DATA PROCESSING AND DATA PROTECTION PRINCIPLES

This Privacy and Data Protection Policy (the "Policy") explains how we handle your personal data when we provide education and training in accordance with the laws of the Czech Republic, provide services as part of our complementary activities, or when you visit our website.

This policy describes how we collect, use and process your personal data and how we comply with our legal obligations to you. Your privacy is important to us. We consider the protection of your personal data and related rights to be one of our priorities.

This Privacy Policy applies to job applicants, education applicants, children/students, their legal guardians, employees, contractors, users of our website and others who interact with our organization.

In order to comply with the requirements of the applicable legislation governing the protection of personal data (including but not limited to the General Data Protection Regulation (EU) 2016/679), hereinafter referred to as "GDPR" and Act 110/2019 Coll., we hereby state that the organisation responsible for the handling of your personal data (hereinafter referred to as "Controller") is the school.

Základní škola a gymnázium Square s.r.o.
Prague - Nusle, Svatoslavova 333/6, Postal Code 140 00
ID 24318582
PO Box identifier: yyhiaag
File number 196256 C, Municipal Court in Prague

Tel: +420 602 633 310
e-mail: ahoj@skolasquare.cz

Contact details of the Data Protection Officer: e-mail: poverenec@skolasquare.cz

We are entitled to make continuous modifications to this Privacy Policy. All amendments and the current version of the Policy will be available on this page and in paper form at the Headmaster's office.

Basic concepts

General Data Protection Regulation (GDPR) - a legislative instrument of the European Union aimed at harmonising European data protection laws. This regulation is effective from 25 May 2018 and all references to it should be interpreted with reference to the national legislation in which it is or will be implemented.
Personal data -any information about an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier (e.g. name, address, date of birth, birth number...).
Personal data of a special category (sensitive data) - personal data of a nature that may in itself be harmful to the data subject in society, employment, school, or may cause discrimination. It is data relating to the national, racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, health or sex life of the data subject and genetic data of the data subject; such data shall also include biometric data which permits direct identification or authentication of the data subject.
Processing of personal data - any operation on personal data, such as collection, recording, storage, alteration, consultation, use, dissemination, restriction, erasure, etc.
Controller - the legal or natural person (in this case the school) who determines the purposes and means of the processing of personal data.
Processor - the natural or legal person or entity that processes personal data for the controller (the controller hires the processor - e.g. School Service Centre, payroll accountant, occupational health service provider, etc.).
Trustee - a person who assesses the controller's or processor's activities for compliance with applicable law, informs them, advises them, makes recommendations. The Headteacher designates/appoints the Data Protection Officer in accordance with Article 37 of the Regulation. He/she shall enter into an employment or contractual relationship with the Data Protection Officer in accordance with Act No. 89/2012 Coll., Civil Code, as amended.
Job applicants- are persons applying for positions offered by the Controller, including full-time, part-time and temporary positions or hired to perform certain roles, as well as persons who have speculatively sent their CVs to the Controller without reference to a specific job.
Employees - This category includes employees and internal staff who are directly involved in the Administrator's activities. The "employees" category does not include independent contractors and consultants providing services to the Administrator, which may be defined as "contractors" for purposes of this Policy.
Educational Applicants - a category of persons who enroll, apply for admission, transfer, or otherwise express their intent to benefit from the educational and training activities of the Administrator.
Children/students - this category is apparently unambiguous in its meaning. It includes persons to whom the Administrator provides educational services in accordance with its charter.
Boarder - persons who use the services of the school canteen and thus participate in school meals. Whether they are children/pupils, school staff or external boarders.

Suppliers - are partners, companies and e.g. independent contractors or self-employed persons who provide their services to the Administrator. In this sense, suppliers are independent contractors, self-employed persons or employees of suppliers and may be considered processors from a data protection perspective. Please note that in this sense, the Controller requires that suppliers make their employees aware of the relevant sections of the Policy.
Other persons who may be contacted by the Administrator - This category may include emergency contacts by the Administrator's staff, persons confirming references of applicants and persons authorised by legal guardians to collect the child/student. We will only use these contacts when necessary.
Website Users - all persons who open/enter the Administrator's website.
Visitor - any person who physically enters the external or internal premises of the Manager.
Legal basis for processing your personal data

Performance of a legal obligation (by law)

We process some personal data about you because it is necessary to comply with a legal obligation to which we are subject. This includes, in particular, the maintenance of statutory documentation and data therein, such as school records, data required by other public authorities, etc. We must process this personal data and we do not need your consent to do so, nor can you prohibit us from doing so. Which data is affected by such processing is explained below.

Giving consent

We are required to obtain your consent to process your personal data in certain circumstances.

Confirmation of consent is "any free, specific, informed and unambiguous indication of the data subject's wishes by which he or she gives his or her consent to the processing of his or her personal data by means of a declaration or other manifest affirmation." In ordinary language, this means:

that you must give us your consent freely, without us exerting any pressure on you,
that you must know what you are giving your consent for, so we must provide you with sufficient information,
that you should have control over what processing you do and do not consent to,
that you should expressly and affirmatively give your consent - usually by ticking the YES/NO box to ensure that this requirement is clearly and unambiguously met.
Such cases of processing of personal data on the basis of consent are, in particular, the processing of the bank account of the guest, taking photographs and other audiovisual recordings for the case of promotion and presentation of the Administrator, etc.

Legitimate interests

This is where we may process your data where it is "necessary for the purposes of the legitimate interests of the Controller or a third party, except where those interests are overridden by your interests or fundamental rights and freedoms requiring the protection of personal data." These cases include, for example, taking CCTV footage for a legitimate interest in the form of protecting health and property, or requiring a criminal record statement from THP staff, particularly to protect the health and life of children/pupils.

Performance of a contract or contract negotiations

The processing is necessary for the performance of a contract to which you are a party or for the implementation of measures taken prior to the conclusion of the contract at your request. This includes, for example, the processing of data for the preparation of a contract with a prospective tenant, for boarding, for an employment relationship, etc.

Protection of vital interests

Should there be an accident, accident or other situation where your health or other vital interest may be at risk, we may process your personal data.

Making, exercising and defending legal claims

The processing of personal data in accordance with local legislation and other requirements, including sensitive personal data, may sometimes be necessary in our view in connection with the assertion or defence of our legal claims. Legislation allows us to do so where such processing is "necessary for the establishment, exercise or defence of legal claims or where the courts are acting within their jurisdiction". Such a situation may arise, for example, if we need legal advice in the context of legal proceedings or if legislation requires us to retain or provide certain information in the context of legal proceedings.

What data we process:

Data about job applicants

We consider it reasonable that if you are applying for a job or have posted your professional CV on a job portal or professional contact page, you will not mind if we collect and use your personal data to offer you the best job opportunity for your requirements. We only ask for the information we really need, such as:

name and surname
your age
contact details
your education details
professional experience
emergency contacts
It is up to you what personal information you provide us with in a personal meeting or on your CV. We process this personal data in our legitimate interest.

Employee data

We collect information about you mainly because of a legal obligation under Czech law:

name and surname
date and place of birth (for pension registration sheets sent to the Social Security Office)
all former surnames (For pension insurance registration sheets sent to the Social Insurance Institution)
birth number (For pension registration forms sent to the Social Insurance Institution)
place of permanent residence (For pension registration forms sent to the Social Security Agency)
the name and address of the foreign insurance carrier and the foreign insurance number - if the employee has been participating in pension insurance abroad and the employer is the employee's first employer after termination of pension insurance abroad (For pension registration forms sent to the Social Security Institution)
education and previous experience (For the correct calculation of wages)
type of pension received (For correct calculation of monthly tax advances)
number of children - for women (To determine the exact date of entitlement to retirement pension)
disability (To meet the compulsory proportion of disabled persons in the total number of employees)
data on health status (For compliance with the obligations under Act No 373/2011 Coll. on specific health services)
health insurance company (For payment of health insurance or in the event of an accident)
nationality (For the purpose of reporting the employment of foreigners)
Surname and name of spouse, name and address of employer (Income taxpayer's declaration - if the employee claims tax benefits and the spouse is employed)
the name, surname and birth number of the child (Income taxpayer's declaration - if the employee claims the benefit for a dependent child)
a criminal record statement (required by the Data Controller in the legitimate interest of protecting the health and life of children/pupils and the property of the Data Controller)
bank account number (In case of concluding an agreement pursuant to Section 143 of Act No. 262/2006 Coll., the Labour Code) 
other data for the fulfilment of legal obligations under special laws
Data on applicants for education

The data that we process about applicants, on the basis of the law (according to § 34 or 36 of Act No. 561/2004 Coll., the Education Act), are:

name and surname
date of birth
the address of the child's permanent residence, or, in the case of a foreigner, the place of residence of the child.
Information on children/students

We need to collect certain information about the children/pupils who attend our school in order to provide them with education and training in accordance with the Education Act. According to Section 28 of Act No. 561/2004 Coll., the Education Act, we process the following data about them:

name and surname
birth number
date of birth (if no birth number has been assigned to the child/student)
nationality
place of birth
place of permanent residence
place of residence in the Czech Republic or place of residence abroad (depending on the type of residence of the foreigner)
details of previous education, including the level of education attained
date of commencement of education at the school
data on the course and results of education at the school, language of instruction
data on the child's/pupil's handicap referred to in Section 16 of the Education Act, data on exceptional aptitude, data on support measures provided to the child/pupil by the school in accordance with Section 16 of the Education Act and on the conclusions of the examination referred to in the recommendation of the school advisory facility
information on the pupil's fitness for education and on any health problems which might affect the course of education
the date of leaving school
the health insurance company (only in the case of an accident)
Details of the legal representatives of the children/pupils

We process this data about you because of the legal obligation imposed on us by Section 28 of Act No. 561/2004 Coll., the Education Act, to ensure the smooth and safe conduct of schooling, in particular for better information:

name and surname
place of permanent residence or domicile, if he/she is not permanently resident in the Czech Republic
address for the delivery of documents
telephone number
address of the data box, if one has been set up
e-mail address, if provided
Data on boarders

In the event that a child/pupil of our school makes use of school catering services, we are obliged to process the following information about them on the basis of Section 28 of Act No. 561/2004 Coll., the Education Act:

name and surname
birth number
date of birth (if no birth number has been assigned to the child/pupil)
nationality
place of permanent residence
place of residence in the Czech Republic or place of residence abroad if the child/pupil does not reside in the Czech Republic (depending on the type of residence of the foreigner)
date of commencement and termination of school service or education,
details of medical fitness or, where applicable, any health problems which could affect the provision of school services or education
data on the child's/pupil's handicap as referred to in § 16, data on exceptional aptitude, data on the support measures provided to the child, pupil or student by the educational establishment in accordance with § 16 and on the conclusions of the examination referred to in the recommendation of the school advisory establishment
the name of the school in which the child/student is educated
If you use the school meals service and you are an employee or a third party, we process personal data about you that are necessary for the conclusion and performance of the meals contract.

In the case of using a bank account for the purpose of payment for meals, we will only process your account number on the basis of your consent.

Supplier data

In order to ensure a smooth cooperation, we also need to know a few things about our suppliers. These include the contact details of important people in your organisation with whom we will communicate. These are names, phone numbers and email addresses. We process this data for legitimate interest. We also need other information, such as your bank account details, so that we can send you payments for services you provide to us (where these are part of a contract we have entered into with you). We then process such information because it is necessary for the performance of the contract.

Other persons who may be contacted by the Controller

If a job applicant lists you as a person confirming references, we will use your personal data to contact you specifically to confirm the references. This is part of our quality assurance procedures which we consider necessary as an organisation and as a legitimate interest in our employment.

If a member of staff or child/student identifies you as an emergency contact and provides us with your contact details, we will contact you in the event of an injury or accident. We would certainly agree that this is a key element and fully consistent with our legitimate interests.

If you have been authorised by your child's legal guardian to collect your child/pupil from school, we process personal data about you to the extent that:

name and surname
date of birth
place of residence
We use this personal data to verify the identity of the person picking up the child and process it in the legitimate interests of the child and his/her legal guardian.

Users of the website

We collect a limited amount of data about website users to help us improve the usability of our website and to better manage the display of important information about us. This category includes information about the ways in which you use our website, the frequency of your visits to the site, and the periods during which our site is most popular.

Who do we provide personal information to?

Depending on the circumstances and in accordance with applicable law and other requirements, we may provide your personal information to the following categories of people in different ways and for different reasons:

To tax, audit and other authorities, if we believe that we are obliged to provide such data by applicable law (e.g. upon request of the tax office, ČSSZ, Police of the Czech Republic, OSPOD, Labour Inspectorate or in connection with planned legal proceedings, etc.).
To third parties who perform some of our functions as external service providers (including external consultants, business partners and professional advisors such as lawyers, accountants, technical support staff and IT consultants).
Third parties who provide us with IT services or who store our documents and with whom we have entered into a relevant data processing agreement (or similar agreement).
To third parties such as the Ministry of Education and the CSI, to whom we transfer personal data on the basis of a legal obligation referred to in particular in §28, paragraph 5 and §174 of Act No. 561/2004 Coll., the Education Act.
To third parties such as NIDV and other organisations providing DVPP that process personal data of teachers pursuant to §29 of Act No. 563/2004 Coll., the Teaching Staff Act, or other organisations providing further training pursuant to §230 of Act No. 262/2006 Coll., the Labour Code.
How do we protect personal data?

We care about the protection of your data. We are therefore committed to taking all reasonable and appropriate measures to protect the personal data we manage from misuse, loss or unauthorised access. We ensure this protection through a range of appropriate technical and organisational solutions. These measures to deal with potential threats to data security are contained both in the Data Processing Directive and in the records of personal data processing activities. However, these documents are non-public, precisely in order to enhance the protection and security of personal data.

How long do we keep personal data?

We retain personal data as part of documents in accordance with applicable legislation. In particular, Act No. 499/2004 Coll. on archiving and filing services and on amendments to certain acts and the school's filing and archiving regulations.

How do you access the personal data you have provided, how can you change it, how can you withdraw your consent to its use and what rights do you have?

One of the main aims of the GDPR is to protect and clarify citizens' rights in terms of data protection. This means that there are certain rights associated with your data even after you provide it to us. A detailed description of these rights is set out below.

There are various rights attached to the personal data you have already provided to us. We will deal with all your requests without undue delay and in all circumstances in accordance with applicable law. Please note that we record our communications with you to ensure that any issues you raise are dealt with smoothly.

Right to object


If we use your data because we consider it necessary to provide:

our legitimate interests,
a vital interest,
it is necessary for the performance of a contract,
a legal obligation
and you do not agree with this use of your data, you have the right to object to it. We will respond to your request within 30 days (in certain cases we are entitled to extend this period and this extension will always be justified to you).

Right to withdraw consent to the use of personal data

You may withdraw your consent to the processing of personal data for certain activities, for certain purposes (e.g. for the purpose of presenting a photograph on the Controller's website) at any time and we will terminate the specific activity you have previously consented to. The exception to this is where we consider that there is an alternative reason for continuing to process your data for that purpose (e.g. where a voluntary data becomes mandatory by a change in the law), a circumstance of which we will inform you.

Withdrawal of consent does not affect the lawfulness of processing based on consent given prior to withdrawal.

Requirements for access to personal data

You are of course entitled to ask us at any time for information about what data we hold about you. You can also ask us to modify, update or delete your data. We may comply with your request, or we may ask you to verify your identity and provide further information about your request, and we may refuse your request in accordance with the law, for which we will always provide you with appropriate justification. Any access to the data we hold about you will not incur a fee unless it is "manifestly unreasonable or unauthorised". Requests for further copies of such data from us may be subject to the payment of a reasonable administrative fee. We may also refuse your request in similar cases in accordance with applicable law. If this happens, we will always tell you our reasons.

Right to erasure

You have the right to request the erasure of your personal data in certain circumstances. One of the following criteria must apply to the data in question:

The data is no longer necessary for the purpose for which it was originally collected and/or processed,
you have subsequently withdrawn your previously given consent to our processing and there is no valid reason for further processing,
the data has been processed in violation of applicable law (e.g. in a manner that is not in accordance with the GDPR),
the data must be erased in order for us to comply with our legal obligations as data controller; or
we are processing the data because we believe that we are pursuing our legitimate interests in doing so, you object to the processing and we cannot demonstrate that there are legitimate overriding reasons for further processing.
If we comply with a valid request for erasure, we will take reasonable and practicable steps to erase the relevant data.

Right to data portability

If we process your data on the basis of your consent or the performance of a contract to which you are a party, you have the right to request the transfer of your personal data to another data controller. In this case, we will transfer your data directly or provide you with a copy of your data in a machine-readable format, if technically feasible.

Right to restriction of processing

In certain circumstances, you have the right to request that we restrict the processing of your personal data. In such cases, we may only continue to store your data and may not carry out further processing unless you consent or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest. The circumstances in which you are entitled to request limited processing of your personal data include:

Cases where you dispute the accuracy of your personal data that we process. If this circumstance applies, we will restrict the processing of your personal data until we have verified its accuracy
Where you object to our processing of your personal data to further our legitimate interests. If this circumstance applies, you may request limited processing of your data until we have verified our reasons for processing it
If our processing of your data is unlawful and you request limited processing instead of erasure
If we no longer need to process your personal data but there is a need on your part to use the data to establish, exercise and defend a legal claim.
If we have provided your data to third parties in these circumstances, we will inform these parties of your request for limited processing. The exceptions are where it would be impossible or would require a disproportionate effort to do so. We will of course inform you of any revocation of the limited processing of your personal data.

Right to rectification

You also have the right to request the correction of any inaccurate or incomplete personal data we hold about you. If we have disclosed your data to third parties in such circumstances, we will inform those parties of your request for rectification. The exceptions to this are where it would be impossible or would require a disproportionate effort to do so. Where appropriate, we will also tell you which third parties we have provided inaccurate or incomplete personal data to. If we believe that it is not desirable for us to comply with your request, we will provide you with the reasons for such a decision.

Right to lodge a complaint with a supervisory authority

You also have the right to lodge a complaint with the local supervisory authority.
Data Protection Authority
Phone: (+420) 234 665 111
E-mail: posta@uoou.cz
Postal address: Office for Personal Data Protection, Pplk. Sochor 27, Prague 7, 170 00

What are cookies and how do we use them?

Cookies are small files stored on your computer's hard drive. Almost all websites use them and they do not pose any danger to your computer. They give us an idea of your activity and help us to make your visit to our website as pleasant as possible. Based on the information from the cookies, we can offer you options tailored to your needs on each subsequent visit. Cookies are also used to track website traffic and for advertising purposes. If you wish to review or modify the types of cookies you agree to use, you can typically do this in your browser settings.

How do we use cookies?

We use cookies for the following purposes:

To track how you use our website. This enables us to understand the individual requirements of users grouped together in larger groups, so that we can develop and improve our website to ensure that the services it provides meet the expectations and needs of our visitors.
Cookies can be divided into several categories

Session cookies: cookies that are stored on your computer during your browser session and are automatically deleted when you close your browser. They are usually stored under an anonymous session ID that allows you to browse the site without having to log in on each page. These cookies do not obtain any information from your computer.
Persistent cookies: cookies that are stored as files on your computer and remain on your computer after you close your web browser. The websites that create these cookies will reload them each time you visit the site. We use persistent cookies for the purposes of Google Analytics.
Necessary cookies: these cookies ensure the effective use of the website. Without them, our website would not be able to provide you with the relevant services. These cookies do not collect any information that could be used for marketing purposes or to track your activity online.
Performance cookies: these cookies allow us to monitor and improve the performance of our website. For example, they allow us to count visits to the site, identify sources of traffic to the site, and determine which sections of the site are most popular.
Functionality cookies: these cookies allow our website to remember the options you choose (such as your username) and offer you better features. We may also use them to see what text size or font type you prefer or to further customize specific sections of the site. They are also used to provide services according to your requirements, such as watching videos or posting comments. The data collected by these cookies is usually anonymous.
How do I refuse the use of cookies?

If you do not wish to allow cookies whose use is not strictly necessary to provide the basic functions of our website, you can disable their use in your browser settings. Most web browsers allow cookies, but if this method of data collection bothers you for any reason, you can disable cookies in your browser's privacy settings. However, if you disable all cookies, you may not be able to use all of the features of our website. Individual browsers vary, so please refer to the Help section for all the information you need to adjust your cookie settings.

For more information about cookies, including how to disable them, please visit aboutcookies.org. You can also find out how to delete cookies from your computer on that page.