(General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter GDPR)
Brussels International Catholic School (BICS) is committed to protecting the privacy of our pupils, families and other stakeholders. BICS is aware of the importance of the GDPR; therefore, all teachers and members of staff are given specific training on data protection during their In Service Day at least once per year.
BICS is the Data Controller for the purposes of the GDPR (hereinafter, the Data Controller). This Policy outlines the terms on which the Data Controller collects, holds and treats personal data.
The Data Controller collects, holds and treats data from pupils (and their families) in order to implement the school’s teaching objectives. In the case of candidates, data is treated in order to assess the candidate towards admission to the school as a pupil.
The Data Controller keeps personal data for as long as it needs to in order to fulfill the objectives for which it was collected, as set out in this Policy, and for as long as we are required to keep it by law.
Data treated for pupils is that included in the application form, the medical form and the ID. Data treated for candidates that do not later become pupils only includes the application form. As from GDPR’s entry into force, the application form will contain a provision of compliance with the GDPR.
Pupils’ and candidates’ data, as previously described, is kept securely in the school administration, with access restricted to the Headmaster, Deputy Heads, Headmaster’s Secretary, School Secretaries and School Bursar. Teachers keep an attendance list with their class pupils’ names in each respective classroom; this list is kept securely in the teacher’s desk.
The Data Controller also holds digital pictures of pupils for eventual publication in the school webpages (www.bicschool.be and www.facebook.com/bicschool.be). Consent for this publication is given in advance by the pupils’ parents.
Pictures on the website www.bicschool.be are intended only to show school life. If you appear in a picture and do not want it to be displayed, please let us know by sending an email to firstname.lastname@example.org and we’ll take down the picture. If you do not want to appear at all on our website, please let us know by sending an email to email@example.com. Pictures on the school website belong to the school. It is not permitted to copy or use them, in any way, without the consent of the school, whether it is for private or commercial purposes.
Except for publication in school webpages as established in the previous paragraph, the Data Controller only shares pupil data with the Belgian administration authorities in order to comply with applicable national regulations.
As from GDPR coming into force, all computers in the school have a password. Usage of mobile phones by teachers and members of staff is forbidden inside of the school except for emergency circumstances or a specific situation approved by the school management. Therefore, no pictures of pupils can be taken by teachers or members of staff using personal mobile phones.
Personal data of employees is kept securely in the school administration, with restricted access by members of the school administration (Headmaster, Headmaster’s Secretary). This data is shared by the Data Controller with the external social security entity and the school accountant so that the payroll or other social benefits can be implemented every month.
Personal data of providers is kept securely in the school administration, with restricted access by members of the school administration (Headmaster, Headmaster’s Secretary, School Secretary). This data is not shared with third parties.
Contracts with employees and providers after the coming into force of the GDPR will include a clause compliant with GDPR.
Personal data of people entering the building as per the access registry is not shared with third parties. Compliance with the GDPR regarding this personal data is specifically ensured by a GDPR-compliant notice available next to the access registry.
The Data Controller guarantees the following rights of individuals whose data are being held and processed: The right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability and the right to object.
With regard to the right to be informed and the right of access, the School Secretary will provide the necessary data by email, no later than one month and as indicated by the Data Protection Officer. The Data Protection Officer might refuse the request by giving a justified written reply by email, including the right to complain to the supervisory authority and to an eventual judicial remedy.
The right of update and/or rectification will be handled by the same employees and through the same procedure as established in the previous paragraph. In the unlikely event that the Data Controller has shared inaccurate data with another organization, the school administration will inform the other organization about the inaccuracy no later than one week.
The right to erasure and the right to restrict processing will also be implemented by the School Secretary, as indicated by the Data Protection Officer, no later than one month. Our systems and files enable us to locate and delete the data within that period, unless we are required to retain the data for a longer period by law.
With regard to the right to data portability, the School Secretary will provide the personal data by email in a structured, commonly used and machine-readable form; if the owner of the data requests it, the School Secretary will transmit the data directly to the other organization as far as technically possible. The delay will not be more than one month, unless the request is complex.
All data subjects will be informed of their right to object at the point of first communication and in the Data Controller privacy notice.
For the exercise of the previous rights, please contact the school secretary by certified letter addressed to rue Général Leman 86, 1040 Bruxelles.
The Data Controller has appointed Mr. Sylvain Charat, Deputy Head of the Data Controller, as Data Protection Officer. The Data Protection Officer will organise an information audit every year.
In the unlikely event of a data breach, please email the School Secretary at firstname.lastname@example.org and the Data Protection Officer will investigate it and, if necessary, report the breach to both the Data Protection Authority and to the data owner, if it is likely to result in a risk to his or her rights. Data subjects have a right to complain to the Data Protection Authority if they think there is a problem with the way that the Data Controller is handling the data.