GDPR

PRIVACY NOTICE

The personal data Controller, International School of Music and Fine Arts, s.r.o. – Soukromá základní umělecká škola, s.r.o., whose registered office is at Příběnická 972/16, 130 00 Praha 3 – Žižkov, Reg. No. (IČ): 271 92 571, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Entry No. 103352 (the “Controller”), hereby issues this Privacy Notice in accordance with the General Data Protection Regulation of the European Parliament and of the Council No. 2016/679 of 27 April 2016 (the “GDPR”):

1. Definitions
Personal data. Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly. The following information may be regarded as personal data: name, surname, date of birth, personal number, and address of residence, email address, telephone number, photograph or another recording of appearance.
Compliance with legal obligations. This includes, in particular, compliance with the obligations imposed on the Controller by the applicable labour law, accounting or tax regulations, i.e. transfer of personal data to financial administration authorities, or to other public bodies and authorities in accordance with the applicable laws and regulations, and keeping of files, records and personal files in accordance with laws and regulations, including compliance with obligations relating to employees.
Performance of a contract. This means, in particular, performance of the study contract (Art Education Contract) executed between the student and the Controller.
Controller. The personal data controller means the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data and is liable for such processing. In this case, the Controller is International School of Music and Fine Arts, s.r.o. – Soukromá základní umělecká škola, s.r.o.
Data subject. The data subject is an identified or identifiable natural person. In this case, it means namely students or potential students/candidates and associates of the Controller, etc.
Administration of requests sent electronically. This means in particular the communication with students and potential students using the email address info@musicschoolprague.com.
Sending of commercial communications and offer of services. The Controller may send commercial communications or newsletters to you, in particular those relating to the offer of art education, information about and recommendations of art events – concerts, etc., using email or another similar means of electronic communication.
Processor. The personal data processor means an entity which processes personal data for the Controller.
Special categories of personal data. Special categories of personal data mean the personal data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, data concerning health or data concerning sex life or sexual orientation of a natural person, genetic data and biometric data. The Controller does not collect or process such data.

2. Scope and Purpose of Personal Data Processing
The Controller processes the personal data in the scope provided to the Controller by the respective data subject in connection with a contractual or another legal relation with the Controller where the data subject grants his/her consent to such processing or which are being collected and processed by the Controller in any other manner in accordance with the applicable laws and regulations or to comply with the Controller’s legal obligations.
If you enter into a study contract with the Controller, the Controller needs your data for your identification as a Contracting Party and for any subsequent performance of the contract. Also, the Controller needs your email address and telephone number for the purpose of organising instruction and notifying you about lessons, or about any changes in the schedule of instruction so that you can be contacted and notified of any changes. The Controller may provide such personal data to a lecturer who will process such data for the purpose of conducting the selected lessons.
If you contact the Controller electronically, in particular via email info@musicschoolprague.com or in a similar manner, the Controller will be also processing your personal data contained in such communication.
Beyond the information specified above, the Controller may also process your personal data for a legitimate interest, including, in particular, enforcement of legal claims or defence against legal claims raised in relation to the study contract.
Below please find the scope of the personal data processed by the Controller and individual purposes of processing:

Personal data of the data subject Purposes of processing
Name and surname performance of the contract, compliance with legal obligations, sending of offers and information about art events, protection of the Controller’s legitimate interest, administration of requests sent electronically
Contact address performance of the contract, compliance with legal regulations, protection of the Controller’s legitimate interest
Email performance of the contract, compliance with legal obligations, sending of offers and information about art events, protection of the Controller’s legitimate interest, administration of requests sent electronically
Telephone number performance of the contract, compliance with legal obligations, sending of offers and information about art events, protection of the Controller’s legitimate interest, administration of requests sent electronically
Account number and other transaction details performance of the contract, compliance with legal regulations, protection of the Controller’s legitimate interest
Date of birth, personal number (personal ID) performance of the contract, compliance with legal obligations (e.g. in connection with employment at the Controller)
Any other information pertaining to a student performance of the contract, compliance with legal regulations, protection of the Controller’s legitimate interest

If you provide the Controller with third-party personal data, you are required to notify the person concerned thereof, and arrange this person’s consent to these privacy conditions.

3. Sources of Personal Data
The Controller processes the personal data from the following sources:
– directly from data subjects, i.e. mostly from you,
— publicly accessible registers, lists and records (e.g. Commercial Register, Trade Register, etc.).

4. Categories of Data Subjects
The Controller processes personal data of the following data subjects:
– students or potential students,
– employees and associates of the Controller,
– job candidates at the Controller or those interested in cooperating with the Controller,
– other persons having a contractual relation with the Controller.

5. Categories of Personal Data Recipients
The Controller will provide access to your personal data to the following recipients:
– lecturers for the purpose of performing the contract – conducting lessons,
– banks and other financial institutions for the purpose of settling financial transactions,
– state and other bodies and authorities as part of compliance with legal obligations laid down by the applicable laws and regulations or as part of reporting criminal activities.

In order to perform the contractual relation, personal data may be transferred and transmitted to third parties, in particular to cooperating educational institutions and companies from the Controller’s group, including, without limitation:
– MUSIC – DANCE – ART SCHOOL PRAGUE, s.r.o., Reg. No. (IČ): 247 51 782
– European Music School, s.r.o., Reg. No. (IČ): 289 97 409
– Prague Music School, s. r. o., Reg. No. (IČ): 033 15 592
– School of Music and Dance, s.r.o., Reg. No. (IČ): 033 75 978
– Music Learning Centre, s. r. o., Reg. No. (IČ): 033 13 956
– Music and Dance Academy, s.r.o., Reg. No. (IČ): 033 24 532
– Music and Dance Education, s.r.o., Reg. No. (IČ): 033 22 041
– Performing Arts Learning Centre, s.r.o., Reg. No. (IČ): 033 61 489
– Dance, Music and Visual Arts, s.r.o., Reg. No. (IČ): 034 77 398
– School of Performing Arts, s.r.o., Reg. No. (IČ): 045 25 337
– ISMFA Education, s.r.o., Reg. No. (IČ): 045 13 398
– KIDS MUSIC SCHOOL, s.r.o., Reg. No. (IČ): 272 55 425
– Unique Art Education, s.r.o., Reg. No. (IČ): 045 22 036

6. Manner of Personal Data Processing and Protection
The personal data is being processed by the Controller. The processing takes place in the Controller’s establishments, branches and registered office and the data is being processed by the Controller’s designated employees and associates, or by the processor on the basis of a written personal data processing agreement. The processing takes place by means of computer technology or manually in case of personal data in the paper format while complying with any and all security principles applicable to the administration and processing of personal data. To this end, the Controller has adopted technical and organisational measures to secure personal data protection, in particular measures preventing any unauthorised or accidental access to the personal data, any alteration, destruction or loss, unauthorised transfer, unauthorised processing or any other abuse of the personal data.

Any and all entities that may have access to the personal data respect the right of the data subjects to privacy and are obliged to comply with the applicable laws and regulations relating to the personal data protection.

7. Duration of Personal Data Processing
The Controller will process and store your personal data for a period that is necessary to ensure all rights and obligations arising from the respective contractual relation and for a period for which the Controller is obliged to keep such personal data under the general binding laws and regulations or for which you have granted your consent to the processing by the Controller. In other cases, the duration of processing is based on and must be reasonable with respect to the purpose of processing, or it is laid down by the laws and regulations pertaining to the protection of your personal data.

Purpose of processing Processing period
Performance of a contract during the term of the contractual relation and for a period of four (4) years after the termination of the contractual relation
Compliance with legal obligations for a period laid down by the applicable law or regulation
Your consent for the term of your consent to the personal data processing or until the consent is withdrawn respectively
Protection of the Controller’s legitimate interest for a maximum period of three (3) years from the beginning of personal data processing unless a special regulation sets out otherwise in a particular case, or unless a need emerges in a justified case to keep or process personal data for a longer period of time
Administration of requests sent electronically for a period necessary to administer the respective request

8. Your Rights
In connection with the processing of your personal data by the Controller, you have rights arising from laws and regulations which may be exercised at any time. They include the right (i) of access to the personal data, (ii) of rectification of inaccurate data and to have incomplete personal data completed, (iii) erasure of the personal data if the personal data is no longer necessary for the purposes for which it is collected or otherwise processed, or if it is established that the personal data has been unlawfully processed, (iv) of restriction of personal data processing, (v) of data portability, (vi) the right to raise an objection (to object) after which the personal data processing will be stopped unless it is demonstrated that there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, in particular if such grounds include any enforcement of legal claims, (vii) the right to turn to the Office for Personal Data Protection, (viii) the right to withdraw the consent to the personal data processing at any time and other rights.

  • Right of access to personal data: If you want to know whether the Controller processes your personal data, you have the right to obtain information about it, and if it is the case, you have the right to obtain access to your personal data. In the event of unjustified, unreasonable or repeated requests, the Controller has the right to charge a reasonable fee for a copy of the provided personal data or to reject such request (this applies by analogy to exercising the rights specified below).
  • Right of rectification of incomplete data and to have incomplete personal data completed: If you feel that the Controller processes inaccurate or incomplete personal data about you, you have the right to request rectification and completion of such data. The Controller will rectify or complete your personal data without undue delay but always considering its technical possibilities.
  • Right of erasure: If you request erasure, the Controller will erase your personal data if (i) such data is no longer necessary for the purposes for which it has been collected or otherwise processed, (ii) the processing is unlawful, (iii) you object to the processing and there are no overriding compelling legitimate grounds to process your personal data, or if (iv) the legal obligation to the processing no longer exists.
  • Right to restriction of personal data processing: If you request restriction of processing, the Controller will disable access to your personal data, temporarily remove or store such data or will make other acts necessary for the due performance of the right exercised by you.
  • Right of data portability: If you want the Controller to transfer the personal data processed by the Controller about you electronically under a contract or consent to a third person, you can use your right of data portability. Should the exercising of this right adversely affect the rights and freedoms of other persons, the Controller cannot act on your request.
  • Right to object: The right to object to the processing of the personal data processed for the purposes of protecting the Controller’s legitimate interests. If the Controller fails to demonstrate that there is a compelling legitimate ground for processing which overrides your interest or your rights and freedoms, the Controller will stop the processing without undue delay based on your objection.
  • Right to withdraw consent: If the Controller processes your personal data on the basis of your consent, you have the right to withdraw this consent at any time without prejudice to the lawfulness of processing based on the consent given prior to its withdrawal.

In case of repeated or manifestly unfounded requests to exercise the rights specified above, the Controller may charge a reasonable fee for the implementation of the given right, or to reject its implementation. The Controller will notify you in advance of any such procedure.
The Controller also points out that you can lodge a complaint with a supervisory authority with regard to the processing of your personal data or a failure to perform the duties of the Controller arising from the general binding laws and regulations. In the Czech Republic, the supervisory authority is the Office for Personal Data Protection (in Czech: Úřad pro ochranu osobních údajů), whose registered office is at Pplk. Sochora 27, 170 00 Praha 7, www.uoou.cz.
The Controller may be contacted in writing at Příběnická 972/16, Žižkov, 130 00 Praha 3 or by an email sent to info@musicschoolprague.com. The Controller may request a proof of identity for the purpose of preventing access of unauthorised persons to your personal data. The Controller has not appointed a data protection officer.

9. Facebook and Twitter
The Controller also operates its accounts on the social media platforms (Facebook and Twitter)(https://cs-cz.facebook.com/MusicSchoolPrague; https://twitter.com/musicschoolprg)
The data is transferred only in case if you are logged in your user account of the respective social media service.
The following entities are exclusively liable and responsible for the social media services:
– for Facebook and its Internet presentation: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA;
– for Twitter and its Internet presentation: Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA
Additional information regarding the purpose and scope of the personal data acquisition, processing and use of your data by the respective social media service is available in the data privacy provisions of the respective services available at their websites (Facebook: https://www.facebook.com/about/privacy/ ; Twitter: https://twitter.com/privacy)

This Privacy Notice is valid from 25 May 2018.