British International Schools

Privacy Policy

British International Schools in Sweden (BIS) is committed to data protection and to proactively addressing and correcting business practices that lead to, or potentially could lead to, violations of individuals’ privacy and breaches of applicable data protection and privacy laws.

1 Validity

The entire British Schools and British International Schools in Sweden.

2 Purpose

BIS is committed to data protection and to proactively addressing and correcting business practices that lead to, or potentially could lead to, violations of individuals’ privacy and breaches of applicable data protection and privacy laws.

BIS will always comply with data protection and privacy laws applicable where BIS operates. For companies established within the European Union (EU) and the European Economic Area (EEA) this means that they must comply with the requirements of the EU General Data Protection Regulation (GDPR) and any supplemental national laws. BIS Companies established outside the EU and EEA must comply with national data protection and privacy laws applicable where they operate.

The purpose of this document is to set out the rules and procedures to be applied when processing personal data, and to lay out certain rights of the individuals whose personal data are being processed by BIS. Should applicable national laws conflict with this document the more stringent requirements prevail.

3 Key concepts

3.1 Personal data

Personal data is any information relating to an identified or identifiable individual. An individual might be able to be identified, directly or indirectly, in particular by reference to his name or social security number, an online identifier, location data, or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural, or social identity. Examples of personal data are name, address, email address, phone number, IP address, gender, work title, CV, salary, interests, health information, marital status, and log-in details.

3.2 Processing

Processing is the legal term for handling personal data whether or not by automated means. It includes a variety of activities performed on personal data such as collection, recording, organisation, storage, adaptation, using, transmitting, and erasure.

3.3 Data subjects

Data subjects are individuals whose personal data are being processed. BIS processes personal data of various categories of data subjects such as current and former employees, parents, and students.

3.4 Controller and processor

When a company processes personal data and does so on its own initiative, determining the purposes and means of the processing of personal data, it acts as a “controller”. BIS typically acts as a controller when processing student personal data and parents’ data.

When two or more companies jointly determine the purposes and means of the data processing this is referred to as joint controllership. For instance, if two BIS companies jointly determine the purposes and means for a specific processing operation, they are deemed joint controllers.

When a company processes personal data on behalf of another company and according to its instructions, it acts as a “processor”. BIS’s suppliers frequently act as processors of BIS. Moreover, BIS sometimes acts as a processor when providing services to its customers.

4 BIS’s obligations

4.1 Principles for processing of personal data

BIS’s processing of personal data shall be based on the following principles:

  a) Lawfulness, fairness and transparency: The processing of personal data by an entity must be justified on a legitimate basis and it must be clear for the individual that personal data related to the individual are being processed, the identity of the entity doing that and for what purpose.
  b) Purpose limitation: The obligation to ensure that the purpose for the processing of personal data is specified, explicit and legitimate and that the personal data are not processed beyond this purpose.
  c) Data minimisation: The obligation to ensure that the personal data processed are adequate, relevant, and limited to what is necessary for the purpose.
  d) Accuracy: The obligation to ensure that the personal data processed are accurate and kept up-to-date, and to take every reasonable step to correct inaccurate data or erase it.
  e) Storage limitation: The obligation to ensure that personal data are not stored for a longer period than is necessary for the purposes for which the personal data are processed, which means that entities processing personal data must have visibility of their processing activities, established retention periods and/or periodic review processes.
  f) Integrity and confidentiality: The obligation to process personal data in a manner which ensures appropriate security and confidentiality of personal data and prevents unauthorised access (such as hacker attacks) or accidental loss of data.
  g) Accountability: Entities processing personal data must be able to demonstrate that they follow the obligations set out above.

4.2 Lawfulness of processing

BIS may only process personal data if a legal ground applies, such as:

  a) Consent: The data subject has agreed to the processing. Consent must be freely given, specific, and informed.
  b) Legal obligation: BIS must process the personal data to fulfil a legal obligation (e.g. personal data can be supplied to public authorities if such derives from a statutory obligation regarding reporting, information or disclosure).
  c) Performance of a contract: The processing of personal data is necessary for BIS to fulfil its obligations in a contract that it has entered into with the data subject (e.g. we process personal data for the purpose of identifying pupils, guardians or staff).
  d) Legitimate interest: BIS may process personal data when it is necessary for the purpose of its, or a third party’s, legitimate interests (e.g. keeping a database of information on students or parents, or collecting the names and phone numbers of emergency contacts for its employees).
  e) Other: There are other rare grounds on which personal data may be processed, namely the protection of the vital interests of the data subject or tasks carried out in the public interest.

5 Data subjects’ rights

Data subjects should be empowered with information and choices about how BIS processes their personal data to protect their privacy. Under the GDPR, data subjects have the following rights:

  a) Transparency: The right to receive clear and accessible information about BIS’s processing of personal data.
  b) Access rights: The right to obtain a copy of their own personal data.
  c) Right of rectification: The right to have inaccurate or incomplete data corrected.
  d) Right to object to certain processing activities: The right to cease direct marketing activities, and other processing in the absence of an overriding interest.
  e) Right against automated decision-making: The right to be excluded from certain automated decision-making processes made without their consent.
  f) Right to restriction of processing: The right to confine the use of their personal data to limited purposes.
  g) The “right to be forgotten”: The right to have personal data deleted in limited circumstances.
  h) Right to data portability: The right to have their personal data handed over to a new entity.

6 Procedures for BIS’s processing of personal data

6.1 Introduction

Prior to altering an existing data processing activity or initiating a new data processing activity the mandatory procedures set out in this section 6 must be adhered to. Any deviation from these procedures must be managed and duly reported in accordance with the deviation procedure.

6.2 BIS processing personal data as a controller

When BIS processes personal data as a controller the following procedure applies.

Any alteration of an existing information system (or application etc.) or introduction of a new information system involving the processing of personal data shall be subject to the BIS Legal Analysis for Information Systems Handling Personal Data (Legal Analysis). The Legal Analysis reflects the key legal requirements of the GDPR applicable to controllers and is also an integrated part of BIS’s accreditation process for information systems.

In certain situations, BIS will process personal data in a manner which will not be subject to the accreditation process for information systems, for example when the personal data is contained on a less sophisticated media such as an excel sheet, a word document, or a manual filing system. The introduction or alteration of any such data processing activity shall also be subject to the Legal Analysis as a separate process.

The purpose of the Legal Analysis is to ensure that processing of personal data within BIS will meet applicable legal requirements for processing of personal data, assist BIS in identifying compliance gaps, and guide BIS in selecting remedial actions to close any compliance gaps.

A BIS company not subject to the GDPR can modify the Legal Analysis to ensure compliance with data protection and privacy laws applicable to its data processing activities.

6.3 BIS processing personal data as a processor

When BIS processes personal data as a processor the following procedure applies.

Any alteration of an existing information system (or application etc.) or introduction of a new information system involving the processing of personal data acting as a processor shall be subject to the Legal Analysis. The Legal Analysis reflects the key legal requirements of the GDPR applicable to processors and is an integrated part of BIS’s accreditation process.

A BIS company not subject to the GDPR can modify the Legal Analysis to ensure compliance with data protection and privacy laws applicable to its data processing activities.

How to contact BIS 

It is important to us at BIS to hear what users have to say about our services and our policies. If you, as a site user, have any questions, concerns, or complaints, or want to let us know what you think about any of our off-line and on-line products and services, you can use our general Contact form.

If you want to access your personal data or have another request regarding it, you can do so by sending an e-mail to admissions(at)steameducation.se. BIS staff with direct access to HR Direct who wish to file a complaint or a request pertaining to their Personal Information shall contact hr(at)steameducation.se.

If you have any questions or a complaint pertaining to your Personal Information, you can also contact the Group Data Protection Officer by postal mail at:

British International Schools 

Box 5

33221 Gislaved