Parent Privacy Notice
1. Who we are
Verita International School I.K.E. (the School, Verita) is the data controller for personal data we hold about you and your child. Our registered seat is 13 Smirnis Street, Glyfada 165 62. The full Data Protection Policy is available on the Parent Portal and sets out the wider framework this notice draws on.
2. What we collect about your child
We collect what we need to provide your child’s education, to look after their welfare, and to meet our obligations as a school under Greek and EU law. In summary:
| Category | What it includes |
|---|---|
| Identity and family | Your child’s full name, date of birth, nationality, passport details, photographs, your contact details, family circumstances relevant to safeguarding. |
| Academic | Previous school records, assessments, IGCSE and A-Level results, attendance, reports, teacher observations, personalised learning plans. |
| Health and welfare | Medical history, allergies, medications, immunisation status, any learning support or SEN/SEND diagnoses, wellbeing observations. |
| Safeguarding | Welfare concerns, incident reports, disclosures, communications with statutory authorities where required. |
| Financial | Tuition fee payments, billing details, scholarships, bank transfer records. |
| Images | Photographs and video recordings taken in the course of school activities, used only in line with the consent you have given. |
| Communications | Email correspondence, attendance at events, newsletter engagement. |
3. The lawful bases we rely on
Under GDPR Article 6 every use of personal data needs a lawful basis. Under Article 9 special category data (such as health information) needs an additional condition. For your child’s data we rely on:
- Contract (Article 6(1)(b)) for everything necessary to deliver the educational programme set out in the Parent Agreement: enrolment administration, teaching, assessment, billing, communication with you about your child.
- Legal obligation (Article 6(1)(c)) for matters required by Greek education law, tax law, immigration requirements, and mandatory reporting, including safeguarding disclosures.
- Vital interests (Article 6(1)(d)) where processing is necessary to protect life or physical safety, for example sharing medical information with emergency services.
- Legitimate interests (Article 6(1)(f)) for internal administration, school security including CCTV, network and IT system monitoring, and alumni engagement, in each case balanced against your rights and interests.
- Consent (Article 6(1)(a)) for uses that go beyond what is necessary for the educational contract, in particular publishing your child’s image in marketing or social media. You can withdraw consent at any time.
For health, medical, and SEN/SEND data we additionally rely on Article 9(2)(a) (explicit consent), 9(2)(c) (vital interests), 9(2)(g) (substantial public interest, particularly safeguarding), and 9(2)(h) (provision of health or social care), depending on the context.
4. Who we share information with
We share your child’s personal data only where we have a lawful basis to do so. The categories of recipient are:
- School staff on a need-to-know basis, in line with their role.
- You and the other person with parental responsibility, unless a court order or written instruction directs otherwise.
- Educational service providers and processors, including our learning platforms (Google Workspace for Education, Managebac, Seesaw), examination boards (Pearson/Edexcel for IGCSE and A-Levels), and our communication, finance, and HR systems. Each of these is bound by a Data Processing Agreement under GDPR Article 28.
- Health and emergency services where necessary to protect life or safety.
- Statutory authorities where required by law: the Greek Ministry of Education and Religious Affairs, child protection services, police, and similar bodies.
- Accreditation bodies, in particular the Council of British International Schools (COBIS) in connection with our Patron’s Accreditation.
- Receiving educational institutions when your child transitions to another school, with appropriate consent or legal authority.
- Professional advisors (lawyers, accountants, auditors) who are bound by professional confidentiality.
We do not sell or rent personal data to anyone, and we do not use your child’s data for marketing without explicit consent.
5. International transfers
Some of our providers are based outside the European Economic Area, principally in the United States. Where personal data is transferred outside the EEA, we rely on a transfer mechanism permitted under Chapter V of GDPR (such as an adequacy decision by the European Commission, or Standard Contractual Clauses). Details of the specific mechanism for any provider are available from the DPO.
6. How long we keep records
We keep personal data only as long as is necessary, in line with the Retention and Disposal Schedule at Annex A of our Data Protection Policy. The principal periods relevant to families are:
- Admission files: duration of enrolment, plus 7 years.
- Academic transcripts: held as a permanent archive (a core record of your child’s education).
- Health and medical records: until your child reaches the age of 25, or 8 years after they leave the School, whichever is longer.
- Safeguarding files: until your child reaches the age of 25, or 10 years from the incident date, whichever is longer.
- Financial and billing records: 10 years from the date of transaction.
- CCTV footage: 30 days, unless required for an investigation.
7. Your child’s rights, and yours
Both you and your child have rights under GDPR. While your child is below the age at which they exercise these rights themselves, you exercise them on their behalf. From age 15 (the digital consent age under Greek Law 4624/2019), your child exercises certain rights independently; we will tell you how this works at the appropriate stage. The rights are:
| Right | What it means |
|---|---|
| Access (Art. 15) | You can ask for a copy of the personal data we hold about you or your child. |
| Rectification (Art. 16) | You can ask us to correct data that is inaccurate or incomplete. |
| Erasure (Art. 17) | You can ask us to delete data where it is no longer needed. This right is balanced against our legal obligations to retain certain records. |
| Restriction (Art. 18) | You can ask us to limit how we use data in particular circumstances. |
| Portability (Art. 20) | For data processed by automated means under consent or contract, you can ask for a structured, machine-readable copy. |
| Objection (Art. 21) | You can object to processing based on legitimate interests. |
| Withdraw consent (Art. 7(3)) | Where we rely on consent (for example, image use), you can withdraw it at any time without affecting processing carried out before withdrawal. |
We will respond to any request within one month. For complex requests we may extend by a further two months, in which case we will tell you within the first month. To make a request, contact the DPO.
8. Image consent
Photographs and video of your child are personal data, and where your child is identifiable they may also count as biometric special category data. We will not use your child’s image in any external communication, publication, website, or social media without your explicit written consent. Consent is sought separately at enrolment, can be updated at any time in writing, and can be withdrawn. Withdrawal applies to future use; we cannot retroactively recall printed materials already distributed.
9. Safeguarding
Verita has a legal and ethical obligation to protect children from harm. Where we receive information that raises a safeguarding concern, we may be required to share personal data with statutory authorities (child protection services, police, social welfare) regardless of your wishes. We act under legal obligation and, where necessary, vital interests. Our Safeguarding Policy should be read alongside this notice.
10. Security
We apply technical and organisational security measures appropriate to the risk, including role-based access controls, encrypted storage, secure cloud platforms governed by Data Processing Agreements, physical access restrictions, encrypted portable devices, firewalls, and regular patching. Staff are trained on data protection on induction and at least annually. The full security framework is set out in Section 11 of the Data Protection Policy.
11. If something goes wrong
If we become aware of a personal data breach that affects your or your child’s rights, we will notify the Hellenic Data Protection Authority within 72 hours where required, and we will notify you without undue delay if the risk to you is high, in line with GDPR Articles 33 and 34.
12. How to contact us, and how to complain
Data Protection Officer
Romina Pici
Email: dpo@veritaschool.gr
Phone: +30 211 419 9994
Post: Data Protection Officer, Verita International School, 13 Smirnis Street, Glyfada 165 62, Athens, Greece
If you are not satisfied with how we have handled a data protection matter, you have the right to lodge a complaint with the Hellenic Data Protection Authority:
Supervisory Authority
Hellenic Data Protection Authority (HDPA)
Website: www.dpa.gr
Email: contact@dpa.gr
Phone: +30 210 6475600
Address: Kifissias 1-3, Athens 115 23, Greece
13. Where data is processed
The School operates from four campuses, all in the Athens area:
- Early Years Campus, 30 Irakliou Street, Glyfada 166 75 (Nursery, Reception, Year 1)
- Primary Campus, 13 Smirnis Street, Glyfada 165 62 (Years 2 to 6) — registered seat
- Middle Years Campus, 4 Marinou Antipa, Alimos 165 62 (Years 7 to 9)
- Secondary School, 4 Marinou Antipa, Alimos 165 62 (Years 10 to 13)
14. Changes to this notice
We review this notice regularly and may update it. Where any change materially affects how we use your or your child’s personal data, we will give reasonable notice. Earlier versions are available from the DPO on request.
Parent Privacy Notice · v1.0 · May 2026
Compliant with GDPR (EU) 2016/679 and Greek Law 4624/2019