General Privacy Policy

In this Privacy Notice, the following terms are used with their respective meaning:

"Personal Data"	any information in any form concerning an identified individual, or an individual who can, directly or indirectly, be identified by reference, in particular, to his or her personal identification number, or by reference to one or more factors specific to his or her physical, physiological, intellectual, cultural, economic, or social identity.
"Sensitive Data"	any personal information revealing – directly or indirectly about an individual's race, ethnical origin, political or philosophical opinions, religious beliefs, affiliation to union, personal criminal record, or any information in relation to his health or sexual status.
"Data Subject"	means the person or individual subject of data i.e. Students or Prospective Students or Students' Representatives whichever is applicable as per law;
"Data Processing"	means any operation or set of operations which is performed upon personal data, whether or not by automatic means, including collecting, recording, organizing, classifying into groups, storing, adapting, altering, retrieving, using, disclosing by transmission, dissemination, transference or otherwise making available for others, or combining, blocking, erasing or destructing such data.
"Personal Data Protection Law"	refers to the Data Protection Law of the Kingdom of Bahrain, 2018 ("PDPL");
"Students"	refers to the individuals (considered children whenever under 18 years old and considered youth whenever exceeding 18 years old) enrolled in Academic and non-academic courses, extracurricular activities or services rendered by the Data Controller.
"Prospective Students"	refers to Prospective Students who will potentially be enrolled at the School;
"Students' Representative"	refers to the individual(s) legally responsible for the Student(s) or Prospective Student(s) i.e. the Student's parent or legal guardian;
"Consent"	means consent granted by Data Subject with full legal capacity; and should be written, explicit, clear, and specific to the processing of certain data; freely given by the Data Subject after being advised of the intended purpose or purposes of the processing. Consent will be provided by the Student's Legal representative when the Student is a child. Consent shall be provided solely by the Student who is youth i.e. above 18 years old.
"Online Platform"	means any website and/or online platform;
"The School"	means School's exact name (Amwaj Educational Company W.L.L, a limited liability Provider established in the Kingdom of Bahrain with commercial registration number 51209-1 operating as the International School of Choueifat in Kingdom of Bahrain); a company incorporated under Bahrain law to provide educational services to students enrolled at the School;
"Personal Data Breach"	means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
"Data Controller"	The School, its subsidiaries or affiliates.

 

 

For the purposes described in this Privacy Notice, the Data Controller shall be taken as the legal person responsible for determining the purposes and means of the Personal Data that had been submitted by Students, Prospective Students, Students' Representatives, and may be identified and contacted through the channels below:

• School's address: Bldg 110, Road 59, Area 257, Qalali, Kingdom of Bahrain.
• Data Controller Officer E-mail: privacy@sabis.net
• Telephone Number: +973 1603 3333

 

 

As part of its educational activities, the Data Controller will collect and process the Personal Data identified below, with the following purpose and legal basis:

Legal Basis: The Data Controller will process relevant Personal Data and Sensitive Personal Data based on the School's legitimate interests in delivering educational services, managing its operations, and fulfilling its responsibilities to students and their families. Processing is also necessary for the performance of the enrollment agreement with the Parent, including the provision of educational, administrative, and support services to the Student. In specific cases where required by applicable data protection laws processing will be based on the explicit consent of the Data Subject.

 

Student, Prospective Student, and Students' Representatives' Identification Data: Types of data that enable the identification of the Data Subject who has any legal bond with the Data Controller – Students, Prospective Students, Students' Representatives – consisting, for example, of full name, date of birth, nationality, place of birth, profession, home address, E-mail address, postal code, and telephone and/or cell phone number(s) along with vital statistics, vaccinations, passport copies.

Purpose: The Personal Data is collected in order to enable the proper identification of Students, Prospective Students, Students' Representatives, that either have established or will establish a contractual relationship with the School or Data Controller.

 

Students' Representative Financial Data: Personal Data necessary for the School or Data Controller to process bank collections or payments related to educational services, student registration, or Prospective Student enrollment. This may include, but is not limited to, the bank details, payment information, and credit card details of the Student's Representative.

Purpose: Student's Representative Financial Data is collected to enable the Data Controller to properly and securely charge for its services.

 

Data Concerning Health: Personal Data relating to certain health conditions of Students and Prospective Students. Including vaccination records where applicable.

Purpose: Data concerning the health of Students, Prospective Students is collected to enable the Data Controller to render appropriate medical treatment when and if necessary, either during or before the execution of the enrollment contract, as a preparatory measure by the Data Controller for the timely provision of services.

 

Student Performance Data: Data related to the Student's pedagogical performance, consisting, for example, of disciplinary and educational observations, evaluations, tests, reports of grades, and absences.

Purpose: Performance Data is collected to allow Students, their Representatives, and the Data Controller to be aware of the Student's pedagogical performance. Amongst the intended purposes are (i) supporting Student learning; (ii) monitoring Student learning performance; (iii) managing the educational services provided by the Data Controller to Students; and (iv) compliance with legal and regulatory obligations, which determine, for example, the measurement of Student grade averages and attendance.

 

Photography and Filming: Images of Students’ and Prospective Students’.

Purpose: The images are collected in order to allow the Data Controller to properly identify its Students, Prospective Students during or prior to the provision of educational services, as well as to implement appropriate security measures on the Data Controller premises, via the CCTV system and others. Images of Students, Prospective Students will be processed by the School when at least one of their “Representatives" grants consent to do so.

 

Direct Marketing: Students, Prospective Students, and their Representatives may be asked to provide Personal Data, such as their name and E-mail address, for the purpose of receiving marketing communications by E-mail.

Purpose: The Personal Data provided is used to provide Data Controller-related information to the Data Subject, who will be asked to affirmatively opt-in to E-mail marketing communications. The Data Subject shall receive marketing materials when at least one of their "Representatives" grants consent to do so.

 

The Data Controller shall only collect data for specific purposes and with a proper legal basis for processing. Data obtained for specific purposes will not be processed for purposes different from the ones specified in this Privacy Policy unless the Data Controller properly notifies Data Subjects in this regard.

The collection of Personal Data occurs in the following cases:

Data Provided by the Data Subject:

• Voluntary completion of registration forms, applications, or vacancy forms per Student's Representative;

• Direct contact by E-mail, telephone, or any other form of electronic correspondence and/or letters;

• The Student, Prospective Student or his/her Representative voluntarily creates a profile on any of the Data Controller's Online Platforms;

• Through the completion of electronic or paper forms, evaluations, reports, tests, simulations, notes, and attendance lists, as well as taking part in interviews and meetings, all of which are deemed a necessary part for the educational services contracted and are submitted by the Student, the Student's Representative to one of the Data Controller’s agents.

• Location data for GPS Tracked School Vehicles.

Internet Trackers:

The Data Subject's personal information is electronically collected for statistical purposes and for the improvement of the Data Controller website, using cookies (files stored in the Data Subject's browser). The Data Controller and its service providers may also use other tracking technologies for website management and user tracking.

Online Platforms:

The Data Controller uses Online Platforms during the rendering of its educational services and, therefore, provides its students access to software that is not operated by the Data Controller. Please note that this Privacy Policy does not apply to third-party software. This Privacy Policy does not govern the practices of third parties, including the Data Controller's partners, third-party service providers, and/or advertisers, even when those services are branded as or provided on behalf of the Data Controller.

Third Parties:

This consists of the collection of Personal Data that is provided by and/or shared with authorized third parties or government agencies, including:

• Doctors, therapists, speech therapists, and other health professionals, always with the consent of the Student's Representative and in his/her best interest;

• Other educational establishments;

• Government bodies and regulatory authorities.

In case of medical emergencies, the Personal Data of Data Subjects may be collected without consent and its processing will be carried out exclusively for the protection of the Data Subjects.

Personal Data from third parties will be properly analyzed by the Data Controller in order to ensure that the information has been collected and is being shared on a legal and/or regulatory basis and is accurate and up to date.

 

 

The Data Controller is not responsible for, nor does it hold any interference with, any filming or photographs made by Students, Prospective Students, and their Representatives during the regular Data Controller day activities or social events organized by the Data Controller.

However, in order to provide a healthy environment for its Students, the Data Controller will publicize guidelines among its students, and their representatives on sharing images and footage of minors, reminding all those participating in the Data Controller environment of the provisions in this Privacy Notice, including:

• Reminding Students' and their Representatives about their option of updating their consent preferences for any data processing operation involving the Students.
   
• Requesting that photographs and footage of Students that are taken during the Data Controller's social events must not be shared on social media without prior authorization from the Student's Representative.
   
• Reminding Students and their Representatives about the terms of this Privacy Notice.

 

The Data Controller recognizes the need to safeguard the Personal Data and the privacy of its Students and both at Data Controller and on social media.

Under the terms of the enrollment contract signed between the Data Controller and the Student(s)' Representative(s), the Data Controller is authorized to use the Student's image, by means of photographs, videos, and/or recordings, for the purpose of publicizing the educational services provided on Online Platforms and general media, always in the best interest of the Student and the legitimate interest of the Data Controller.

The Data Controller recognizes the need to protect the Personal Data and privacy of its Students, both at Data Controller and on social media, and, therefore, will only use the image of Students with the consent of their Representative(s), which will be collected from at least one of the Representatives through a specific form.

 

By providing your Personal and Sensitive Data, the Data Subject hereby consents to the Data Controller for collecting, processing, storing, and using information in accordance with this Privacy Policy and applicable data protection laws, including the Bahrain Personal Data Protection Law (PDPL). The data may be used for service delivery, communication, compliance, and security purposes and so on as per Clause 3 above, and will not be shared with unauthorized third parties, except where required by law.

 

Access to the Personal Data of Students, Prospective Students, and their Representatives will be restricted to Data Controller's employees and agents assigned to the specific function of developing the process of enrollment, selection, and rendering of educational services provided by the Data Controller.

 

The Data Controller takes advanced administrative, technical, organizational, and physical measures to protect the Personal Data under its control. These measures include computer protection mechanisms and secure files and facilities. In turn, once the purpose of the data processing is fulfilled, the Data Controller adopts appropriate measures to securely delete or permanently dissociate the Personal Data, depending on the applicable legislation and compliance with the minimum data retention principle.

The Data Controller will retain your Personal Data and Sensitive Personal Data for as long as necessary to fulfill the purposes for which it was collected, and in accordance with any applicable legal or regulatory requirements. The personal Data including sensitive data will be retained for the duration of the Student’s enrollment and for a period of 25 years thereafter. This retention period ensures that the Data Controller is able to provide the student(s) with academic records such as transcripts, certificates, and attestations upon request, even after their departure.

Where appropriate, the data will be anonymized and/or stored in an encrypted format to ensure its continued security and confidentiality. You have the right to request deletion of your data if you no longer wish for it to be stored or processed by us. To do so, please reach out using the contact details provided herein

The Data Controller reserves the right to contract third parties – Processors – to carry out the storage of Personal Data under its custody, in which case these agents will have to process the Personal Data of prior written instructions determined by the Data Controller and to ensure the confidentiality and security of Personal Data.

 

The Data Controller does not share Personal Data with any third parties, unless in the following situations:

• With public regulatory or executive authorities, courts, and government agencies to comply with legal orders, legal or regulatory requirements;
   
• With Service Providers ("Processors"), regulatory authorities, and government agencies to detect and prevent fraud or other criminal activity and to protect the rights of the Data Controller or others;
   
• With “Processors" for the execution of contracts and business development at the request of the Data Controller.

When Personal Data of Students, Prospective Students, Representatives and has to be shared with third parties other than as described above, the Data Controller will notify the Data Subject to obtain consent for that purpose, subject to exceptions provided in applicable law.

Accordingly, the Data Controller reserves the right to store Personal Data under its custody with Processors who may or may not be located in the Kingdom of Bahrain. When Personal Data is transferred to other jurisdictions, the recipient of such information will always be countries or international organizations capable of providing an adequate degree of protection as may be approved by the laws of Kingdom of Bahrain.

As the Data Controller is a member of the SABIS^® School Network, the Personal Data may be transferred outside the territory of the Kingdom of Bahrain:

• The Personal Data is securely replicated to the databases located in Microsoft Cloud Services in Ireland and SABIS Educational Systems Inc. in the United States (SES Inc). This allows the School to use SABIS^® software, applications, and platforms to operate and provide educational services. Additionally, it enables Parents/Guardian and Students to access SABIS^® application/software/platform hosted in these locations. SABIS^® application/software/platform support students' learning by monitoring and following up on their academic and non-academic performance, including but not limited to, exam results, attendance and discipline records, Data Controller calendar, study material, and Student Life Organization (SLO) participation. The replicated Personal Data will also be used to run analytics/statistics on Students, sections, classes, and overall Data Controller’s academic performance.
   
• Further to the Data Controller’s requests and instructions, Authorized employees in SABIS Educational Services S.A.L. Adma, Lebanon (SES Leb), and SABIS Educational Systems Inc. have access to the replicated data in order to operate, develop, improve, deliver, or troubleshoot the Online Platform and provide and support the Data Controller with various technical and educational services.
   
• The Data Controller utilizes OneDrive and SharePoint storage in Azure Europe to store and back up its data. A copy of the Data Controller's backup is also transferred to SES Leb SharePoint storage in Azure USA every week for data availability and disaster recovery purposes. The data stored on SharePoint is encrypted and can only be accessed by authorized IT personnel from SES Leb, which is strictly for disaster recovery. Furthermore, the Data Controller’s data stored in Azure Cloud is backed up using the Azure backup tool and stored in Azure. In addition, the Data Controller’s data stored in SES Inc. is backed up locally in the US Data Center and online via the Barracuda Cloud Backup service. The latter is a cloud backup solution using Azure and Amazon AWS cloud infrastructure in the US.

 

According to the PDPL, Data Subjects have rights in relation to the processing of their Personal Data, among them:

• To be informed of the use to which their personal data is to be put;
• To access their personal data in custody of data controller or data processor;
• To object to the processing of all or part of their personal data;
• To correction of false or misleading data;
• To deletion of false or misleading data about them.
• To withdraw the consent at any time.

If the Data Subjects choose to exercise any of the rights described above, or if they have any questions about how the processing of their Personal Data flows, they may contact the Data Controller's Data Protection Officer through the channels highlighted in Item 2 of this General Privacy Notice.

The Student’s, Prospective Students and the Student's Representative(s) is (are) responsible for the accuracy of the information provided during the registration process with the Data Controller.

The Data Controller reserves the right to amend or modify this General Data Privacy Notice at any time, considering, but not limited to, legislative, regulatory, and case law updates.

In the event of a change to the terms set forth herein, the Data Controller will notify the Student, Prospective Student and their Representatives, detailing the changes and, if applicable, requesting an update of consent for the processing of Student's data.

If you have any questions, please contact us through the channels provided in Item 2 of this Privacy Notice.