English Domain’s Commitment

English Domain is committed to protecting all personal and sensitive data for which we are responsible, and to handling this data in line with local data protection legislation and the General Data Protection Regulation (GDPR).

The data protection principles as outlined by the Office of the Information and Data Protection Commissioner (IDPC) in Malta are available here: https://idpc.org.mt/en/Pages/dp/principles.aspx

The legal bases for processing data are:

  • Consent: the student, parent/guardian or member of staff has given consent for the institution to process their personal data for a specific purpose.
  • Contract: the processing is necessary for the contract. This includes staff employment contracts as well as student application forms.
  • Legal obligation: the processing is necessary for English Domain to comply with the law (not including contractual obligations).

All staff are required to treat all student information in a confidential manner and follow the guidelines of this policy. In addition, English Domain has a Data Protection Officer who is responsible for ensuring all staff and systems are compliant with the GDPR.

English Domain is committed to ensuring that all staff are aware of data protection policies, legal requirements and principles. Training is available to staff where required.

The requirements of this policy are mandatory for all staff employed by English Domain and any third party contracted to provide services within the institution.

Data Breaches

A personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

Every breach is assessed to determine whether it may result in a risk to the rights and freedoms of any person. In cases where this risk is identified, the IDPC and individual(s) concerned will be notified within 72 hours of the breach.

Personal and Sensitive Data

All data within English Domain’s control is identified as personal, sensitive, or both, to ensure it is handled in compliance with legal requirements and access to it does not breach the rights of the individual to whom it relates.

Personal data refers to any information relating to an identified or identifiable person, that is, someone who can be identified, directly or indirectly, by reference to an identifier – such as a name, location, or identification number – or individual factors. These individual factors include the physical, physiological, genetic, mental, economic, cultural or social identity of a person. (General Data Protection Regulation 2016, Art. 4)

Sensitive personal data is data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and any processing of genetic or biometric data. (General Data Protection Regulation 2016, Art. 9)

The principles of the GDPR shall be applied to all data processed.

  • Ensure that data is fairly, transparently and lawfully processed
  • Process data only for specified purposes
  • Ensure that all data processed is adequate, relevant and not excessive
  • Ensure that data processed is accurate and up to date, as provided by the data subject
  • Not keep data longer than is necessary or as required by law
  • Process the data in accordance with the data subjects’ rights
  • Ensure that data is secure
  • Ensure that data is not transferred without adequate protection

Fair Processing and Privacy Notifications

English Domain will be transparent about the intended processing of data and communicate these intentions to staff, parents/guardians and students prior to the processing of the individual’s data.

Notifications shall be in accordance with regulations in terms of transparency, including where they are required to be issued to those defined as ‘Children’ under the legislation.

There may be circumstances where English Domain is required, either by law or in the best interests of students or staff, to pass information to external authorities. These authorities are also required to comply with the GDPR and have their own policies relating to data protection. Any intention to share personal data with a third party organisation will be clearly defined within notifications, including details of the basis for sharing the data.

Data will be shared with third parties where it is a legal requirement to provide this information.

Staff and students will be notified of any proposed changes to data processing that may impact them.

Under no circumstances will English Domain disclose information:

  • that would cause serious harm to students, staff, or anyone else’s physical or mental health or condition.
  • that would allow another person to be identified, or identifies another person as the source, unless the person is an employee of the institution or a local authority or has given consent, or it is reasonable in the circumstance to disclose the information without consent. The exemption from disclosure does not apply if the information can be edited so that the person’s name or identifying details are removed.

Data Security

In order to assure the protection of all data being processed and inform decisions on processing activities, English Domain will undertake an assessment of the associated risks of data processing and the impact on individual privacy. Risk assessments are conducted in accordance with the requirements of Article 32 of the GDPR.

Security of data is achieved through the implementation of proportionate physical and technical measures. Nominated staff are responsible for the effectiveness of the controls implemented, and the reporting on their performance.

The security arrangements of any third party organisation with which English Domain may share data will also be considered. Where necessary, these organisations will be required to provide evidence of the security of the data.

Data Access Requests

All individuals whose data is held by English Domain have a legal right to request access to their data, including information about what data is being held. We will respond to any such requests within one month. These should be made in writing to:

Data Protection Officer, Domain Group
Domain Building
102/104 Constitution Street
Mosta MST 9055
Malta

or

[email protected]

No charge is applied to this.

Personal data will not be disclosed to third parties without the consent of the student, parent/guardian or staff member, unless disclosure is required by law or is in the best interest of the individual. Data may be shared without consent in certain situations; for example, English Domain may be required to forward information to the police to aid a criminal investigation.

Every individual has the right to be forgotten. This means that, where personal data is no longer required for its original purpose, an individual can request that their personal data is erased. English Domain operates in accordance with the GDPR, and will erase data where it is requested and does not violate other requirements or legislation.

Photographs and Videos

Photographs and videos of staff and students may be captured at appropriate times as part of educational activities, for use within the institution only. Where photographs or videos may be used for publication and marketing, English Domain will always seek consent from staff and students.

Location of Information and Data

Hard copy data, including forms, records and personal information, are kept in secure storage. Personal information is not removed from the institution except where absolutely necessary, such as for audits, marking assessments or conducting off-site meetings.

The following guidelines, for all staff, reduce the risk of personal data being compromised:

  • Paper copies of data should not be taken off the institution site except where absolutely necessary. In that case, information should not be left unattended or in public view.
  • Unwanted paper that includes data or personal information should be destroyed.
  • Care must be taken to ensure that personal information is not left in printer trays.
  • If information is being viewed on a computer, staff must ensure that the window and documents are properly shut down or locked before leaving the computer unattended. Personal information should not be viewed on public computers.
  • If it is necessary for softcopy data to be taken offsite, it should be downloaded onto a portable storage device, and edited on and saved onto that device only. The information should not be copied onto any home or public computers.

These guidelines have been shared with all staff, and any issues or breaches of this policy will be addressed in accordance with the seriousness of the breach.

Data Disposal

English Domain recognises that the secure disposal of redundant data is integral to compliance with the requirements of the GDPR. All data held in any form (softcopy or hardcopy) shall be passed to a disposal partner with demonstrable competence in ensuring secure disposal services. All data shall be destroyed to agreed levels meeting recognised national standards.

Who we are

Our website address is: https://englishdomain.eu.

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select "Remember Me", your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

Who we share your data with

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Your contact information

Additional information

How we protect your data

What data breach procedures we have in place

What third parties we receive data from

What automated decision making and/or profiling we do with user data

Industry regulatory disclosure requirements
