GDPR Privacy Statement
1. The Data Controller
The American Overseas School of Rome “the school” represented by the Chair of the Board of Trustees, is the Data Controller and the Data Processor, as prescribed and defined by GDPR (Global Data Protection Regulation) requirements. The school is a US not-for-profit corporation, and the operation branch is registered in Italy, Rome, Via Cassia 811.
2. The Purpose of this Privacy Notice
This notice provides information about how the school will use (or "process") individuals personal data (carried out on paper and electronically) including current, past, and prospective staff, students, parents or guardians (referred to in this policy as "parents"), visitors and independent contractors. GDPR gives individuals the rights to understand and protect their personal data. Staff, parents and students are all encouraged to read this Privacy Notice and understand the school’s obligations to the entire community. This Privacy Notice is applied in addition to all school's agreements, contracts and policies. Anyone who works for, or acts on behalf of the school (including staff, Board members and service providers) should be aware of and comply with GDPR requirements.
3. Responsibility for Data Protection
The School has appointed a Data Protection Manager. He will handle all requests and inquiries concerning the school’s use of your personal data (see section on Your Rights below) and will attempt to ensure that all personal data is processed in compliance with this notice and the EU General Data Protection Regulation 2016/679 (the “GDPR”).
4. Why the School Needs to Process Personal Data
In order to fulfill administrative, fiscal and scholastic obligations, the school needs to process a wide range of personal data about individuals (including current, past and prospective staff, students and parents) as part of its daily operation, in general to pursue its “legitimate interests”
- To admit new students and parents, as part of the community;
- To provide educational services, including extra-curricular activities, sports, field trips, and to monitor students’ progress and educational needs
- To maintain relationships with the school alumni and community, including direct marketing or fundraising activities
- To manage and research statistical analysis
- To inform authorities as required by local and international regulations
- To give and receive information and references about past, current and prospective students
- To enroll our students in local and international examinations
- To monitor use of the school's IT and communication systems in accordance with the school's Technology Acceptable Use Policy and Cybersecurity compliance
- To maintain personnel files
- To use students, staff and visitors images in school publications, on the school website and (where appropriate) on the school's social media channels, in accordance with the school's policy on taking, storing and using images
- To safeguard students' welfare and medical care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual's medical condition or other relevant information where it is in the individual's interests to do so
- To provide educational services in the context of any special educational needs of a student
- To record memberships, for example Corporation and Parent Teacher Organization (“PTO”) members
In addition, the school will on occasion need to process special category personal data (i.e. health conditions or medical information) or criminal records information ( to complete the employment contract and in accordance with the laws and regulations), as follows:
To safeguard students' welfare and provide appropriate emergency medical care, to take appropriate action in the event of an emergency, incident or accident, in the best interest of the individual
To provide educational services in the context of any special educational needs of a student
In connection with staff employment contract, as union membership or pension plans
For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.
5. Types of Personal Data Processed by the School
This will include by way of example:
names, addresses, telephone numbers, e-mail addresses and other contact details;
bank details and other financial information, e.g. about staff and about parents or tuition fees payers;
past, present and prospective students' academic, disciplinary, admissions and attendance records (including information about any special needs), and examination results;
Information about individuals' health and welfare, and contact emergency details;
Correspondence with prospective, current and past staff, students and parents; and
Staff, students, parents and visitors’ images for the above mentioned use.
6. How the School Collects Data
Generally, the school receives personal data from the individual directly or, in the case of students, from their parents. This may be via a form, or simply in the ordinary course of interaction or communication (such as telephone calls, in person, email or written communication or assessments).
7. Who has Access to Personal Data and Who Does the School Shares it With
Occasionally, the school will need to share personal information relating to its community with third parties, such as:
professional advisers (e.g. lawyers, insurers, etc.);
For the most part, personal data collected by the school will remain within the school, and will be processed by appropriate individuals only in accordance with access protocols. Particularly strict rules of access apply in the context of:
medical records and safeguarding files.
However, a certain amount of a student’s relevant information will need to be provided to staff more widely in the context of providing the necessary care and education that the student requires, particularly for students with special needs.
Some of the school’s processing activity is carried out on its behalf by third parties, such as IT and communications systems, or cloud storage providers. This is always subject to contractual assurances that the third party is compliant with current Data Protection Legislation (GDPR) and that personal data will be kept securely and only in accordance with the school’s specific directions governed by a Data Sharing Agreement where necessary. In order to carry out our day to day activities, some staff and student names, email addresses and performance data is held by a number of third party online learning platforms and websites. These are only used when the third party is compliant with current Data Protection Legislation (GDPR). A full list of current third party suppliers is available on request from the Data Protection Manager.
8. Transferring your Data Internationally
Sometimes we will need to transfer or store your information outside of the Italy, for example, by our Management Information System: PowerSchool (USA); our online learning platform: Google G-Suite for Education (USA and EU) and testing software (i.e. MAP Growth (USA)); all the software in use by the College Counselor to complete the college application for AOSR students and any other programs needed to comply with local and international policies.
Countries to which we transfer information may have different standards to control how your information is used and protected and these standards may not be as strict as those in place in Italy. We will only transfer information to organizations who are working towards compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and are in countries which have laws offering an adequate level of protection for your information. In the case of the USA, we will make sure that the organization which receives the information is in compliance with the Privacy Shield Framework Rules (for more information, please visit the Privacy Shield website). We will put in place appropriate safeguards to protect your information, or otherwise ensure that we can transfer your information in a way that complies with Data Protection Law.
We put in place appropriate safeguards to protect information which we transfer, the safeguards may include securing additional Data Sharing Agreements to protect your information.
9. How Long We Will Retain Personal Data
The school will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the legal recommendation for retaining ordinary staff and student personnel files is up to 10 years following departure from the school or after the end of the employment contract, in case of faculty and staff members. However, incident reports and safeguarding files may need to be kept longer, in accordance with specific legal requirements.
A limited and reasonable amount of information will be kept, for example for historical or archiving purposes. In the event that one has requested not to be contacted by the school, we will still need to keep a record of your information in order to fulfill your wishes (called a "suppression record").
Further information can be found by contacting the Data Protection Manager at email@example.com.
10. Keeping in Touch and Supporting the School
The school will use the contact details of current, past and prospective staff, students, parents, and other members of the school community to send updates about the activities of the school, news, and events of interest, including but not limited to sending updates and newsletters, by email, sms message and by mail.
The school will share contact details of the Parent Teacher Organization (PTO) members who can be contacted in order to receive information regarding PTO activities, reminders about school events, requests for assistance, etc.
Should you wish to limit or object to any such use of personal data, or would like further information, please contact the Data Protection Manager at firstname.lastname@example.org. At any given time, you have the right to withdraw consent, where given, or otherwise object to direct marketing or fundraising communication. However, the school is nonetheless likely to retain some of your details (For example to ensure that no further communications are sent to that particular address, email or telephone number by request).
11. Your Rights
Individuals have various rights under the Data Protection Law to access and understand personal data held by the school, and in some cases may ask for said data to be erased or amended or have it transferred to others, or for the school to discontinue processing it. However, these requests are subject to certain exemptions and limitations.
Any individual requesting access or amendments to their personal data, requesting data to be transferred to another person or organization, or who has an objection to how their personal data will be used, should put their request in writing to the Data Protection Manager at email@example.com.
The school will attempt to respond to any such written requests as soon as reasonably possible and within statutory time-limits (one month in the case of requests for access to information).
You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This includes information which identifies other individuals (parents must be aware that some of this data may include their own children, in certain limited situations), or information which is subject to legal privilege (for example legal advice given to or sought by the school, or documents prepared in connection with a legal action).
The school is also not required to disclose any student examination scripts (or other information consisting solely of student test answers), provide examination or other test marks ahead of any ordinary publication, nor share any confidential reference given by the school itself for the purposes of the education, training or employment of any individual.
Certain situations may provide compelling reasons to refuse specific requests to amend, delete or stop processing you (or your child's) personal data: for example, a legal requirement, or if it falls within a legitimate interest identified in this Privacy Notice. All such requests will be analyzed individually.
A person with parental responsibility will generally be entitled to make a subject access request on behalf of younger students, but the law still considers the information in question to be the child’s. Students aged 18 and above are generally assumed to have sufficient maturity to make a request themselves, although this will depend on both the child and the personal data requested, including any relevant circumstances at home.
In line with the Fee Agreement and School Policy, parents will generally receive educational updates about their children. The school will assume that students’ consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the student's activities, progress and behavior, and in the interests of the student's welfare, unless a court decision establishes differently. All information requests from, on behalf of, or concerning students will be considered on a case by case basis.
In some cases, it may be necessary or appropriate to seek the student's consent. Parents should be aware that in such situations they may or may not be consulted, depending on the interests of the student, the parents’ rights by law or under their contract, amongst other specific circumstances.
The school relies on consent to process personal data, and any person may withdraw this consent at any time (subject to similar age considerations as stated above). Some examples where the school relies on consent include the use of images during normal school operations, activities, and events on or off campus involving the school (field trips, sporting events, conferences, etc). Please be aware however that the school may not always be relying on consent but have another lawful reason to process the personal data in question even without your consent.
Students and Staff are required to respect the personal data and privacy of others, and to comply with the school's Technology Acceptable Use Policy and the school rules.
12. Data Accuracy and Security
The school will attempt to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify the school of any significant changes to important information regarding them, such as contact details.
The school will take appropriate technical and organizational steps to ensure the security of personal data about individuals, including policies of the use of technology and devices, access to school systems, and destruction of data at the end of the relevant retention period. All Faculty, Staff and Board Members will be made aware of this policy and their duties under Data Protection Law and receive relevant training.
13. This Policy
The school will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be communicated to members of the community.