Kids&Us - GDPR Policy

PRIVACY POLICY AND PROCESSING OF INFORMATION

Kids&Us - GDPR Policy

1. RIGHT TO INFORMATION

In application of the provisions of Article 11 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD) and Article 13 of the General Data Protection Regulation 2016/679 (GDPR), below we explain how personal data is processed at Kids&Us.

1.1 Definitions

For the purposes of this Privacy Policy, the following definitions shall apply:

1) Personal data: any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is any person whose identity can be established, directly or indirectly, by using an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of that person’s physical, physiological, genetic, mental, economic, cultural or social identity.

2) Processing: any operation or set of operations which is performed on personal data or on a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3) Profiling: any form of automated processing of personal data consisting of using this data to evaluate personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s professional performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements. Kids&Us’ own Artificial Intelligence will be used to create some of these profiles.

4) Pseudonymisation: processing of personal data in such a way that they cannot be attributed to a data subject without the use of additional information, provided that this information is separated and subject to technical and organisational measures designed to ensure that the personal information is not attributed to an identified or identifiable natural person.

5) File: this is a structured set of personal data accessible according to specified criteria, whether centralised, decentralised, functionally or geographically distributed.

6) Data Controller: the natural or legal person, public authority, service or any other body which, alone or jointly with others, determines the aims and means of the processing.

7) Data Processor: the natural or legal person, public authority, service or any other body processing personal data on behalf of the Controller.

8) Recipient: the person to whom personal data are disclosed, whether a third party or not. However, public authorities that can receive personal data in the framework of a specific investigation should not be considered as recipients.

9) Third party: a natural or legal person, public authority, service or body other than the data subject, the Data Controller, the Data Processor and the persons authorised to process personal data under the direct authority of the Data Controller or the Data Processor.

10) Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s agreement, by means of a clear affirmative statement or action, to the processing of personal data relating to him or her.

11) Supervisory authority: the independent authority established by a Member State of the European Union, the operating regime of which is regulated in Article 51 of the GDPR.

12) Cross-border processing:

  • The processing of personal data carried out in the context of the activities of establishments in more than one Member State of a Data Controller or Data Processor in the European Union, if the Data Controller or Data Processor is established in more than one Member State, or
  • Processing of personal data performed in the context of the activities of a single establishment of a Data Controller or a Data Processor in the EU, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

13) International transfer: transfer of data to a third party outside the EU or an international organisation.

14) Artificial Intelligence: A combination of algorithms designed for the purpose of creating machines that deliver services with the same capabilities as human beings.

  1. MyWay space: Educational application for Kids&Us students that complements the work done in the classroom and provides personalised learning pathways to ensure that each student achieves the communicative objectives of the course.

1.2. What personal data are collected?

In broad terms, the personal data to which Kids&Us will have access in the MyWay application will be those that the user has previously provided voluntarily. Accordingly, users must understand that personal data will be requested in order to access the services of MyWay to identify and monitor system users. If the requested data is not provided you will not be able to access or use these services and content. All the fields that appear on the forms must be completed, and the omission of any of the data requested may result in the inability to meet a claim or request.

Furthermore, MyWay collects information about the user, their progress by means of general monitoring reports (activity and audio) or the results of the exercises, as well as other data relating to the student’s behaviour, learning, motivation and performance. In addition, the app may automatically collect other information, such as the type of mobile device, the User’s country, IP addresses, the mobile device’s operating system and information about how the app is used. This data will not be transferred to third parties by Kids&Us.

Kids&Us uses Artificial Intelligence technology that analyses how students use the applications, which allows us to personalise the services offered and optimise academic results. In summary, this intelligence does what a human teacher would do, but in an automated way because it is faster, more effective and efficient. It analyses the results of the different exercises given to the student and suggests more exercises to reinforce the subjects that they need to study further, allowing them to progress in a personalised manner. The information and data are pseudonymised. The User is identified by a code so that, in the event of hacking, their information cannot be accessed without adding additional information that is separate from the main information.

1.3. Who decides on the use to be made of the data and the means to be used to carry out the processing?

The Data Controller is:

KIDS&US ENGLISH, S.L.

Tax ID number (NIF) B-64622087

Registered address at Av. Tudela no. 12

08242, Manresa, Barcelona (Spain)

Tel. no. +34 93 875 33 45

E-mail [email protected]

1.4. Who ensures that all the rules governing the processing of information by Kids&Us are correctly applied?

The data protection officer is CIPDI Tratamiento de la información, S.L., with registered office in Mataró (Barcelona), C/ Sant Agustí no. 1, 1-1, [email protected].

1.5. For what purposes will we use your data? What is the legal basis for this processing and how long will the data be kept?

The contractual relationship between the customer and Kids&Us and our legitimate interest for the students to progress as quickly and efficiently as possible are the legal bases that legitimise this data processing.

The data will be kept for 5 years from the end of the contractual relationship with the school.

1.6. Do we carry out any processing of your images?

The app does not collect images of students.

1.7. Who will be able to access and know the content of your data?

In order to fulfil the above purposes, the persons and entities listed below may have access to the personal data. Their access shall be limited to the data necessary for the performance of the Data Controller’s tasks. Confidentiality agreements and/or specific agreements regulating access to information, security measures and the use that can be made of the data have been signed with all the entities and persons to whom the data is addressed. The following can access the data:

  • Personnel duly authorised by the Data Controller.
  • The KIDS&US ENGLISH, S.L. franchise network can be consulted on the website.
  • Suppliers necessary to fulfil the services requested or to fulfil legal and contractual obligations. These suppliers may be located in the European Union or outside the European Union.
  • Public administration within the scope of its purview.

You can obtain further information from the Data Protection Officer.

1.8. Is cross-border data processing carried out?

The Data Controller uses the following platforms, which involve transfer of data outside the European Economic area:

  • Microsoft as a data hosting platform. Usually, the primary storage location is in Europe, but often with a backup in a data centre in another region. Storage locations are selected for their efficient operation, to improve performance and create duplication. This is done to protect data in the event of an outage or other problem. The measures for processing the data come under the privacy statement and are in accordance with the provisions of the privacy statement and the applicable law requirements. This policy can be viewed on the following link: https://privacy.microsoft.com/es-es/privacystatement.

When Microsoft transfers personal data from the European Economic Area, the United Kingdom and Switzerland to other countries, the transfer will be made using the appropriate safeguards set out in Article 46 of the GDPR. These are the standard contractual clauses published by the European Commission under Commission Implementing Decision 2021/914 to help protect your rights and enable protection when your data is moved.

  • The development of Artificial Intelligence has been contracted with LIGHTHOUSE DISRUPTIVE GROUP EUROPE, S.L., with Tax ID number (CIF) B-1683994, address at Calle Tres d’Abril 20, 2-3, Sant Boi de Llobregat 08830, Barcelona. This company is owned by LIGHTHOUSE DISRUPTIVE INNOVATION GROUP, LLC, a company legally incorporated in the state of Delaware (United States), so people located in the United States will have access to your personal data. The transfer will be made using the appropriate safeguards provided for in Article 46 of the GDPR as standard contractual clauses published by the European Commission under Commission Implementing Decision 2021/914.

1.9. What rights do data subjects and data owners have?

Right of access. This is regulated in Article 15 of Regulation 2016/679, known as the GDPR. This means asking the Data Controller in order to obtain, free of charge, all the information it holds regarding the personal data itself and the communications that have been made, or are planned to be made.

Right of amendment. This is regulated in Article 16 of Regulation 2016/679, known as the GDPR. This is a request to the Data Controller to change the content of information about you and your data, on the instructions of the data subject.

Right of deletion. This is regulated in Article 17 of Regulation 2016/679, known as the GDPR. This consists of asking the Data Controller to erase any information about the data subject’s person. Deletion means blocking all data and keeping them at the disposal of public administrations for the period of time foreseen for the right to take legal action to lapse.

Right to restrict processing. This is regulated in Article 18 of Regulation 2016/679, known as the GDPR. It involves asking the Data Controller to restrict the processing of your data when one of the following conditions is met:

  • The personal data are inaccurate.
  • The processing is unlawful.
  • The Data Controller no longer needs to process the data.
  • When the reasons for ceasing to process the data alleged by the data subject prevail over those of the Data Controller.

Right to transfer the information. This is regulated in Article 20 of Regulation 2016/679, known as the GDPR. This consists of requesting the Data Controller to provide the data subject’s personal data in a structured, commonly used and machine-readable format for the purpose of transfer to another Data Controller where the processing is carried out automatically and is based on explicit consent.

Right to object. This is regulated in Article 21 of Regulation 2016/679, known as the GDPR. This is a request to the Data Controller to process the data according to specific instructions given by the data subject.

Right to withdraw consent. This is regulated in Article 13.2.c) of Regulation 2016/679, known as the GDPR. It is an order given by the data subject to the Data Controller notifying them that they withdraw their consent to the processing of their data.

The right to be excluded from automated individual decisions. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on him or her or similarly significantly affects him or her.

To exercise the above rights, you may write to the address of the Data Controller, or send an email to the Data Protection Officer, [email protected] with “Data Protection” written in the subject line and attaching a photocopy of your National ID document (DNI), Foreigner’s ID document (NIE) or passport.

1.10. How can I make a complaint?

You can contact the internal compliance officer using the whistleblowing channel on the website: https://denuncias.cipdi.com/kidsandus/en/.

If you consider that your rights have been infringed, the competent body for the correct application of the rules on the processing of information is the Spanish Data Protection Agency, located at Calle Jorge Juan no. 6, Madrid.

1.11. What obligations do I have as a data subject?

The data subject must provide truthful and up-to-date information in all data collection processes, and is responsible for this obligation in the event of a breach.

Depending on the request made by the data subject, the data that are mandatory are already marked on the collection forms. Failure to provide the mandatory data may undermine the right to participate in the activity or prevent the provision of the requested service or performance.

1.12. Can the Data Controller perform profiling?

In order to provide a more personalised, careful and efficient service to the user, it is necessary to perform profiling of the recipients of the services. These profiles are created using proprietary Artificial Intelligence.

2. SECURITY

The general database is equipped with the required security document and has all the technical means at its disposal to prevent the loss, misuse, alteration, unauthorised access or theft of the data you provide us with. The processing of personal data is in accordance with the provisions of Organic Law 3/2018 on data protection and guarantee of digital rights and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

Kids&Us - GDPR Policy