The Olive Tree School, S.L. is committed to protecting and respecting the privacy of parents, guardians and pupils. In this privacy notice, references to “we”, “us” or “our” refer to The Olive Tree School, S.L. and the school which your child is attending, may attend or has attended.

This privacy notice sets out the basis on which any personal data we collect from you or your child, or that you provide to us, is handled by us. We also have separate privacy notices for our staff and pupils, available on request from the school office.

This notice should be read alongside our Cookie Policy, available at: www.theolivetreeschool.es/cookie-policy/

This policy is governed by the General Data Protection Regulation 2016/679 (“GDPR”) and the Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD), together with any other applicable data protection legislation in force in Spain.

The data controller for the purposes of GDPR and LOPD-GDD is:

The Olive Tree School, S.L.

C/ Modistes 8

08812 Sant Pere de Ribes

Barcelona, Spain

CIF: B65365280

Right of Information

In accordance with Article 13 of the GDPR and Article 11 of the LOPD-GDD, we inform you of the following:

The Olive Tree School, S.L., C/ Modistes 8, 08812 Sant Pere de Ribes, Barcelona, Spain (CIF B65365280), is responsible for the processing of your personal data.

The school’s Data Protection Officer (DPO) is:

James Hoyle

Email: dpo@olivetreeschool.cat

Telephone: +34 931 88 62 15

The data that you provide using forms on our website, or that you send to us by email or post, will be used to manage the services you request, respond to your enquiries, and provide information about school activities.

Recipients of the information may include authorised school staff and third parties who work with the school in order to fulfil its legal or operational obligations. Where required by law, your data may be provided to public authorities within the scope of their legal powers.

You are required to provide the personal data requested where necessary to process your request or provide services. If you refuse to provide this information, we may be unable to assist you appropriately.

The data provided will be stored until you withdraw your consent or until it is no longer required for the purposes for which it was collected.

Legal Framework

This privacy notice is issued in compliance with:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR)
• Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD)
• Any other applicable national or European data protection legislation

Where Spanish law imposes additional requirements beyond those set out in the GDPR, the school complies with those requirements. In particular, under Spanish law, the age of digital consent is 14 years. For pupils under the age of 14, parental or guardian consent is required before the school can process personal data in connection with digital services.

User Consent

Users will be deemed to accept the conditions of this privacy notice by clicking the “ACCEPT” button on data collection forms on our website or by sending information to the contact addresses published on the website.

Where consent is relied upon as the lawful basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. To withdraw consent, please contact the DPO using the details above.

Security

Personal data collected by the school is stored within secure systems and databases operated by the school and its authorised service providers. These systems implement appropriate technical and organisational measures designed to ensure the integrity and security of personal data and to prevent loss, misuse, alteration, unauthorised access or disclosure.

However, you should be aware that transmission of information over the internet cannot be guaranteed to be completely secure.

The processing of personal data is carried out in accordance with the requirements of the General Data Protection Regulation and the LOPD-GDD.

Data Breach Notification

The school has procedures in place to detect, investigate and report personal data breaches. In the event of a data breach that is likely to result in a risk to the rights and freedoms of individuals, we are required to notify the Agencia Española de Protección de Datos (AEPD) within 72 hours of becoming aware of the breach.

Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals directly without undue delay.

All data breaches, whether or not they are reportable, are logged internally by the school.

Information We Collect About You and Your Child

You may provide personal data to us in several ways, including:

• using, visiting or interacting with our website (for example by completing online forms)
• visiting the school
• corresponding with us by telephone, email or post
• providing information directly to us when completing admission forms, contracts or other school documentation

The information you provide may include:

• full name of parents and child or children
• date of birth and year group of the child or children
• contact details (including home address, email address and telephone numbers)
• permissions or consent information submitted via online forms
• financial information necessary for the administration of school fees
• photographs of pupils
• passport details, NIE, nationality and immigration-related information
• educational and health records, including special educational needs or medical information
• previous educational records and achievements
• relevant family circumstances
• race, religion or ethnicity (where voluntarily provided)

Information We Receive From Other Sources

We may receive information about you or your child from third parties including:

• previous or future schools
• medical practitioners
• photographers
• local authorities
• educational authorities
• business partners
• payment or service providers
• legal representatives or credit reference agencies

As processors with respect to the personal data we receive from external third parties, we ensure compliance with the applicable technical and organizational security measures, in accordance with the provisions of the GDPR and the LOPD‑GDD. Such processing is always carried out under duly formalized Data Processing Agreements with the corresponding third parties.

Lawful Basis for Processing

Under GDPR, we must identify a lawful basis before we can process personal data. The table below sets out the primary lawful basis we rely on for different categories of processing activity.

Delivering educational services to your child – Lawful basis: Contract / Legal obligation

Maintaining pupil records, attendance and safeguarding files – Lawful basis: Legal obligation

Administering school fees and financial records – Lawful basis: Contract

Using pupil photographs for internal identification – Lawful basis: Legitimate interests

Organising extracurricular activities and school events – Lawful basis: Legitimate interests / Contract

Sending surveys and school improvement communications – Lawful basis: Consent (you may opt out at any time)

Fraud prevention and credit risk reduction – Lawful basis: Legitimate interests

Responding to enquiries submitted via our website – Lawful basis: Consent / Legitimate interests

Where we rely on legitimate interests as our lawful basis, we have assessed that those interests are not overridden by your rights and interests. You may request further information about this assessment by contacting the DPO.

Where we rely on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing that took place before the withdrawal.

Sensitive Personal Data

Sensitive personal data (also referred to as special category data) includes information relating to health, ethnicity, religion, or other categories listed in Article 9 of the GDPR.

The school may process such data where necessary for

• social security or social protection obligations
• medical diagnosis or provision of healthcare
• protection of vital interests
• equal opportunities monitoring
• dietary requirements
• facilitating religious practices or customs

Whenever sensitive personal data is collected, the school will inform you and request appropriate consent where required by law.

Information We Collect From Our Website

We use information collected through our website for the following purposes:

• informing families about future school places
• administering the website and conducting internal analysis
• improving the website and user experience
• enabling interactive features such as virtual learning environments
• maintaining the security of the website

Information submitted through website forms is stored within the secure database of the school’s website platform and is accessible only to authorised staff responsible for admissions and communications.

For full details of how we use cookies on our website, including the types of cookies used and how you can manage your preferences, please refer to our Cookie Policy, available at:

www.theolivetreeschool.es/cookie-policy/

Transmission of Personal Information Outside the EEA

In some circumstances personal data may be transferred to, or stored at, locations outside the European Economic Area (EEA), for example where service providers operate international data centres.

Where such transfers occur, the school will ensure appropriate safeguards are in place, including:

• EU-approved Standard Contractual Clauses
• equivalent data protection mechanisms
• transfers to countries recognised by the European Commission as providing adequate protection

Your Rights

Under the GDPR and LOPD-GDD, you and your child have the following rights in relation to your personal data:

Right of Access – You may request a copy of the personal data we hold about you.

Right to Rectification – You may request that inaccurate personal data is corrected.

Right to Erasure (‘Right to be Forgotten’) – You may request deletion of personal data where it is no longer required, where consent has been withdrawn, or where processing is unlawful.

Right to Restriction – You may request that processing of your personal data is limited in certain circumstances.

Right to Data Portability – You may receive your personal data in a structured, commonly used and machine-readable format.

Right to Object – You may object to certain types of processing, including processing based on legitimate interests or for direct marketing purposes.

Right Not to be Subject to Automated Decision-Making – You have the right not to be subject to decisions based solely on automated processing which produce significant effects for you.

Right to Withdraw Consent – Where processing is based on consent, you may withdraw that consent at any time.

Right to Complain – You have the right to lodge a complaint with the Spanish supervisory authority.

To exercise any of these rights, please contact the DPO:

Email: dpo@olivetreeschool.cat

Telephone: +34 931 88 62 25

Right to Object to Marketing – If you do not wish to receive marketing communications, please contact: marketing@olivetreeschool.cat

Supervisory Authority

The competent supervisory authority for data protection in Spain is:

Agencia Española de Protección de Datos (AEPD)

C/ Jorge Juan 6

28001 Madrid

www.aepd.es

You have the right to lodge a complaint with the AEPD at any time if you believe your personal data has not been handled in accordance with applicable law. We would, however, appreciate the opportunity to address your concerns directly before you approach the AEPD, and encourage you to contact our DPO in the first instance.

How Long We Keep Personal Information

Personal data will not be retained longer than necessary for the purposes for which it was collected.

As a general rule, pupil education records are retained for the duration of the contractual relationship with the school and for six years afterwards, unless a longer retention period is required by law.

Access to archived records is restricted and files are securely destroyed when retention periods expire.

Third-Party Service Providers

The school works with carefully selected third-party organisations to deliver its services. Where these organisations process personal data on our behalf, they do so as data processors under written data processing agreements that require them to:

• process data only on our documented instructions
• implement appropriate technical and organisational security measures
• assist us in fulfilling data subject rights requests
• delete or return data at the end of the relationship

We do not sell personal data to third parties.

Use of Our Website

Where passwords are used to access restricted areas of our website, users are responsible for keeping those passwords confidential.

Although we take reasonable steps to protect personal data transmitted through the website, transmission over the internet cannot be guaranteed to be completely secure.

For information about links to external websites, please be aware that this privacy policy applies only to the school’s own website. The Olive Tree School does not accept responsibility for the privacy practices of external sites accessed via links from our website.

Changes to This Privacy Notice

Any future changes to this privacy notice will be published on the school website and, where appropriate, notified to you by email. We encourage you to review this notice periodically.

This notice was last updated in March 2026.

Contact Us

Questions, comments or requests regarding this privacy notice should be addressed to the Data Protection Officer:

James Hoyle – Data Protection Officer

Email: dpo@olivetreeschool.cat

Telephone: +34 931 88 62 15

The Olive Tree School, S.L.

C/ Modistes 8

08812 Sant Pere de Ribes

Barcelona, Spain

Barcelona, España