A. This Data Protection Policy describes how personal data must be collected, handled and stored to meet the data
protection standards established by the European Union (EU) Regulation 2016/679 with regard to the processing of
personal data and on the free movement of such data. This regulation is referred to as the GDPR.
B. This policy is to provide a general framework whereby an adequate level of protection of personal data of students,
parents and legal guardians of students, employees, and contractual partners of AIS-Salzburg is ensured in its
C. This policy provides guidelines to ensure that AIS-Salzburg:
D. To these ends, the actions of all staff who have access to any type of personal data must comply with this policy.
II. Types of Client Data Collected at AIS-Salzburg
A. Client/Student data include but are not limited to:
B. This information is required in carrying out the duties of the school and its educational mission.
Examples of personal data collected (not exhaustive):
• name and surname
• full name of family members
• address (home/residence)
• profession/job title
• date and place of birth
• passport/identity documents
• birth certificate data
• health data
• e-mail address
• physical data
• habits, preferences, behavior
• economic and financial situation
• family status
• military status
• civil status data
• bank data
• academic background, evaluations, results, and details of experience
• CCTV images and recordings of staff, personnel, students, and visitors to the school
III. Data Processing Requirements and Purposes
A. The principles of lawfulness, fairness, and transparency are fundamental to all data collection and processing at AIS-Salzburg. There must be a legitimate, defensible basis on which the processing of all personal data occurs, including consent from the data subject and clear necessity for compliance with legal obligations to which the school must adhere. All data collection and processing, and its purpose, must also be clearly explained in understandable communication with the clients of AIS-Salzburg.
B. The processing of personal data must comply with all applicable laws and conform to the following principles:
C. AIS-Salzburg will collect personal data for specified, explicit and legitimate purposes and will not process the data beyond the purpose for which it was collected. AIS-Salzburg can process personal data only if one of the following circumstances is met:
D. AIS-Salzburg will process only data that is adequate, relevant, limited to and necessary for the purposes of professional education in a boarding setting.
E. AIS-Salzburg is obliged to ensure that all personal data is accurate and up-to-date where required.
F. AIS-Salzburg will not retain personal data for a longer period than what is necessary for the purposes for which it was collected and processed.
G. AIS-Salzburg will only transfer personal data outside the European Economic Area where there are appropriate safeguards in place, such as the right contractual framework.
H. Data subjects' rights will be adhered to by AIS-Salzburg. All data subjects have the right to access a copy of the personal data we hold on them.
I. Both AIS-Salzburg and any data processor authorized by AIS-Salzburg shall maintain the confidentiality of personal data under the requirements of the law and will not disclose, publish or otherwise reveal any information relating to personal data and operations performed without an appropriate legal basis allowing them to do so. Data processors authorized by AIS-Salzburg shall disclose personal data only with AIS-Salzburg authorization, unless a legal obligation requires data processors to act otherwise.
J. In case of loss or leakage of personal data or suspicions of potential loss or leakage of personal data to unauthorized persons, AIS-Salzburg shall inform the competent authorities and the relevant persons accordingly.
K. AIS-Salzburg will maintain data security by protecting the confidentiality, integrity and availability of the personal data. Confidentiality will be maintained by limiting access only to those authorized to access it. Integrity will be protected by ensuring that the personal data is accurate and suitable for the purposes for which it was collected and processed. Personal data will be made available to authorized users if they require it for authorized purposes.
IV. Sensitive Data Processing
A. AIS-Salzburg prohibits the collection or processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, physical or mental health data, trade-union membership, and the processing of data concerning health or sex life, unless:
V. Individual Notification
A. AIS-Salzburg will inform individuals of this data protection policy with notice concerning:
A. The consent of the client is defined by the GDPR as ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’ AIS-Salzburg will keep records of valid consent throughout the enrollment period of any client.
VII. Withdrawal of Consent
A. Data subjects have the right to withdraw their consent at any time. AIS-Salzburg accepts a written statement signed by the data subject which specifies the exercise of the right of withdrawal of consent. It should be forwarded to [email protected] or by mail using the school’s street address: Moosstrasse 106, 5020 Salzburg, Austria.
VII. Data Use
A. Parameters of internal personal data usage:
VIII. Data Storage
A. Personal data will be stored at AIS-Salzburg in such a form that permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods so far as the data will be processed solely for archiving purposes in the client’s or public interest or for scientific, historical, or statistical purposes with appropriate safeguards.
B. All personal data will be stored in a manner that ensures appropriate security against unlawful processing and
accidental loss, destruction or damage.
C. Security measures in place at AIS-Salzburg:
D. Security for printed data at AIS-Salzburg:
IX. Data Accuracy
A. Personal data stored and processed at AIS-Salzburg will be updated to be kept as accurate as possible. Inaccurate data will be discarded or deleted immediately. All employees at AIS-Salzburg will maintain vigilance in an effort to ensure that all stored data is accurate.
X. Transfer of Data to Third Parties
A. Authorized employees of AIS-Salzburg will remain vigilant in their transferral of personal data for purposes specifically required by professional educational practice and supported by the school’s mission. In all cases where possible, authorized employees will evaluate, with the assistance of the IT Coordinator, the security of all transfers in or outside of the EU and implement appropriate safeguards as required by the GDPR.
B. The AIS-Salzburg college counselor will require that third parties receiving personal data (e.g., universities, medical officials) prove that appropriate security measures are in place for the transfer of such data as well as the submission of further data that relies upon stored and processed personal data from clients of AIS-Salzburg.
C. The AIS-Salzburg office administration will ensure that all contracted partners and clients to which personal data is transferred prove that secure systems are in place for such transferral. In all such cases, such transfers will take place only through transparent necessity in meeting the school’s professional educational goals and mission.
XI. Data Protection Officer (DPO) at AIS-Salzburg
A. The Data Protection Officer at AIS-Salzburg is Mr. Paul McLean, [email protected], AIS-Salzburg, Moosstrasse 106, 5020 Salzburg, Austria. The DPO is required to:
XII. Employees with Access to Personal Data at AIS-Salzburg
A. Access to personal data shall be in accordance with the following limitations:
XIII. IT Manager at AIS-Salzburg with Access to Personal Data
A. The IT Manager at AIS-Salzburg will adhere to the following guidelines in the storage, processing and access of personal data:
XIV. Admissions and External Relations
A. All actions involving the processing of personal data for admissions and external relations shall be restricted by the following guidelines and limitations:
XV. Data Subject Rights
A. In the collection of personal data directly from the data subjects to whom it relates, AIS-Salzburg will make sure that those persons are aware of the following at the time when personal data are obtained: