GENERALATE OF THE
INSTITUTE OF THE BROTHERS OF THE CHRISTIAN SCHOOLS – LA SALLE INTERNAL DATA PROTECTION REGULATIONS

I.   INTRODUCTION

The INSTITUTE OF THE BROTHERS OF THE CHRISTIAN SCHOOLS is a congregation of canonic right; it is a non-profit religious-educational organization.

The GENERALATE, located in Rome, Via Aurelia 476, is the headquarters of this institution spread over 80 countries of the five continents.

Both the Generalate and the social, cultural, educational and religious institutions that make up the Institute of the Brothers of the Christian Schools recognize the importance of the security, privacy and confidentiality of the personal data of their members, as well as that of their students, parents, workers, clients, suppliers, beneficiaries and, in general, of all the persons with respect to whom they process personal information. Therefore, in compliance with current legislation, it has drawn up this document containing its policies for the processing and protection of personal data, for all activities involving the processing of personal information in the Italian sphere, as well as the processing of personal data in the international sphere in accordance with legislation, international agreements and treaties.

II.   PURPOSE

The internal data protection regulations of the Generalate of the Institute of the Brothers of the Christian Schools respond to the following objectives:

  1. To safeguard and protect the personal data of members, former members of the Institute, and all persons whose data are collected by the Institute, in order to guarantee their right to the protection of their personal data. Personal data is any information concerning an identified or identifiable natural person.
    1. To apply the International regulations, those of the European Union and the General Decree of the Italian Episcopal Conference in force, on the protection of personal data within the scope of the purposes and activities of the Generalate.
    1. To establish the rules concerning the purposes and procedures for the processing of personal data with regard to their collection, storage, modification, consultation, communication and cancellation.

III.   TERMINOLOGY GLOSSARY

Personal Data: Any information linked to or that may be associated with one or more specific or determinable natural persons.

Private Personal Data: Those whose knowledge is restricted to the general public.

Sensitive Data: They are those that affect the privacy of the Proprietor or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data relating to health, sex life and biometrics, including still or moving image capture, fingerprints, photographs, iris, voice recognition, facial or palm recognition, etc.

Public data: Data that is not private or sensitive, which can be processed by any person, without the need for authorization to do so. Among others, the data contained in the civil registry of persons and those contained in public documents are public.

Holder of the Information: Natural person whose personal data are object of Treatment.

Database: Organized set of personal data that is subject to processing.

Data Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

Data controller: A natural or legal person, public or private, who, by himself or in association with others, decides on the database and/or the Processing of the data.

Data Protection Officer (DPO): A natural or legal person, public or private, who by himself or in association with others, performs the Processing of personal data on behalf of the Data Controller.

Authorization: Prior, express and informed consent of the Holder to carry out the Processing of personal data. Consent may be given in writing, orally or through unequivocal conduct of the Registrant that allows to conclude that the authorization was granted.

Privacy Notice: verbal or written communication whose purpose is to inform the owner of the data about the existence of a policy of treatment of personal data that will be applicable to the processing of your information.

IV.   GENERAL AND SPECIFIC PRINCIPLES

4.1  General principles

  • The Institute of the Brothers of the Christian Schools promotes the protection of rights such as Habeas Data, privacy, intimacy, good name, honour and personal image. To this end, all actions will be governed by the postulates of good faith, legality, computer self- determination, freedom and transparency.
    • The Institute recognises that its legitimate right to the processing of the personal data of the holders of information must be exercised within the specific framework of legality, the consent of the holder and the specific instructions given by the Data Officer when appropriate, endeavouring at all times to preserve the balance between the rights and duties of the holders, the data officers and other data officers linked to its operation.
  • Whoever, in the exercise of his activity, provides any type of information or personal data to the Institute of the Brothers of the Christian Schools in his capacity as data controller or data officer, may exercise his rights as data controller to know, update and rectify the information in accordance with the procedures established in the applicable law and this policy.

4.2  Specific principles

The Generalate of the Institute of the Brothers of the Christian Schools shall apply the specific principles set forth below, which constitute the rules to be followed in the collection, handling, use, treatment, storage, exchange, and deletion of personal data:

  1. Principle of legality: In the collection, use and treatment of personal data, the norms governing the treatment of personal data and other related fundamental rights will be applied.
  2. Principle of freedom: The collection, use and processing of personal data may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior consent.
  3. Principle of purpose: The collection, use and treatment of personal data to which it has access and which are collected in the development of the activities of the Institute, will obey to a legitimate purpose of which the respective holder of the personal data must be informed.
  4. Principle of truthfulness or quality: The information related to the collection, use and treatment of personal data must be truthful, complete, exact, updated, verifiable and comprehensible. The processing of incomplete or misleading data is prohibited.
  5. Principle of transparency: In the processing of personal data, the Holder’s right to obtain from the Generalate, at any time and without restrictions, information about the existence of any type of information or personal data that is of interest to him or her or of which he or she is the holder, must be guaranteed.
  6. Principle of access and restricted circulation: The personal data, except those whose character is of public information, will not be able to be available in Internet or other means of disclosure or massive communication, except that the access is technically controllable to offer a restricted knowledge only to the Holders or authorized third parties.
  7. Principle of security: The personal data and information collected, used and subject to treatment in the development of the activities of the Generalate shall be subject to protection to the extent that the technical resources and minimum standards so permit, through the adoption of technological protection measures, protocols, and all types of administrative measures that are necessary to offer security to the physical and electronic registers and repositories, avoiding their adulteration, modification, loss, consultation and, in general, against any unauthorized use or access.
  8. Principle of confidentiality: Each and every person who manages, modifies, updates or has access to information of a personal nature at the Generalate undertakes to keep and maintain strictly confidential and not to reveal to third parties the personal, accounting, technical or any other type of information supplied in the execution and exercise of their functions. This duty extends to all third parties who are allies, collaborators or related parties who relate through any conventional or contractual relationship with the Generalate.
  1. Systematic Incorporation: The principles of Personal Data Protection will be implemented and applied in all the processes and procedures of this Generalate of the Institute of the Brothers of the Christian Schools.

V.   PERSON IN CHARGE AND RESPONSIBLE FOR THE PROCESSING OF INFORMATION

PDO:

The Generalate of the Institute of the Brothers of the Christian Schools shall act as the officer of personal data whenever, for the development of its activities, it makes use of or processes personal information on behalf of a third party who is responsible for the data processed.

While the Institute of the Brothers of the Christian Schools has autonomy in making decisions about personal information, it may not decide or dispose of the databases themselves or the manner of their processing (deletion, sharing or disclosure of the database) without consent or

prior authorisation from the data controller or data holder. It shall be the responsibility of whoever holds the title of Data Controller to collect and provide the necessary proof of authorisation for the processing of the data supplied.

Responsible:

The Generalate of the Institute of the Brothers of the Christian Schools will act as Responsible for the treatment of personal data whenever for the development of its activities it makes use or treatment of personal information in a direct way, mediating for it only the authorization on the part of the holder of the information or the express legal authorization.

The legal relationship (contract) existing between the Generalate and the workers or collaborators linked to its activity, as well as with those providers who provide its services, allows the Generalate to have the power to decide or dispose of the information in the databases associated with this type of holder, as well as the form of its treatment, this power being subject to the consent of the holder of the information and the applicable legal restrictions.

VI.   RIGHTS, DUTIES AND OBLIGATIONS OF PROCESSING

6.1  Rights of the owners.

In accordance with the applicable regulatory provisions, the Information Owner holds the following rights:

  1. To know, update and rectify their personal data with regard to the Data Officers.
  • Request proof of the authorization granted.
  • To be informed, upon request, regarding the use that will be given to their personal data.
  • Revoke the authorization by submitting a request. This does not apply when the Holder has a legal or contractual duty to remain in the database.
  • Consult your personal data free of charge, at least once every calendar month and each time there are substantial changes in the policies of Information Processing.

6.2  Duties of the Institute of the Brothers of the Christian Schools and its Generalate.

As responsible for the processing of information, the Generalate of the Institute of the Brothers of the Christian Schools assumes the following duties:

  1. To guarantee to the Titular, at all times, the full and effective exercise of the right of habeas data.
  • To request and keep a copy of the respective authorization granted by the titular.
  • To duly inform the titular about the purpose of the collection and the rights that assist him by virtue of the authorization granted.
  • Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • Guarantee that the information provided to the data officer is truthful, complete, exact, updated, verifiable and understandable.
  • Update the information, communicating in a timely manner to the person in charge of the treatment, all the novelties with respect to the data previously provided to him and adopt the other necessary measures so that the information supplied to him is kept updated.
  • To rectify the information when it is incorrect and to communicate the pertinent thing to the person in charge of the treatment.
  • To provide the Data Officer, as the case may be, with only data the Processing of which has been previously authorised.
  1. Demand from the Data Officer, at all times, respect for the conditions of security and privacy of the data subject’s information.
  • Process queries and complaints.
  • Inform the Data Officer when certain information is under discussion by the Registrant, once the complaint has been submitted and the respective procedure has not been completed.
  • Inform at the request of the Registrant about the use given to their data.
  • Inform the data protection authority when there are security code violations and there are risks in the administration of the information of the Data Subject.

In its capacity as the Officer of personal information, it assumes the following duties:

  1. Inform the data controllers of any situation or requirement that implies or requires the availability of the database or its processing.
  • Inform and support the data controller in the management of queries or complaints received directly from information holders or channelled through the data controller.
  • Inform and support the person in charge in the management of information security incidents involving personal information of which he or she is aware or which are reported by the person in charge.
  • Support the responsible with the provision of information for the completion of the Registration of the Personal Database, providing the information required to facilitate this process of legal compliance.

VII.   PROCESSES

7.1 a – Collection of data from the members of the Institute:

  1. The first collection of personal data by the Generalate of the Institute takes place at the moment a candidate is admitted to the Novitiate (CDC, 645).
    1. At that time, the N-1b form on the Institute’s WEBSITE is completed and, after obtaining the consent of the person concerned for the processing of their data, sent to the personnel office of the Generalate.

This form contains:

  • The request for the following personal data: Full name, date and place of birth, father’s and mother’s name, educational qualifications, languages spoken and details of identity document.
    • The authorization given to the Institute, on the part of the Holder, for the collection, conservation, consultation, modification, communication and cancellation of his personal data in any computer support, paper or analogical, necessary for the fulfillment of the ends of the Institute according to the own right, the internal Regulation in matter of protection of data and the fulfillment of the legal obligations.
    • The Novice’s signature, the date and place where the form has been signed. This form must be sent to the Secretariat of the Generalate in Rome either by computer or by post. In both cases it must include an updated passport type photograph.
    • At the time of First Profession a new photograph will be provided and the personnel office will assign the new Brother a registration number and record the date and place of that First Profession. At the time of Perpetual Profession the date and place will be added.
    • Each year the assignments to the mission community, the institutional or professional responsibilities acquired and the degrees of studies will be attached.
  • All these data will be included in the form that will be opened to each Brother in the Database of the Institute, once he has made his first profession.
    • Letters or other personal communications arriving at the Generalate will be treated with absolute discretion and for the purposes for which they are sent.

7.1 b – Collection of data from Non-SSC personnel:

  1. Data on persons hired by the Generalate or by the various Districts in which the Institute of the Brothers of the Christian Schools is organized are collected at the time of the signing of an employment or collaboration contract between these institutions and the persons concerned.
    1. These data will be, fundamentally, those which appear on your identity document, in addition to your address, telephone number and e-mail address which you use for professional matters, your studies, the languages you speak and data relating to your employment contract.
    1. These data will be included in the Institute’s database.
    1. The data of people who attend the Generalate for attending courses, meetings, conferences, etc., will be limited to the name and organization of which they are a part.

7.2   – Conservation:

  1. The conservation of personal data is subject to the concept of privacy to guarantee the rights of its members and ex-members, as well as to the concept of usefulness to serve the purposes of the Congregation.
    1. The data collected is recorded in the “La Salle Program” which constitutes the Institute’s Database.
    1. This digital support allows for the creation of various lists: of all the Brothers, of the Brothers by Regions, by Districts and Delegations, by age, etc. and other possible lists that are considered interesting at the internal level.
    1. The dossiers of the Brothers who leave the Institute are kept, in paper format, in the Archives of the Brother Procurator General. Since it may contain sensitive data, this Archive will be suitably protected and insured. The access is reserved to the Superior General and the Procurator General.
    1. The digital records are kept in the “La Salle Program”, the Institute’s Database, housed in servers in Paris through the company:

Cooperative Society for Research and Technological Development
C/ Roman Riva nº 9 39600 Alto Maliaño Cantabria, Spain
Fiscal code: F39835608 For Europe: ESF39835608
Data controller: José Sugasaga

  • A user account and password are required to access the database.

7.3.- Modification:

  1. A Brother or the District Secretary may request the modification of inaccurate data in order to correct the error or to update the existing data. In this case, the General Secretariat or the personnel office should be contacted in writing and a request for modification should be made.
    1. It is forbidden to make any modification to the existing data in the Archives and in the digital Program “La Salle” if it does not correspond to the principle of accuracy.

7.4.- Consultation:

  1. It is the Brother Superior General and his Council who approve the Internal Protocol on Data Protection of the Generalate and may introduce corrections for updating, improvement or adaptation to new internal and external official regulations.
  2. The direct data controller is the Secretary General. He may have some collaborator of the Secretariat (personnel office) as a person authorised to process data, who will be under his authority.

7.5.- Communication:

  1. To fulfill the purposes of the Congregation, the Generalate shares personal data of members or former members of the Congregation with the Districts and Delegations belonging to the Congregation, guaranteeing, through the Provincial Visitors and Secretaries of the Districts, personal data protection rights. The exchange of reports is necessary:
    1. To fulfill the conditions required for admission to first vows, temporary vows and perpetual vows.
    1. To comply with the provisions of the Administrative Directory, chapter 8, articles 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60 and 61, concerning pardons of leave of absence, exclaustration, secularization, expulsion of a member, etc.
  2. The personal data of the members and former members of the Institute who are treated or safeguarded in the Generalate, as well as that of collaborators and contracted personnel, cannot be transferred to third parties for commercial purposes.
  3. In accordance with the regulations in force concerning legal obligations, the Generalate is obliged to communicate personal data for:
  4. the execution of a contract to which the interested party is a party,
  5. comply with a legal obligation to which the data controller or data Officer is subject,
  6. protect the vital interests of the data subject or of another natural person,
  7. the performance of a function carried out in the public interest or in the exercise of public powers conferred on the controller,
  8. the processing necessary for the legitimate interests pursued by the controller or by a third party.
  • Respecting the limits of privacy and within the framework of the aims of the Congregation, some personal data may be used in institutional publications such as the Congregation’s website, information sheets, books, etc.
  • For consultation of the General Archives of the Congregation located at the Generalate in Rome by a member of the Congregation, you should contact the General Secretariat or the person responsible for the Archives and request the desired information. If they are documents or sensitive or classified subjects, or if you wish to publish them, you must have the express authorization of Brother Superior General.
  • If the request for consultation or information comes from persons outside the Congregation, a written authorization from the Secretary General is required.
  • The section of the Historical Archive which contains the personal data of the Brothers, their correspondence, chapters of vows, etc., will not be accessible, in the normal way, until 50 years have passed since their death.

The Institute of the Brothers of the Christian Schools and its Generalate reserve the right to modify this regulation concerning their data protection policy by making it public with due notice.

Rome, 7 October 2019

Signed: Bro. Robert Schieler
Superior General