This document has been prepared in compliance with the requirements of Regulation (EU) No. 2016/679 (General Data Protection Regulation) and the related Personal Data Protection Act. One of our primary responsibilities is to ensure the security of the information entrusted to us. This policy provides answers to significant questions related to the processing of personal data at St. George International School Ltd /SGIS/.
St. George International School Ltd is registered in the Commercial Register at the Registry Agency under UIC 204426056, with its registered office and address of management in Sofia, 47 Blvd Nikola Vaptsarov.
The SGIS guarantees that the collection of personal data is carried out in accordance with applicable legislation, best practices, and business standards. The regulatory framework includes, but is not limited to, the General Data Protection Regulation (Regulation (EU) 679/2016), the Preschool and School Education Act (PSEA), the Child Protection Act, Ordinance No. 8 of 11.08.2016 on information and documents in the preschool and school education system, as well as the secondary legislative acts issued based on them, the Labour Code, the Social Security Code, the Personal Data Protection Act, the Health and Safety at Work Act, the Accounting Act, and others. The School protects personal data by implementing all appropriate technical and organisational measures at its disposal to prevent unauthorised access, unauthorised or malicious use, loss, or premature deletion of information. This policy applies to all systems, individuals, and processes that form the information system, including employees, suppliers, and all other third parties with access to the School's personal data systems.
The school collects, processes, and stores personal information for various reasons and based on several legal grounds. We use the personal data provided by you regarding yourself, another parent/guardian, and your child, collected while performing activities as a private school, namely, the provision of an educational service that meets state educational requirements and standards in accordance with the Preschool and School Education Act and its implementing acts, as well as related laws and secondary legislation.
Pursuant to Regulation (EU) No. 2016/679 and applicable Bulgarian legislation, we have the right to collect and process personal information on the basis of one or more of the legal grounds listed below: under a contract concluded with you, pursuant to a legal obligation, when we have a legitimate interest, and when you have provided your consent.
When we have a reason related to our activities to process your information, we rely on the legal basis of "legitimate interest." When processing the information you provide based on this legal ground, we strive to ensure a fair balance between the legitimate interests of the school and your rights.
The school collects, processes, and stores your personal data based on the following legal grounds:
2.1. Compliance with Legal Obligations:
Some of the data we process about you/your child is required by various legal and regulatory acts in the fields of education and healthcare, such as the Preschool and School Education Act, the Health Act, and others. Certain data is also necessary for compliance with the Accounting Act and the Obligations and Contracts Act.
2.2. Performance of Contractual Obligations:
In the execution of a contractual relationship under which the School is entitled:
To process and store your and your child's personal data for the purpose of providing educational services; To contact you via mail, telephone, text messages, email, social media, the school's website, or any other legally permissible means; As part of fulfilling our contractual obligations with you, in certain cases, we may share your child's data with service providers to enhance the quality of our services (e.g., for medical assistance, insurance, student meals, extracurricular activities, etc.).
2.3. Legitimate Interest:
The legitimate interests that require the School to process the personal data you provide are primarily related to ensuring order, security, and the health of children, employees, and visitors within the private school, as well as protecting our property. This legal basis also applies when we strive to provide a diverse, high-quality education that aligns with modern educational trends and offers additional services.
2.4. When You Have Provided Consent:
The School uses, processes, and stores personal data about your child based on your explicit consent in the following cases: the use of photographs, video materials, and the publication of information on social media. You may withdraw your consent at any time through our contact channels, without incurring any fees. In such cases, the School will cease using your child's data for the purposes described above.
Who is responsible for processing your data?
The responsibility for processing your data is assumed by St. George International School Ltd., in its capacity as a data controller, in accordance with Regulation (EU) 2016/679.
For any questions related to the processing of your personal data (and/or your child's data), you may contact us or your designated Data Protection Officer at St. George International School & Preschool, Ms. Nadezhda Shemshirova, at +359 2 414 4414, or by writing to us at Sofia, 47 Nikola Vaptsarov Blvd., or via email at gdpr@stgeorgeschool.eu.
How We Collect Personal Data
The School processes your and your child's personal data that you provide or that we collect in the course of our relationship with you:
When you provide us with information orally or in writing—through application forms, contracts, emails and letters, complaints, conversations with school staff, or other communication channels; We use video surveillance on school premises and collect images to ensure the health and well-being of students; The School may also collect, process, classify, and store personal data lawfully obtained from government institutions, public sources, or third parties, such as a general practitioner, speech therapist, etc.
What Personal Data We Collect and Why We Process It
In accordance with the General Data Protection Regulation (GDPR), personal data is defined as:
"Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person."
SGIS processes personal data of the following categories of natural persons—"data subjects":
Students; Legal representatives of students (parents, guardians, custodians); Teaching, administrative, and support staff; Contractors.
Website
When you visit our website, www.stgeorgeschool.eu, we may collect data about your website usage through so-called "cookies." Cookies are small text files that are stored on your computer or mobile device upon your first visit to our website. For more details, please refer to our Cookies Policy.
For the Purpose of Student Enrollment
St. George International School Ltd. aims to attract students with high academic and personal skills, and we believe it is essential to provide comprehensive information about our educational process. This ensures that parents and prospective students can make an informed decision when choosing an educational institution. As part of the preliminary assessment process, we evaluate the student's age, academic potential, maturity, readiness for the respective grade, school performance, recommendations, participation in competitions, projects, and initiatives, as well as English language proficiency. This assessment helps us accurately determine the candidate’s level and enables us to provide an individualized approach to each student.
Personal Data Collected through the Application Form
For your child: Full name, Personal Identification Number (PIN), place of birth, gender, nationality, age, native language, preferred name, home address; Health information, including blood type, allergies, cardiovascular conditions, chronic illnesses, central nervous system disorders, vision impairments, other significant medical information, and medications used for fever reduction.
For the parents: Full name, date of birth, nationality, profession and workplace, email address, mobile and landline contact details.
Purpose of Data Collection and Processing - Identification and pre-contractual arrangements for the admission process at St. George International School. Accurate determination of the candidate’s level and personalized educational approach; If the assessment is conducted on the school premises, the collection of health-related information ensures swift and adequate action by competent personnel in case of an accident or sudden deterioration of the student's health.
Data Storage Method - Paper and electronic formats.
For the Purpose of Contract Conclusion and Execution
The provision of personal data is a mandatory contractual requirement, as well as a requirement for entering into a contract. In most cases, we require your personal data in order to sign a contract for the fulfillment of a legal obligation or for the protection of our legitimate interests. Of course, for some services, you provide this information yourself by choosing and accepting that it will be processed. Without this data, we would not be able to provide the corresponding services. ST. GEORGE INTERNATIONAL SCHOOL processes the data only for the purposes for which it was collected and does not use it for other purposes. These purposes are fully related to the educational service offered. Specifically, these purposes include:
Entering into contracts; Administering concluded contracts; Offering additional products and services; Arranging financial relations; Ensuring effective communication; Ensuring security; Safeguarding the life and health of students.
Personal data required for the conclusion of an education contract:
Full name of the parent (legal representative) with whom the contract is concluded; Personal Identification Number (PIN) of the parent (legal representative) with whom the contract is concluded; Personal ID number of the parent (legal representative) with whom the contract is signed; Address of the parent; Full name of the child to be enrolled; Personal Identification Number (PIN) of the child to be enrolled; Address of the child.
Purpose of collection and processing: Identification of contractual relationships.
Storage method: On paper and electronic media.
Personal data required for the execution of the education contract (non-exhaustive list):
Parent's (legal representative's) email address - Purpose: necessary for the electronic diary, communication, and information channel regarding the student and for the use of the Electronic Payment Portal; Phone number and address as per the ID card / corresponding mailing address for the parents - Purpose: for communication and in case of emergencies; Parent's PIN, children's health data - Purpose: required by the Ministry of Education and other state and municipal institutions, as well as for safeguarding the life and health of the students; Date of birth, place of birth, and address of the child - Purpose: for identification, issuance of a certificate for completed educational stages, enrollment for competitions, exams, and communication; Full name and date of birth of a third party - Purpose: for identification when a third party is authorised to pick up your child after the end of the school day; Bank details - related to identifying and correctly processing payments made under the Education Contract and the related Payment Plan, as well as scholarships, etc.; Data on additional support for at-risk children, students with special educational needs, and children with exceptional talents; Health and medical information, vaccination schedule, data from medical certificates, decisions of the National Expert Medical Commission (TELK), medical expert reports, etc.; Data from the video surveillance system and other video materials; Data from RFID cards / QR code for building access; Photographic images. Storage method: On paper and electronic media.
Storage period
The period for which personal information is stored depends on its nature and the purposes for which it is processed. St. George International School determines the appropriate retention periods, taking into account all legal obligations for storage. We will process your and your child’s personal data while the student is enrolled at the school and after the termination of your relationship with the school, in accordance with the legal obligations for storage. If the legal retention periods have expired, the data will be either destroyed or anonymized, meaning that all identification characteristics will be removed from the personal data.
We adhere to a strict retention period for video surveillance images.
If you wish to obtain further information regarding retention periods, please contact the Data Protection Officer using the contact information provided in this Privacy Policy.
Additional data or amendments to the purposes of data processing may be found in the relevant contractual documents, templates, consent statements, and/or other information you provide (e.g., in the context of using our website or our terms and conditions).
Who we share personal data with and for what purposes
St. George International School does not disclose your personal data to third parties until we are certain that all technical and organisational measures have been taken to protect this data. We conduct strict control to achieve this goal. In some cases, providing personal data is mandatory, and in this regard, we share information with:
The Ministry of Education and the regional education management in Sofia-city, in accordance with the Pre-School and School Education Act and its related sub-legislative normative acts; Other schools and institutions, in accordance with the Pre-School and School Education Act and corresponding sub-legislative normative acts; Durham University – the English partner of St. George International School, which processes the results of applicant students to determine their English language proficiency during application. For data protection regulations, Durham University is responsible for processing the above categories of data sent by us; Cambridge – to fulfill contractual obligations, given that St. George International School is a registered Cambridge school. For data protection regulations, Cambridge International School and Cambridge Primary School are responsible for processing the personal data sent by us; External service providers (e.g., IT support/technical support, IT applications, document archiving, processing). The company has entered into explicit agreements to protect the provided data; Physical or legal entities that process personal data and need your personal data to fulfill our contractual and legal obligations or in the context of our legitimate interest, for internal administrative purposes – for example, medical centers, catering companies, document storage, archiving and destruction companies, providers of cloud storage, IT and telecommunication service providers, software developers, computer support companies, etc.; The National Revenue Agency; Competent authorities that, by law, have the right to request information, including personal data, such as courts, prosecutors, bailiffs, various regulatory bodies such as the Consumer Protection Commission, the Personal Data Protection Commission, and other government agencies; Auditors.
Within the organisation, only those departments involved in fulfilling our contractual relationships, legal obligations, or the protection of legitimate interests have access to the personal data you have provided. In the context of our contractual relations, we may delegate processing to subcontractors who have access to your personal data. Data protection compliance is ensured through a contract with our subcontractors.
We may collect your personal data in the following cases:
When transferring personal data within our group, based on the legal grounds provided in Regulation 2016/679; When you contact us through a communication channel (e.g., letters and emails we receive from you during our communication). The data is used solely to process the request and respond. The reason for processing is the legitimate interest of the parties involved. When applying for a scholarship from non-governmental organizations, in addition to basic personal data (full name, personal identification number (PIN), national identification number (NIN), permanent address, correspondence address, email, etc.), the following are required: i) Data about family status, ii) Proof of income (rent, management, employment contract), etc.; St. George International School conducts video surveillance as part of its personal data processing activities. Video surveillance data is stored for the maximum period defined in the data retention procedure. The video surveillance activity is carried out by a company with which St. George International School has signed a service contract. The purpose is to ensure the legitimate interest of the organisation, as well as the safety of employees and students, and to protect their property without infringing on the rights and dignity of the data subjects. When conducting recruitment campaigns.
Automated Algorithms
We do not use automated decision-making tools.
Security
The security of the data you have entrusted to us is very important to us. Therefore, we protect your data by implementing all appropriate technical and organizational measures at our disposal to prevent unauthorized access, improper, or malicious use. St. George School takes measures to protect your personal data from accidental loss and unauthorized access, use, alteration, or disclosure. There are policies and procedures in place to safeguard the information from loss, misuse, and unauthorized disclosure. Additionally, we implement further measures for information security, including access control, strict physical security, and reliable practices for the collection, storage, and processing of information. Some of the actions taken include:
Physical, Organisational, and Technical Measures for Protection:
Determining areas with controlled access; Determining the rooms where personal data is processed, including where our servers are located, as well as access restrictions; Organising physical access control; Determining technical means for physical security – in special rooms and cabinets; Establishing a response team in case of violations.
Protection Provided by Staff:
Familiarising the staff with the specifics of processing personal data and the regulations in the field of personal data protection, this policy, and other related internal rules; Confidentiality of information; Staff training.
Protection of Documents:
Setting retention periods; Rules for distribution; Procedures for destruction, verification, and control of processing.
When do we begin the process of destroying your personal data?
We store all the information we have collected about you and destroy it in a defined manner within the legally established timeframes, and if none are provided, within the timeframes determined by our Retention Policy.
All conditions set by St. George International School comply with the purposes of the provided personal data and the respective services provided. Personal data will be stored for the period necessary to fulfill the above-mentioned purposes. In some cases, we retain personal data for the general statute of limitations period (5 years) for the purpose of establishing and defending against legal claims.
Some retention periods are legally defined:
10 years according to the Accounting Act for the storage and processing of accounting data; 50 years, in accordance with Regulation No. 8 of 11.08.2016 on the information and documents in the system of preschool and school education (in force since 15.09.2017).
Data Transfers Between Countries
We may share information about you/your child when necessary with our service providers outside the European Economic Area (EEA), but only if they agree to work according to our instructions to protect your information at the same level of protection that applies in the European Economic Area and complies with Bulgarian legislation. Such data transfers are used to fulfill our contract with you, meet a legal obligation, and respond to your or our legitimate interests.
For more information, you can visit the European Commission’s website here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en
Your Rights Regarding Personal Data
You can request St. George International School and Preschool at any time to provide information and access to the personal data we collect and store about you. You may also request that St. George International School and Preschool correct, delete, or update such personal data. We also grant you the right to object to and limit the processing of personal data and your rights regarding automated decision-making. St. George International School and Preschool takes the necessary measures to exercise the rights of data subjects in accordance with Regulation (EU) 2016/679 and applicable legislation.
You may withdraw your consent for the collection, storage, and use of your personal data at any time. The right to withdraw consent for data processing may be exercised when the data is processed solely based on your explicit consent. However, the withdrawal will not affect data that has been lawfully processed before the withdrawal.
When exercising your right to data portability, you have the right to request that personal data be sent directly to us by another data controller, to the extent technically feasible.
Some of your rights, such as data deletion or objection to processing, may be restricted by applicable law.
Data subjects may exercise their rights by filling out templates prepared by the data controller and published on the St. George International School and Preschool website at www.stgeorgeschool.eu or in writing. Requests for information access or correction must be submitted in person or by an authorized person with written permission. The request may also be submitted electronically in accordance with the Electronic Documents and Electronic Signature Act.
St. George International School will review and decide on all received requests or complaints, except for anonymous submissions where the data subject cannot be identified. Requests/complaints are reviewed within one month of receipt. If necessary, this period may be extended by an additional two months due to the complexity and number of requests. We will inform you of any such extension within one month of receiving the request, stating the reasons for the delay.
The response will be communicated to the data subject in writing or by another convenient method. If we do not fulfill your request within the required periods or refuse to accept a complaint, we will provide the reasons why we have not acted or refused to do so.
The actions for exercising the rights of data subjects are free of charge.
We would like to inform you that according to the applicable legislation, you have the right to file a complaint regarding how your data is processed with the Personal Data Protection Commission, located at 1592 Sofia, Prof. Tsvetan Lazarov Blvd. No. 2, or at www.cpdp.bg.
Are You Obliged to Provide Personal Information About You and Your Child?
Regarding the admission campaigns and within the framework of contractual relations for the provision of educational services, you must provide the necessary personal data to initiate, conduct, and terminate these relationships and fulfill the related obligations. We are legally obliged and have the right to collect such personal data to protect our legitimate interests and safeguard the life and health of the students. Without processing this data, we would not be able to provide the educational services.
Changes
This personal data protection procedure is subject to updates.