Personal data processing policy
ST. GEORGE'S SCHOOL PERSONAL DATA PROCESSING POLICY
This Personal Data and Information Processing Policy (hereinafter the "Policy"), aims to implement the provisions contained in Law 1581 of 2012 and Decree 1377 of 2013, with regard exclusively to databases, files and information containing personal data subject to processing and explains how the St. George's School (THE school), collects, stores, uses, circulates and processes information that you provide us through different means, due to the educational activity and administrative management that it develops.
1. CONTACT DETAILS OF THE CONTROLLER RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
Colegio San Jorge de Inglaterra S.A.S Carrera 92 156-88, Suba, Bogotá-Colombia
Correo electrónico: tratamientodedatos@sgs.edu.co
Teléfono: (57+)+601 4324000
2. PERSONAL DATA PROTECTION REGIME
-
Political Constitution of Colombia
-
Law 1266 of 2008
- Law 1581 of 2012
- Decree 1377 of 2013.
- Sentence C-748 of 2011.
- Decree 1074 of 2015.
- Decree 886 of 2014.
3. GUIDING PRINCIPLES
EL school is committed to understanding and applying the principles set out in Law 1581 of 2012 in a harmonious manner:
-
Principle of legality in the processing of data: The processing referred to in this law is a regulated activity that must be subject to the provisions set forth therein and in the other provisions that develop it.
- Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
- Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorisation, or in the absence of a legal or judicial mandate that relieves the Consent.
- Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable and comprehensible. The processing of partial, incomplete, fragmented or misleading data is prohibited.
- Principle of transparency: The right of the Data Subject to obtain from the Controller or the Processor, at any time and without restriction, information about the existence of data concerning him/her, must be guaranteed in the Processing.
- Principle of restricted access and circulation: Processing is subject to the limits arising from the nature of the personal data, the provisions of this Law and the Constitution. In this sense, the Processing may only be carried out by persons authorised by the Data Controller and/or by the persons provided for in this Law. Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination or communication, unless access is technically controllable in order to provide restricted knowledge only to Data Controllers or authorised third parties in accordance with this Law.
- Principle of security: The information subject to Processing by the Data Controller or Data Processor referred to in this law shall be handled with the technical, human and administrative measures necessary to ensure the security of the records, avoiding their adulteration, loss, consultation, unauthorised or fraudulent use or access.
- Principle of confidentiality: All persons involved in the Processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the Processing, and may only supply or communicate personal data when this corresponds to the development of the activities authorised in this law and under the terms of the same.
4. PROCESSING AND PURPOSE OF PERSONAL DATA
EL school has defined the data it administers, including identification, contact, academic and health data, as well as the activities it carries out with said data, particularly in its reception, conservation, disposal and administration for the purposes of educational and administrative management.
In the course of its work, school may collect sensitive personal data such as:
- Health information, necessary for the priority medical attention provided in the Medical Service, the therapeutic processes developed in the CADI - Centro de Atención y Desarrollo Integral and the counselling for emotional, learning and relational situations provided in School Counselling.
- Biometric information such as hand measurements for identification of students and employees, photographs, videos and voice recordings. As these are sensitive personal data, authorisation for their processing is optional.
EL school may hire third parties for the development of specific activities that may include the processing of personal data. In this case, the person in charge must comply with the obligations defined by law, as well as this Information Processing Policy. Likewise, it may transfer personal data to the third parties necessary to carry out the purposes described in the Policy.
PURPOSES OF DATA PROCESSING:
EL school collects personal data from the different members of the educational community: from the children and adolescents who are its students and their families (parents, siblings and guardians); from teachers, employees and managers, from people who work with the different suppliers or third parties with whom school has a relationship in the development of its activity. This Policy applies to all of them.
The purposes of data collection by St. George's School are part of the Institution's own work:
- Provide formal education services.
- To develop the academic management of pupil during their stay at school and afterwards to ensure the availability of relevant information that may be required by the latter.
- To develop extracurricular recreational, sporting, cultural and educational activities through third parties, inside or outside the country, who will accredit the sufficiency of their compliance with the rules on the protection of personal data.
- Generate content and material for internal communications and publications for school.
- Providing food services, counselling, medical services, CADI, etc.
- Comprehensive learning and development centre, school transport and other complementary services required for school management.
- Conduct studies on student habits and behaviour for the evaluation and improvement of the services provided.
- Circulate or transfer information to external control bodies, such as the Ministry of National Education and the Secretariat of Education of the Capital District, among others.
- Evaluate and implement preventive health activities guided by the plans developed by the State to act jointly with educational establishments.
- Execute the admission, assessment and recruitment processes and the execution of the contractual relationship with parents and/or guardians, pupils, candidates for employment, employees, managers and suppliers, including the demand for payment of their contractual obligations.
- Maintain ongoing communication with parents about students' academic performance and other relevant information. This includes communication about school activities and non-profit events.
- To dispose of the information in order to circulate, transmit or transfer it when it is to be used in pre-judicial and judicial collection procedures or actions by specialised collection entities, or by the proxy hired for this purpose by EL school;
- Comply with legal requirements for retention of student and employee information.
- To know and follow up on the financial suitability and commercial behaviour of suppliers, as well as to have the information required to make the necessary payments and to demand the fulfilment of the obligations contracted with school. Likewise, the data of former suppliers are kept in order to provide a commercial reference when requested to school, and to contact them again for the provision of new services.
- Monitor the school operation to maintain safe conditions for EL school, its students, employees and other members of the community who access the facilities.
- To supply, share, send or deliver personal data to institutions dedicated to the provision of educational services or third parties that require the information for the same purposes indicated herein. - Evaluate the quality of the service and support the corresponding processes.
- Supporting statistical, historical, technical-actuarial processes of their own or of trade associations in the education sector, or to preserve the institutional historical and cultural memory.
- Conduct non-profit campaigns, promotions or competitions aimed at supporting institutions dedicated to social and community service.
- Health purposes of contact tracing in case of contagion.
5. RIGHTS OF THE OWNERS
a. To know, update, rectify or delete (the latter provided that there is no legal or contractual link that requires it) their personal data against EL school in its capacity as Data Controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorised.
b. Request proof of the authorisation granted to EL school except when, in accordance with the Law, the Processing being carried out does not require it.
c. To be informed by EL school, upon request, regarding the use it makes of their personal data.
d. To file complaints with the Superintendency of Industry and Commerce for breaches of Law 1581 of 2012 and its regulatory decrees. Prior to this, the consultation or complaint procedure must have been carried out with EL school.
e. To revoke the authorisation and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights and guarantees.
f. Access free of charge, through the channels provided by EL school, to their personal data that have been subject to Processing.
6. DUTIES OF SCHOOL AS DATA CONTROLLER
a. Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.
b. Request and keep, under the conditions provided for, a copy of the respective authorisation granted by the Data Controller.
c. Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorisation granted. d. Keep the information under the conditions provided for. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorised or fraudulent access.
e. Ensure that the information provided to the Data Processors is truthful, complete, accurate, updated, verifiable and understandable.
f. Update the information, communicating in a timely manner to the Data Processors, all developments regarding the data of the Data Controller. Furthermore, to adopt the necessary measures to ensure that the information is kept up to date.
g. Rectify the information when it is incorrect and communicate the relevant information to the Data Processors.
h. Provide the Data Processor, as the case may be, only data whose Processing has been previously authorised in accordance with the provisions.
i. Respect the security and privacy conditions of the Data Controller's information and demand the same from the Data Processors.
j. To process the queries and claims formulated in the agreed terms.
k. Inform the Data Processors when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.
l. Inform at the request of the Data Controller about the use given to his/her data.
m. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the data subject's information.
n. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce on the particular subject.
7. AUTHORISATION OF THE OWNERS
Without prejudice to the exceptions provided for in the Law, the processing of the data subject's personal data requires the prior and informed authorisation of the data subject, which must be obtained by any means that may be subject to consultation and subsequent verification, or through a suitable technological mechanism that allows the data subject to express his or her consent in order to unequivocally conclude that, had a certain action not been taken, the data would never have been captured and stored in the database.
The collection of data will be limited to those personal data that are relevant and adequate for the purpose for which they are collected.
Authorisation is not required in the case of:
a. Information required by a public or administrative body in the exercise of its legal functions or by court order.
b. Data of a public nature.
c. Cases of medical or health emergency.
d. Processing of information authorised by law for historical, statistical or scientific purposes.
e. Data related to the Civil Registry of Persons.
It is the responsibility of Data Subjects to provide information in a truthful, complete, timely and responsible manner.
For the collection and processing of sensitive personal data, the data subject shall be clearly informed of what the data are, the purpose of the processing and the information that he/she is not obliged to authorise the processing.
8. PRIVACY NOTICE
When it is not possible to make the personal data processing policy available to the Data Subject, EL school will inform the Data Subject by means of a Privacy Notice about the existence of this policy and how to access it, previously and in any case at the latest at the time of the collection of the personal data.
The advertisement should highlight the responsibility of the Data Subjects to update their information for the optimal fulfilment of the duties of THE school.
In any case, the Personal Data Processing Policy will be published on the website school www.sgs.edu.co.
9. STANDING TO EXERCISE THE HOLDER'S RIGHT
The rights of the Data Subjects may be exercised by the following persons:
a. By the Holder, who must prove his identity sufficiently by the various means made available to him by EL school.
b. By the Beneficiary's successors in title (in cases where the Beneficiary is absent due to death or incapacity), who must provide proof of such status.
c. By the representative and/or attorney-in-fact of the Holder, upon accreditation of the corresponding representation or power of attorney.
d. By stipulation in favour of or for another.
The rights of children or adolescents shall be exercised by persons who are empowered to represent them.
10. PERSON RESPONSIBLE FOR DEALING WITH QUERIES AND COMPLAINTS
EL school has created the role of Data Protection Officer, assigned to the Head of Information and Technology, who will be responsible for the definition, implementation and monitoring of the actions required to guarantee this right to the Owners of personal data held by school, in accordance with the regulations in force.
11. PROCEDURE FOR DEALING WITH QUERIES AND COMPLAINTS
The Data Protection Officer of school shall be responsible for receiving, managing and responding to queries and claims submitted by Data Subjects, assignees or proxies.
Inquiries will be answered within a maximum term of fifteen (15) business days from the date of receipt thereof. When it is not possible to answer the consultation within such term, the Holder will be informed, stating the reasons for the delay and indicating the date on which the consultation will be answered, without exceeding eight (8) business days following the expiration of the first term.
Claims for correction, updating or deletion, or for alleged breach of any of the duties contained in the law, will be processed under the following rules:
- The claim shall be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Data Subject, the description of the facts that give rise to the claim, the address, and accompanied by the documents that he/she wishes to assert. If the claim is incomplete, the data subject shall be required within five (5) days of receipt of the claim to rectify the faults. If two (2) months have elapsed since the date of the request without the applicant submitting the required information, it shall be understood that the claim has been withdrawn. In the event that the person who receives the claim is not competent to resolve it, he/she will transfer it to the appropriate person within a maximum of two (2) working days and inform the interested party of the situation.
- Once the complete complaint has been received, a legend will be included in the database stating "complaint in process" and the reason for the complaint, within a period of no more than two (2) working days. This legend shall be maintained until the claim is decided; and 3. The maximum term to attend to the claim shall be fifteen (15) working days from the day following the date of its receipt. When it is not possible to deal with the claim within said term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be dealt with, which in no case may exceed eight (8) working days following the expiry of the first term.
12. MODIFICATION AND/OR UPDATING OF THE PERSONAL DATA PROTECTION AND INFORMATION HANDLING POLICY
Any substantial change in the processing policies will be communicated in a timely manner to the data subjects through the usual means of contact and/or through the school website, www.sgs.edu.co.
13. PERMANENCE OF THE DATABASES AND VALIDITY OF THE PERSONAL DATA PROCESSING POLICY
The data will be kept in accordance with the principles of necessity and reasonableness, as well as the principles of expiry and temporality as provided for by law and jurisprudence. EL school will keep the data of:
Students: For as long as there is a legal or contractual duty to remain in the databases and for as long as any commercial or service relationship or any other type or obligation in force with EL school subsists, in compliance with the established purposes.
Former students: up to a maximum period of thirty (30) years, once the relationship with EL school has ended.
Employees and Suppliers: They shall be maintained for the duration of the contractual relationship and thereafter, in accordance with the provisions of the law.
Student applicants and employee applicants: For one (1) year from the end of the recruitment process.
The holder of the information shall maintain the authorisation granted for as long as there is a legal or contractual duty to remain in the database and for as long as any commercial or service relationship, or any other type of relationship or obligation in force with EL school remains in force, which shall constitute the period of validity of the data. Once the legal term has expired and/or all contractual, commercial, service or any other type of relationship has been extinguished, the personal data will be removed from the database or files of EL school.
La presente Política rige a partir de abril de 2024
_____________________________________
JAIME HERNANDO ACOSTA ALLEN
Headmaster