health or sexual life or sexual orientation of the natural person. |
2. Responsibilities, obligations and powers
2.1. Language school
The language school shall:
- create, maintain and manage a system of personal data protection in accordance with the Regulation and the PDPA,
- determine the methods, purposes, means and places of personal data processing,
- ensure that only accurate personal data are processed solely in accordance with the purpose for which it was collected, to the extent necessary to achieve the intended purpose,
- ensure that the data subjects are informed or obtain their consent to processing,
- ensure contractual obligations of cooperating legal and natural persons (such as suppliers, cooperating companies), that use personal data processed by the language school in their activities and process it for its needs and ensure compliance with the Regulation, PDPA and related generally binding regulations and requirements for personal data protection,
- ensure compliance with technical and organisational measures aimed at securing and protecting personal data,
- arrange for an assessment of impact on personal data where it is likely that a certain type of processing will result in a high risk to the rights and freedoms of natural persons,
- ensure the protection and security of personal data from the start of their processing until they are destroyed,
- cooperate with the supervisory authority and act as a contact point for the supervisory authority in matters relating to the processing of personal data,
- act as a contact point for data subjects who may turn to it in cases where their personal data has been breached while processed and in cases of exercising their rights under the Regulation and the PDPA,
- keep a central record of the data subject requirements,
- keep a central record of consents to the processing of personal data,
- keep a central record of non-conformities and security incidents,
- address and investigate security incidents arising in connection with the protection of personal data, analyse their causes and ensure corrective actions,
- inform employees of any significant facts, procedures or events related to the handling of personal data at the language school without undue delay,
- ensure that language school staff are properly instructed about the rights and obligations in personal data protection,
- ensure that language school staff are educated or trained in the protection of personal data where possible and necessary,
- check compliance with the Regulation and the PDPA,
- ensure that the language school is able to properly demonstrate compliance with the legal obligations to protect personal data.
2.2 Employee or contractual worker of the language school
Every employee or contractual worker of the language school shall:
- act so as not to jeopardize the protection of personal data processed by the language school,
- prevent accidental and unauthorized access to personal data of employees, students, legal representatives and other persons, processed by the language school,
- if he or she detects a breach of personal data protection, unauthorized use or misuse of personal data, or any other unauthorized act related to personal data protection, immediately prevent further unauthorized use, in particular ensure non-disclosure, and report this fact to an authorized employee,
- maintain confidentiality of personal data and security measures to protect it; the obligation of secrecy continues even after termination of employment, work done outside employment or relevant work.
3. Personal Data Processing
3.1 Data subjects
Data subjects of the language school are:
- students and their legal representatives,
- natural persons in employment or similar relationship (active and former),
- job seekers,
- business partners – natural persons or representatives of legal entities.
In relation to the identification of the data subject, it is necessary to assess the purpose of processing and whether the consent of the data subject is necessary or whether the processing of personal data is possible under another legal title (conclusion or performance of an agreement, performance of a legal obligation, legitimate interest, etc.).
It is also necessary to specify the manner in which personal data are to be obtained from the data subject, in particular to avoid the use of data obtained for another purpose, or aggregation of data obtained for other purposes, and the method of compliance with the duty to provide information of the controller towards the data subject.
3.2 Purpose for personal data processing
The language school is responsible for determining the purpose of processing personal data and the extent of the data used. Personal data may only be processed with respect to the applicable legislation of the Czech Republic and the Regulation in accordance with the purpose for which it was collected. It may only be processed for other purposes if the data subject has been informed of the change in processing and, where such processing cannot be carried out on the basis of a legal title that does not require prior consent, the data subject has given their consent.
Within the language school, personal data are processed for the following purposes:
- Students and their legal representatives
  - Performance of the agreement and provision of services (provision of language and other courses)
  - Communication with data subjects
  - Informing about changes and news in the course offer (legitimate interest)
  - Allowing access to the LAPort on-line system
  - Fulfilment of legal obligations
  - Accounting and tax purposes
  - Keeping customer records
  - Marketing and promotional purposes (subject to your express consent)
- Employees and job seekers
  - Fulfilment of labour-law employer’s obligations
  - Allowing access to information systems
  - Recruitment and selection of employees
- Business partners
  - Conclusion and performance of an agreement
  - Communication with data subjects
  - Fulfilment of legal obligations
  - Accounting and tax purposes
Personal data for these activities are processed to the extent necessary for the fulfilment of these activities and for the period necessary to achieve them, or for a period directly determined by legal regulations. The personal data are then deleted or anonymised.
3.3. Scope of processed personal data
The scope of the personal data processed must be determined in order to fulfil the intended purpose, without the collection and processing of unnecessary personal data.
3.4. Sources of personal data
Personal data is obtained primarily from data subjects, especially during the conclusion of the agreement and during the contractual relationship.
3.5. Disclosure of personal data and processing through the processor
In addition to the language school and its staff, personal data may also be processed by some other external companies (i.e. processors). Personal data shall only be transferred to such processors if they meet the defined organisational and technical conditions to ensure its adequate protection. The processor is not authorised to process personal data for any other purpose and in any way other than contractually agreed. A condition for the use of the external processor is the conclusion of an agreement on the processing of personal data between the controller and the processor. The agreement is usually concluded as a separate document. The agreement shall contain all particulars in accordance with Article 28 (3) of the Regulation.
3.6. Consent to processing, processing information, protection and exercise of data subject rights
3.6.1. Consent of the data subject
If personal data is processed pursuant to Article 6 (1) of the Regulation, letters:
- b) – Performance of an agreement
- c) – Fulfilment of a legal obligation
- d) – Protection of vital interests
- e) – Public interest or the exercise of public authority
- f) – Legitimate interest,
the consent of the data subject is not necessary, but it is necessary to ensure that the data subject is informed.
In other cases, the language school may process personal data only with the prior consent of the data subject. The consent must be instructed, informed and specific, preferably in writing. The consent is obtained only for specific data, for a specific time and for a specific purpose. The data subject has the right to withdraw their consent at any time.
3.6.2. Informing the data subject
The language school shall inform the data subject in a timely and proper manner in accordance with Articles 13 and 14 of the Regulation that it processes their personal data. At the same time, the language school must inform the data subject of their rights under the Regulation. The duty to provide information is fulfilled by publishing the document “Information on personal data processing” on the language school website, or as part of an agreement with the data subject.
3.6.3. Rights of the data subject
In relation to the processing of personal data, data subjects have the possibility to assert their rights (see below). Applications are processed free of charge; a reasonable fee may be imposed only if applications are unfounded or disproportionate.
3.6.3.1. Right to access information
The data subject has the right to clear, transparent and comprehensible information on how their personal data is processed and what their rights are. For this purpose, the document “Information on personal data processing” is used. The data subject has the right to access personal data.
3.6.3.2. Right to correction
The data subject has the right to have incorrect and incomplete personal data corrected.
3.6.3.3. Right to deletion
The data subject has the right to have their personal data deleted, in particular if: (a) it is no longer needed for further processing; (b) the consent to its processing has been withdrawn; (c) the data subject objects to its processing; (d) it has been processed unlawfully; or (e) it must be deleted according to legal regulations. The right of deletion cannot be exercised if the language school processes personal data on the basis of a legal title other than the consent of the subject (e.g. for the performance of an agreement) and there is still a reason and purpose for processing personal data (e.g. archiving personal data for the term set by law).
3.6.3.4. Right to data transfer
The data subject has the right to obtain their personal data and transfer it to another service provider.
3.7. Use of personal data for sending commercial communications (direct marketing)
In order to keep you informed about the latest news in the course offer, the language school sends commercial communications to data subjects, subject to the following conditions:
- The communications only relate to its own products and services,
- The communications are sent by mail, SMS and e-mail.
The processing of personal data for this purpose (i.e. direct marketing) is considered to be due to the legitimate interest of the language school. If the data subject objects to the processing for direct marketing purposes, the language school shall ensure that commercial communications are no longer sent to the data subject.
4. Personal Data Protection
In order to ensure the security and confidentiality of personal data, appropriate technical and organisational measures are used within the language school, in particular to protect against unauthorized access to and misuse of data. The measures are designed to correspond to the state of the art, the cost of implementation, the nature, the scope, the context and the purposes of the processing, as well as to the risks of varying likelihood and severity to the rights and freedoms of individuals.
4.1. Organisational measures
The organisational measures to ensure personal data protection are as follows.
- The language school protects all personal data that it handles and processes with appropriate and available means from misuse. Personal data is stored in premises, locations, environments or systems to which a limited, predetermined, known group of persons has access; other persons may gain access to personal data only with the permission of the authorized person.
- Documents containing student personal data are permanently stored in lockers. Documents may not be transferred to third parties or copied and copies provided to unauthorized persons.
- Personal files of employees or contractors are stored in lockers, accessible only by an authorized person.
- The language school shall carry out an assessment of the procedures for the handling and processing of personal data at least once a year. If certain procedures are found to be outdated, unnecessary or not proven, it shall immediately rectify them.
- When dealing with personal data, each employee or contractor respects its nature, i.e. that it is part of the privacy of a person as a data subject, and adapts the related activities accordingly. In particular, the employee or contractor shall not disclose personal data without verifying that such action is possible, and shall not disclose personal data to persons who do not demonstrate the right to use it. The employee or contractor shall, if such an obligation arises from other documents, inform the data subject of his or her data protection rights.
- The language school immediately handles every security incident related to personal data. If the incident is likely to result in a high risk to the rights and freedoms of individuals, in particular of a specific student, employee, legal representative, etc., the language school always informs the person and informs them of the remedial actions taken. A record is made of each incident. The language school shall inform the supervisory authority of any serious incident without undue delay, but no later than 72 hours from the moment it became aware of it, unless it is unlikely that the violation would result in a risk to the rights and freedoms of natural persons.
4.2. Technical measures
The technical measures to ensure personal data protection are as follows.
- Electronic records of personal data are kept in a secured information system. Individual employees can access this system based on their unique login name and password and only within the scope of their functional assignment. When working with the electronic records, authorized persons must not leave the computer without logging out, must ensure that the records cannot be viewed by any other person, and shall protect the confidentiality of the login password; if there is a danger of its disclosure, they shall immediately change it. Access is set by an authorized employee – a computer network administrator who sets the necessary data security.
- Students’ legal representatives or students themselves have secured remote access exclusively to their own data based on their login name and password.
- Information systems must be provided with logging, backup and data recovery.