Comprehensive GDPR Policy for The Little Peter After School Program
The Little Peter After School Program acts as the Data Controller for all personal data processed. If you have any questions, concerns, or requests regarding your personal data, you can contact us:
Data Protection Officer (DPO): Aleandro Mendes and Jairo Guzman
Email:
Phone: 083 3371592
We collect and process the following categories of personal data, tailored to our specific relationship with the data subject (student, parent/guardian, employee, or vendor):
Students and Parents/Guardians
Identification Details: Full name, date of birth, gender, school information.
Contact Details: Address, phone numbers, email addresses.
Medical Data: Allergies, dietary restrictions, disabilities, special needs, immunization records.
Attendance and Academic Records: Drop-off and pick-up times, participation in activities, behavior reports.
Emergency Contact Information: Details of parents/guardians and alternative emergency contacts.
Employees and Volunteers
Personal Identification: Full name, date of birth, photo identification, Social Security Number (or equivalent).
Employment Details: Position, employment history, qualifications, references.
Financial Information: Bank account details for payroll purposes.
Background Checks: Records of criminal background checks, if applicable.
Vendors and Contractors
Business Details: Company name, registration details, contact information.
Financial Information: Bank details for payment purposes.
We collect personal data through:
Enrollment Forms: Paper or online forms completed by parents/guardians.
Direct Communication: Emails, phone calls, or in-person interactions.
Employee Applications: Submitted CVs, resumes, and background check authorizations.
Attendance Systems: Digital or manual attendance logs.
Incident Reports: Written accounts of accidents or behavioral issues.
The Program processes personal data for the following purposes:
Educational and Recreational Activities: Ensuring a safe, personalized, and engaging experience for all students.
Health and Safety Management: Addressing medical needs, allergies, and emergency situations.
Legal Compliance: Maintaining compliance with child welfare and employment laws.
Operational Efficiency: Managing schedules, billing, payroll, and communication systems.
Parental Communication: Updating parents/guardians on child progress, incidents, or program updates.
Program Improvement: Analyzing participation data to enhance activities and operations.
The Program processes personal data under these GDPR-recognized legal bases:
Consent: Where required, we obtain clear, explicit consent (e.g., using photographs for promotional purposes).
Contractual Obligation: Processing necessary to fulfill contracts (e.g., after-school care agreements).
Legal Obligation: Complying with health, safety, and child welfare laws.
Legitimate Interests: Ensuring the efficient delivery of services while safeguarding individual rights.
We only share personal data with third parties when necessary and in line with GDPR requirements:
Emergency Services: Sharing medical or contact details during emergencies.
Government Authorities: Complying with legal requests from regulatory or child welfare agencies.
Service Providers: Engaging secure third-party providers for payment processing, IT services, or professional support.
All third-party providers are required to adhere to GDPR standards through Data Processing Agreements (DPAs).
Personal data is retained only as long as necessary for the purposes outlined or as required by law:
Student Records: Retained for up to two years after the student exits the program.
Medical Records: Retained for two years, or as required by applicable health and safety laws.
Employee Records: Retained for two years after employment termination.
Financial Records: Retained for 2 years for tax and auditing purposes.
Once the retention period expires, data is securely deleted or anonymized.
Under GDPR, data subjects have the following rights, which the Program fully
upholds:
- Right to Access: Obtain a copy of the personal data we hold.
- Right to Rectification: Request corrections to inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of personal data, subject to legal requirements.
- Right to Restrict Processing: Request that processing of your data is limited in specific circumstances.
- Right to Data Portability: Receive data in a portable format or transfer it to another controller.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent where it forms the basis of data processing.
To exercise these rights, submit a request to our Data Protection Officer. We will
respond within one month, as required by GDPR.
We employ rigorous security protocols to safeguard personal data:
- Encryption: Sensitive data is encrypted during transmission and storage.
- Access Controls: Data is accessible only to authorized personnel.
- Physical Security: Secure storage of paper records in locked filing cabinets.
- Training: Regular staff training on GDPR compliance and data protection best practices.
- Incident Response Plan: Procedures to manage and report data breaches.
When processing personal data based on consent, we ensure:
Transparency: Clear explanation of how the data will be used.
Opt-In Mechanisms: No pre-checked boxes; explicit consent is required.
Easy Withdrawal: Ability to withdraw consent at any time via email or written request.
Examples include:
Using photographs or videos for promotional materials.
Participation in optional surveys or programs.
In the event of a data breach:
Investigation: The incident will be promptly investigated to assess scope and impact.
Notification: Affected individuals will be notified within 72 hours if the breach poses a risk to their rights and freedoms.
Reporting: Relevant authorities, such as the Data Protection Authority, will be informed.
Last update: 22/01/2025