PRIVACY POLICY

within OLGA GUDYNN INTERNATIONAL SCHOOL S.R.L.

with regard to EU Regulation 2016/679 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

 

Updated on 06.05.2026

OLGA GUDYNN INTERNATIONAL SCHOOL S.R.L. (hereinafter referred to as “OGIS”) complies with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation” or the “GDPR”), applicable from 25 May 2018.

As this is a European Regulation, it applies directly and uniformly in all Member States of the European Union, in order to strengthen and unify security policies in the online environment and to provide better protection for the data of all European citizens.

Respect for confidentiality and the protection of personal data are fundamental principles to which OGIS gives the necessary importance and attention, since without understanding, awareness and implementation of these principles, our current activity cannot comply with the requirements of the aforementioned European Regulation.

One of the fundamental principles of this Regulation is transparency, and through this Privacy Policy we wish to inform you about how we collect, use, transfer and protect your personal data.

OGIS reserves the right to update this Policy periodically. Any revised version will be published on the website www.olgagudynn.ro, indicating the date of revision. In the event of essential changes affecting the rights of data subjects, OGIS will ensure appropriate information through suitable means.

This Privacy Policy applies to:

1. All private pre-university educational units established by OLGA GUDYNN INTERNATIONAL SCHOOL S.R.L.:

1. “OLGA GUDYNN” BILINGUAL HIGH SCHOOL, with headquarters in Voluntari, 141 Pipera Boulevard, Ilfov County, with an extension in Voluntari, 5 Erou Iancu Nicolae Street, Ilfov County, identified by CIF 39700549;
2. “OLGA GUDYNN INTERNATIONAL SCHOOL” KINDERGARTEN, with headquarters in Voluntari, 82-84 Erou Iancu Nicolae Street, Ilfov County, identified by CIF 39700611;
3. “OLGA GUDYNN INTERNATIONAL SCHOOL” KINDERGARTEN, with headquarters in Bucharest, 6 Făgăraș Street, Sector 1, identified by CIF 39886205;
4. “OLGA GUDYNN INTERNATIONAL SCHOOL” KINDERGARTEN, with headquarters in Bucharest, 8 Ancuța Băneasa Street, Sector 2, identified by CIF 39935200;

1. All departments and all staff belonging to OLGA GUDYNN INTERNATIONAL SCHOOL S.R.L.;
2. All contractors, suppliers and other persons working on behalf of OLGA GUDYNN INTERNATIONAL SCHOOL S.R.L.

This Privacy Policy refers to personal data belonging to pupils, in their capacity as primary beneficiaries of education, candidates in the admissions process, parents and/or legal representatives, employees and candidates for positions within OGIS, persons who contact or visit us, representatives of our partners or collaborators, as well as potential collaborators.

The Policy covers data collected through the website www.olgagudynn.ro, through Schedule a Visit forms, educational or recruitment documents, email, direct interactions or during events organised by OGIS.

This Privacy Policy does not cover third-party applications and websites that persons may access by following links on our website. This is beyond our control. We encourage everyone to review the Privacy Policy of any website and/or application before providing personal data.

To the extent that OGIS uses official pages on social networks or external platforms, for example for organising online events, webinars or communication campaigns, the processing of data within those platforms is also carried out in accordance with the privacy policies of the respective providers, which generally act as independent controllers or joint controllers.

Before providing personal data through third-party applications or platforms, we recommend that data subjects consult the privacy policies and privacy settings available within those services.

Terms of the Regulation:

• Controller — in this case, OLGA GUDYNN INTERNATIONAL SCHOOL S.R.L. or any other private pre-university educational unit that processes or determines the purposes and means of processing personal data;
• Personal data — any information relating to an identified or identifiable natural person; an identifiable person is a person who can be identified, directly or indirectly, by reference to an identifier: surname/first name, address, personal identification number, email, telephone number, income, biometric data, image, IP address, or by reference to medical data, genetic data, data concerning ethnic or racial origin, political, religious, philosophical or cultural beliefs, or trade union membership;
• Data subject — any natural person whose personal data may be or are processed by the controller;
• Processing — any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1. GENERAL INFORMATION:

1.1. Who we are and how you can contact us:

OLGA GUDYNN INTERNATIONAL SCHOOL S.R.L. is a legal entity of Romanian nationality, with headquarters in Bucharest, 8 Ancuța Băneasa Street, Sector 2, registered with the Trade Registry Office attached to the Bucharest Tribunal under no. J2008006874403 and having unique identification code 13947805.

Data Protection Officer (DPO)

OGIS has appointed a Data Protection Officer (DPO), pursuant to Article 37 of Regulation (EU) 2016/679, considering the nature of its processing activities, which include data relating to minors, medical data and data processed by systematic means.

The DPO is the main point of contact for data subjects in all matters relating to data processing.

DPO contact details: dpo@olgagudynn.ro; Bucharest, 8 Ancuța Băneasa Street, Sector 2.

For the purposes of data protection legislation, we act as CONTROLLER when we process your personal data.

As we are always interested in hearing your opinions and in providing you with any additional information you may need regarding the processing of your personal data, we inform you that you may contact us at the email address dpo@olgagudynn.ro or directly by submitting a written request registered at our headquarters in Bucharest, 8 Ancuța Băneasa Street, Sector 2.

• Purpose of the General Privacy Policy:

When a natural person enters into any kind of relationship with us, they entrust us with their personal data.

The purpose of this General Privacy Policy is to explain to data subjects what data we process, why we process them and what we do with them, in our capacity as controller. We take confidentiality seriously and do not, in any form or under any circumstances, disclose personal data of any kind. Being fully aware that personal data belong to each natural person, we make every effort to store them securely and process them carefully. We do not provide information to third parties without informing the data subjects in advance or, where the situation requires it, without requesting their consent.

All information in this Privacy Policy is important. We hope it will be read carefully.

In accordance with applicable legislation, the natural person benefiting from our services or having any kind of relationship with OGIS is considered a “data subject”, namely an identified or identifiable natural person.

In order to ensure transparency regarding the processing of personal data and to allow the easy exercise, at any time, of the rights conferred by law, OGIS has implemented appropriate measures to facilitate communication between the data controller and data subjects.

• Processing of minors’ data:

With regard to minor pupils, the processing of data is based mainly on the performance of the Educational Contract, the fulfilment of OGIS’s legal obligations in the field of education, as well as the performance of tasks carried out in the public interest, and not on consent.

If you are under the age of 16, you will need the consent of your parents or legal representatives before providing us with any personal data for registration purposes or other online activities.

If you have any questions regarding the information available on this website, we recommend that you seek the support of your parents or legal representatives.

OGIS does not process data of minors under the age of 16 on the basis of the minor’s own consent.

If you are a minor and have not obtained parental consent, please do not provide personal data on our website.

Any processing of minors’ personal data is carried out exclusively under the conditions and in compliance with the applicable legal provisions.

OGIS does not make the provision of educational services conditional upon consent for additional processing that is not necessary for the conduct of the educational relationship or for the fulfilment of legal obligations.

• Commitment of OLGA GUDYNN INTERNATIONAL SCHOOL S.R.L.:

The protection of the personal data of data subjects is a priority for us. In this respect, we undertake to comply with the provisions of Regulation (EU) 2016/679, as well as the applicable national legislation in this field, taking into account the following principles:

• Lawfulness, fairness and transparency:

We process personal data lawfully and fairly. We are always transparent regarding the personal data we process, and the data subject is properly informed.

• Control belongs to the data subject:

Within the limits of the law, we provide the data subject with the opportunity to review, amend or delete the personal data they have shared with us and to exercise their other rights.

• Data integrity and purpose limitation:

We use data only for the purposes described at the time of collection or for new purposes compatible with the initial ones. In all cases, our purposes are compatible with the law. We take reasonable measures to ensure that personal data are accurate, complete and up to date.

• Security:

We have implemented reasonable security and encryption measures in order to protect information as effectively as possible. However, it should be noted that no website, application or internet connection is completely secure.

Access to personal data is granted exclusively to OGIS staff who need this information to perform their duties, based on role-based differentiated access rights and strict confidentiality obligations.

OGIS ensures that all persons processing personal data, whether employees or processors, are periodically trained regarding their obligations in the field of data protection and the applicable security measures.

1. CATEGORIES OF DATA SUBJECTS:

Within OGIS, personal data may be processed belonging to the following categories of data subjects:

1. Pupils — current, prospective and former pupils, in their capacity as primary beneficiaries of educational services;
2. Parents and/or legal representatives of pupils;
3. Candidates for employment within OGIS;
4. Employees and collaborators of OGIS and/or members of their families — for data processed for the purpose of managing employment and collaboration relationships and human resources;
5. Visitors to OGIS premises — for data processed for the purpose of ensuring the security of persons, premises and/or assets;
6. Legal representatives of legal entities with which OGIS comes into contact as partners / potential partners, collaborators and/or potential collaborators and/or suppliers;
7. Visitors to the website www.olgagudynn.ro.

III. RIGHTS OF THE DATA SUBJECT:

OGIS respects all rights of data subjects provided by the GDPR and undertakes to ensure appropriate means for exercising them, in accordance with the details set out below.

3.1. Right of access to personal data:

Any data subject has the right to obtain from OGIS, when it acts in its capacity as Controller, upon request and free of charge, confirmation as to whether or not data concerning them are being processed, and, where that is the case, information shall be provided regarding: the purposes of the processing; the categories of data concerned; the recipients or categories of recipients of the data, in particular recipients in third countries or international organisations; where possible, the period for which the personal data are expected to be stored or, if this is not possible, the criteria used to determine that period;

• The right to request rectification of inaccurate data or completion of incomplete data;

The data subject has the right to obtain from OGIS, without undue delay, the rectification of inaccurate personal data concerning them.

The data subject also has the right to obtain the completion of personal data that are incomplete, including by providing a supplementary statement.

• The right to erasure of data (“the right to be forgotten”), under the conditions provided by law;

The data subject has the right to obtain the erasure of personal data concerning them without undue delay, and OGIS has the obligation to erase the data without undue delay where:

• the data are no longer necessary for the purposes for which they were collected or processed;
• the data subject withdraws the consent on which the processing is based;
• the personal data have been unlawfully processed;
• the data subject exercises the right to object under the GDPR;

Personal data may be erased where this is necessary for compliance with a legal obligation to which the controller is subject; at the same time, OGIS, as data controller, may refuse an erasure request in the following situations:

• the processing is necessary for exercising the right of freedom of expression and information;
• the processing is necessary for compliance with a legal obligation applicable to the controller;
• the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, under the conditions of the GDPR, insofar as exercising the right could make impossible or seriously impair the achievement of the objectives of that processing;
• the processing is necessary for the establishment, exercise or defence of legal claims.

• The right to restriction of processing

The data subject has the right to obtain from OGIS restriction of processing in the following cases:

• the data subject contests the accuracy of the data, for a period enabling the controller to verify the accuracy of the data;
• the processing is unlawful, but the data subject opposes the erasure of the personal data and requests instead the restriction of their use;
• OGIS no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
• the data subject has objected to processing, for the period during which it is verified whether the legitimate grounds of the controller override those of the data subject.

• The right to object:

The data subject has the right:

• to object at any time, on justified and legitimate grounds relating to their particular situation, to data concerning them being processed, except where there are legal provisions to the contrary. In the event of a justified objection, the processing may no longer concern the data in question unless there are compelling legitimate grounds that justify the processing and override the rights of the data subject, or where the purpose is the establishment, exercise or defence of legal claims;
• to object at any time, free of charge and without any justification, to the processing of data concerning them for direct marketing purposes, including profiling related to such direct marketing.

• The right to data portability

The data subject has the right:

• to receive the personal data concerning them which they have provided to OGIS in a structured, commonly used and machine-readable format and to
• transmit those data to another controller without hindrance from OGIS to which the personal data have been provided, where: (a) the processing is based on consent or on a contract; and (b) the processing is carried out by automated means.

In exercising their right to data portability, the data subject has the right to have their data transmitted directly from one controller to another, where technically feasible.

3.7. The right to withdraw your consent:

Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out before its withdrawal. Withdrawal does not affect processing carried out on the basis of other legal grounds.

Methods for withdrawing consent:

• Written request sent to: dpo@olgagudynn.ro;
• The “unsubscribe” option in the electronic communications received;
• Written request submitted at the OGIS headquarters.

3.8. The right not to be subject to automated decision-making:

OGIS does not carry out automated profiling and does not make decisions based solely on automated processing. All decisions concerning pupils, parents or employees are made by authorised staff, with human involvement, in accordance with Article 22 of the GDPR.

3.9. The right to address the competent courts:

The data subject has the right to address the competent courts for the protection of their rights.

3.10. The right to lodge a complaint with ANSPDCP

The data subject may lodge a complaint with the National Supervisory Authority for Personal Data Processing (A.N.S.P.D.C.P.) through the website www.dataprotection.ro.

1. PURPOSES OF PROCESSING ACTIVITIES WITHIN OGIS:

OGIS processes personal data for the following purposes, as set out below:

4.1. Managing the application and admissions process within OGIS — The processing of personal data is carried out at the pre-contractual stage, before the conclusion of the Educational Contract and the Financial Agreement, for the purpose of managing the application and admissions process within OGIS, including but not limited to:

• assessing the pupil’s eligibility for the chosen educational programme;
• analysing compatibility with the school’s academic profile;
• organising interviews and, where applicable, academic testing;
• checking the submitted school documents, as well as the legal situation regarding the exercise of parental authority, where applicable;
• communicating the final admissions decision, whether admitted or rejected;
• managing all administrative aspects preceding the conclusion of the Educational Contract.

• Providing educational services — for the proper conduct of the contractual relations established through the Educational Contract and the Financial Agreement, including but not limited to: carrying out the enrolment and re-enrolment process, preparing and assessing pupils, assigning them to classes, drafting and implementing the calendar of educational, artistic and extracurricular activities, organising and conducting the teaching and learning process, as well as administering internal and public examinations;

• Organising internal and international assessments;

• Managing educational platforms;

• Collaboration with international educational bodies: the processing of personal data is carried out for the purpose of managing institutional and academic relations with international educational bodies, such as Cambridge Assessment International Education and the International Baccalaureate Organization, including for: registering and enabling pupils to participate in international programmes and assessments, managing examinations and certifications, reporting academic results, as well as fulfilling administrative and compliance obligations imposed by these bodies;

• Providing auxiliary educational services: personal guidance, orientation towards areas of interest and personal counselling, library services, extracurricular activities, school trips, publications and projects belonging to OGIS.

• Human resources activities — data processing is carried out for the purpose of recruitment and selection processes, including but not limited to communication with candidates for positions offered by OGIS, the conclusion and performance of individual employment contracts, management of employment relationships, fulfilment of related legal obligations, such as tax, occupational health and safety obligations, and for internal administrative purposes.

• Managing financial obligations, the relationship with data subjects and defending OGIS’s rights: The processing of personal data is carried out for the purpose of managing financial obligations, including invoicing, payment processing, collection of all fees, debt collection and activities related to the recovery of receivables, through banking institutions or other payment service providers, as well as for fulfilling applicable accounting and tax obligations. Data may also be processed for the purpose of managing and resolving complaints and notifications, as well as for establishing, exercising or defending the rights and legitimate interests of OGIS before the competent authorities and/or courts.

• Administration of IT platforms and the website: Data processing is carried out for the purpose of administering, operating and securing OGIS information systems and website, including for: managing user accounts, where applicable, ensuring the technical functionality of the website, improving the user experience, analysing traffic and preventing abusive or fraudulent use of information systems.

• Communication with website visitors and interested persons: Data processing takes place for the purpose of managing requests submitted through contact forms, email or other means of communication, including for providing information regarding the educational offer, the admissions process or other services provided by OGIS.

• Fulfilling legal and compliance requirements: Data processing takes place for the purpose of complying with OGIS’s legal obligations, including in the fields of education, tax, accounting and archiving, as well as for convening and informing members of management bodies, resolving various requests, communicating or reporting to public authorities or competent public institutions/agencies, both in Romania and in the European Union.

• Ensuring the security of persons, premises and assets: Data processing is carried out for the purpose of ensuring the physical security of persons and assets, including through the use of video surveillance systems, access control and other technical and organisational measures aimed at preventing and managing security incidents.

• Marketing and promotional activities: Data processing is carried out for the purpose of promoting the educational services offered by OGIS, including by sending informational communications, newsletters, event invitations, educational campaigns, publishing photo-video materials and other institutional communication activities, under the conditions of the law and, where applicable, based on the consent of the data subjects. Direct marketing communications, such as newsletters, event invitations and educational campaigns, sent by email, SMS or other electronic channels, take place exclusively on the basis of the prior consent of the data subject, in accordance with Article 6(1)(a) GDPR and legislation on electronic communications.

Consent for marketing communications is not a condition for concluding or performing the Educational Contract, and refusal or withdrawal of consent does not affect in any way the quality of the educational services provided by OGIS.

Data subjects may withdraw their consent for marketing communications at any time by using the unsubscribe option in each message, by sending a request to dpo@olgagudynn.ro or by submitting a written request directly at the OGIS headquarters, without any cost and without negative consequences.

• Institutional communication with parents — sending various messages related to pupils and OGIS activities by any means of communication;

• Organising educational events and extracurricular activities: The processing of personal data is carried out for the purpose of organising and conducting school and extracurricular events, including but not limited to: fundraising activities, concerts, theatre performances, talent shows, charitable and ecological actions, trips, camps, international exchanges; collaboration with international bodies, such as Cambridge Assessment International Education and the International Baccalaureate Organization; as well as any other educational and community events. Data may also be processed for the purpose of communications related to these activities, including informational and marketing communications regarding events and fundraising campaigns organised by OGIS, under the conditions of the law.

• Providing medical care and support services: The processing of personal data is carried out for the purpose of ensuring the health and safety of pupils, including for providing medical care, managing emergency situations, monitoring health status, as well as providing psychological or specialist counselling services, under the conditions of the law and in compliance with the confidentiality of sensitive data.

• Resolving and managing disputes: The processing of personal data may take place for the purpose of preventing, managing and resolving disputes, including for establishing, exercising or defending the rights and legitimate interests of OGIS before the competent authorities, courts or other entities involved.

1. CATEGORIES OF PERSONAL DATA:

Depending on the purposes mentioned above, OGIS processes the following categories of personal data, without being limited to them:

5.1. Identification data of parents/legal representatives, as well as of other persons who may be contacted in case of emergency: surname, first name, citizenship, nationality, domicile/residence, data contained in identity documents, identity card/passport, including photograph, as well as other information necessary for identifying and contacting them;

5.2. Identification data of pupils: surname, first name, date and place of birth, domicile/residence, citizenship, nationality, gender — according to the birth certificate and/or passport or national identity card for pupils who have reached the age of 14, data from identity documents, including photograph;

5.3. Contact details of pupils, parents/legal representatives: telephone number, email and any other data necessary for communication in the context of providing educational services;

5.4. Information regarding the family and family environment: language spoken within the family, parents’ profession and workplace, their marital status, as well as any other data relevant to the pupil’s educational context;

5.5. Exercise of parental authority — where there is additional information resulting from court decisions or other official documents made available to OGIS, including any restrictions or conditions regarding the exercise of parental rights;

5.6. Medical data relevant to schooling, such as data from the medical file, medical history, allergies, immunisation/vaccination data, psychomotor conditions, medical examination results and any other data necessary to ensure the health and safety of pupils;

5.7. Academic data and school results — academic results, assessments, disciplinary records or any other related information, academic references, special educational needs, hobbies, assessment test results, feedback, as well as any other information regarding the pupil’s educational pathway;

5.8. Behavioural data and preferences: information regarding pupils’ behaviour, interests and preferences, relevant to the educational process;

5.9. Special categories of data:

In carrying out its educational activity, OGIS also processes special categories of data within the meaning of Article 9(1) of Regulation (EU) 2016/679, namely data concerning pupils’ health, such as allergies, vaccinations, medical conditions, psychological data and medical history.

This processing is carried out exclusively on the basis of:

• Article 9(2)(c) GDPR — protecting the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent;
• Article 9(2)(g) GDPR — reasons of substantial public interest, on the basis of Union law or national law, in particular educational and health legislation applicable to educational units.

Pupils’ medical data are processed exclusively by authorised staff, such as management, medical staff or designated counselling staff, and are not disclosed to third parties without an appropriate legal basis.

5.10. Photographs and video recordings — photographs and video recordings taken during school, educational or extracurricular activities;

5.11. Data concerning the use of educational platforms and information systems: authentication data, platform access history, activity carried out within them, as well as other information generated through the use of information systems made available by OGIS;

5.12. Financial and banking data: data necessary for managing contractual relations and financial obligations, including bank account (IBAN), account holder name, information regarding payments made, such as amounts paid and payment history, records of outstanding debts, transaction details, as well as other information necessary for payment processing, invoicing, accounting, debt recovery and fulfilment of legal tax obligations.

5.13. Data collected through the website and online information systems: IP address, data regarding the device used, such as device type, operating system and browser, online identifiers, cookies and similar technologies, website browsing data, such as pages accessed, duration of visit and actions performed, as well as other information automatically generated through the use of the OGIS website or online platforms, used for technical operation, security, analysis and improvement of the services provided.

5.14. Personal data belonging to employees – OGIS processes, for the purpose of managing employment relationships and fulfilling legal obligations, the following categories of personal data of employees, without being limited to them:

1. a) Identification and contact data: surname, first name, personal identification number, date and place of birth, nationality, citizenship, domicile/residence address, data from the identity card/passport, including photograph; telephone number, email address and other contact details;
2. b) Data regarding personal situation: marital status and, where applicable, information regarding dependants or designated beneficiaries;
3. c) Financial and remuneration data: information regarding salary, compensation, bonuses, incentives and other financial benefits, including amounts paid, frequency and method of payment, as well as data necessary for social and tax contributions;
4. d) Data regarding benefits granted: information relating to insurance, including health insurance, pension contributions and other benefits offered, including data regarding beneficiaries;
5. e) Data regarding professional and educational background: professional history, studies, qualifications, certifications and other information relevant to the work performed;
6. f) Data regarding professional performance: evaluations, activity reports and other records regarding employee performance;
7. g) Organisational data: position held, department, length of service and other information related to internal organisation;
8. h) Data regarding the use of IT systems: authentication data, username, access rights, activity in information systems and other data associated with the use of OGIS IT resources;
9. i) Image and audio-video data: image captured through video surveillance systems or during activities organised by OGIS;
10. j) Other data provided by the employee: any other information voluntarily communicated by the employee in the context of the employment relationship.

5.15. Signature:

1. a) For pupils and parents/legal representatives – signature data – handwritten and/or electronic signature of pupils, where applicable, as well as of parents/legal representatives, used in educational, contractual documents, declarations, agreements and other official documents, for their acknowledgement and validation.
2. b) For employees – signature data – handwritten and/or electronic signature used in the individual employment contract, human resources documents, internal documents, declarations and other documents related to the employment relationship.

5.16. Personal data belonging to legal representatives of private paying entities

OGIS processes, for the purpose of managing contractual and financial relations with private paying entities, the following categories of personal data of their legal representatives, without being limited to them:

1. a) Identification data: surname, first name, position/role within the entity, data contained in identity documents, where applicable;
2. b) Contact details: telephone number, professional and/or personal email address, as well as other data necessary for communication;
3. c) Data regarding the contractual relationship: information necessary for concluding and performing contracts, including handwritten and/or electronic signature, correspondence, payment instructions and other information relevant to the conduct of the contractual relationship;
4. d) Associated financial data, where applicable: information regarding payments made or to be made on behalf of the entity, to the extent that such information is communicated or managed through the legal representative;
5. e) Other data provided directly: any other information communicated by legal representatives in the context of the relationship with OGIS.

5.17. Personal data of legal representatives of partners and collaborators

OGIS processes, for the purpose of initiating, conducting and managing contractual or collaboration relationships, personal data belonging to legal representatives and/or contact persons designated by partners, collaborators or suppliers, without being limited to them:

1. a) Identification data: surname, first name, function/position within the entity;
2. b) Contact details: telephone number, professional email address and/or other data necessary for communication;
3. c) Data regarding the contractual or collaboration relationship: information necessary for concluding and performing contracts or agreements, including handwritten and/or electronic signature, professional correspondence, operational instructions and other data relevant to the conduct of the relationship;
4. d) Associated financial data, where applicable: information regarding payments made or to be made within the contractual relationship, to the extent that such information is communicated through the contact persons;
5. e) Other data provided directly: any other information communicated by representatives of partners, collaborators or suppliers in the context of the relationship with OGIS.

5.18. Source of personal data:

OGIS collects personal data from the following sources, depending on the method of processing:

1. a) Directly from data subjects — through enrolment forms, educational contracts, agreements, correspondence, email, telephone, online platforms or direct interaction with OGIS;
2. b) From parents or legal representatives — in the case of pupils, data are provided mainly by parents or legal representatives during the admissions and enrolment process and throughout the educational relationship;
3. c) From official documents — such as birth certificates, identity documents, school documents, medical documents or court decisions made available to OGIS;
4. d) From interaction with the systems and platforms used — including educational platforms, internal information systems or the OGIS website, for example authentication data, online activity and technical data such as IP address;
5. e) From institutional partners or educational organisations — such as international bodies, for example educational programmes, to the extent that this is necessary for the provision of educational services;
6. f) From third parties on the basis of contractual or legal relationships — such as suppliers, partners, collaborators or public authorities, under the conditions of the law;
7. g) Through the use of the website and similar technologies — including cookies and other tracking technologies, in accordance with the applicable cookie policy available on the website olgagudynn.ro

The use of cookies and similar technologies on the OGIS website and online platforms is detailed in the Cookie Policy.

Cookies strictly necessary for the operation of the website are used without consent, on the basis of OGIS’s legitimate interest in ensuring the functionality and security of IT systems, while analytical or marketing cookies are used only on the basis of the visitor’s freely given consent, obtained through the consent banner.

Data subjects may change their cookie options at any time through their browser settings or through the consent management interface available on the OGIS website.

VI. LEGAL BASIS FOR PROCESSING OPERATIONS REGARDING PERSONAL DATA:

6.1. OGIS processes personal data on the basis of one of the following legal grounds, expressly provided by the GDPR — Article 6:

1. a) Consent of the data subject — where the data subject has given consent to the processing of their personal data for one or more specific purposes — Article 6(1)(a) of Regulation GDPR 2016/679;
2. b) Performance of a contract and pre-contractual steps — where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, for example the admissions process — Article 6(1)(b) of Regulation GDPR 2016/679;
3. c) Compliance with a legal obligation — where processing is necessary for compliance with legal obligations to which OGIS, as data controller, is subject — Article 6(1)(c) of Regulation GDPR 2016/679;
4. d) Protection of vital interests — where processing is necessary in order to protect the vital interests of the data subject or of another natural person, for example in medical emergencies — Article 6(1)(d) of Regulation GDPR 2016/679;
5. e) Performance of a task carried out in the public interest — where processing is necessary for the performance of tasks serving the public interest or arising from legal responsibilities specific to the field of education — Article 6(1)(e) of Regulation GDPR 2016/679;
6. f) Legitimate interest of the controller – where processing is necessary for the purposes of the legitimate interests pursued by OGIS, provided that these interests are not overridden by the fundamental rights and freedoms of the data subject, especially where the data subject is a child — Article 6(1)(f) of Regulation GDPR 2016/679;
7. g) Substantial public interest in conjunction with national legislation applicable to educational units — Article 9(2)(a) and (g) of Regulation GDPR 2016/679 — in the case of health data.

6.2. Procedure for withdrawing consent:

Data subjects have the right to withdraw, at any time, the consent given for the processing of personal data for the purposes for which it was granted, without affecting the lawfulness of processing carried out before the withdrawal.

Withdrawal of consent may be carried out through the following means:

• sending a written request to the OGIS email address indicated in this policy;
• using the unsubscribe option available in the electronic communications received — in the case of newsletters;
• submitting a written request at the OGIS headquarters.

OGIS will process the request to withdraw consent as soon as possible, but no later than 10 working days from receipt.

After the request has been processed, the data subject will receive confirmation of the withdrawal of consent.

Withdrawal of consent does not affect processing carried out for other purposes, on the basis of other legal grounds, for example performance of a contract or compliance with legal obligations.

VII. TRANSFERS:

7.1. Considering its status as an educational institution with an international profile, certified to deliver Cambridge and International Baccalaureate (IB) programmes, OGIS collaborates with educational partners, specialised providers and competent authorities in Romania and abroad.

7.2. The personal data held by OGIS have been provided directly by parents or have resulted from the interaction of parents and pupils with OGIS institutions.

7.3. In this context, certain personal data may be communicated to strictly determined third parties, exclusively to the extent necessary for achieving educational, administrative or organisational purposes and only on the basis of an applicable legal ground, while respecting the principles of minimisation, proportionality and confidentiality.

7.4. OGIS confirms that the personal data obtained are stored securely or destroyed, and in this regard we inform data subjects that data processing agreements exist with the software provider(s), through which they have in turn assured us that they comply with the GDPR.

OGIS may disclose the data of data subjects, in compliance with applicable law, to business partners or other third parties, such as its own processors.

7.5. We constantly make reasonable efforts to ensure that these third parties have implemented appropriate protection and security measures. We have contractual clauses with these third parties so that the data of data subjects are protected.

7.6. Data may be transmitted, where applicable, to the following categories of recipients:

1. a) international educational bodies, such as Cambridge Assessment International Education and the International Baccalaureate Organization (IB), for the purpose of registering pupils in international academic programmes, managing examinations, validating results and issuing internationally recognised certificates. Transfers are carried out in accordance with the provisions of Regulation (EU) 2016/679, on the basis of appropriate safeguards, such as standard contractual clauses or other applicable legal mechanisms, and with additional protection measures;

In relation to international educational bodies, Cambridge Assessment International Education and the International Baccalaureate Organization, OGIS acts mainly as an independent data controller, while these organisations generally act as independent controllers for their own processing activities.

In certain educational programmes or projects, Cambridge Assessment International Education and/or the International Baccalaureate Organization may act as joint controllers, in which case the respective responsibilities are established in accordance with Article 26 GDPR and communicated to data subjects, where applicable.

Detailed information regarding the processing of data by Cambridge Assessment International Education and the International Baccalaureate Organization may be consulted in the privacy policies published by these bodies, which apply in addition to this Policy.

1. b) IT service providers and educational platforms for the administration of the digital infrastructure, platforms and information systems used in the educational process. These providers act, where applicable, as data processors of the controller, on the basis of contracts concluded in accordance with Article 28 GDPR, which include strict obligations regarding data security and confidentiality;
2. c) travel agencies and transport providers in the case of organising trips, camps or educational exchanges, exclusively for the data necessary for making bookings, ensuring transport and managing the related logistics;
3. d) external consultants, including tax, legal and accounting consultants and lawyers, strictly to the extent that access to data is necessary for providing specific services, defending our rights in court or fulfilling our legal obligations, such persons being bound by strict confidentiality obligations;
4. e) photo-video service providers during school events, competitions, educational projects or public events organised by OGIS, for documenting and reflecting the institution’s activities, under the conditions of the consent expressed and on the basis of contractual confidentiality obligations;
5. f) banking institutions and payment service providers, for the purpose of processing payments, collecting fees and managing financial operations related to the contractual relationship, exclusively for the data necessary for carrying out the transactions;
6. g) public authorities and institutions where there is a legal obligation or an official request made pursuant to the powers provided by law, for example educational authorities, tax authorities and courts, within the limits established by the applicable legal framework.

7.7. Transfers of personal data to international educational partners are carried out in strict compliance with the requirements set out in Articles 44-49 of Regulation GDPR 2016/679. Thus, transfers to Cambridge Assessment International Education (United Kingdom — third country post-Brexit) are based on the European Commission’s adequacy decision regarding the United Kingdom or on the standard contractual clauses adopted by Decision (EU) 2021/914, as applicable, while transfers to the International Baccalaureate Organization (Switzerland — third country with an adequacy decision) are carried out on the basis of appropriate safeguards. In addition, before any transfer to a third country, OGIS carries out a Transfer Impact Assessment (TIA), analysing whether the legal framework of the recipient country ensures a level of protection essentially equivalent to that in the European Union, including from the perspective of public authorities’ access to the transferred data, in accordance with EDPB Recommendations 01/2020.

VIII. AUDIO-VIDEO SURVEILLANCE OF EXAMINATIONS:

8.1. In accordance with the provisions of Law no. 198/2023 on pre-university education, as well as with the specific regulations of the normative acts applicable to the organisation of national and international examinations, including Cambridge Assessment International Education and the International Baccalaureate Organization, OGIS may use audio-video surveillance systems during certain assessments, written tests or official examinations.

8.2. Audio-video surveillance has the following purposes:

1. a) ensuring the integrity and fairness of the examination process;
2. b) preventing and deterring fraud;
3. c) eliminating suspicions regarding the favouring or disadvantaging of candidates;
4. d) protecting the security of participants and staff involved;
5. e) ensuring procedural traceability in cases of appeals or checks.

8.3. The processing of data resulting from audio-video surveillance is carried out on the basis of:

1. a) Article 6(1)(c) GDPR — legal obligation provided by educational legislation;
2. b) Article 6(1)(f) GDPR — legitimate interest regarding fraud prevention and protection of the integrity of examinations.

8.4. Surveillance systems are configured so that:

1. a) they cover exclusively the space necessary for conducting the examination;
2. b) they do not aim to intrude into the private life of data subjects;
3. c) they do not aim to collect special categories of data.

8.5. Access to recordings is strictly limited to authorised persons, such as management, the examination committee and designated responsible persons, and the storage period is limited to the period necessary to fulfil the purpose for which they were collected or according to applicable legal obligations.

8.6. Data resulting from examination surveillance are not used for commercial purposes and are not made public.

9. SAFETY OF EDUCATIONAL PREMISES AND ACCESS MONITORING:

9.1. For the protection of pupils, staff and the institution’s assets, OGIS implements appropriate security measures within its premises. In this respect, school premises are monitored through video surveillance systems, and access to the premises is managed through appropriate control measures. Consequently, when present on OGIS premises, whether as a pupil, parent or legal representative of a pupil, personal data may be processed, including images resulting from surveillance systems.

9.2. The processing of these data is carried out on the basis of the controller’s legitimate interest, pursuant to Article 6(1)(f) of Regulation (EU) 2016/679 (GDPR), with the purpose of ensuring a safe educational environment, preventing incidents and protecting the school community.

9.3. Recorded images are stored for a maximum period of 21 days from the date of capture, after which they are automatically deleted, except where their retention is necessary for resolving incidents or fulfilling a legal obligation.

9.4. Monitoring systems are configured in a proportionate manner, covering exclusively the areas necessary for ensuring security, without affecting the private life of data subjects.

10. PERSONAL DATA STORAGE PERIOD

10.1. OGIS retains personal data exclusively for the period necessary to fulfil the purposes for which they were collected, as well as in accordance with the legal obligations applicable to educational units, as follows:

1. a) academic data, such as school registers, academic records, assessment results, diplomas and documents relating to the educational pathway, are retained in accordance with the educational legislation in force, some of them being subject to indefinite archiving;
2. b) contractual and administrative data are stored throughout the contractual relationship and subsequently for a period of 5 years after its termination, taking into account statutory limitation periods and tax and accounting obligations;
3. c) images used for promotional purposes, such as photographs and video materials taken during school events, are retained for a maximum period of 5 years from the date they were taken or until consent is withdrawn, if this occurs before the expiry of that period. Upon expiry of this period, the materials will be deleted or anonymised;
4. d) data resulting from video surveillance are stored for a maximum period of 21 days from the date of recording, after which they are automatically deleted, except where their retention is necessary for investigating incidents, resolving complaints or fulfilling a legal obligation.

10.2. OGIS periodically reviews data retention periods to ensure that data are not kept longer than necessary and that the principles of minimisation and storage limitation provided by Regulation (EU) 2016/679 are respected.

11. METHODS FOR EXERCISING RIGHTS. ADDITIONAL INFORMATION

11.1. OGIS informs each data subject that:

1. a) if they wish to exercise their rights, they may do so by submitting a written request at the OGIS headquarters in Bucharest, 8 Ancuța Băneasa Street, Sector 2, marked “For the attention of the DPO”, or at the email address: dpo@olgagudynn.ro;
2. b) the rights listed above are not absolute and may be subject to exceptions; therefore, each request received will be analysed individually, and the data subjects will be informed of the solution adopted;
3. c) OGIS will respond to your request within a maximum of 30 days. However, this period may be extended depending on the complexity of the request, the large number of requests received or the inability to identify the applicant within a useful timeframe;

OGIS does not carry out automated profiling and does not make decisions based solely on automated processing of personal data, including through the digital educational platforms it uses. All decisions concerning pupils, parents or employees are made by authorised OGIS staff, with human involvement, in accordance with Article 22 of Regulation (EU) 2016/679. Data generated through the use of digital platforms are processed exclusively for technical, educational and administrative purposes, without being subject to automated decision-making processes.

In the event of a security breach involving personal data, OGIS will notify the National Supervisory Authority for Personal Data Processing within a maximum of 72 hours from becoming aware of it, in accordance with Article 33 of Regulation GDPR 2016/679. The notification will include, to the extent that the information is available, the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, as well as the measures taken or proposed to remedy the situation. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, OGIS will also inform the affected persons directly, without undue delay, pursuant to Article 34 of Regulation GDPR 2016/679, in order to allow them to take the necessary protective measures.

OGIS has appointed a Data Protection Officer (DPO), pursuant to Article 37 of Regulation (EU) 2016/679, considering the nature of its processing activities, which include data relating to minors, medical data and data processed by systematic means. The DPO is the main point of contact for data subjects in all matters related to the processing of personal data and may be contacted at dpo@olgagudynn.ro or directly at the OGIS headquarters in Bucharest, 8 Ancuța Băneasa Street, Sector 2.

12. TABLE OF PROCESSING ACTIVITIES:

The table below correlates the purposes of processing with the categories of data, data subjects, legal bases and retention periods, in accordance with Articles 13-14 of Regulation (EU) 2016/679.

Purpose of processing	Categories of data processed	Data subjects	Legal basis (Article 6 GDPR)	Retention period
I. PUPILS AND PARENTS / LEGAL REPRESENTATIVES
Managing the application and admissions process	Identification data of pupils and parents, school documents, data regarding parental authority	Pupils, current/prospective, parents/legal representatives	Article 6(1)(b) — contract Article 6(1)(e) — public interest	For the duration of the admissions process; files of admitted pupils — for the duration of schooling + 5 years
Providing educational services	Identification data, academic data, relevant medical data, contact details, signature	Pupils, parents/legal representatives	Article 6(1)(b) — contract Article 6(1)(c) — legal obligation Article 6(1)(e) — public interest	For the duration of the Educational Contract; academic documents — indefinitely, in accordance with the law
Organising internal and international assessments (Cambridge, IB)	Identification data, academic data, assessment results	Pupils	Article 6(1)(b) — contract Article 6(1)(c) — legal obligation Article 6(1)(e) — public interest	According to Cambridge/IB requirements + national legal obligations
Managing digital educational platforms	Authentication data, platform activity, IT usage data	Pupils, parents, employees	Article 6(1)(b) — contract Article 6(1)(f) — legitimate interest	For the duration of the contractual relationship; technical logs — maximum 12 months
Providing auxiliary services, counselling, library, extracurricular activities	Identification data, preferences, behavioural data, medical data, where applicable	Pupils, parents/legal representatives	Article 6(1)(b) — contract Article 6(1)(a) — consent, special data	For the duration of the contractual relationship or until consent is withdrawn
Providing medical care and psychological support services	Medical data, health history, allergies, vaccinations, psychological data	Pupils	Article 6(1)(d) — vital interests Article 9(2)(c) — protection of vital interests Article 9(2)(g) — substantial public interest	For the duration of schooling + 5 years or according to applicable health regulations
Institutional communication with parents	Contact details, telephone, email, data regarding the pupil	Parents/legal representatives	Article 6(1)(b) — contract Article 6(1)(c) — legal obligation	For the duration of the Educational Contract
Organising educational events and extracurricular activities	Identification data, photographs/videos, contact details, medical data, emergencies/trips	Pupils, parents/legal representatives	Article 6(1)(b) — contract Article 6(1)(a) — consent, photo/video	Promotional photo/video — maximum 5 years or until consent is withdrawn
II. EMPLOYEES AND CANDIDATES FOR EMPLOYMENT
Recruitment and staff selection	CV, cover letter, identification data, professional references, criminal record, certificates	Candidates for employment	Article 6(1)(b) — pre-contractual steps Article 6(1)(c) — legal obligation	Selected candidates — for the duration of the employment relationship; rejected candidates — maximum 6 months, or with consent
Performance of the individual employment contract and management of the employment relationship	Identification data, personal identification number, financial/salary data, performance, IT data, CCTV image	Employees	Article 6(1)(b) — contract Article 6(1)(c) — legal obligation Article 6(1)(f) — legitimate interest	For the duration of the contract + 5 years; tax/accounting documents — 10 years
Fulfilment of legal obligations, occupational health and safety, tax, reporting	Identification data, personal identification number, medical data, occupational medicine, financial data	Employees	Article 6(1)(c) — legal obligation Article 9(2)(b) — obligations in the field of employment	According to specific legal terms, occupational health and safety files — 5 years; payroll records — 50 years
III. SECURITY, WEBSITE AND MARKETING
Video surveillance of educational premises (CCTV)	Video image, recordings, data regarding access to the premises	Pupils, parents, employees, visitors	Article 6(1)(f) — legitimate interest, security	Maximum 21 days, except for incidents under investigation
Audio-video surveillance of examinations	Image and sound recorded in the examination room	Pupils/candidates, invigilators	Article 6(1)(c) — legal obligation Article 6(1)(f) — legitimate interest, examination integrity	For the period necessary to resolve appeals or according to Cambridge/IB regulations
Administration of the website and IT systems	IP address, cookies, browsing data, device/browser type, online identifiers	Website visitors, platform users	Article 6(1)(f) — legitimate interest, IT security Article 6(1)(a) — consent, non-essential cookies	Essential cookies — session; analytical cookies — maximum 13 months; technical logs — maximum 12 months
Marketing and institutional promotion activities	Contact details, photographs/videos from school activities, data regarding preferences	Pupils, parents, potential clients, website visitors	Article 6(1)(a) — consent	Until consent is withdrawn; photo/video materials — maximum 5 years
IV. PARTNERS, COLLABORATORS AND FINANCIAL OBLIGATIONS
Managing relationships with partners, collaborators and suppliers	Identification and contact data of representatives, contractual data, signature	Legal representatives of partners/suppliers	Article 6(1)(b) — contract Article 6(1)(f) — legitimate interest	For the duration of the contractual relationship + 5 years
Managing financial obligations, invoicing, payments, debt recovery	Identification data, IBAN, payment history, outstanding debts, tax data	Parents/payers, representatives of private entities	Article 6(1)(b) — contract Article 6(1)(c) — legal obligation, tax/accounting	10 years according to accounting and tax legislation
Fulfilling legal requirements and reporting to authorities	Identification data, academic data, financial data, any data legally requested	All categories of data subjects	Article 6(1)(c) — legal obligation Article 6(1)(e) — public interest	According to the specific legal terms for each reporting obligation
Resolving disputes and defending rights in court	Any data relevant to the disputed matter	All categories of data subjects involved	Article 6(1)(f) — legitimate interest Article 6(1)(c) — legal obligation	For the duration of the dispute + 5 years from final resolution

Relevant electronic correspondence, emails and other official communications exchanged with parents, pupils, candidates, partners or authorities is generally retained for the period necessary to resolve the requests or matters discussed and subsequently for a maximum period of 5 years, taking into account the applicable limitation periods and OGIS’s legitimate interest in defending its rights and interests.

Data provided through visit scheduling forms, where they do not lead to the conclusion of an Educational Contract, are retained for a maximum period of 12 months from the last interaction, after which they are deleted or anonymised, except where there is a legal basis for retaining them for a longer period.

SUPERVISORY AUTHORITY AND POLICY UPDATES:

We inform you that, in Romania, the authority competent in the field of data protection is the National Supervisory Authority for Personal Data Processing (“A.N.S.P.D.C.P.”). If you consider that your rights have been infringed, you may lodge a complaint through the official website www.dataprotection.ro

This Privacy Policy has been adopted by decision of the management of OLGA GUDYNN INTERNATIONAL SCHOOL S.R.L. and enters into force on the date of its publication on the website www.olgagudynn.ro. OGIS reserves the right to revise, update or amend this Privacy Policy whenever necessary, including as a result of legislative changes, decisions of supervisory authorities or changes in processing activities. The updated version will be published on the OGIS website, indicating the revision date and version number. In the event of essential changes affecting the rights of data subjects, OGIS will ensure that they are informed through appropriate means, in accordance with the principle of transparency provided by Article 5(1)(a) of Regulation (EU) 2016/679.