Privacy Policy of the Freies Gymnasium Zürich
Privacy Policy of the Freies Gymnasium Zürich
1. What is this Privacy Policy about?
Freies Gymnasium Zürich (“FGZ”) and its affiliated association of former students of Freies Gymnasium Zürich (“Alumni FGZ”) (hereinafter collectively also referred to as “we”, “us”) collect and process personal data, in particular personal data concerning students, parents, affiliates, contracting parties, association members, visitors to our Website, participants in events, recipients of newsletters and other bodies or their liaisons and employees (hereinafter also “you”). In this Privacy Policy, we provide information about that data processing. In addition to this Privacy Policy, we may inform you separately about the processing of your data (for instance, in the case of forms or contractual terms and conditions).
If you disclose data to us about other persons (e.g. family members), we assume that you are authorised to do so and that the data is correct and that you have ensured that such other persons are informed of this disclosure, insofar as a legal duty to provide information applies (e.g. by making them aware of this Privacy Policy in advance).
2. Who is responsible for processing your data?
The following persons are responsible under data protection law for the processing described in this Privacy Policy:
School Association for Freies Gymnasium Zürich
Arbenzstrasse 19
8008 Zurich
datenschutz@fgz.ch
The following persons are responsible for the association of former students of Freies Gymnasium Zürich under data protection law:
Association of former students of Freies Gymnasium Zürich (Alumni FGZ)
Arbenzstrasse 19
8008 Zurich
datenschutz@fgz.ch
3. What categories of data do we process?
We process various categories of your personal data. The main categories are as follows:
Master data: These are general personal data such as your name, contact details, personal data, photos, customer history, powers of attorney, declarations of consent as well as information about your relationship with us (e.g. pupil, parents, suppliers) as well as information about third parties (e.g. contact persons, family details).
Contract and financial data: These are data that we collect and process in the course of providing our services and when concluding contracts, such as data on contractual services or concerning the provision of services, information on reactions (e.g. information on satisfaction) and processing (e.g. invoicing) as well as data in connection with the initiation and conclusion of contracts or financial data.
Educational provision and school data (only FGZ): These are data that relate to educational provision and arise in that context, such as school performance and behaviour, but also health data (e.g. allergies) or preferences (e.g. food wishes). As a rule, this is data about pupils, but may also concern data about parents or other third parties (e.g. other caregivers). Such data may also include health data.
Communications data: This is data collected in connection with communications between us and third parties (e.g. by e-mail, telephone, letter or other means of communication). This includes, for example, the content of e-mails or letters, your contact details, communications metadata or even image and audio recordings of (video) telephone calls.
Registration data: These are data that we collect in the course of a registration (e.g. parents' portal, alumni portal, newsletter) or that you provide to us (e.g. user name, e-mail). This also includes access data as part of access controls.
Technical data: This is data collected in connection with the use of our electronic presence (e.g. website, login areas), such as e.g. IP address, information about the operating system of your end device, the region and the time of use. Technical data alone do not enable any inferences to be drawn about your identity. However, they may be linked to other data categories (e.g. registration data) and thus possibly also attributed to you personally.
Behavioural and preference data: This includes data about your behaviour and preferences, such as your reactions to electronic messages, navigation on our website and interactions with our social media profiles, and we may also supplement and link these with information from third parties (e.g. publicly available sources).
Applicant data: This is data that we process as part of an application submitted to us and includes, inter alia, the information contained in your application documents (e.g. professional background, professional training and continuing education courses, references). We may also obtain data from public sources, such as professional social networks, the internet or the media.
Other data: This includes, in particular, data processed in connection with official or court proceedings (e.g. files, evidence, etc.), data collected for the purpose of safeguarding public health (e.g. protective concepts), photos, video or sound recordings that we make or receive from third parties and on which you are recognisable (e.g. at events, etc.), access data or rights (e.g. visitor lists), participation in events.
4. What are the purposes for which we process your data?
If you or your child visits our school, www.fgz.ch, our login areas (e.g. parents' portal, alumni portal) or any of our other websites (hereinafter collectively referred to as the “Website”), or if you are an association member or have dealings with us in any other way, we process various categories of your personal data (see Section 3). We may collect and process these data in particular for the following purposes:
Management of the association and implementing the objects of the association: As part of the management of the association, we collect and process the data of association members and/or the data of their representatives in the association, but also of other third parties who come into contact with us. This includes, in particular, the organisation of the bodies of the association and persons performing duties for it, the management of the association, the admission and administration of association members and the support of members or their representatives (e.g. responding to administrative or technical enquiries).
Communications: We process your data in order to communicate with you and with third parties by e-mail, telephone, letter or other means (e.g. to respond to enquiries, as part of a consultation or to initiate or perform a contract). This may also include image and audio recordings of (video) telephone calls, for example for quality assurance purposes. In the case of an audio or video recording, we will advise you of this separately and you are free to inform us if you do not wish a recording to be made, or you may terminate the communication. If we need or wish to establish your identity, we collect additional data (e.g. a copy of an ID document).
Initiation, conclusion, management and performance of contracts and in connection with the provision of our services (particularly school instruction): We process personal data in connection with the provision of our services (e.g. school instruction) or the initiation, conclusion, administration or performance of contracts with you as a parent or legal guardian or other contractual parties (e.g. suppliers, service providers, project affiliates). This includes, in particular, processing undertaken for purposes of educational provision and for providing and requesting contractual services (which also includes the involvement of third parties). This also includes the enforcement of legal claims arising under contracts (collections, court proceedings, etc.), accounting, termination of contracts and public communications.
Relationship management: We also process your personal data for relationship management purposes, such as in order to send our customers, other parties with whom we contract and other interested parties personalised advertising (e.g. on our Website, as printed material, by e-mail or via other channels) about services and other news from us and third parties. You may decline such contacts at any time or refuse or withdraw your consent to being contacted by us for advertising purposes by notifying us (see contact details in Section 2).
Market research, improving our services and operations as well as product development: In order to continuously improve our products and services (including our Website and login areas), we collect data about your behaviour and preferences, for example by analysing how you navigate through our Website or how you interact with our social media profiles or which products are requested and used by which groups of people. Where necessary, we may supplement this information with data from third parties (including from publicly available sources).
Operation of our Website and login areas (parents' and alumni portal): We also process personal data in order to be able to operate our Website and our login areas (such as the parents' portal and alumni portal) in a secure and stable manner. This applies in particular to technical data and registration data. In doing so, we may also evaluate how our Website and the login areas are used in order to further develop these areas and ensure reliable operations of our internet presence. For further information, see Section 9.
Registration: In order to avail yourself of certain offerings and services (e.g. login areas such as the parents' and alumni portal, free Wi-Fi, newsletters), you must register (directly with us or via our external login service providers). For this purpose, we process the data provided in the course of each user's registration. In addition, we may also collect personal data about you when you use the offering or service.
Security purposes and access controls: We collect and process personal data in order to ensure and continuously improve the appropriate security of our IT and other infrastructure (e.g. buildings). This includes, for example, monitoring and controlling electronic access to our IT systems as well as physical access to our premises, analyses and tests of our IT infrastructures, system and error checks and the creation of backup copies. For documentation and security purposes (for prevention purposes and to investigate incidents), we also keep access logs and visitor lists in relation to our premises.
Compliance with laws, directives and recommendations of authorities and internal rules (“Compliance”): We may process personal data to comply with the law (e.g. tax obligations or in order to implement health security concepts). In addition, data processing may take place in the case of internal and external investigations (e.g. by a law enforcement or supervisory authority or an authorised private body). These legal obligations may relate to Swiss law but may also include self-regulation provisions, industry standards, and our own corporate governance, as well as directions and requests from official bodies.
Risk management and corporate governance: We collect and process personal data as part of our risk management (e.g. to guard against criminal activity) and corporate governance. This includes inter alia our operational organisation (e.g. resource planning) and corporate development (e.g. purchase and sale of business units or companies).
Job applications: If you apply for a position with us, we collect and process the relevant data for the purpose of examining your application, conducting the application process and, in the case of successful applications, preparing and concluding a corresponding contract.
Other purposes: Other purposes include e.g. training and educational purposes, administrative purposes (e.g. accounting) or the holding of events. We may also process personal data for the organisation, in order to conduct and follow up on events, such as by compiling lists of participants, recording the contents of speeches and discussions, as well as making image and audio recordings during these events. Safeguarding other legitimate interests is also one of the other purposes that cannot be defined exhaustively.
5. Where does the data come from?
From you: You yourself disclose (or your end device discloses) many of the data processed by us (e.g. in connection with our services, the use of our Website and apps, or in communications with us). You are not obliged to disclose your data, with exceptions in individual cases (e.g. legal obligations). However, if you wish to conclude contracts with us or to use our services, for example, you must disclose certain data to us.
From third parties: We may also obtain data from publicly available sources (e.g. debt collection registers, land registries, commercial registers, media or the internet including social media) or from (i) public authorities, (ii) your employer or client who is either in a business relationship with us or otherwise has dealings with us, as well as (iii) other third parties (e.g. credit reference agencies, address brokers, associations, parties contracting with us, other schools from which transfers to our school are possible, internet analysis services). This includes in particular the following categories: General personal data (master data), contract data and other data, but also all other data categories pursuant to Section 3, as well as data from correspondence and discussions with third parties. If you work for an employer or client or another person who has a business relationship or some other relationship with us, they may also provide us with information about you.
6. Who do we disclose your data to?
In connection with the purposes listed in Section 4, we may transmit your personal data to the following categories of recipients in particular:
Affiliated associations: The associations affiliated with the FGZ (including in particular the “Alumni FGZ” Association) and the FGZ may disclose personal data to each other. Affiliated associations may use your data for the same purposes as described in this Privacy Policy (see Section 4). The recipients generally process the data on their own responsibility.
Service Providers: We work with service providers in Switzerland and abroad who act (i) on our behalf (e.g. IT providers), (ii) on our joint responsibility or (iii) on their own responsibility to process data that they receive from us or have collected for us. Those service providers include e.g. IT providers, advertising services, banks, insurance companies, debt collection agencies, credit bureaus, address verifiers, consulting firms or lawyers). We generally enter into agreements with these third parties regarding the use and protection of personal data.
Customers and other contracting parties: This refers first and foremost to customers and other parties with whom we contract and to whom a transfer of your data results from the contract (e.g. because you work for a contracting party or it provides services for you). This category of recipients also includes contracting parties with whom we cooperate, such as other schools from which transfers to our school are possible. These recipients generally process the data on their own responsibility.
Public authorities: We may disclose personal data to offices, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to do so or if this appears necessary to safeguard our interests. These recipients process the data on their own responsibility.
Other individuals: This refers to other cases where the involvement of third parties follows from the purposes set out in Section 4. This applies, for example, to the delivery addressees or payment recipients specified by you, third parties in the context of agency relationships (e.g. your lawyer or your bank) or persons involved in official or court proceedings. If we collaborate with the media and share this material (e.g. photos) with them, you may also be affected. As part of our business development, we may sell or acquire businesses, parts of business, assets or companies or enter into partnerships, which may also result in the disclosure of data (including from you, e.g. as a customer or supplier or as their representative) to the persons involved in these transactions. In the course of communicating with our competitors, industry organisations, associations and other bodies, data concerning you may also be exchanged.
All of these categories of recipients may, in turn, involve third parties so that your data can also be accessible to them. We may restrict processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. public authorities, banks, etc.).
We also enable certain third parties to collect your personal data on our Website and at our events on their own responsibility (e.g. media photographers, providers of tools that we have integrated on our Website, etc.). To the extent we do not play a decisive role in these data collection activities, these third parties are solely responsible for them. If you have any concerns and to assert your data protection rights, please contact these third parties directly. We have listed them in Section 9.
7. Are your personal data also shared outside Switzerland?
We process and store personal data primarily in Switzerland and the European Economic Area (EEA), but potentially in any country in the world in exceptional cases – for example through sub-contracted processors of our service providers.
If a recipient is located in a country lacking adequate data protection, we contractually oblige the recipient to comply with an adequate level of data protection (for this purpose we use the revised standard contractual clauses of the European Commission, which are available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en? for downloading; including the supplements necessary for Switzerland), unless it is already subject to a legally recognised set of rules to safeguard data protection and we are unable to rely on an exception. An exception may apply in particular in legal proceedings abroad, but also in cases of overriding public interest if the performance of a contract that is in your interest requires such disclosure, if you have consented, or it is not possible to obtain your consent within a reasonable period and disclosure is necessary to protect your life or physical integrity or that of a third party or if the data in question is made publicly available by you and you have not objected to the processing of it.
8. What rights do you have?
You have certain rights in connection with our data processing. Under applicable law, you may in particular request information about the processing of your personal data, request the correction of inaccurate personal data, request the erasure of personal data, object to data processing, request the surrender of certain personal data in a commonly used electronic format or its transfer to other controllers.
If you wish to exercise your rights vis-à-vis us, please contact us; our contact details can be found in Section 2. In order to be able to rule out fraud, we must identify you (e.g. by means of a copy of your identification document, if necessary).
Please note that these rights are subject to prerequisites, exceptions or restrictions (e.g. to protect third parties or business secrets). We reserve the right to redact copies for reasons of data protection law or confidentiality or to deliver them only in excerpted form.
9. How do our Website and other digital services use cookies, similar technologies and social media plug-ins?
When you use our Website (including newsletters and other digital content), data is generated that are stored in logs (in particular technical data). In addition, we may use cookies and similar techniques (e.g. pixel tags or fingerprints) to recognise Website visitors, evaluate their behaviour and recognise preferences. A cookie is a small file that is transmitted between the server and your system and enables a particular device or browser to be recognised.
You can configure your browser so that it automatically rejects, accepts or deletes cookies. You can also deactivate or delete cookies in individual cases. You can find out how to manage cookies in your browser in the help menu of your browser.
Neither the technical data collected by us nor the cookies generally contain any personal data. However, personal data that we or third-party providers engaged by us store about you (e.g. if you have a user account with us or those providers) may be associated with the technical data or with the information stored in and obtained from cookies and thus possibly associated with you personally.
We also use social media plug-ins, which are small software modules that establish a connection between your visit to our Website and a third-party provider. The social media plug-in informs the third-party provider that you have visited our Website and may transmit cookies to the third-party provider that the latter has previously placed on your web browser. Further information on how these third-party providers use your personal data collected through their social media plug-ins can be found in their respective privacy policies.
In addition, we use our own tools as well as third-party services (which in turn may use cookies) on our Website, in particular to improve the functionality or content of our Website (e.g. integration of videos or maps) and to generate statistics.
Currently, we may use offers from the following service providers and advertising partners in particular, although their contact details and further information on their individual data processing operations can be found in the relevant Privacy Policy:
Google Analytics
provider: Google Ireland Ltd.
Privacy Policy: policies.google.com/privacy und support.google.com/analytics/answer/6004245Google Ads
provider: Google Ireland Ltd.
Privacy Policy: policies.google.com/privacyGoogle Tag Manager
provider: Google Ireland Ltd.
Privacy Policy: policies.google.com/privacyGoogle Fonts
provider: Google Ireland Ltd.
Privacy Policy: policies.google.com/privacyGoogle Maps
provider: Google Ireland Ltd.
Privacy Policy: policies.google.com/privacyYouTube
provider: Google Ireland Ltd.
Privacy Policy: policies.google.com/privacyVimeo
provider: Vimeo.com, Inc.
Privacy Policy: vimeo.com/privacy
Some of the third-party providers used by us may be located outside Switzerland. Information on data disclosure abroad can be found in Section 7. In terms of data protection law, they are in some cases “only” processors for us, and in some cases they are controllers. Further information on this can be found in the Privacy Policy.
9.1 How does the FGZ process personal data in the parents' portal?
The FGZ operates a portal for parents and students in order to make information and documents available to parents and students online in a protected area. For this purpose, we rely on Microsoft SharePoint online. In order to access this information and documents, your existing Microsoft account or your e-mail address without an account will be assigned a one-time password authorising you to access the FGZ parents' and student portal. Upon first access, Microsoft will ask you to grant the FGZ certain permissions. On the one hand, your profile data such as name and e-mail address will be disclosed to us. On the other, we will be authorised to record and log your activities in the parents' and student portal and to process that data. We use the profile data to manage access to the parents' and student portal, to facilitate inquiries and to withdraw permissions. We only have access to activity data within the FGZ parents' and student portal. Activity data are technical data that we use in accordance with the terms of this Privacy Policy to ensure the security and functionality of the parents' and student portal and to further develop the portal.
9.2 How does the "Alumni FGZ" Association process personal data on the alumni portal?
The “Alumni FGZ” Association operates an alumni portal on the FGZ Website in order to make information available to its members online in a protected area. Each member receives a login for the alumni portal. The “Alumni FGZ” Association is responsible for the alumni portal. In addition to the data visible about you as a member, the alumni portal also processes technical data in accordance with the provisions of this Privacy Policy in order to guarantee the security and functionality of the alumni portal and to further develop the portal.
10. How do we process personal data on our pages in social networks?
We operate pages and other online presences on social networks and other platforms operated by third parties and process data about you in this context. In doing so, we receive data from you (e.g. when you communicate with us or comment on our content) and from the platforms (e.g. statistics). The providers of the platforms can analyse your use and process this data together with other data that they have about you. They also process this data for their own purposes (e.g. marketing and market research purposes and to manage their platforms) and act as their own data controllers for this purpose. For further information on processing by the platform operators, please refer to the privacy policies of the respective platforms.
We currently use the following platforms, whereby the identity and contact details of the platform operator can be found in the privacy policy:
Facebook
www.facebook.com
Privacy policy: www.facebook.com/privacy/policyInstagram
www.instagram.com
Privacy policy: https://privacycenter.instagram.com/policyYouTube
www.youtube.com
Privacy policy: https://policies.google.com/privacy?hl=deLinkedIn
www.linkedin.com
Privacy policy: de.linkedin.com/legal/privacy-policy
We are authorised, but not obliged, to check third-party content before or after it is published on our online presences, to delete content without notice and, if necessary, to report it to the provider of the platform in question.
Some of the platform operators may be located outside Switzerland. Information on the disclosure of data abroad can be found in section 7.
11. Can this Privacy Policy be amended?
This Privacy Policy is not part of any contract with you. We may amend this Privacy Policy at any time. The version published on this Website is the current version.