1. Who we are (Data Controller)
The private school called “Pinewood Schools Thessaloniki”, from hereon now mentioned as “Pinewood”, “Pinewood American International School”, or simply, “school”, is a non-profit, non-governmental organization offering PreK-12 educational services based on the educational system of the United States of America in Greece.
We believe that your privacy matters, and we do our best to manage your personal data responsibly, according to best practices. We also comply fully with any and all legislation concerning personal data within Greece and the European Union.
Please note that we collect certain information regarding our website visitors, that may directly, or indirectly, lead to their verification.
In accordance with current legislation, such information is considered as personal data, and you as visitors of our website, are considered as “data subjects”, while we, the school, are considered as “data controller” of your personal data.
- Which data we process, for how long, and according to which legal basis
- For how long we store your data
- Who are the recipients of your data
- Your legal rights and how you can exercise them
- Our legal interests
- Your consent and when it’s required
- Personal data collected by cookies
Before we begin though, we would like to present to you…
Basic principles regarding the processing of your personal data
The school is processing your personal data in accordance with current legislation, as stated in the General Data Protection Regulation (GDPR), N. 4624/2019, N. 3471/2006, and Ministry of Education regulations regarding primary and secondary education.
What this means is:
- We collect and process your data only for specific and legal purposes
- We collect and process only the data absolutely necessary for the purposes we state
- We make every possible effort in order for your data to be up to date, giving you the ability to correct and/or erase them
- We store your data for a time frame that is required in accordance with the purpose we used in order to collect it
- We make every possible effort to safeguard the security of your data from unauthorized or illegal processing, random access, destruction, or corruption.
In order to secure the personal data we process, we take a series of security and organizational measures, have internal security policies, train our staff, which is bound by confidentiality clauses, and use a series of technologies that secure your data (ie. Using SSL certificates in web applications, encrypting certain data, using certified web providers). As is customary by security best practices, the technical and organizational measures are regularly monitored, and if necessary, are updated and adjusted according to new best practices.
2. What kind of personal data do we process and why
In essence, we collect and process data of parents/guardians and students of the school, in order for us to provide educational services. For this reason, and in accordance with Greek legislation, we collect data required by said legislation in order to enroll a student in the school, namely:
- Birth certificate
- Student ID/passport
- Parent/guardian ID/passport
- School transcript and/or records from the past 2 years (with Apostile)
- Official health form
- Vaccination/immunization records
- VAT number
Moreover, we collect and process data of the users/visitors of our website, only when they provide such data directly, therefore, just visiting the website does not mean that we process your data. However, that may not always be the case in two cases: data collected using cookies and certain data that are collected automatically during your visit, like the IP address of your connection.
2A. Data collected automatically
Due to the nature of the internet, as soon as you visit a website, our server takes a record of your IP address, which is personal data, even if, as a website, we cannot identify you using that element alone. The reasons behind collecting your IP address, in addition to the date and time of your connection and the storing of said data in special files called log files, are the following:
- Our legitimate interest to process these data is to safeguard our network, information, and services from random events, malicious events, or hacking attacks, that may set the availability, authenticity, integrity, and confidentiality of data transferred through that network in danger, and in order to state or exercise our legal rights.
- On the other hand, we have a legitimate interest to store these data, as the protection of your data from malicious users is our priority and our duty. Moreover, according to current legislation, we may have to provide said data to the authorities, under strict terms and conditions.
2B. Data that you provide us
Data we process
In order to communicate with you effectively, we collect and process the following data:
- Email address
- Phone number
- Physical address
These data are not available publicly, and can only be accessed by administrators and users of services we use for mass communication.
The main legal basis on processing said data is in order to provide you with answers on questions you may have.
In case you are a parent/guardian of a student of ours, or a former student of ours, we will keep your tax data in accordance with current Greek tax legislation. Moreover, if you are an alumni of ours, or a former student, we will keep your registration records, in addition to your last transcript or report card indefinitely, according to Greek legislation.
These data are stored in separate areas, and access to that data is limited to the Admissions department of the school.
3. Contact Form
Data we process
We give the visitors of pinewood.gr the ability to contact us through a contact form system. The records required for such a contact is your name and email.
We process your data according to your consent, which you give by sending us a message where you expect an answer from us. You have the right to withdraw your consent at any given time, without the legitimacy of any processing done before the withdrawal of your consent being affected by that. Sending us only a single email, or submitting it through our contact form is not a valid reason to enter your email for us to use your email for promotional purposes.
4. Where and for how long do we store your data
Your data is stored either in physical form, inside the school, or in electronic form, in systems or services of the school, hosted either internally, or externally, in Data Centers of Hetzner, Microsoft, Amazon, and Google, within the borders of the European Union. Management of said servers is done using industry standards, and from strictly limited personnel from the companies the school uses. As a general rule of thumb, we keep your data only for the timeframe necessary for each purpose that the data was collected for. Of course, there are clearly defined periods of storing data for each category of data according to Greek legislation and/or best practices.
For example, if you enroll in our newsletter, we keep your data for as long as you remain part of our newsletter list. Rules for defining the retention periods come from rules regarding the protection of personal data, best practices, and securing the daily operation of the school. Moreover, we would like to note, that even if you request for your data to be erased, we may have to keep some of them available due to legislation or for legal requirements.
We balance our obligation to protect your personal data with the needs of the school, and use such technologies sparingly, in order for you to have a comfortable and effective browsing experience, and for us to have some anonymized information regarding your visit.
Cookies are small text files stored on your hard drive or any other electronic device you use to access a website. Cookies are unique for each browser you use, like Chrome, Firefox, Edge, etc., and contain anonymized information regarding websites you visit and the device you use.
By continuing browsing of pinewood.gr without changing the default settings, you agree with the use of strictly necessary cookies, that include your cookie preferences.
6. What are your rights
In accordance with the General Data Protection Regulation, you have a series of rights regarding the processing of data done by the school.
More specifically, regarding the school, you have the right to:
- Access your data – meaning that you can submit an application and be informed if we process your data, what kind of data we process, and other information (ie. what’s the scope of said processing, etc.), and access your personal data,
- Modify your data – meaning that you can request the modification of your data, or you can amend it (important note, if you are a parent/guardian, you can do that through your account settings in our School Information System),
- Request to erase your data – meaning that under certain circumstances, you may request to have your data erased,
- Request to limit our processing – meaning that you can request that we limit the processing we do on our part on your personal data,
- Request to transfer your data – meaning that you can request that we transfer your data in a commonly used format by computers, if that is possible, in accordance with the GDPR.
Finally, in case of a data breach that may endanger your personal data and liberties, and is not under the exemptions found in the GDPR, we have the obligation to inform you without undue delay.
Our compliance with legislation regarding the processing of personal data, and the legislation itself, and the exercise of your rights, is of utmost importance for the school. For this reason, we have the right to ask you for additional information that may be required, in order for us to verify your identity, before you request certain rights to be exercised, such as the deletion of your data.
We are obliged to reply to your request within 30 days of its receipt. If absolutely necessary, taking into consideration the complexity of the matter, and the amount of requests pending for processing, the request may be postponed for an additional two months. In any case, we shall inform you as soon as possible, and within one month from the submission of your request, for the progress of your request and any possible delays.
In case your requests are invalid or extreme, due to their repetitive nature, the school may request that you deposit a fee, taking into consideration the logistical expenses for providing said information or the execution of the request. Moreover, the school may also deny your request. In case you believe that we do not comply with the legislation regarding the protection of personal data, you have the right to file an official complaint to the relevant supervisory authority (in Greece, it’s the Greek Data Protection Authority).
For any questions regarding the protection of your personal data by the school, or to exercise your rights, please don’t hesitate to contact our Data Protection Officer at: firstname.lastname@example.org.