Privacy Notice

This Privacy Notice sets out how the ICAN, a private nursery, kindergarten and preschool registered and authorised by the Cyprus Ministry of Education and Social Welfare Office as well as a private primary school, operated by ICANSCHOOL LTD, a limited liability company incorporated and registered in the Republic of Cyprus under company number HE434549and have its registered office address Stasandrou 9, Elias Building, Floor 2, Office 201, Nicosia Cyprus together with its affiliated entity ΤΑΣΟΥΛΛΑ ΠΙΤΤΑΚΑΡΑ ΛΙΜΙΤΕΔ a limited liability company incorporated and registered in the Republic of Cyprus under company number ΗΕ23716 and have its registered office address at Mousaiou 8, Agia Zoni 3090 Limassol Cyprus (collectively referred to as ICAN) and their registered brand names: ICANSCHOOL PRIMARY PRIVATE SCHOOL, ICANSCHOOL PRIVATE KINDERGARDEN and PRIVATE KINDERGARTEN ICAN KIDS (collectively referred to as ICAN “we” or “us”) uses the personal information relating to its students (existing, prospective or former), their parents, partners, prospective, current and former employees, temporary and contract staff, third party contractors (“you” and “your ”).

We will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the applicable local legislation, the Data Protection Legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the- EU Regulation No. 2016/679 the General Data Protection Regulation (collectively “GDPR”).

This Privacy Notice is intended to help you understand why and how we may use your information. The lists and examples below are illustrative, non-exhaustive and not fully representative for every individual.

Please note that this Privacy Notice is addressed to our prospective, current, and former clients/ parents of our students. If you are, were or may be an employee or third-party contractor your personal information will be used in connection with your agreement in accordance with a separate privacy policy.

Data protection principles

We shall at all times comply with the GDPR and all local data protection law (as may be applicable). This means that the personal data we hold about you must be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have conveyed to you.
• Kept securely at all times.

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

Please note that the examples are illustrative and non-exhaustive.

Type of Personal Information	Examples
Information about you:	Name, address, date of birth, marital status, nationality, gender, photo and preferred language, details of any disabilities, work restrictions and/or required accommodations.
Information about the student’s family details	Parents’ names, telephone numbers, passport numbers, addresses;
Information to contact you at work or home:	Name, address, telephone and email address.
Information about who to contact in case of an emergency (yours or ours):	Name, address, telephone, email address and their relationship to you.
Information to identify you:	ID, photographs, passport and/or driving license details, electronic signatures.
Information about your suitability to work for us and/or our clients:	References, interview notes, work visas ID information such as passport details and driving license information, records/results of pre-employment checks, including criminal record checks, credit and fraud checks.
Information about your skills and experience:	CVs, resumes and/or application forms, references, records of qualifications, skills,training and other compliance requirements.
Information about the student’s academic background	Admissions, academic, disciplinary and other education related records, information about special educational needs, references, examination scripts and marks
Information about your terms of employment with us:	Letters of offer and acceptance of employment, your employment contract, location, billing and subscription information.
Information that we need to pay you:	Bank account details, certificate of non- bankruptcy, national insurance or social security numbers (where applicable), salary and benefits, expense allowances.
Information that we need to provide you with benefits and other entitlements:	Length of service information, health information, leave requests.
Information relating to your work travel expenses:	Bank account details, passport, driving license, vehicle registration and insurance details.
Information relating to your pension entitlements:	Pensionable salary, pension base, annual pension accrual, pension benefits.
Information to allow you to access our buildings and systems:	Computer or facilities access and authentication information, identification codes, passwords, answers to security questions, photographs, video images (including those captured via CCTV).
Information relating to your performance at work:	Performance assessments and ratings, leadership ratings, financial interests, directorships, targets, objectives, records of performance reviews, development records and/or notes of one to ones and other meetings, personal development plans, training recommended and completed, personal improvement plans, secondments, correspondence, reports.
Information relating to sickness and absence management:	Absence and time-keeping records, start and end date of reporting in sick, sick certificates, percentage of sickness and absence per employee, address where an employee is being treated (when different than home address).
Information relating to discipline, grievance and other employment related processes:	Interview/meeting notes or recordings, correspondence.
Information required to ensure your independence and the independence of our firm:	Financial interests including publicly available debt, equity securities, tradable financial notes issued by banks, mutual funds, hedge funds, money market funds, unit investment trusts and other investment vehicles of our employees, their spouses (or spousal equivalent) and/or financial dependents; Financial interests held through a financial product or investment agreement, owned by our employees their spouse (or spousal equivalent) and financial dependents such as underlying publicly available securities related to: (i) insurance policy investments, (ii) retirement investments, (iii) investment club investments; (iv) investments included in trusts, and (v) discretionary accounts managed by others. Other financial relationships such as loans, brokerage relationships, deposits, insurance; information. Information on family members’; employment relationships. Brokers/investment accounts, deposits, credit cards, other loans, real estate interests, insurance policies, employer sponsored retirement savings plans, non-public investments.

How we use particularly sensitive personal information

Some types of information are classified as ‘sensitive’ for the purposes of the GDPR and there are additional restrictions on how we may use and hold this information. Sensitive personal information is information that relates to a person’s:

• Racial and ethnic origin;
• Physical or mental health;
• Genetic or biometric data;
• Alleged or actual criminal convictions and proceedings.

The above are merely illustrations and we do not collect all of the above information. However we may, if absolutely necessary, be required to collect some information that may be classified as “sensitive”. As school we need to process sensitive data.Generally, it is necessary to obtain your consent before we can hold and use such information. However, we may hold and use such information without consent for limited statutory purposes such as monitoring compliance with our equal opportunities policies and health and safety rules, or if necessary to protect your vital interests, for legal claims, or in the public interest.

In any case, we will make clear the purposes for which we wish to use your sensitive information when it is being collected, and, if necessary, obtain your consent at that time.
Information about criminal record.

We collect and maintain information as to whether you have a clean criminal record for purposes of complying with our legal and regulatory obligations as your employer. In doing so we have in place an appropriate policy and safeguards to maintain such information.

How is your personal information collected

We collect personal data either directly from the individual concerned (or in the case of students from their parents or guardians). In some cases, we collect personal data from third parties (for example, referees, previous schools or professionals or authorities working with the individual) or from public available sources.

How we will use information about you

We will process your personal data to support the school’s operations as a private school/ kindergarten and nursery registered and authorised by the Cyprus Ministry of Education and/or Social Welfare Office and in order to allow us to efficiently perform our contract with you and to enable us to comply with our legal obligations as your employer. In some cases we may use your personal data to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed below (Permitted Purposes).

Purposes for which we need your personal information	Examples Please note that these examples are illustrative and non- exhaustive.
Recruitment:	To assess the student’s suitability; To assess the teacher’s suitability to work for us; To perform requisition and applicant management activities; To perform precision matching to job vacancies; To conduct screening, assessments and interviews; To maintain a library of correspondence; To make offers and provide contracts of employment; and To conduct pre-employment checks, including determining your legal right to work and carrying out criminal record and credit checks where applicable.
Provision of education to students:	administration of the school curriculum and timetable; monitoring student progress and educational needs; reporting on the same internally and to parents; administration of students’ entries to internal and external examinations, reporting upon and publishing the results; providing references for students (including after a student has left); maintenance of discipline; provision of careers and library services; administration of sports fixtures and teams, school trips; provision of the school’s IT and communications system and virtual learning environment (and monitoring the same) all in accordance with our Student Use of Educational Technology Policy. safeguarding of students’ welfare and provision of pastoral care, welfare, health care services by school staff; research into and development of effective teaching and learning methods and best practice/
Human Resources (“HR”), finance and other business administration purposes:	Staffing, including resource planning, secondments, skills allocation, engagement management, recruitment, termination and succession planning; Budgetary and financial planning and administration; Organizational planning and development and workforce management, including monitoring the effectiveness of our equal opportunities policies and the fair and consistent treatment of staff members and job applicants; Compensation, payroll, and benefit planning and administration, including salary, tax withholding, tax equalization, awards, insurance and pensions; Workforce development, education, training and certification, maintaining up to date records of; professional qualifications, memberships and continuing professional development programmes; Performance management and performance rating details (including achievements and work history); Problem resolution, including carrying out internal reviews, grievances, investigations, audits and disciplinary procedures; Business travel and expense management; Administration of use of company cars; To assist with Visa and submitting immigration applications for working permits for our employees and/or their close family members; To conduct business reporting and analytics; Administration of flexible work arrangements; Administration of employee enrolment and participation in activities and programmes offered to eligible employees, including matching donations to non-profit organizations, political action committee contributions, and wellness activities; Promotional and marketing materials and activities, including quotes, photos and videos; Work-related injury and illness, including the management of employee Health & Safety, and disabilities, sickness and absence management; To provide HR helpdesk support and case management; To communicate with you and to facilitate communication between you and other people (including voicemail, e-mail and electronic collaborations); Compliance and compliance reporting, including conflict of interest and gifts and hospitality reporting; Risk management; Project Management; Billing, time-keeping; Monitoring and assessing compliance with our Staff Handbook, other policies and standards (e.g. the IT Code of Connection); Training and quality purposes; and In the event of a take-over or merger, providing information to a future purchaser of any part of the Company’s business.
Diversity & Inclusiveness (D&I):	Focus on diversity and inclusiveness in serving clients, developing people and playing a leadership role in communities. Meeting D&I targets (i.e. regarding increasing the number of females and minority hires/promotions)
Security purposes:	Physical access control; Authorizing, granting, administering, monitoring and terminating access to or use of the Company’s or third party facilities, records, property and infrastructure including communications services such as business telephones and email/internet use; CCTV; and Prevention and detection of crime.
Information Technology (“IT”) administration purposes:	IT Systems access control and use monitoring; IT fault reporting, management and resolution; Systems administration, support, development, management and maintenance.
Legal purposes:	Compliance with legislation and regulation including the preparation of information for inspections, submission of information to the Ministry of Education and other government departments; To comply with our legal obligations, including anti- bribery and corruption, conflicts of interest and money laundering. To keep a register of violations, incidents or personal data breaches. In a take-over or merger, providing information to a future purchaser of the Company or any part of the Company’s business.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the purpose for which it has been collected. In such a case we shall notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Automated decision-making

We generally do not use automated decision-making. If we use this procedure in individual cases, we will inform you of this separately.

Sharing your data

We may share you data in the following circumstances, the following are examples of where and how your information may be transferred, but please note this is not an exhaustive list and that due to ongoing changes in our IT and operational infrastructure this may change at any time:

• We may share your data between the related and/or affiliated entities on a confidential basis.
• We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law.
  (i) To travel agents/coordinators for the purpose of arranging business trips;
  (ii) To our insurance company(ies) for the purpose of providing the car insurance for use of the company cars;
  (iii) To public authorities including but not limited to examination boards, the school’s professional advisors, the Ministry of Education, Welfare Office, Department of Statistics, Immigration Office, Tax Department, Social Insurance Services;
  (iv) To our external accountants/auditors.

International Transfers of Personal Information

When making transfers between the affiliated and/or related entities and/or to a third country, we will ensure that they are subject to appropriate security measures and safeguards as deemed appropriate, under GDPR and the relevant national and international laws. This may include entering into the appropriate contractual relationships to regulate any such transfers and safeguard any personal information transferred to them.

In particular, if a data transfer is required to an entity located in third country in order for us to be able to provide you with employment opportunity, we will, prior to proceeding with such transfer, provide you with more information on the particular data protection laws and regulations regulating the collection and processing of data in that particular jurisdiction.

All entities and offices who data is transferred to will ensure an adequate level of protection for your personal data at all times.

If you want to obtain further information on any data transfers mentioned above please contact us through the points of contact listed in the section OUR CONTACT DETAILS below.

Data security

We have put in place measures to protect the security of your information. Details of these measures are available upon request. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Human Resources Department.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How long will we use and keep your information

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further Notice to you.

Rights of access, correction, erasure, and restriction

Under certain circumstances, by law you have the right to:

• Request access to your personal information.
• Request correction of the personal information that we hold about you.
• Request erasure of your personal information.
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
• Request the restriction of processing of your personal information.
• Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Human Resources Department in writing.

Students Data

The rights under GDPR belong to the individual to whom the data relates. However, we will often rely on parental consent to process personal data relating to students (if consent is required) unless, given the nature of the processing in question, and the student’s age and understanding, it is more appropriate to rely on the student’s consent.

Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.

In general, we will assume that students’ consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the student’s activities, progress and behaviour, and in the interests of the student’s welfare, unless, in the school’s opinion, there is a good reason to do otherwise.

However, where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example, where the school believes disclosure will be in the best interests of the student or other students, or is required by law.

Students can make subject access requests for their own personal data, provided that they have sufficient maturity to understand the request they are making. A person with parental responsibility will generally be entitled to make a subject access request on behalf of students, but the information in question is always considered to be the child’s at law. A student of any age may ask a parent or other representative to make a subject access request on their behalf. Moreover (if of sufficient maturity) their consent or authority may need to be sought by the parent making such a request.

Data protection officer

We have appointed a data protection officer (DPO) to oversee compliance with this privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal information, please contact the DPO. You have the right to make a complaint at any time to the Commissioner for the protection of personal data’s Office, the Cyprus supervisory authority for data protection issues.

Changes to this Privacy Notice

We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

Our contact details

If you have any questions about this Privacy Notice, please contact our DPO Officer.

To enable us to process your request we may require that you provide us with proof of your identity, such as by providing us with a copy of a valid form of identification. This is to ensure that we appropriately protect the personal data we hold from unauthorised access requests and comply with our security obligations.