Privacy policy

Privacy Matters

In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights, we provide the following information about the processing of personal data you may provide to us:

Data Controller

INTERNATIONAL SCHOOL COSTA BRAVA, S.L.
Our details are provided at the top of this legal notice.

Registry of Personal Data

In compliance with the GDPR and LOPD-GDD, we inform you that the personal data collected by INTERNATIONAL SCHOOL COSTA BRAVA, S.L. through forms on its pages will be incorporated and processed in our files to facilitate, expedite, and fulfill the commitments established between INTERNATIONAL SCHOOL COSTA BRAVA, S.L. and the User or to maintain the relationship established through the forms filled out by the User, or to respond to requests or inquiries. Additionally, in accordance with the GDPR and LOPD-GDD, unless the exception provided in Article 30.5 of the GDPR applies, a record of processing activities is maintained, specifying the processing activities carried out according to their purposes and other circumstances established in the GDPR.

Legal Basis for Processing

The legal basis for processing personal data is consent. INTERNATIONAL SCHOOL COSTA BRAVA, S.L. commits to obtaining the express and verifiable consent of the User for the processing of their personal data for one or more specific purposes.

The User has the right to withdraw their consent at any time. Withdrawing consent will be as easy as giving it and, as a general rule, will not affect the use of the Website.

In cases where the User must or may provide their data through forms to make inquiries, request information, or for reasons related to the content of the Website, they will be informed if filling out any of the forms is mandatory because they are essential for the correct execution of the operation.

Other Legitimate Bases include:

• Compliance with legal obligations.
• Legitimate interest: sending own advertising.

Categories of Data

The categories of data processed include both identifying data and special categories of personal data as defined in Article 9 of the GDPR.

Special categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for uniquely identifying a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation.

For the processing of special categories, explicit consent of the User will always be required for one or more specific purposes.

Source of Data

• Data provided by clients receiving services, by any means.
• Data provided by users through the various services offered on the website.
• Data included in the website forms.

Retention Period of Personal Data

Personal data will only be retained for the minimum time necessary for the purposes of processing and, in any case, only for the following period: The personal data provided will be retained for the strictly necessary time, i.e., while you are a user of our services or wish to continue receiving information, or until you request erasure, objection, or limitation of processing. However, certain identifying and traffic data will be retained for a maximum period of 2 years in case required by courts or to initiate internal actions resulting from misuse of the website.

At the time personal data is obtained, the User will be informed about the retention period or, if this is not possible, the criteria used to determine it.

Additionally, our retention policies comply with legal deadlines for statute of limitation purposes:

• General Rule: Under Article 30 of the Commercial Code, unless otherwise specified, all company documents and/or information will be retained for 6 years. This includes accounting, tax, labor, or commercial documentation, including correspondence.
• Specific Deadlines: Minimum retention periods apply depending on the type of data and statute of limitations, which must be observed by each department.

No decisions will be made based solely on automated processing that affects your data.

Purposes of Processing

The purposes of data processing include:

• Customer Management: To provide contracted services within the natural activity of the company and invoice them. Data will be retained while the commercial relationship lasts or for the years needed to comply with legal obligations.
• Quote Management: To send quotes for services/products to potential clients. Data will be retained until processing cessation is requested.
• Potential Customer Management: To send information related to products and services to individuals with legitimate interest by any means and invite them to events of interest. Data will be retained until processing cessation is requested and is collected with prior express consent.
• Promotional Mailing: If you are a client and the promotional policy applies, you will periodically receive promotional emails at the start of promotions, detailing products on offer, prices, and links to download promotional materials.

Recipients of Data

The User’s personal data will not be shared with third parties.

At the time data is obtained, Users will be informed of the recipients or categories of recipients of their personal data.

Personal Data of Minors

In accordance with Article 8 of the GDPR and Article 7 of Organic Law 3/2018, only individuals over 14 years old may lawfully consent to the processing of their personal data. For minors under 14, parental or guardian consent is required. Processing is lawful only if such consent has been given; otherwise, the legal representative must notify us as soon as possible.

Righs Derived from the Processing of Personal Data

Users may exercise the following rights against the Data Controller, as recognized in GDPR and Organic Law 3/2018:

The User may exercise before the Data Controller the following rights recognized in the GDPR and Organic Law 3/2018, of December 5th, on the Protection of Personal Data and Guarantee of Digital Rights:

Right of access: It is the User’s right to obtain confirmation as to whether INTERNATIONAL SCHOOL COSTA BRAVA, S.L. is processing their personal data or not and, if so, to obtain information about their specific personal data and the processing carried out or being carried out by INTERNATIONAL SCHOOL COSTA BRAVA, S.L., as well as, among other things, information available about the origin of such data and the recipients of communications made or planned with those data.

Right of rectification: It is the User’s right to have their personal data corrected when it is inaccurate or, considering the purposes of the processing, incomplete.

Right to erasure (“the right to be forgotten”): It is the User’s right, provided that the applicable legislation does not establish otherwise, to obtain the deletion of their personal data when such data is no longer necessary for the purposes for which it was collected or processed; the User has withdrawn their consent to the processing and there is no other legal basis for it; the User objects to the processing and there is no overriding legitimate reason to continue; the personal data have been processed unlawfully; the personal data must be erased in compliance with a legal obligation; or the personal data were obtained as a result of a direct offer of information society services to a child under 14 years of age. In addition to erasing the data, the Data Controller, taking into account available technology and the cost of implementation, shall take reasonable steps to inform other controllers processing the personal data about the User’s request to erase any links to such personal data.

Right to restriction of processing: It is the User’s right to restrict the processing of their personal data. The User has the right to obtain restriction of processing when they contest the accuracy of their personal data; the processing is unlawful; the Data Controller no longer needs the personal data but the User needs them to make claims; and when the User has objected to the processing.

Right to data portability: Where the processing is carried out by automated means, the User has the right to receive their personal data from the Data Controller in a structured, commonly used and machine-readable format, and to transmit it to another data controller. Whenever technically feasible, the Data Controller will transmit the data directly to that other controller.

Right to object: It is the User’s right that the processing of their personal data by INTERNATIONAL SCHOOL COSTA BRAVA, S.L. not be carried out or be ceased.

Right not to be subject to a decision based solely on automated processing, including profiling: It is the User’s right not to be subject to an individualized decision based solely on automated processing of their personal data, including profiling, except where otherwise established by applicable law.

Finally, data subjects have the right to lodge a complaint with the competent supervisory authority (AEPD) if the User considers that there is a problem or violation of the current legislation regarding how their personal data is being processed.

You may exercise the above rights by sending us a written request attaching a copy of an identification document to our postal address or email (which appear at the beginning of this document).