EU General Data Protection Regulation Compliance Policy

Modified: 17 May 2021

To the extent that International Schools Services (“ISS”) “processes personal data” on behalf of certain clients, as the term “processes personal data” is defined and used in Article 28 of the EU General Data Protection Regulation (EU 2016/679) (the “GDPR”), ISS, in compliance with Article 28 of the GDPR, has implemented the following safeguards to ensure that such data is protected in a manner consistent with the requirements of the GDPR:

All capitalized terms not specifically defined herein shall have the same meaning as in the definitions and rules of construction set forth in Article 4 of the GDPR.

1. Confidentiality. ISS shall take appropriate measures to ensure the ongoing confidentiality, integrity, availability and resilience of Processing Personal Data, including implementing, the following safeguards:

a. having all necessary systems in place to ensure the ongoing confidentiality, integrity, availability and resilience of Processing Personal Data;

b. having all necessary access controls in place to include authentication and authorization for access to Personal Data to ensure its security and confidentiality;

c. having the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

d. having a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Personal Data.

2. Processing. ISS shall only Process Personal Data in accordance with a written agreement entered into between ISS and the Controller. Such an agreement will set out the subject-matter and duration of the processing, the nature and purpose of the processing, and the type of Personal Data and categories of data.

3. Access. ISS shall ensure that only persons authorized to Process the Personal Data have access to such data and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Disclosures Required by Law. ISS will not divulge Personal Data to unauthorized third-parties except if it is required by law or regulation.

5. Third-Party Processors. ISS shall not engage another Processor without prior specific or general written authorization from the Controller. In the case of general written authorization, ISS shall inform the Controller of any intended changes concerning the addition or replacement of other Processors; thereby giving the Controller the opportunity to object to such changes.

6. Completion of Assignment. Upon the Completion of any assignment between ISS and the Controller, ISS shall, at the choice of the Controller, delete or return all Personal Data to the Controller at the end of the provision of services relating to the Processing, and delete existing copies subject to any European Union or EU Member State law requirements.

7. Availability. Upon request, and within a reasonable time period, ISS shall make available to the Controller all information necessary to demonstrate compliance with the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller.

8. Breach of Personal Data. ISS evaluates and responds to incidents that create suspicion of unauthorized access to or use of Personal Data. In such instances, ISS will inform the Controller of the incident and, depending on the nature of the activity, a response team will be assigned to address the incident. ISS will work with the Controller, appropriate technical teams and, where necessary, with outside law enforcement to respond to the incident. The goal of the incident response is to restore the confidentiality, integrity, and availability of the Personal Data, and to establish root causes and remediation steps.

These guidelines have been implemented to assist the Controller in providing ISS access to Personal Data and allowing Data Subjects to exercise their rights under the GDPR.