PRIVACY POLICY AND PROCESSING OF INFORMATION

1. RIGHT TO INFORMATION

In application of the provisions of Article 11 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD) and Article 13 of the General Data Protection Regulation 2016/679 (GDPR), we describe below how personal data is processed at Kids&Us.

1.1 Definitions

For the purposes of this Privacy Policy, the following definitions shall apply:

1) Personal data: any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is any person whose identity can be established, directly or indirectly, by using an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of that person’s physical, physiological, genetic, mental, economic, cultural or social identity.

2) Processing: any operation or set of operations which is performed upon personal data or upon a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3) Profiling: any form of automated processing of personal data consisting of using such data to evaluate personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s professional performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements.

4) Pseudonymisation: processing of personal data in such a way that they cannot be attributed to a data subject without the use of additional information, provided that this information is separated and subject to technical and organisational measures designed to ensure that the personal information is not attributed to an identified or identifiable natural person.

5) File: this is a structured set of personal data accessible according to specified criteria, whether centralised, decentralised, functionally or geographically distributed.

6) Controller: the natural or legal person, public authority, service or any other body which, alone or jointly with others, decides on the purpose of the processing.

7) Processor: the natural or legal person, public authority, service or any other body processing personal data on behalf of the Controller.

8) Recipient: the person to whom personal data are disclosed, whether a third party or not. However, public authorities that can receive personal data in the framework of a specific investigation should not be considered as recipients.

9) Third party: a natural or legal person, public authority, service or body other than the data subject, the Controller, the Processor and the persons authorised to process personal data under the direct authority of the Controller or the Processor.

10) Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s agreement, by means of a clear affirmative statement or action, to the processing of personal data relating to him or her.

11) Supervisory authority: the independent public authority established by a Member State in accordance with Article 51 of the GDPR.

12) Cross-border processing:

  1. The processing of personal data carried out in the context of the activities of establishments in more than one Member State of a Controller or Processor in the European Union, if the Controller or Processor is established in more than one Member State, or
  2. Processing of personal data carried out in the context of the activities of a single establishment of a Controller or a Processor in the EU, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

1.2. What personal data are collected?

The only personal data to which Kids&Us will have access will be those provided voluntarily by the User. In this regard, it is necessary for Users to understand that in order to access some of the services offered through the website, personal data will be requested. If they are not provided, you will not be able to access or use these services and contents. You are informed that all the fields that appear on the forms must be filled in, so that the omission of any of them may result in us not being able to deal with your request, unless there are data that can be filled in voluntarily on the form.

In addition, there are accesses to applications in Google Play Store (through a link/hyperlink) with educational content to facilitate the development and learning of the proposed language (learning tools, games, among others), but Kids&Us does not process any personal data in them.

On the other hand, there is an educational content management application for parents in which Kids&Us collects personal data on students’ exam results and general student monitoring reports, as well as, by way of example, data related to student behaviour, learning, motivation and performance; invitations for tutorials; minutes; the student’s age, given name and surname; given name and surname and telephone data of the student’s parents/guardians; the course or group; timetables; class attendance record; student photos and event announcements; administrative data for billing management and activities related to the course, in order to process the data and maintain an active communication channel between the centre and the parents/guardians of the students in all matters related to the school and educational management of their children, as well as a digital agenda in which the teaching staff will record the monitoring of the student. This app requires the User to have a Google Play Store account on Android to download apps. In addition, the app may automatically collect other information, such as the type of mobile device, the User’s country, IP addresses, the mobile device’s operating system and information about how the app is used. This data will not be disclosed by Kids&Us to third parties and will only be accessed for the purpose of providing the Google Play Store service.

1.3. Who decides on the use to be made of the data and the means to be used to carry out the processing?

The Controller is:

KIDS&US ENGLISH, S.L.

Tax ID number (NIF) B-64622087

Registered address Av. Tudela no. 12

08242, Manresa, Barcelona (Spain)

Tel. no. +34 93 875 33 45

E-mail info@kidsandus.com

1.4. Who ensures that all the rules governing the processing of information by Kids&Us are correctly applied?

The data protection officer is CIPDI Tratamiento de la información, S.L., with registered office in Mataró (Barcelona), C/ Sant Agustí no. 1, 1-1, dpd@cipdi.com

1.5. For what purpose will we process your data and for how long will we keep them? What is the legal basis for this processing?

 

Purpose

Legal basis

Retention

Provision of the services you request from us

Contractual relationship

For 5 years from the end of the relationship.

Sending of information on activities by e-mail or by post

Contractual relationship and consent

Until consent is withdrawn.

Request for information

Consent

Until consent is withdrawn.

Personnel management

Contractual relationship and legal obligation

For 5 years

Supplier management

Contractual relationship and legal obligation

For 5 years

Meeting legal and contractual obligations

Contractual relationship and legal obligation

For 10 years

Image management

Consent and Article 8 of Organic Law 1/1982

Until consent is withdrawn.

Video surveillance

Legitimate interest. Security maintenance.

For a maximum of 30 days from the date of capture.

 

1.6. Do we carry out any processing of your images?

The Controller documents the public events it organises with photographs and videos for the purpose of dissemination on its website or other spaces for the public dissemination of information such as: the website itself, social networks where the Controller has created a profile and its own publications or in the press. You can obtain more information on this section by consulting the Controller’s website or by contacting its DPO.

Images may be captured for promotional purposes with the prior consent of the data subject.

1.7. Who will be able to access and know the content of your data?

In order to fulfil the above purposes, the persons and entities listed below may have access to the personal data. Their access shall be limited to the data necessary for the performance of the Controller’s tasks. Confidentiality agreements and/or specific agreements regulating access to information, security measures and the use that can be made of the data have been signed with all the entities and persons to whom the data is addressed. The following can access the data:

  1. Personnel duly authorised by the Controller.
  2. The KIDS&US ENGLISH, S.L. franchise network can be consulted on the website.
  3. Suppliers necessary to fulfil the services requested or to fulfil legal and contractual obligations. These suppliers may be located in the European Union or outside the European Union.
  4. Public administration in the field of its purview.
  5. Social networks, provided that you have given prior consent to the dissemination of identification data.

You can obtain further information from the Data Protection Officer.

1.8. Is cross-border data processing carried out?

The Controller uses the following platforms, which may involve transfer of data outside the Schengen area:

  1. Microsoft. For more information, please click on:

https://privacy.microsoft.com/es-es/privacystatement

  1. Google Workspace. For more information, please click on:

https://policies.google.com/privacy?hl=es

https://support.google.com/a/answer/2888485?hl=es

  1. Social networks that are advertised on our website.

In these cases, the transfer of data is carried out to countries considered adequate, due to their having an adaptation decision by the European Commission; or in accordance with the guarantees required by the GDPR, such as having standard data protection clauses approved by the European Commission.

All information about the rights of the Users who have allowed the digitalised processing can be found in the legal notices of the websites containing the software and applications. Since access is free, we consider the entire content of the notices to be reproduced. Given the extent of the contents of the published policies, you may request a copy by contacting the Controller or the Data Protection Officer at the addresses given in section 1.4 above.

1.9. What rights do data subjects and data owners have?

Right of access: this is regulated in Article 15 of the GDPR 2016/679, of 27 April 2016. This means asking the Controller in order to obtain, free of charge, all the information it holds regarding the personal data itself and on the communications that have been made, or are planned to be made.

Right of rectification: this is regulated in Article 16 of the GDPR. This is a request to the Controller to change the content of information about you and your data, on the instructions of the data subject.

Right of erasure: this is regulated in Article 17 of the GDPR 2016/679. This consists of asking the Controller to erase any information about the data subject’s person. Erasure means blocking all data and keeping them at the disposal of public administrations for the period of time foreseen for the right to take legal action to lapse.

Right to restrict processing: This is regulated in Article 18 of the GDPR 2016/679, of 27 April 2016. It involves asking the Controller to restrict the processing of your data when one of the following conditions is met:

  1. Personal data are not accurate.
  2. The processing is unlawful.
  3. The Controller no longer needs to process the data.
  4. When the reasons for ceasing to process the data alleged by the data subject prevail over those of the Controller.

Right to portability of information: this is regulated in Article 20 of the GDPR 2016/679, of 27 April 2016. This consists in requesting the Controller to provide the data subject’s personal data in a structured, commonly used and machine-readable format for the purpose of transmission to another Controller where the processing is carried out by automated means and is based on explicit consent.

Right to object: this is regulated in Article 21 of the GDPR 2016/679 of 27 April 2016. This is a request to the Controller to process the data according to specific instructions given by the data subject.

Right to withdraw consent: this is regulated in Article 13(2)(c) of the GDPR 2016/679, of 27 April 2016. It is an order given by the data subject to the Controller notifying him/her/it that he/she withdraws his/her consent to the processing of his/her data.

The right not to be subject to automated individual decisions: this is the request to the Controller that no decisions having legal effects be taken exclusively by machines.

To exercise the above rights you may write to the addresses of the Controller, or send an e-mail to info@kidsandus.com with the text “Data Protection” in the subject line and attaching a photocopy of your National ID document (DNI), Foreigner’s ID document (NIE) or passport.

1.10. How can I make a complaint?

You can contact the internal compliance officer using the whistleblowing channel on the website: https://denuncias.cipdi.com/kidsandus/en/

If you consider that your rights have been infringed, the competent body for the correct application of the rules on the processing of information is the Spanish Data Protection Agency, located at Calle Jorge Juan no. 6, Madrid.

1.11. What obligations do I have as a data subject?

The data subject must provide truthful and up-to-date information in all data collection processes, and is responsible for this obligation in the event of a breach.

Depending on the request made by the data subject, the data that are mandatory are already marked on the collection forms. Failure to provide the mandatory data may undermine the right to participate in the activity or prevent the provision of the requested service or performance.

1.12. Can the Controller perform profiling?

In order to provide a more personalised, careful and efficient service to the User, it is sometimes necessary to perform profiling of the recipients of the services. Profiling is not carried out without the direct involvement of a natural person.

2. USER CONSENT

It is understood that the User accepts the proposed conditions if he/she clicks on the “Accept” button found on the data collection forms, or if he/she sends a message by e-mail to the contact addresses given on the website.

Personal data are stored in the general administration database of the Controller, which, in any case, guarantees the technical and organisational measures to preserve the integrity and security of the information it processes.

3. SECURITY

The general database is equipped with the required security document and has all the technical means at its disposal to prevent the loss, misuse, alteration, unauthorised access or theft of the data you provide us with. The processing of personal data is in accordance with the provisions of Organic Law 3/2018 on data protection and guarantee of digital rights and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

4. USE OF IP ADDRESSES

To make it easier to find resources that we believe are of interest to you, you can find links to other sites on this website.

This privacy policy only applies to this website. The Controller does not guarantee compliance with these rules on other websites, nor can it be held responsible for access made via links from this site.