Personal data protection policy / Polityka ochrony danych osobowych

Embassy International School ul. Edmunda Biernackiego 10 30-043 Kraków pursuant to the law (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Flow of Such Data and Repealing Directive 95/46/EC, the so-called “GDPR”) is the Administrator of your personal data.

This means that it is responsible for its use and security. The law requires us to provide the following information.

1. In order to protect the personal data that we process to the highest possible extent we have appointed the Data Protection Officer, Ms Dorota Gross, who can be contacted in all matters related to the processing at

2. Your personal data will be processed for the following purposes:

a) admitting the child to school,

b) implementing education tasks,

c) ensuring the child’s safety during his or her stay at School,

d) enabling the child to use the full offer of the School,

e) implementing the School’s promotion activities,

f) fulfilling legal obligations incumbent on the School,

g) informing on the implementation of education and recreation tasks and the child’s behaviour,

h) performing contracts concluded with the School’s contractors,

i) in other cases, personal data is processed only on the basis of previously granted consent to the extent and for the purpose specified therein.

3. The legal basis for data processing is the following:

a) your consent (Article 6 (1) (a) of the GDPR) – e.g. given during the processing of your child’s image or other data, the processing of which does not result directly from legal provisions,

b) performance of the contract (Article 6 (1) (c) of the GDPR) – acts and executive acts such as:

– Act of 14th December 2016 – Education Law;

– Act of 7th September 1991 on the Education System;

– Act of 11th March 2004 on Tax on Goods and Services;

– Act of 26th June 1974, the Labour Code;

-Act of 20th April 2004 on Employment Promotion and Labour Market Institutions

-Act of 13th October 1998 on the Social Insurance System;

– Act of 23rd April 1964 – Civil Code.


4. Personal data is stored for the period resulting from the provisions of law and internal regulations:

a) in the case of a contract, for a period of 10 years of its termination;

b) in the case of video monitoring, up to 30 days from the moment of registration;

c) in the case of photos or videos, until the consent is withdrawn or for a period of 5 years;

d) for financial data up to 7 years;

e) in the case of employee data, from 10 to 50 years of the termination of the contract;

f) in the case of a CV, for a period of 2 years or until consent is withdrawn.


5. Your data will not be subject to profiling, i.e. automated decision making without human intervention.

6. To achieve the purposes mentioned above, we require data that will help us identify you and data, for example, on the physical and mental development and health of children. Their scope has been limited to the strict minimum. Providing some data is a statutory obligation (resulting from separate provisions), and providing other data (e.g. when we ask for your consent to process it) is voluntary.

7. With regard to the processing of personal data, the recipients of your personal data may be:


a) public authorities and entities performing public tasks or acting on behalf of public authorities, to the extent and for the purposes that result from the provisions of generally applicable law;

b) other entities which, pursuant to relevant contracts signed with the School, process personal data, the Administrator of which is the School.


8. We do not obtain data from sources other than yourself.

9. We will transfer some data outside the EEA (European Economic Area – European Union countries, Norway, Liechtenstein, Iceland) only with your consent.

10. With regard to the processing of your personal data, you have the following rights:


a) the right to access personal data, including the right to obtain a copy of this data;

b) the right to request the correction (revision) of personal data – if the data is incorrect or incomplete;

c) the right to request the deletion of personal data (the so-called right to be forgotten), if:

– the data is no longer necessary for the purposes for which it was collected or otherwise processed,

– the data subject has objected to the processing of personal data,

– the data subject has withdrawn consent on which the processing of personal data is based and there is no other legal ground for processing,

– personal data is processed unlawfully,

– personal data must be removed in order to comply with the legal obligation;

d) the right to request the restriction to the processing of personal data – in the following events:

– the data subject questions the correctness of personal data,

– data processing is unlawful, and the data subject opposes data deletion, demanding their restriction instead,

– the Administrator no longer needs the data for its purposes, but the data subject needs it to establish, defend or pursue claims,

– the data subject has objected to the processing of the data, pending determination of whether the legitimate grounds on the part of the Administrator override the grounds of objection;

e) the right to transfer personal data – if the following conditions are collectively fulfilled:

– data processing takes place on the basis of an agreement concluded with the data subject or on the basis of the consent expressed by such person,

– the processing is automated;

f) the right to object to the processing of data – if the following conditions are collectively fulfilled:

– there are reasons related to your special situation, in the case of data processing on the basis of a task carried out in the public interest or as part of the exercise of public authority by the Administrator,

– the processing is necessary for the purposes arising from the legitimate interests pursued by the Administrator or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject, requiring the protection of personal data, in particular when the data subject is a child.


11. If the processing of personal data is based on consent to the processing of personal data (Article 6 (1) (a) of the GDPR), you have the right to withdraw this consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of data, which was made on the basis of consent before its withdrawal.

12. If you believe that the School violates the provisions on the processing of your personal data, you have the right to file a complaint with the supervisory body – the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warszawa.

13. Where the processing of personal data is based on the consent of the data subject, providing your personal data to the Administrator is voluntary.

14. Providing your personal data is obligatory when the condition for processing of personal data is a legal provision or an agreement concluded between the parties.

15. Your data may be processed by automated means and will not be profiled.




Date of introducing changes to the document 19th February 2021.