1. POLICY PURPOSE
Associação Escola Graduada de São Paulo ("Graded", "Institution", or "we") is committed to raising awareness of its community, especially its employees and students ("Employees" and "Students") regarding the personal data collected, used, stored, or otherwise processed in the context of the relationship established with Graded.
This Policy applies to the processing of personal data of students, employees, third parties, and legal guardians or legal representatives of Students, as necessary or required by law ("Guardians") (hereinafter referred to as "Owners").
Thus, this document aims to objectively present the characteristics and hypotheses of processing their personal data. For more information about the processing of personal data, contact the Data Protection Officer via email at email@example.com.
2. APPLICABLE RULES AND DOCUMENTS
Law 13.709/18 – General Personal Data Protection Law.
This Policy applies to all of Graded School's students, their legal representatives, employees, and contractors.
4. WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?
Graded is the controller of your personal data in the context of the relationship established with you. For applicable legislation, the controller is responsible for decisions regarding the processing of personal data.
5. WHICH PERSONAL DATA ARE PROCESSED?
To the extent permitted by applicable law, Graded may process the personal data described below.
5.1. Employee Data:
5.1.1. Identification, registration, and contact data: full name; birth date; genre; email address; home address; telephone(s); RG, CPF, CNH number, as applicable;
5.1.2. Copy of documentation: copy of identification document(s) (such as RG, CPF, CNH, as applicable); copy of birth certificate; copy of proof of income; copy of income tax return; proof of address; payslip, as necessary to fulfill the purposes listed herein.
5.1.3. Vehicle information: License plate of the vehicle that will enter Graded's premises.
5.1.4. Sensitive data: Race/ethnicity, health information (e.g., proof of vaccination, disability, medical proof of leave, etc.), and biometrics.
5.2. Students' Data:
In addition to the personal data listed above, Graded may process:
5.2.1. Additional information: Passport number; filiation; nationality; place of birth;
5.2.2. Academic information: Year of leaving the last school; full name of the educational institution they studied; state and address of the institution; type of institution;
5.2.3. Photo and copy of documentation: Student photo; copy of academic transcript; copy of language competence certificate (TOEIC, TOEFL); letter of recommendations, among other documents;
5.2.4. Student Information at Graded: Registration number; year/course/class in which they are enrolled; monthly fee; performance information (e.g., grades, attendance, behavioral history, etc.); information about the end of the relationship with Graded (e.g., date of completion of the Pre-primary, Lower School, Middle School, or High School stages, date of issue of the diploma, etc.);
5.2.5. Sensitive data: Race/ethnicity, health information (e.g., proof of vaccination, disability, medical proof of leave, etc.), and biometrics.
5.3. Data from the Students' Legal Guardians:
5.3.1. Identification, registration, and contact data: full name; birth date; gender; email address; home address; telephone(s); RG, CPF, CNH number, as applicable;
5.3.2. Copy of documentation: Copy of identification document(s) (such as RG, CPF, CNH, as applicable); copy of the birth certificate; copy of proof of income; copy of income tax return; proof of address; payslip, as necessary to fulfill the purposes listed herein;
5.3.3. Vehicle information: License plate of the vehicle that will enter Graded's premises.
5.3.4. Sensitive data: Race/ethnicity, health information (e.g., proof of vaccination, disability, medical proof of leave, etc.), and biometrics.
5.4. Third-Party Data:
5.4.1. Identification, registration, and contact data: full name; birth date; genre; email address; home address; telephone(s); RG, CPF, CNH number, as applicable;
5.4.2. Vehicle information: License plate of the vehicle that will enter Graded's premises.
5.4.3. Sensitive data: Proof of vaccination against Covid-19 to comply with health protocols aimed at preventing the spread of the new coronavirus.
Please note that the personal data listed above will be collected by Graded and further processed only as necessary to achieve the purposes set forth herein.
In order for Graded to provide its educational services on Graded, it is necessary to process personal data. In order to follow the precepts of the Institution itself and the applicable legislation, the processing of personal data will be carried out in your best interest and to the extent permitted by the Guardians and/or applicable law.
6. WHY DO WE COLLECT AND PROCESS YOUR PERSONAL DATA?
We use personal data for the purposes listed in this Chapter always as permitted by applicable law.
6.1. We will process the personal data of the Students' legal guardians to formalize the contracting of educational services provided by Graded and subsequent management of the established legal relationship.
Accordingly, as necessary, we may process the personal data of Students and Guardians to:
6.1.1. Accept the Student's enrollment at Graded;
6.1.2. Respond to any queries and requests for information from Students or Guardians;
6.1.3. Send institutional communications about Graded;
6.1.4. Manage the amounts paid by the Owners in consideration for the educational services provided by Graded;
6.1.5. Control any pending issues of the Owners related to the donations made by them and assist in the registration and resolution of problems, as necessary;
6.1.6. Perform collection of late tuition payments, as necessary;
6.1.7. Control the entry and exit of Students and who is responsible for picking them up;
6.1.8. Evaluate all scholarship requests and award to certain Students, considering Graded's internal criteria and policies;
6.1.9. Support the Owners at the time of re-enrollment and monitor the Students who may have pending issues;
6.1.10. Terminate the relationship with certain Students (for example, when a Student graduates).
6.2. We will process the Student's personal data to monitor the relationship with Graded
Accordingly, as necessary, we may process personal data to:
6.2.1. Know the Student and their dynamics and difficulties;
6.2.2. Grant access to the teaching portal used by Graded, as well as to the Institution's other systems and computers;
6.2.3. Grant access to Graded's buildings;
6.2.4. Produce the student ID card after enrollment to identify the Student at the institution and elsewhere;
6.2.5. Monitor the performance of the Student throughout their academic career with Graded;
6.2.6. Track the Student's attendance in classes;
6.2.7. Make the grades and results available in the Graded system, as well as monitor the performance of extracurricular activities and mandatory complementary hours for the conclusion of the year;
6.2.8. Provide resources and travel for activities related to Students' academic works and researches;
6.2.9. Control the issuance of diplomas in an appropriate way for all graduates of the academic periods of the year;
6.2.10. Provide appropriate care for Students with special needs;
6.2.11. Execute the registration process for Students interested in continuing their course abroad.
6.3. We will process your personal data as necessary to keep Graded, the Owners, and third parties safe, to ensure compliance with the contractual obligations assumed by the Institution with third parties, and to defend Graded's interests in judicial, administrative, or arbitration proceedings.
Accordingly, as necessary, we may process personal data:
6.3.1. To ensure the physical integrity of Owners and third parties on Graded's premises, as well as the patrimonial integrity of such premises (such as, for example, through the use of closed-circuit television cameras);
6.3.2. To defend Graded's interests in judicial, administrative, or arbitration proceedings;
6.3.3. In the context of negotiations of possible mergers, acquisitions and incorporations.
6.4. We will process your personal data when Graded has legal and regulatory obligations that require such treatment.
Accordingly, as necessary, we may process personal data:
6.4.1. In contexts related to the fulfillment of legal obligations established by Brazilian legislation or regulations, such as obligations established by the competent authorities regarding education in Brazil (for example, registration of Students in systems maintained by such authorities);
6.4.2. By legal determination.
6.5. We may process your personal data for other purposes related to Graded's legitimate interest.
Accordingly, as necessary, we may process personal data to:
6.5.1. Organize or sponsor events;
6.5.2. Send communications about new Graded courses or other institutional communications that are not essential for the provision of services;
6.5.3. Enable activities necessary for the maintenance of the institution (such as control of objects found and delivered in the "Lost and Found" sector, management of IT equipment lend by Graded, etc.);
6.5.4. Student assistance in requesting financing from financial institutions;
6.5.5. Carry out the retention plan for Students in the courses.
7. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?
When necessary to achieve the purposes described in the previous Chapter above, Graded may share your personal data with third parties, according to this Chapter 7.
7.1. Graded may share your personal data with:
7.1.1 Providers of cloud computing services and other information technologies to manage the provision of educational services;
7.1.2 Service providers such as SPTrans, BOM, or AESA for the registration of Students enrolled with Graded so that they can enjoy benefits in public transport;
7.1.3 Companies that hire interns who study at Graded or partner entities that help in the promotion of vacancies for Students of the Institution;
7.1.4 International educational institutions when the Student expresses interest in continuing their course abroad;
7.1.5 Collection companies and credit bureaus in the event of default;
7.1.6 Other service providers that can be called upon as necessary in the specific case (such as providers responsible for producing diplomas, organizing graduation, graphic and printing services, etc.).
7.1.7 Companies or individuals acting as acquirers in an eventual due diligence phase, in the face of possibilities involving consolidation, acquisition, or merger of the Institution.
7.2. Graded may also share your personal data with other third parties, including public administration bodies and competent authorities, in order to:
7.2.1. Respond to complaints, investigations, legal measures, and legal proceedings;
7.2.2. Comply with legal and regulatory obligations (for example, accountability to the Ministry of Education or INEP);
7.2.3. Investigate, prevent or take action related to illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person, or if otherwise required by law, to the extent permitted by applicable law.
8. TRANSFERS OF YOUR PERSONAL DATA OUTSIDE BRAZIL
Graded may transfer some of your personal data to service providers located abroad, including cloud service providers, and other educational institutions in the case of international programs, or for the issuance of international degrees. When your personal data is transferred outside of Brazil by the Institution, we will take appropriate measures to ensure adequate protection of your personal data following the requirements of applicable data protection legislation, including by entering into appropriate data transfer agreements with third parties when necessary.
9. HOW LONG WILL WE RETAIN YOUR PERSONAL DATA?
We store and maintain your information:
- for the time required by law;
- until the end of the processing of personal data, as mentioned below;
- for as long as necessary to preserve Graded's legitimate interest, as the case may be;
- for the time necessary to protect the regular exercise of the Institution's rights in judicial, administrative, or arbitration proceedings. Thus, we will process your data, for example, during the applicable limitation periods or while necessary to comply with a legal or regulatory obligation.
The end of the processing of personal data will occur in the following cases:
9.1. When the purpose for which the personal data of the Owner or Guardian was collected is achieved and/or the personal data collected is no longer necessary or relevant to the scope of that purpose;
9.2. When the Owner or Guardian is entitled to request the end of the treatment and the deletion of their personal data and they do so; and
9.3. When there is a legal determination to do so.
10. YOUR RIGHTS REGARDING THE PERSONAL DATA WE PROCESS ABOUT YOU
You have several rights concerning your personal data. Such rights include, but are not limited to:
10.1. Receiving clear and complete information about the processing of your personal data, including further details on the chances of sharing your personal data with third parties, according to Chapter 7 of this Policy;
10.2. Requesting access to your personal data and confirmation of the existence of personal data processing by Graded;
10.3. Requesting that we rectify any inaccurate, incomplete, and out-of-date personal data;
10.4. Opposing processing activities, requesting anonymization and deletion of personal data, in specific circumstances;
10.5. Requesting the portability of your personal data;
10.6. Revoking consent at any time, when Graded, exceptionally, processes your personal data based on consent;
10.7. Petitioning before the National Data Protection Authority, provided that your request is not met by the controller of the personal data.
There are legal circumstances that may not authorize the exercise of certain rights set forth above, or when the provision of information may reveal any of the Institution's business secrets. Graded will respond to your requests to the greatest extent possible.
You may exercise such rights by contacting the Data Protection Officer at firstname.lastname@example.org. When the Student is a minor, the Guardian may represent them and request the exercise of the above rights on behalf of the minor. As a condition for exercising the rights set forth herein, we will request proof of your legitimacy and your identity.
11. PROTECTION OF PERSONAL DATA
Graded uses appropriate technical and organizational measures to protect your personal data against unauthorized or illegal treatment and accidental loss, destruction, or damage to it. Your personal data is stored securely on protected equipment. Only a limited number of people will have access to such equipment and only individuals with legitimate reasons will have access to your personal data.
Data Protection Officer (DPO)
The Data Protection Officer (DPO) is responsible for acting as a communication channel between Graded, data subjects, and the National Data Protection Authority (ANPD).
Officer - DPO as a Service
GRADED - THE AMERICAN SCHOOL OF SÃO PAULO
Av. José Galante, 425
São Paulo, SP - Brazil - 05642-000
General Data Protection Law, art. 5, item VIII
Art. 41, §2, of the General Data Protection Law:
I – accept complaints and communications from the holders, provide clarifications and adopt measures;
II – receive communications from the national authority and adopt measures;
III – guide the entity's employees and contractors about the practices to be adopted regarding the protection of personal data; and
IV – perform other assignments determined by the controller or established in supplementary rules.