PERSONAL DATA PROTECTION POLICY

(In accordance with Law 81 of March 26, 2019)

Liceo Francés Internacional de Panamá

‍

1. Applicable legal framework

This Personal Data Protection Policy is based on Law 81 of March 26, 2019 “On Protection of Personal Data” of the Republic of Panama and its regulations, as well as other complementary regulations and resolutions issued by the National Authority for Transparency and Access to Information (ANTAI) in its capacity as regulatory authority for the protection of personal data.

The purpose of this policy is to establish the guidelines by which the French Lyceum of Panama (hereinafter, “the Institution”) collects, stores, uses, processes and protects the personal data of students, parents, legal representatives, teaching staff, administrative staff, suppliers, website visitors and any other person whose data is processed by the Institution.

2. Principles of processing personal data

The processing of personal data by the Institution is governed by the following principles, in accordance with Law 81 of 2019:

• Principle of loyalty: personal data is collected and treated in good faith and in a loyal manner, respecting the rights of the owner at all times.
• Principle of purpose: personal data is collected for specific, explicit and legitimate purposes, and is not treated in a way that is incompatible with those purposes.
• Principle of proportionality: only data that is adequate, relevant and not excessive in relation to the purposes for which they are processed are collected and processed.
• Principle of veracity and accuracy: the Institution undertakes to keep personal data updated and accurate, taking the necessary measures to correct or eliminate inaccurate data.
• Data security principle: the necessary technical and organizational measures are implemented to ensure the security and integrity of personal data.
• Principle of transparency: the Institution informs data subjects about the conditions of the processing of their personal information in a clear and accessible manner.
• Principle of confidentiality: people who are involved in the processing of personal data are subject to the obligation of confidentiality, even after ending their relationship with the Institution.

3. Rights of the data subject

In accordance with Law 81 of 2019, anyone whose personal data is processed by the Institution has the following rights:

‍

a) Right of access

The owner has the right to know if their personal data is being processed by the Institution and, if so, to obtain information about the purposes of the processing, the categories of data processed, the recipients to whom the data have been or will be communicated, and the expected period of conservation.

‍

b) Right to rectification

The owner has the right to request the correction of their personal data when they are inaccurate, incomplete or not up to date. The Institution will proceed to make the appropriate corrections as soon as possible.

‍

c) Right of cancellation

The owner has the right to request the deletion of their personal data when they are no longer necessary for the purpose for which they were collected, when they withdraw their consent or when they consider that their data has been processed illegally. This right is subject to the exceptions provided by law, such as the fulfillment of legal obligations or the defense of claims.

‍

d) Right of opposition

The owner has the right to object to the processing of their personal data under certain circumstances, including processing for direct marketing purposes or when there are legitimate reasons related to their particular situation. The Institution will stop processing the data unless it proves legitimate reasons that prevail over the interests of the owner.

4. Applied security measures

The Institution implements technical, administrative and physical security measures designed to protect personal data against unauthorized access, loss, alteration, destruction or misuse. These measures include, but are not limited to:

• Use of data encryption in transit and at rest.
• Role-based access control, ensuring that only authorized personnel have access to personal data.
• Regular training of staff in the field of personal data protection and information security.
• Use of firewalls, intrusion detection systems and up-to-date antivirus software.
• Data backup and recovery procedures
• Regular risk assessments and security audits.

The Institution continuously reviews and updates these security measures to adapt them to technological advances and best practices in the area of data protection.

5. Procedure for exercising rights

Personal data holders can exercise their rights of access, rectification, cancellation and opposition through the following procedure:

‍

Step 1: Submit the request

The owner must send a written request to the Institution's data protection officer, through the following means:

• Email: info@lfpanama.edu.pa
• Mailing Address: Calle A, Panamà Pacifico

‍

Step 2: Content of the request

The request must include:

• Full name of the owner and contact details.
• Copy of a valid identity document of the owner or, where appropriate, of the duly accredited legal representative.
• Clear and precise description of the right you wish to exercise.
• Any document or information that facilitates the location of the personal data subject to the request.

‍

Step 3: Answer

The Institution will acknowledge receipt of the request and will respond within thirty (30) calendar days from the receipt of the complete request, in accordance with Law 81 of 2019. If the request proves to be appropriate, the Institution will adopt the corresponding measures within fifteen (15) calendar days following the communication of the response.

‍

Step 4: Resource

If the owner considers that his request has not been satisfactorily addressed, he may file a complaint with the National Authority for Transparency and Access to Information (ANTAI), in accordance with the procedures established in Law 81 of 2019.

6. Responsibility of the owner of the site

The French Lyceum of Panama, in its capacity as responsible for the processing of personal data, undertakes to:

• Comply with all the provisions of Law 81 of 2019 and its applicable regulations.
• Ensure that the processing of personal data is carried out in accordance with the principles established in this policy.
• Designate a person or area responsible for dealing with requests related to the protection of personal data.
• Implement and maintain the necessary security measures to protect personal data.
• Inform data subjects about any security incident that may affect their personal data, in accordance with current legislation.
• Ensure that third parties who have access to personal data by virtue of a contractual relationship comply with the data protection obligations established in this policy and in the law.
• Cooperate with the National Authority for Transparency and Access to Information (ANTAI) in the exercise of its supervisory and control functions.

7. Update to the policy

The Institution reserves the right to update, modify or supplement this Personal Data Protection Policy at any time, in order to adapt it to legislative, regulatory, jurisprudential or technological changes.

Any changes will be published on the Institution's website with an indication of the date of the last update. In the event of substantial changes affecting the processing of personal data, the Institution may notify the owners through the means of communication it deems most appropriate.

Users and data subjects are recommended to periodically review this policy to stay informed about how the Institution protects their personal information.

‍