Confidentiality and personal data protection policy

CONFIDENTIALITY AND PERSONAL DATA PROTECTION POLICY of E-PAYMENT PORTAL of ST. GEORGE INTERNATIONAL SCHOOL AND PRESCHOOL

I. General Provisions

We, at St. George International School EOOD, unique ID code 204426056 (“the Company”, “the School”, “we”, “us”, “our”), respect your personal data and commit ourselves to protecting and processing it fairly and transparently, in compliance with the provisions of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR / the Regulation”). All your personal data and information belong to you and we confirm and respect that. The security and the correct use of personal data are of significant importance for both our users and us. This is why it is important for us that our users understand why and how we process their personal information in relation to the use of the e-Payment Portal (“the Portal”, “the Platform”).
This Confidentiality and Personal Data Protection Policy is inextricably linked to the General Conditions of the e-Payment Portal of St. George International School & Preschool; however, it is not a part of them. It does not regulate any rights and obligations, but aims to explain to the users what kind of personal data is processed, and why and how this is done, including the cases when it might be necessary to disclose personal data to third parties. Also, within the framework of the current Personal Data Protection Policy, you may find information about your rights as a data subject and how to exercise them.
According to St. George International School and Preschool Cookies Policy, there are “cookies” that are used in the Portal.
The Portal is intended to be used solely by the users of services at St. George International School and St. George Preschool. The users can book Activities by Interest of children and students at St. George Preschool and St. George International School, they can make the respective payments of tuition fees, food and others that are due for the children and the students.
This Confidentiality Policy is applied only with regard to the data which we process at and on the occasion of use of the e-Payment Portal of St. George International School and Preschool.
Aiming to be clearer, and for the comfort of the users, examples that show why and/or how St. George International School processes the personal data have been provided in some parts of this Confidentiality Policy. Nevertheless, those examples are not exhaustive.
Before accessing or otherwise using our website, please read this Confidentiality Policy carefully, together with our General Terms and Conditions of the e-Payment Portal of St. George International School and Preschool.
Should there be anything not clear enough, or should you need further information about any section of this Confidentiality Policy, please do not hesitate to contact us, using the details below.

II. Definitions

To make it easier for you to review this Confidentiality Policy, below you can find a vocabulary of the respective legal terms/ concepts and their definitions/ explanations:
General Personal Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The whole text of the Regulation is accessible at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&qid=1531857927851&from=EN

Personal Data – Any information related to an identified or identifiable individual (“Data subject”); an identifiable individual is a person who may be directly or indirectly identified, more specifically by reference to a name, an identification number, personal Id No., personal foreigner’s number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of this individual.

The types of personal data subject to this Confidentiality Policy are: data for registration at the e-Payment Portal of St. George International School and Preschool; user’s data; full names of children whose parent/ guardian is the User and for whom there is a concluded Tuition contract with St. George Preschool or St. George International School; data for amounts due and data regarding the accounts; data for the current use; data for the payments.
Specific Personal Data Categories – This type of data is not collected when using the e-Payment Portal. For the purpose of definition, this is data disclosing racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, and genetic data and biometric data processed for the sole purpose of identifying an individual. Also, this is data concerning the health or the sexual life or the sexual orientation of an individual.

Data Subject/ User – Identified or identifiable individual, whose personal data is processed and who stated use of the Portal.
Processing – Any operation or set of operations applied to personal data or to a set of personal data, whether or not by automated means, such as collecting, registration, organisation, structuring, keeping, adapting or change, extracting, consulting, use, disclosure by transmitting, distribution or provision in any other way, alignment or combining, restriction, erasure or destruction.

Controller – An individual or a legal entity, a public authority, an agency or another authority which independently or in cooperation with others defines the goals and means for personal data processing.
Processor – An individual or a legal entity, a public authority, an agency or another authority that processes personal data on the behalf of the controller.
Receiver – An individual or a legal entity, a public authority, an agency or another authority to which the personal data is disclosed, regardless of whether this is a third party or not.
Consent – Freely provided, specific, informed and unambiguous statement of the wishes of the data subject, by which she/he, by a statement or by clear positive action, provides consent for the processing of personal data related to him/her.
IP address – The IP address is a unique number which allows a computer, a group of computers or another device linked to the internet (such as your mobile phone or your tablet) to browse the Internet.

The e-Payment Portal, all available services and consequently all related activities for data processing are performed and made by the following company: St. George Private School EOOD, registered at the Commercial Register with the Registry Agency under UIC 204426056, with head office and management address in 47, Nikola Vaptsarov Blvd., the city of Sofia, in its capacity of a Controller.
Should you have any questions regarding this Confidentiality Policy, or if you wish to exercise any of your rights, stipulated in it, please contact us in one of the following ways:
Send an e-mail to gdpr@stgeorgeschool.eu (attn. to Mrs. Nadezhda Shemshirova, Data Protection Officer);
Send a letter to the address: 47, Nikola Vaptsarov Blvd., the city of Sofia, postal code 1407, St. George International School & Preschool, attn. to Mrs. Nadezhda Shemshirova – Data Protection Officer;

III. What kind of personal data do we process

1. Registration data: This is data, necessary for the initial registration in the Portal, which includes full names, mobile number, e-mail;

2. User’s data: This is the user’s name and surname, mobile number, e-mail;

3. Data for children/ students at St. George Preschool and St. George International School: full names of children and/ or students, whose parent/ guardian is the User;

4. Data for the Tuition contract and invoices issued under the Tuition contract for children/ students at St. George Preschool and St. George International School: This is data concerning the registration number of the Tuition contract of a child and/ or a student at St. George Preschool and/or St. George International School, as well as current and due invoices issued under the Tuition contract.

5. Payment data: This is the data which is processed for the purpose of payments of any amounts due.

6. Data for the use of the Portal and Analytical Data – We use third parties’ analytical instruments (Google Analytics), which help us measure the traffic, productivity and the trends when using the Portal.

IV. How do we collect the personal data

When the Portal is used, and in connection with its use, the Company collects data about the users in different ways. In most cases we receive information directly from them. Certain data is automatically generated when the users use the Portal, and sometimes the data is provided to the School by third parties.

V. How do we process data

1. Processing of data necessary for the use of the e-Payment Portal by the users:
We process data in order to provide access to the Portal, as well as to provide the users with a comfortable, reliable and secure way to enter it.
We process data in order to let the users obtain certain information in relation to the services we provide through the Portal.
One of the main purposes of the Portal is to let the users obtain certain information that refers to them (for example a current invoice, previous due payment, history of payments, etc.). If we don’t process the users’ personal data, this would be impossible.
We process data to let the users pay due amounts under invoices through the Portal.

It is important to point out that the School does not process or keep any card details or payment authorization data (for example CVV). Such data is provided by the user only to the online card payments page of the bank or to the page of the payment institution, our partner which services the payments through the Portal; the School has no access to the contents of confidential data that is exchanged between the card holder and the bank or the payment authority.
We process data to maintain the Portal.

To be able to prevent, detect, localize and troubleshoot defects and software bugs in the Portal, we need to process data on how the users use it.
We process data to provide access to the Portal.
We process user’s data in order to provide them with a comfortable, reliable and secure way to enter the Portal.

We process data to let the users obtain certain information related to the services we provide through the Portal.
A main purpose of the Portal is to provide the users with the opportunity to receive certain information, related to them (for example current invoice, previous unpaid debts, history of payments, etc.). If we didn’t process personal data about the users, this would not be possible.

2. Data processing necessary for the performance of legal obligations:
1. In certain cases, the applicable national and European legislation requires the School to process personal data regarding its users for specific purposes, in a certain way and/ or for a specific period. Where the legally stipulated prerequisites are present, the personal data that is being processed by the School should be provided to the competent authorities. For example, pursuant to the Criminal Procedure Code (CPC), upon demand by the court, by a prosecutor or by an investigation authority, the Company is obliged to provide the files or the data it has and which is of significance for the respective case. The required files or data may contain users’ personal data.

2. The commercial activity performed by the School is subject to control by different state and municipal authorities, for example the Commission for Consumer Protection (CCP), the Commission for Personal Data Protection (CPDP), the National Revenue Agency (NRA) and others. In the course of performing this control, these authorities have the power to make inspections, as well as to require us to provide them with documents and information that we have. The documents and information so required may contain users’ personal data.

Examples: Upon receiving a report or complaint from a user, the CCP or CPDP have the power to require the School to provide documents and information relevant to the case that may contain the user’s personal data; during a tax audit, the NRA bodies have the power to require the School to provide accounting documents that may also contain personal data for specific users.

3. We process personal data to fulfill obligations in compliance with the accounting and tax legislation. The tax and accounting legislation in the Republic of Bulgaria requires the School to prepare certain accounting and commercial information and to keep it for a certain period of time, along with any other information and documents that are relevant to taxation. When performing this obligation, the respective information and documents, which also contain users’ personal data, are kept by the School for the periods of time that are defined in the respective laws. These periods of time are of great length (for example the documents for tax and social security control should be kept for a period of eleven years).

4. Processing of data needed for the protection of the legal interests of the School

We process personal data to perform internal analyses for the purpose of improving the Portal, including the introduction of new services, development of new functionalities and optimization.
We process users’ data in order to find out how they use the Portal, which in turn allows us to improve and further develop its functionalities, to introduce new services, and to optimize its design. The data is processed in summarized form and is collected both internally and by using the analytical instrument of Google Analytics.

By means of the summarized data analysis:
• we measure the number of users who use the Portal;
• we measure what activities the users perform in the Portal;
• we create reports that show the trends when using the Portal;
• we are able to visualize how the users navigate in the Portal.
The users may refuse to have their data analyzed through Google Analytics at any moment, free of charge. To refuse it, please check at https://tools.google.com/dlpage/gaoptout.

We process personal data when we have to provide information to banks and payment institutions when payments made through the e-Payment Portal are being disputed. After a successful payment through the Portal, the card holder may dispute the payment before the organization that issued his/ her card. In such cases this organisation requires us and our bank to provide certain information for the purpose of making an inspection. For the purposes of this inspection we need to disclose certain information, limited in its volume, related to the payment that was made (for example the number of the invoice under which the payment was made, the transaction code, etc.). As a result of such inspections, the card holder may receive the paid amount back and the payment made in the Portal may be cancelled.

We process personal data when this is necessary for settling legal disputes. Sometimes, in order to exercise certain of its rights or legal interests, the School or a party related to it may process personal data of certain users of the School in order to make an out-of-court claim or to file a case for due payments. Likewise, the parties quoted above, and the users of the Portal themselves, may make an out-of-court claim or file a case against the School. In such cases it may become necessary for the School to process personal data of certain users in order to organise and carry out the defense under the respective claim or case (in this way the School aims to protect itself from unlawful encroachment against its property and/ or reputation). The type and volume of the personal data depend on the nature of the claims made or the cases filed.

VI. Categories of parties to whom we disclose personal data under this Policy

1. Processors of personal data are parties that process personal data on the behalf of and following an assignment by the School on the grounds of a written agreement. They have no right to process the personal data provided to them for personal purposes which differ from the execution of the work, assigned to them by the School. The processors are obliged to observe all instructions of the School. The Company undertakes the necessary measures to make sure that the processing officials strictly observe the personal data protection legislation and our instructions, as well as that those have undertaken appropriate technical and organizational measures to protect the personal data.

Examples of personal data processors:
• Suppliers of services under implementation and/ or maintenance of software systems who sometimes would need to have access to personal data that is processed in the respective systems, for the purposes of access and operation of the e-Payment Portal;
• Accounting companies or other consultancy services suppliers.
2. Partners of the School: To provide access to the Portal and certain services through it, the School enters into contracts with third parties (partners). In relation to this, it is sometimes necessary for the respective partners to be provided with personal data of the e-Payment Portal users.
3. Banks and payment institutions: With regard to servicing the Portal users’ payments made through it, it is necessary to have data exchange between the School and the respective bank or payment institution.
4. Third parties in relation to transformation (for example merger, acquisition) or to a transfer of a company: In case of transformation of the School, as well as in case of transfer of assets in accordance with the applicable legislation, it is possible that the personal data of the Portal users, administered by the School, is provided to a third party – a successor.
5. Teachers and support staff – with a view to providing educational services.

VII. How long do we keep your personal data

The School keeps the personal data of the e-Payment Portal for as long as it is necessary in order to achieve the goals quoted in this Confidentiality Policy or for the purpose of complying with the legislation requirements. With regard to performing our obligations in compliance with the tax and accounting legislation, data for a certain user is kept for a period of 11 years as of the date of termination of the last Tuition contract, insofar as the user has no due payments to the School or to the Private Kindergarten.

VIII. What are your rights as a data subject?

With regard to the personal data we keep for you, you have the following rights:
Right to be informed about how your personal data is used:
You have the right to obtain enough information in short, transparent and easily understandable form in order to get the idea and the understanding about our processing activities and this way to guarantee transparency in using personal data. We developed and provided this Confidentiality Policy for those informational purposes.
Right of access
In brief
If you send us an access request, we will confirm if we process your personal data and if so, we will provide you with a copy of this personal data (along with some other details).
In details
Upon your request, we will confirm if we process your personal data, and if so, we will provide you with a copy of your personal data – subject of processing along with the information below:

a. the purposes of processing;
b. the categories of the respective personal data;
c. those who received it or the categories of those who received it, to whom the personal data was or should be disclosed;
d. whenever possible, the period for which the personal data should be kept or, if this is not possible, the criterion used to define this period;
e. the availability of the right to require the controller to correct or to delete personal data or to limit the processing of the personal data referring to the data subject, or the right to object to the processing;
f. the right to file a complaint with a supervisory authority;
g. when data was not collected from the data subject, all available information about the source;
The first copy of your personal data is provided for free. For additional copies of the same personal data we may charge a reasonable additional fee, taking into account the related administrative expenses.

Right to correct the personal data
Should the personal data we keep for you be incorrect or incomplete, then you would have the right to correct it by submitting a request for that. We will make the necessary changes.
If we shared your personal data with other people, we will inform them of the changes when this is possible. If you ask us, should this be possible and lawful, we will disclose to you with whom we shared your personal data so that you would be able to directly contact them.
To keep the data correct, we may sometimes require you to confirm/ update your personal data.
Right to erase personal data
In brief
Known also as “the right to be forgotten”, this right allows you to require the deletion of your personal data in some circumstances, for example when we no longer need it or if you withdraw your consent (where applicable). We will execute your request, unless there is a reason for us to keep your personal data.
If we shared your personal data with other parties, we will inform them of the deletion when this is possible. If you request, in case it is possible and lawful, we will inform you also about whom we shared your personal data with so that you could contact them directly.
In details
You may ask us to delete your personal data and we will answer your request without unreasonable delay in case of the following circumstances:

a. The data is no longer required for the purposes which it was collected or processed for;
b. You withdrew your consent for data processing when this processing was based on your consent and there was no other legal basis on which we process your personal data;
c. You object to the processing of your personal data on the basis of our lawful interest, including profile creation on that basis;
d. Your data was processed illegally;
e. The personal data should be deleted in order to observe the legal obligation pursuant to the law of the European Union or the national legislation;

Unless this is impossible or involves extraordinary effort, we will inform each person to whom your personal data has been disclosed of the deletion. We will inform you of those who received your personal data upon your request.
We keep the right to refuse deletion of your personal data when processing is required:

a. for exercising the right for free expressing and information;
b. to observe a legal obligation which refers to us in our capacity of a personal data controller;
c. for the purpose of archiving in public interest, scientific or historical research or for strategic goals, as much as the deletion of the data could make it impossible or could seriously affect the achievement of the processing goals;
d. to establish, exercise or protect a right at the court.

Right to limit us in using your data
In brief
In certain circumstances (this including when we use lawful interests, as stated above), you could ask us to stop processing your personal data or request that we restrict the ways in which we process this data. In some cases, however, we may refuse such a request; if we do so, we will provide you with information explaining why we rejected your request.
In details
You may require from us to block and to restrict the processing of your personal data in the following cases:

a. it affects the accuracy of the data – in this case, upon your request, we will restrict the processing for the period during which we perform the necessary inspections for the accuracy of your data;
b. the processing of data is unlawful and you do not wish to delete your data;
c. we no longer need your data to process, but the data which we processed might be necessary for you to establish, exercise or protect your right in the court;
d. you objected to the processing of your data on the basis of our lawful interest, including profile creation on that basis – in this case, upon your request, we will restrict the processing for the period during which we check whether our lawful rights prevail over your rights.

If the data processing is restricted, we will only be able to keep your data. Any other processing beyond keeping it will only take place:
• after obtaining your consent;
• to find, exercise or protect the right in the court;
• to protect the rights of another individual or a legal entity;
• for reasons of public interest of the European Union or of a member-country.

We will inform you before we remove the restriction for processing, as stated above.
Unless this is impossible or involves huge effort, we will inform each receiver to whom your personal data has been disclosed that the processing of this data has been restricted. Should you wish so, we will inform you about those receivers.

Right to challenge
You may require from us not to further process your personal data due to reasons, related to your specific circumstances and if the processing of your personal data was based on our lawful interest. We will terminate the processing of your personal data unless we prove we have legitimate and imperative reasons that justify this processing and if those reasons prevail over your interests, rights or freedom or if the purpose of the processing was to establish, exercise or protect a right in the court.
Right to file a complaint to the supervisory authority
You have the right to contact the Commission for Personal Data Protection of the Republic of Bulgaria (CPDP), should you believe that the processing of your data does not correspond to the applicable law.
You may get further information regarding the CPDP by visiting – https://www.cpdp.bg.

Right to seek for court protection
After expiration of the periods for personal data processing, it is made anonymous or it is deleted/ erased, unless:
• it is needed for a pending court arbitration, administrative or enforcement procedure, or in case of a received complaint by the respective user, which complaint should be considered by the School; or
• the respective user exercised its right to require restriction of the personal data processing related to him/her.

The internal course of the procedures: How you can exercise your rights as a data subject and our procedure for filing data requests
Submitting a request. To exercise the rights, quoted above, please submit your written application or contact us by e-mail, using the quoted above contact details.
Applicant’s identification. To be able to correctly address and manage your application, we kindly invite you to identify yourself in as much detail as possible. Should we have reasonable doubts about your identity, we would require additional information to confirm the assumed identity.
Time for response. We will respond to your requests without unreasonable delay and in any case within one month as of receiving the application. Where your application is complex or we process a large number of requests, we may reasonably delay sending the response up to two months as of the date of receiving your application.
Providing our response. We will provide you with our response and any requested information electronically, unless you want us to give them to you on other media.
In case of refusal. If we refuse to answer your request, we will inform you of the reasons which led to this decision, as well as of the opportunity to file a complaint to the CPDP or to another competent supervisory authority and to seek court defense.
Fees. Exercising your rights as a data subject is free of charge. However, to an extent to which your claims are obviously ungrounded or exorbitant, especially taking into account their repeating character, we keep the right to refuse answering such requests.

IX. Confidentiality and Security

We hereby commit ourselves to keeping the personal data you provide us with and we will undertake all necessary measures to protect your personal data from loss, abuse or amendment. We do not sell your personal data for any purposes.
We implemented policies for protection of the personal data, rights and technical measures for personal data protection in order to protect the personal data we keep under our control from potential threats such as:

• unauthorized access;
• incorrect use or disclosure;
• unauthorized modification; and
• unlawful deletion or accidental loss.

All our officials and data processing controllers (i.e. those who process your data on our behalf), who have access and are related to the personal data processing are obliged to observe your personal data confidentiality.
The security of activities under the processing of your data is guaranteed through the application of adequate precautionary technical measures and regular observation of our servers and information systems for probable vulnerabilities and attacks.

X. Updating the Confidentiality Policy:

This Confidentiality Policy is effective from 19 February 2020.
This Confidentiality Policy may be amended or supplemented due to a change in the applicable legislation, upon initiative of the School, of the users or of a competent authority (for example the Commission for Personal Data Protection).
The School informs the Portal users regarding the amendments or supplements of this Confidentiality Policy within a period not shorter than 7 (seven) days before they come into effect by sending an e-mail to the users.
The School makes efforts to ensure the processed personal data of the users is updated (and upon necessity – corrected), as well as to ensure that no data is kept that is unnecessary for achieving the goals described above.

Date of last revision: 21 August 2020