Privacy & Cookies Policy - Thames British

WEBSITE PRIVACY POLICY

Thank you for your interest in our services.

The security of your data is our priority. We protect it in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as: GDPR) (OJ EU L 119 of 04.05.2016) and national regulations.

We provide this Privacy Policy to clearly inform you who manages your data, for what purpose and on what basis we process it, and what rights you have in relation to this processing.

PERSONAL DATA CONTROLLERS AND DATA PROTECTION SUPERVISOR

The joint Controllers of personal data are:
1. Thames British School sp. z o. o.
2. Meridian sp. z o. o.
with their registered office at 66/74 Wawelska Street, 02-034 Warsaw.

You can contact the Controllers:
− by letter, writing to the above-mentioned correspondence address,
− by phone: (+48) 22 299 30 00,
− via email address:[email protected].

The Controllers have appointed a Data Protection Officer – Mr. Paweł Maliszewski, who can be contacted in matters relating to the processing of personal data via the following e-mail address: [email protected].

1. DEFINITIONS

1.1. Data anonymisation – an irreversible process of destroying or overwriting personal data in a manner that permanently prevents the identification of a specific User.
1.2. Personal data – any information about an identified or identifiable natural person (e.g. name, email address, IP number, location data or online identifier).
1.3. Personal data breach – accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to processed personal data.
1.4. Restriction of processing – the flagging of stored personal data to restrict its use in the future.
1.5. Policy – this Privacy Policy.
1.6. Profiling – the automated processing of personal data used to assess specific characteristics of a natural person, particularly to analyze or predict their personal preferences, interests, location, or behavior.
1.7. Processing – any operations performed on personal data, such as collecting, recording, organizing, storing, adapting, viewing, using, disclosing or deleting them.
1.8. Pseudonymisation – processing personal data in such a way that they cannot be assigned to a specific person without the use of additional information that is stored separately and technically secured.
1.9. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
1.10. Service – website operated at: https://thamesbritishschool.pl.
1.11. External service – websites of partners, service providers or entities cooperating with the Controllers.
1.12. Device – an electronic terminal device (e.g., computer, smartphone) and its associated software, used by the User to access the Website.
1.13. User – any natural person visiting the Website or using its functionalities.
1.14. Consent – a voluntary, specific, and informed declaration of the User’s will, expressed through a statement or a clear confirmatory action (such as ticking a checkbox), consenting to the processing of personal data.

2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE SERVICE

The Controller collects personal data to the extent necessary to provide individual services and information about the User’s activity on the Website (e.g. IP address, system logs) in order to continuously improve the quality of services provided and ensure security.

3. PURPOSES AND LEGAL BASIS FOR DATA PROCESSING ON THE WEBSITE

During each visit to the Website, our server automatically records technical data known as system logs. This information includes, among other things: the name of the requested file, IP address, date and time of access, and the volume of data transferred.

We process the data of persons using the Website (including IP address, identifiers and information from cookies) for the following purposes:
− to provide services electronically – to provide you with the content available on the Website, which is necessary for the performance of a contract (Art. 6(1)(b) GDPR),
− to ensure the security and efficient operation of the Website – for technical and administrative purposes, which constitutes a legitimate interest (Art. 6(1)(f) GDPR).

EMAIL AND CONTACT FORMS

The Controllers provide the possibility of contact via e-mail and contact forms.
The use of these contact methods requires the provision of personal data necessary to conduct correspondence with the User and to respond to the submitted inquiry. The User may also provide additional data to facilitate the handling of their inquiry. Providing data is voluntary; however, failure to do so will make it impossible to conduct correspondence. Personal data provided in the e-mail/contact form will be processed for the purposes of managing correspondence, providing information, and answering submitted questions, which constitutes the legitimate interest of the Controllers (Art. 6(1)(f) GDPR).

TELEPHONE CONTACT

The Controllers will request personal data during a telephone call only when it is necessary to achieve the purpose of the call, including for identity verification.

If the telephone call is being recorded, you will be informed of this before speaking with a representative of the Controllers. You may choose not to consent to the recording, in which case you should end the call. Where telephone calls are recorded, the purpose is to monitor the quality of services provided by the Controllers and to defend against or pursue legal claims, which constitutes a legitimate interest of the Controllers (Art. 6(1)(f) GDPR).
Providing personal data will generally be voluntary, but may be required by the Controllers depending on the purpose for which they are provided.

SOCIAL MEDIA PROFILES

The Controllers, together with the providers of social media platforms:
− Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – in relation to Facebook and Instagram,
− TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland) – in the scope of the TikTok service,
− X Corp. (1355 Market Street, Suite 900, San Francisco, CS 94103, United States) – in the scope of the X service,
are joint controllers of the personal data of Users accessing Thames British School profiles on these services.

The processing of personal data of individuals visiting the profiles is carried out for the purpose of providing information about Thames British School’s activities, promoting events and student achievements, and communicating with Users through the available functionalities of the services (comments, private messages, reactions, likes, shares). The legal basis for processing personal data for this purpose is the legitimate interest of the Controllers (Art. 6(1)(f) GDPR), which consists of building a positive image of Thames British School and maintaining relationships with the school community.

The Controllers have access to aggregate statistics regarding profile visits and the popularity of published content (analytical functions provided by Meta, TikTok, and X). This data is anonymous in nature and is used to analyse interest in the published materials, which constitutes a legitimate interest of the Controllers (Art. 6(1)(f) GDPR).

Interaction with the profiles (e.g., clicking “Like”, “Follow”, or posting a comment) is entirely voluntary; however, it results in the personal data contained in the User’s profile (e.g., name and surname, profile picture) being made available to the Controllers. The User may delete their comments or withdraw their interaction from a post/video at any time.

In the case of publishing images of students on social media profiles, this is done on the basis of separate, voluntary consent granted by parents or legal guardians (Art. 6(1)(a) GDPR). This consent may be withdrawn at any time, which will result in the removal of the material from the profiles.

CAREERS

The Controllers provide the opportunity to apply for vacancies and submit application documents via a dedicated e-mail address.

Submitting application documents (CV, cover letter) requires the provision of personal data necessary to conduct the recruitment process and assess the candidate’s qualifications for a given position. The provision of data within the scope specified by the provisions of the Labour Code is mandatory; failure to provide this data will prevent participation in the recruitment process. The provision of additional data (e.g., an image/photograph) is voluntary and is based on the candidate’s consent.

Personal data will be processed for the purposes of:
− conducting the recruitment process – which constitutes a legitimate interest of the Controllers (Art. 6(1)(f) GDPR) and is necessary for the fulfilment of legal obligations arising from the provisions of labour law (Art. 6(1)(c) GDPR);
− future recruitment processes – provided that the Candidate has given separate consent (Art.6(1)(a) GDPR).

STUDENT ADMISSIONS AND EDUCATIONAL PROCESSES

The Controllers provide the opportunity to submit school admission applications via a dedicated contact form.

Participation in the admission process requires the provision of personal data concerning both the candidate and their parents or legal guardians, which is necessary to conduct the qualification process and assess whether the criteria for school admission have been met. The provision of data required under educational law is mandatory; failure to provide this data will prevent participation in the recruitment process. The provision of additional information is voluntary and serves to better identify the candidate’s educational needs.

Personal data will be processed for the purposes of:
− conducting the recruitment process – which constitutes the fulfilment of a legal obligation to which the Controllers are subject, arising from the provisions of educational law (Art. 6(1)(c) and Art. 9(2)(g) GDPR);
− taking steps prior to entering into a contract for the provision of educational services (Art.6(1)(b) GDPR);
− conducting marketing and information activities – including contacting individuals who participated in the recruitment process but did not enter into a contract, in order to present the current educational offer and extracurricular activity proposals – which constitutes a legitimate interest of the Controllers (Art. 6(1)(f) GDPR).

REGISTRATION FOR EXTRA-CURRICULAR ACTIVITIES AND ONLINE PAYMENTS

The Controller, Thames British School sp. z o. o., enables children to be enrolled in extracurricular activities via the Website. Using this service requires the provision of personal data necessary for participant registration, contact with parents, and the processing of the payment transaction.

Enrolment for activities does not require the signing of a separate contract; it is completed by filling out an online form and making a payment through the integrated payment system. For this purpose, it is necessary to provide the parent’s identification data (name, surname, e-mail address, telephone number), the child’s data (name and surname), and payment card details required to finalise the transaction. Providing data is voluntary; however, refusal to do so will make it impossible to register for activities and pay for participation.

Personal data provided in the enrolment form will be processed for the following purposes:
− providing educational and childcare services within the framework of extracurricular activities at the request of the interested parties (Art. 6(1)(b) GDPR);
− processing online payments and fulfilling tax and accounting obligations related to the sale of services (Art. 6(1)(c) GDPR);
− ongoing communication with parents regarding organisational matters related to the activities – which constitutes a legitimate interest of the Controllers (Art. 6(1)(f) GDPR).

“VISIT OUR SCHOOL” FORM AND ORGANISATION OF VISITS

The Controllers provide the opportunity to arrange a visit to the Campus or participate in Open Days via dedicated application forms.

Using the forms requires the provision of personal data necessary for the organisation of the visit, contact for appointment confirmation, tailoring the presentation of the Thames British School educational offer to the interested User’s needs (e.g. the child’s educational level), and enabling participation in programmes organised as part of Open Days (e.g. Stay & Learn). Participation in the aforementioned events is intended to allow visitors to familiarise themselves with the teaching staff, infrastructure, educational resources, as well as the forms and methods of working with students. Providing data is voluntary; however, refusal to do so will prevent the submission of the application and the scheduling of a visit. Participation in events does not require the signing of a contract and is based on the completed form available on the Website.

Personal data provided in the forms will be processed for the following purposes:
− taking steps at the request of the interested parties prior to entering into a contract (Art.6(1)(b) GDPR);
− providing information regarding the educational offer, organising Campus tours, and facilitating participation in cognitive educational programmes – which constitutes the fulfilment of the interested parties’ request and a legitimate interest of the Controllers (Art. 6(1)(f) GDPR).

ONLINE MEETING

The Controllers provide the opportunity to conduct information and recruitment meetings using remote communication tools (video conferencing).

Participation in an online meeting requires the provision of personal data necessary to identify the User and establish a connection (e.g. e-mail address, username). During the transmission, personal data in the form of the User’s image and voice are processed, as well as any other data voluntarily shared by the User (e.g. through the chat function or screen sharing).

Personal data will be processed for the purposes of:
− conducting the online meeting and providing information – which constitutes a legitimate interest of the Controllers (Art. 6(1)(f) GDPR);
− taking steps at the request of the interested parties prior to entering into a contract (Art.6(1)(b) GDPR).

The Controllers wish to inform you that, as a standard practice, they do not record online meetings unless the User is explicitly notified in advance and provides separate consent for such recording.

4. PERSONAL DATA RETENTION PERIOD

The period of data processing by Thames British School depends on the type of service provided and the purpose of the processing:
1. in the case of performance of a contract/service – data is stored for the duration necessary for its execution;
2. where the basis for processing is the legitimate interest of the Controllers – data is stored until the User lodges an effective objection;
3. where the basis for processing is your consent – data is stored until such consent is withdrawn.

The processing period may be extended by the statute of limitations for claims, if processing is necessary for the establishment, pursuit, or defence of such claims.
In cases where data is necessary to fulfil legal obligations (e.g. tax or accounting requirements), it will be stored for the period specified by the relevant provisions of law.
Upon the expiry of the processing periods, the data is irreversibly deleted or anonymised, making it impossible to identify the User.

5. USER PERMISSIONS

In accordance with the scope and principles set out in the GDPR, Users of the Website have the right to:
• access their personal data, including the right to obtain a copy thereof;
• request the rectification of their personal data;
• request the erasure of their personal data (the “right to be forgotten”);
• request the restriction of data processing;
• data portability;
• withdraw consent to data processing;
• object to the processing of personal data, where such processing is based on the legitimate interest of the Controllers.

6. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

If you believe that your rights have been violated as a result of our personal data processing activities, you have the right to lodge a complaint with a supervisory authority – the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych). (ul. Moniuszki 1A, 00-014 Warsaw,https://uodo.gov.pl).

7. DATA RECIPIENTS

For the purposes indicated in this Policy, the Controllers may transfer Personal Data to the following categories of third parties:
− Partners providing IT tools for internal management and data sharing, to whom the Controllers entrust processing based on data processing agreements. Recipients of personal data may include, in particular, internet service providers, including email providers,
− entities and bodies entitled to receive data from the Controllers on the basis of generally applicable legal provisions.

8. TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
As a general rule, your personal data will not be transferred to countries outside the European Economic Area (EEA).
The Controllers shall always inform you of any intention to transfer personal data outside the EEA at the stage of its collection.

In connection with the management of Thames British School profiles on Facebook, Instagram, and TikTok, your personal data may be transferred to the USA and other third countries (Meta Platforms, Inc., TikTok Technology Limited/ByteDance Ltd., X Corp.). Data transfers are carried out on the basis of:
− an adequacy decision (Art. 45 GDPR), i.e. within the EU-U.S. Data Privacy Framework, to which Meta Platforms, Inc., TikTok Technology Inc. (USA), and X Corp. have adhered;
− appropriate safeguards, including standard data protection clauses (Art. 46 GDPR), applied by Meta, TikTok, and X in their relationships with users and page administrators.

If your personal data is transferred to recipients in third countries (outside the EEA) as part of the processing, such transfers may take place on the basis of:
− an adequacy decision (Art. 45 GDPR), e.g. the United Kingdom, the USA;
− appropriate safeguards, including standard data protection clauses, an approved code of conduct, or an approved certification mechanism (Art. 46 GDPR);
− binding corporate rules (Art. 47 GDPR);
− derogations for specific situations (Art. 49 GDPR).

9. DATA PROVISION REQUIREMENT

Providing personal data to the Controllers is voluntary, but necessary to achieve the purposes indicated in Section 3.

10. PERSONAL DATA SECURITY

Data Controllers ensure that Personal Data is processed securely, ensuring, above all, that only authorised individuals have access to the data and only to the extent necessary for the tasks they perform. Data Controllers ensure that all operations on Personal Data are recorded and performed only by authorised employees and associates. Data Controllers take all necessary measures to ensure that their subcontractors and other collaborating entities also guarantee the application of appropriate security measures whenever they process Personal Data on their behalf.

11. PRIVACY POLICY CHANGES

This Policy is reviewed on an ongoing basis and updated as necessary.

WEBSITE COOKIES POLICY:

HTTPS://THAMESBRITISHSCHOOL.PL

1. WHAT ARE COOKIES

The website uses cookies, which are small text files installed on the user’s device. They enable the collection of information that facilitates the use of the website, for example, by remembering visits and actions taken.

2. ESSENTIAL COOKIES

Necessary cookies are used to ensure the safe and proper operation of the website (e.g., maintaining sessions, security), which constitutes the legitimate interest of the Administrators (Article 6, paragraph 1, letter f of the GDPR). Without them, the website cannot function.

3. ANALYTICAL AND MARKETING COOKIES

As part of our website, we use the services of external suppliers who may place cookies in your browser to ensure the proper functioning of the website, to analyze traffic, and to conduct informational and promotional activities.

GOOGLE ANALYTICS (GOOGLE IRELAND LTD.)

We use this tool to collect anonymous information about how visitors (parents, students) use our website. This allows us to track which sections (e.g., admissions) are most frequently visited and how users arrive at our website. This data helps us continually improve the structure and content of the Thames British School website.

MICROSOFT CLARITY (MICROSOFT CORPORATION)

We use this tool to analyze how users interact with the website (e.g., session recording, clickmapping). It helps us understand whether contact forms are working correctly and whether site navigation is intuitive for those seeking information about Thames British School.

META PIXEL (META PLATFORMS IRELAND LTD.)

We use solutions provided by Meta (Facebook, Instagram) to measure the effectiveness of our recruitment and outreach campaigns. This technology allows us to send reminders about important events (e.g., open houses) to people who have previously visited our website.

TIKTOK PIXEL (TIKTOK TECHNOLOGY LTD.)
We use TikTok technology to monitor the effectiveness of our promotional activities on the platform. This allows us to analyze whether people who view videos about Thames British School decide to visit our website.

GOOGLE ADS (GOOGLE IRELAND LTD.)

This system allows us to measure how effective our ads are in Google search. It allows us to know whether people who click on a Thames British School ad complete a desired action on the website, such as submitting an enquiry via a form.

COOKIEYES (COOKIEYES LTD.)

We use this solution to manage your privacy consent. This tool remembers which of the above technologies you have consented to, so we don’t have to ask you about it every time you visit the Thames British School website.

4. COOKIE MANAGEMENT

The user can:

◦ manage expressed consents via the cookie banner,
◦ change cookie settings in your web browser,
◦ delete saved cookies.

Consent to the use of analytical and marketing cookies may be withdrawn at any time.

5. CHANGES TO COOKIE POLICY

This Policy is reviewed on an ongoing basis and updated as necessary.

Apply Now