While conducting our activity, protecting your data and the personal data of your children is a top priority for us and we therefore strive to process data at the minimum, limiting terms of storage, applying appropriate technical and organizational measures for data security. We value the privacy of life, health and confidentiality of personal data.
1. Personal data administrator
2. Types of personal data we process
3. The way we collect and process personal data
4. Access to personal data
5. Your rights regarding personal data
6. Timeframes for storing personal data
7. How to contact us
1. Personal data administrator.
The “personal data administrator” is the person who, individually or jointly with another person, determines the purposes for processing (collecting, using, storing) personal data on paper or in electronic form. AEA will act as an administrator of your personal data when there is reason to process it, for instance, in connection with applying for studying in any of the forms offered by AEA; in connection with booking and organizing AEA campus trip; in connection with filing a request; in connection with a job application to us; in connection with enrolment or application for taking part in additional scholarly or other activities or events of AEA; in connection with educational or informational services provided by AEA; with respect to realizing other lawful/legitimate interests of AEA (for instance, when visiting AEA campus, its premises or events).
In certain cases, personal data may be processed in the hypothesis of “joint administrators” – such as Munsey Limited and Private secondary school of foreign languages “Abraham Lincoln” EOOD, which jointly define the purposes and means of processing personal data for the sake of their educational activities and the protection of their lawful rights and interests. It is important to know that AEA values highly confidentiality and privacy of data and always subdues its processing to high security measures that guarantee the security and confidentiality of your and your children’s data.
2. Types of personal data we process.
The type of personal data we process is always consistent with the purpose aimed as a result of processing – performance of a contract for provision of an educational service, performance of other contracts, fulfilment of legal obligations or protection of lawful rights and legitimate interests. In this regard, the type of data processed changes as regards the relationships you establish with AEA. For example:
- When requesting an AEA campus tour for acquiring information and impression (for future application for education or other event), AEA will process data about you (name and surname, relationship with a student, gender, mobile phone number, e-mail address, video surveillance data during your visit, details of your electronic correspondence as regards your visit) and your child, to which AEA will directly provide services (name, surname, gender, citizenship, upcoming/current grade, academic year, date of birth, video surveillance data, in case your child is visiting along with you);
- At contracting with you or an individual or a legal entity you represent – we will process data about you such as your given name, middle name, surname, employment, position, contact details;
- At contacting you on business – when you have provided your contact details as regards our current or potential future business ventures or when your contact details have been provided by your employer with regard to your office functions;
- When dealing with your complaints/demands and resolving disputes with you since it is important for us to address your complaints and demands individually and meet your expectations and needs in the best possible way;
- When visiting our headquarters where video surveillance is in place since the security of the premises, we store your data is of utmost importance to us hence to privacy of your life and health;
Based on specific objectives and legal grounds, in some cases, AEA processes also the following data:
- Data related to the educational background and regarding school performance of the students: academic, disciplinary or other educational related records, academic references, special needs, hobbies, results of educational diagnosis testing, test results, feedbacks, evaluations etc.;
- Behavioural data as well as data on preferences / interests of students;
- Health data: medical history, allergies, immunization records, disorders, medical examination results and other medical data of the students;
- Photos and videos for the purposes of admission, employment, various events, yearbooks, etc.
We apply strictly and directly the principle of minimizing the processed personal data. AEA does not collect personal data revealing racial or ethnic origin, religious or philosophical beliefs or membership of trade unions, neither processes genetic data, data on sexual life or sexual orientation of the individual, therefore, in the course of your communication with us, you should not reveal such data.
3. The way we collect and process personal data.
As we pointed out, the purposes for processing personal data are:
- fulfilment of legal obligations and contractual obligations;
- execution of your demands, requests, applications and complaints to AEA or related to its activities;
- protection of the lawful rights and interests of AEA with regard to performance of contracts to which you are a party, a representative of a party or a beneficiary of rights;
- realization of lawful/legitimate interests of AEA or of our employees related to its commercial activity, business processing or direct marketing;
In order to achieve these goals, we collect data in a variety of ways with the most commonly processed personal data provided personally by you (as a contracting party or a parent of children to whom AEA provides or is likely to provide educational services) or by other source of information.
When processing your personal data, we apply a variety of technical and organizational security measures through various processing operations (including but not limited to: collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination, or other means by which data becomes available, arranging or combining, restricting, deleting or destroying) executed manually and automatically. The type and manner of performing specific processing operations depend on the objectives of processing and the business course related to those objectives. In the course of processing, we may use processors strictly monitored for compliance with the requirements of a high level of security and privacy of processed data.
It is important to note that, as stated above, your consent to processing of personal data (including you as one exercising parental rights) is not the only legal basis justifying our data processing activity. Therefore, we will lawfully process information about you, even if you do not expressly consent to such processing, or if after giving your consent, you have exercised your right to withdraw it. As mentioned above, the security of your data is a priority to us.
4. Access to personal data.
We take care that your personal data is processed only in accordance with the goals listed above. In connection with these goals, your data may be provided/disclosed/transmitted to third parties acting as data controllers, as joint administrators or processors. Bulgaria is concerned – processing will take place in the city of Sofia.
In terms of booking AEA campus tour, filing a request or an application when using the information system of AEA at https://aea.openapply.com , the rendered personal data shall be processed in collaboration with partners of AEA, established out of the European Union but obliged to comply to GDPR.
On rare occasions, your personal data may also be processed outside the European Union and there will always be contractual confidentiality and data protection restrictions in accordance with the applicable requirements of the legislation in force in the Republic of Bulgaria. Such processing of personal data outside the territory of the European Union is likely to occur with the use of information services for communication (including on your own initiative), for instance through emails or communication applications where the e-mail servers used are based on hardware devices outside the territory of the European Union.
Regarding the location of your data processing, it should be noted that AEA may also use “cloud” technology to process your data. In this regard, we would like you to know that in our practice we require a contract with the suppliers of such technologies that contains explicit instructions on data protection and confidentiality measures the suppliers are required to comply with.
5. Your rights regarding personal data?
Our adopted practices and methodologies for data protection and information security define the parameters of the established measures, which aim to:
- ensure privacy of information by applying a system of approved restrictions on access and disclosure of information;
- ensure the integrity of information through protection against unauthorized modification or deletion of information;
- ensure accessibility of information through reliable and timely access to information;
- achieve information accountability – by introducing access and rights control to information systems;
In your capacity of a subject of personal data under GDPR, you have the following rights:
- right of access to your personal data – upon request, we will provide you with information about your data under processing;
- right to correct your personal data – if you believe that a portion of your personal data we process is no longer up to date or is incorrect for another reason, you are entitled to requesting correction of that data;
- right to delete your data (right to be forgotten) – You have the right to request deletion of personal data we process for you, and we will honour your request only if we no longer have legal grounds for processing your data. Accordingly, we may respect your request for deletion partially;
- right to restrict processing – you have the opportunity to exercise this right only: when you have questioned the accuracy of your data processed provided the limitation of the processing be within the timeframe we check the accuracy of your data; when the processing is illegal, but you oppose deletion of data; when we no longer need your data for the purposes of processing, but you as a data subject demand them for the establishment, exercise or protection of your legal claims; when you have objected to the processing, and a verification is expected as to whether the legitimate interests of the controller overwhelm your interests as a subject of personal data;
- data portability right – you may ask us to transfer to you or another administrator in a format appropriate for machine reading all or part of your data that is being processed and which you or your employer has provided to us when the processing of data is based on your consent or on the grounds of contract performance, provided the processing is being accomplished by automated means;
- right to object to automated processing of your personal data, to profiling and processing for direct marketing purposes – we give you the opportunity to exercise this right at any time and completely free of charge;
- right to know of security breaches – you have the right to be promptly informed of any breach of security of your data and we will fulfil our obligation in this regard by posting information on any such breach on our website or to your email should you have provided one and it is up to date;
- right to object to processing for the sake of direct marketing – you have the right, at any time and free of charge, to change your marketing preferences and withdraw consent already granted to process your personal data for the sake of direct marketing or to oppose such processing;
- right to withdraw consent to the processing of personal data – you have the right, at any time and free of charge, to withdraw your consent on the processing of personal data. We would like you to know that your consent is not the sole reason for processing your personal data, so we may continue to process your it after your consent has been withdrawn.
You may exercise the above rights by contacting us (see contacts below) and completing the General Data Protection Rights Form that you may wish us to send to you. The completed form should be provided on paper in our office at the address below.
Provided that we contact (establish contractual relationships) different entities on different occasions (including as regards your actual and indirect participation in certain events), the proper handling of your submitted application for rights exercising is directly related to the proper establishment on your side of the grounds for processing of your personal data.
In the exercise of your rights as a subject of personal data, we need to request and process particular personal date of yours for the sake of establishment and verification of your identity. As a data controller, we are not only required to provide a way for you to exercise your rights granted by GDPR but to ensure that those rights are being exercised only by their holder.
Your application for rights exercising will be addressed in due course, in the most general case within thirty (30) calendar days, unless your request is specific and related to a profound data examination. Provided that we greatly appreciate the need for data protection, we have endorsed and apply a procedure for dealing with rights claims under the GDPR which procedure also contains deadlines for processing and responding to applications.
6. Timeframes for storing personal data.
Timeframes for processing your personal data comply with the purpose for processing and the legal requirements for storing accounting and tax information. Determining the specific term for storing your personal data is directly dependent on the type of relationship we have established with you and on which we have processed personal data of yours.
We will not store your personal data longer than necessary and will keep it only in connection with the purposes for collection.
7. How to contact us.
Markan Holding AD and its group companies are under no obligation to appoint a Data Protection Officer, so there is no such appointed person at the moment.
You can contact us at: Sofia, Lozen Area, 1 Orlova Krusha Str. ,phone +359 2 973 12 22 , email: email@example.com
With respect to collection and processing of your personal data, you can also contact the Commission for Personal Data Protection at: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.; www.cpdp.bg