Data Protection Policy
The American School of Paris (ASP) requires certain personal data – including some that is sensitive – about its employees, students, parents, alumni, and other community members, in order to function well as an international school, and as an employer in France.
This policy is intended to ensure that ASP takes care of all personal data in accordance with the EU General Data Protection Regulation (EU–GDPR), and other related legislation. It applies to data regardless of the way it is collected, used, recorded and shared, and irrespective of whether it is held in paper files or electronically.
This policy applies to all employees, trustees, volunteers, and others working on behalf of ASP. All employees involved with the collection, processing and disclosure of personal data should be aware of their duties and responsibilities and adhere to these guidelines.
Individuals at the American School of Paris may have access to a wide range of personal and sensitive data regarding other individuals, depending on their role in the school.
Personal data means any information about, or that may be used to identify, a living person. ASP recognizes that any such data belongs to that person (the ‘data subject’), and NOT to ASP or any other person or organization with whom we may share it. The data subject must be provided with complete information concerning the use of their data, and have ultimate control over its use.
Personal data includes, but is not limited to:
• information about members of the school community, including students, employees or parents, such as their name, address, phone numbers, health records and disciplinary records;
• curricular or academic data about students such as attendance records, grades, comments on progress and achievement, reports and recommendations;
• professional records such as employment history, taxation and social insurance records, confidential employee files and references;
• data held as photographs, video clips (including CCTV footage) or as sound recordings;
• any expression of opinion about an individual kept in a school file or system, or any indication of the school’s or someone else’s intentions towards an individual;
• any other information that might be disclosed by parents, or by other individuals or agencies working with families or employees.
Under the EU–GDPR, special categories of personal data (‘sensitive data’) require additional protection: information that concerns or reveals a person’s political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, state of health, and sex life or sexual orientation. Data concerning children under the age of 15 is also subject to special protections.
Data Protection Principles
The EU–GDPR establishes six principles to which ASP is held accountable whenever it handles personal data. Personal data shall be:
1. processed lawfully, fairly and in a transparent manner in relation to the data subject;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The ASP Board of Trustees is ultimately responsible for ensuring that the necessary systems, policies and procedures are in place to ensure that all personal data is appropriately protected, and that all employees of the American School of Paris who process or use personal data follow these principles at all times. To that end, ASP has developed this Data Protection Policy.
This policy does not form part of any employee’s contract, although it forms part of the policies accepted as a condition of employment and may be amended at any time. Any breach of this policy by employees may result in disciplinary action.
In order to protect personal data from loss, theft and unauthorized access or disclosure, ASP will deploy necessary physical and technological security systems.
These systems and backup systems will be fully documented, regularly tested, and periodically audited.
All individuals who use technology provided by ASP will be required to comply fully with the respective protocols and procedures.
This policy will be reviewed by the Board of Trustees or a nominated representative as deemed appropriate, but no less frequently than every two years.
We ask that you read this privacy notice and our data protection policy before you begin the application process, and that you check the box below to confirm that you have done so, and understand how and why we process your data.
We require the personal data requested in the application process:
• in order to establish the contract, should you choose to enroll your child at ASP,
• to fulfil our legal obligations, and
• to protect the vital interests of your child.
We retain the data for one full admissions cycle of two years, after which it is deleted. You may, of course, request a full deletion of your personal data at any time should you decide to cancel the application.
If at any time you wish to access, verify, or amend your personal data, or that of your child, or have any questions about its use, please contact: firstname.lastname@example.org