Genuine School Privacy and Personal Data Processing Policy

• For the processing of certain personal data, such as the collection of information from minors, images, voice recordings, or sensitive data, GS will request the express consent of the parent or legal guardian before proceeding with the processing.
• In the European Union, Article 8 of the GDPR establishes that the processing of personal data of children under the age of 16 requires the consent of their parents or guardians (or a lower age as determined by each Member State, but not less than 13).

Genuine School’s legitimate interests (Art. 6.1(f) GDPR):

• GS may use personal data to enhance our educational services, maintain system security, carry out statistical analyses, or prevent fraud, always ensuring that these actions do not infringe on individuals’ rights.
• In the US, the California Consumer Privacy Act (CCPA, Cal. Civ. Code 1798.100 et seq.) allows consumers to request information about the use of their data and object to unjustified processing.

Why We Process Personal Data

GS processes the personal data of students, parents, guardians, and collaborators for the following purposes:

• Managing academic and administrative activities: Enrollment, course assignments, progress tracking, certifications, and parent communication.
• Security and access control: Verifying identities on digital platforms and managing educational records.
• Compliance with legal regulations: Protection of data of minors in accordance with FERPA, COPPA and GDPR, Law 1581 of 2012.
• Improving the educational experience: We use data for learning tools, students’ performance statistics, and content customization.
• Answering queries and offering support: Respond to student and parent concerns about our privacy policy and services.

OVERVIEW OF PRIVACY LAWS

Genuine School is a private school registered in Florida State and operates under federal and state privacy and education laws. This includes the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children’s Online Privacy Protection Act (COPPA) and the Florida Statutes for Privacy and Education.

That said, we recognize that the strength and scope of privacy laws vary from state to state and across international jurisdictions. Therefore, we closely follow changes in data protection regulations across the United States, the European Union, and Latin America, ensuring that Genuine School’s personal data processing practices meet the highest standards of privacy.

As part of our ongoing commitment to data privacy and security, we’ve adopted best practices from leading privacy laws, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), in addition to Law 1581 of 2012. In this regard, we follow the key principles outlined in Article 5 of the GDPR, which set the foundation for how personal data should be processed:

• Lawfulness, fairness and transparency: All personal data we collect is processed lawfully, fairly, and in a transparent manner, always informing data subjects about the use and purpose of the data processing.
• Purpose limitation: Personal data is collected for specified, explicit, and legitimate purposes, and we don’t use it for any additional purposes without prior disclosure to the data subject.
• Data minimization: We only collect the data strictly necessary to fulfill the purposes set out in our privacy policy.
• Accuracy: We ensure that users’ personal information is accurate and up to date, and we provide ways to correct or delete it in the event of inaccuracy.
• Storage limitation: Personal data will be stored as long as needed to meet legitimate processing purposes, in full compliance with relevant laws.
• Integrity and confidentiality: We implement appropriate technical and organizational measures to ensure the security of personal data, protecting it against unauthorized access, loss, alteration, or improper disclosure.

While the U.S. doesn’t have a single federal data protection law, various sector-specific regulations offer similar rights to those under the GDPR. Genuine School follows these laws when processing the data of Data Subjects, such as:

• FERPA (Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g): It regulates access to and control of students’ academic data and grants parents rights over their children’s educational information.
• COPPA (Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506): Protects the privacy of children under 13 on online platforms by requiring verifiable parental consent before collecting personal information.
• CCPA (California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq.): Provides California consumers with rights to access, delete, and control their personal data, including the right to know what data is collected and not to have it sold.
• FTC Act (15 U.S.C. § 41-58): Prohibits unfair or deceptive business practices, including the improper collection and processing of personal information.

By adopting these standards, Genuine School is committed to providing a secure and transparent environment for the processing of personal data, ensuring that our practices comply with the highest data protection standards in each jurisdiction where we operate.

SCOPE OF TERRITORIAL APPLICATION

Genuine School collects and processes personal data within the territorial scope of application that includes the European Union, the United States, certain countries in Asia and the Republic of Colombia, following the guidelines outlined in the “OVERVIEW OF PRIVACY LAWS.” In this sense, it is understood that:

The legislation on personal data protection applies to:

• This includes data processing related to Genuine School services;
• The processing carried out by data controllers or operators located outside Colombia—when Colombian laws or the applicable laws of the data subject’s country require it under international standards.

Data processing at an establishment in the EU: Applies to all data processing carried out within the framework of the activities of an establishment of the controller or operator located in the European Union, regardless of whether such processing is carried out within or outside the territory of the Union.

Processing personal data of data subjects residing in the EU: When the processing of personal data is carried out by controllers or operators not established in the European Union, the regulations will apply provided that the operations relate to:
The offer of goods or services to data subjects in the EU, whether or not payment is required;

The monitoring of the behavior of data subjects, to the extent that such monitoring takes place within EU territory.
Application by reason of public law: The regulations will also extend to processing carried out by controllers not established in the European Union, where the law of the Member States applies at the place where the processing takes place under public law.

TRANSFER OF PERSONAL DATA
In line with Law 1581 of 2012, Decree 1377 of 2013, and the guidelines set by Colombia’s Superintendency of Industry and Commerce (SIC)—as well as relevant regulations in the U.S. and the European Union—Genuine School ensures that the international transfer of personal data to third parties located outside of Colombia and to the United States complies with the principles of adequacy and respects the fundamental rights of the data subjects.

In accordance with Chapter V of the GDPR (Articles 44–50) and applicable U.S. regulations, Genuine School makes international transfers of personal data under the following protection mechanisms:

• European Commission’s security adequacy decision (Art. 45 GDPR): If the destination country guarantees an equivalent level of protection.
• Standard contractual clauses (Art. 46 GDPR): In the absence of an adequacy security decision, Genuine School signs contracts that guarantee data security.
• Binding corporate rules (Art. 47 GDPR): When it comes to transfers within the same business group.
• In the U.S., Genuine School adheres to CCPA and COPPA standards to ensure that transfers to third parties comply with required data protection requirements.

COMPLIANCE WITH THE PRINCIPLE OF ADEQUACY IN COLOMBIA

The adequacy principle in Colombia establishes that personal data may only be transferred to countries that provide levels of protection equivalent to or greater than those established in Colombian legislation. Genuine School applies the following measures to comply with this principle:

Evaluation of Protection in the United States:

Although the United States is not recognized by the SIC as offering an adequate level of data protection, Genuine School ensures that transfers to this jurisdiction comply with additional requirements through:

• Contracts that incorporate broad protection clauses.
• Compliance with regulations such as FERPA, COPPA, and the CCPA (California Consumer Privacy Act).

Limited Purpose and Informed Consent:

Transfers are made exclusively for legitimate purposes, previously informed to the data subject and authorized by express and informed consent. This includes notifying the data subject of:

• The identity of the recipient in the United States.
• The specific purpose of the transfer.
• The security measures applied to protect information.

All of which can be consulted in this document, in the section “Why We Process Personal Data.”

Compliance with Regulations

The United States regulates data protection through a sector-specific framework that includes specific laws applicable to the education and digital sectors, such as:

FERPA (Family Educational Rights and Privacy Act):

• It applies to federally funded educational institutions and ensures that student academic data is protected.
• Genuine School ensures that data transfers respect the rights of students and parents, preventing unauthorized disclosures without the required consent.

COPPA (Children’s Online Privacy Protection Act):

It regulates the processing of data from children under 13 years of age in digital services and requires:

• Verifiable parental consent before collecting or transferring personal data from minors.
• Strong security measures to prevent unauthorized access.

Genuine School applies these principles when collecting and processing information from minors, ensuring that any transfer to third parties complies with COPPA and Law 1581 of 2012.

CCPA (California Consumer Privacy Act):
Although it is a state law, Genuine School adopts its principles to ensure:

• The right to transparency in transfers of personal data.
• The right of data subjects to request information about the transfers made and, when appropriate, the deletion of the transferred data.

Retention and Deletion Regulations:

Genuine School complies with the retention periods established by FERPA, which requires maintaining educational records for specified periods of time, and ensures that transferred data is destroyed once its purpose has been fulfilled, as established by Section 11 of Decree 1377 of 2013.

CHANGES IN THE PRIVACY POLICY
We may update our privacy policy from time to time in response to legislative changes or advancements in data protection, and we encourage you to review this policy regularly for updates. Most of these updates will not change the types of personal data we process, the purpose, or our legal obligations for disclosure or retention requirements that would be considered a material change. If we make a material change to our Policy, we will post a thirty-day notice prior to any changes to our existing data collection and processing practices. The effective date of our most recent update is identified below, with a brief summary of the changes.

PERSONAL DATA DEFINITIONS AND TERMS

Data privacy terms and definitions may vary from state to state. For GS, the term Personal Data is defined as:
“Personal Data” means any information that identifies, relates to, describes or could reasonably be associated with or linked directly or indirectly to an individual.

Personal Data includes but is not limited to your name, phone number, email address, physical or postal address, student ID numbers, accounts and passwords, social security number, date of birth, place of birth, your device’s IP address, biometric data such as your photos or fingerprints, educational records, and any data associated with health or family financial information.
We also use the terms “aggregated data” and “anonymized data” when discussing educational reports, and statistical and research data requirements.

“Aggregated data” means that any data that could directly or indirectly identify an individual student has been removed (anonymized), and the remaining data was combined with data from multiple records to be used in reports and statistical research.

For example, the graduation rate in a class or school is combined with graduation rates from other Florida schools and districts to create statewide statistical reports. Statistics on student achievement and subgroups are published publicly to demonstrate the school, district and state educational performance and accountability but cannot directly or indirectly identify an individual student.

In the context of data protection, cross-border processing refers to operations that go beyond national boundaries and fall into two scenarios:

a) When the controller or operator has establishments in several Member States of the European Union, and data is processed as part of the activities conducted in each of those locations.

b) When the processing is carried out in a single establishment located in the European Union, but the operation significantly affects, or is expected to substantially affect, data subjects residing in different Member States.

DATA SOURCES
Personal Data includes data that is collected:

• Directly from you during registration and enrollment, when you upload data, create educational work products or when you contact us for inquiries or support.
• From your device when you connect to a GS website, application or service.
• From your previous school or primary school of record, acting on your behalf when you or your school initiates registration and enrollment with us.

PARENTAL CONSENT

We obtain and strictly enforce Parental or Legal Guardian Consent prior to setting up any account or service for all children, specifically children under the age of 13 in accordance with the Children’s Online Privacy Protection Act (COPPA), as well as for students under the age of 18 or who are otherwise not legally “eligible” under federal educational privacy laws to provide consent on their own behalf, as explained below.

Under the Family Educational Rights and Privacy Act (FERPA), an “eligible” student is a student who has reached 18 years of age or a student who has not yet reached 18 years of age but has graduated from high school and is attending a postsecondary institution. Eligible students may also include emancipated minors, regardless of whether they have reached 18 years of age. Upon reaching “eligible” status, all rights are transferred from the Parent to the student. Upon reaching “eligible” status, all rights transfer from the Parent to the student.

By agreeing to this Student Data Privacy Policy, we understand that you acknowledge and agree with the creation of accounts and services for the children you represent.

WHAT WE DON’T DO

• We do not sell your personal information.
• We do not use or share your information for advertising or marketing purposes that are not specifically related to educational services or school purposes, such as school-sponsored events, activities, communications, and announcements.
• We do not publish student photos, videos, audio recordings, or student work without written consent from the student and parent or legal guardian.
• We do not disclose “Directory Information,” as defined by the Family Educational Rights and Privacy Act (FERPA), to any outside entities, including military recruiters and universities.

We do not collect or process your data for any purpose other than what is legally required or necessary for a legitimate educational interest.

We do not store personal data beyond what is necessary to provide GS educational and support services, to comply with federal, state, and local educational records storage requirements or to comply with legal orders or storage requirements specified in a contract or similar agreement between your primary schools and GS.

VERIFICATION AND DATA STORAGE PROCEDURE.

In accordance with Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, Genuine School guarantees that all processing of personal data of minors is carried out after obtaining the informed, express, and verifiable consent of their parents, guardians, or legal representatives. This consent is a mandatory requirement for creating accounts, enrolling in courses, accessing digital platforms, or participating in any activity involving the collection or processing of minors’ personal data.

PROCEDURE FOR VERIFICATION OF CONSENT

Parental consent will be obtained and verified through a rigorous process that includes the following stages:
Collection of Parent or Legal Guardian Information:

During the student enrollment process, the parent or guardian will be required to provide personal information, including their full name, ID number, relationship to the minor, email address, and contact phone number.

This information may be verified using cross-validation systems with official databases or through documents that prove legal representation (for example, the minor’s civil registry, sworn statements, or court rulings and resolutions).

Explicit Authorization:

• The parent or guardian must complete and sign a consent form, which may be physical or digital and it must include:
• The specific purposes for the processing of the minor’s personal data.
• The data subject rights and how they can to exercise them.

Express declaration that you understand and accept the processing in accordance with the Genuine School’s privacy policy.

Electronic Confirmation:

For digital consent, Genuine School will implement a two-factor authentication (2FA) mechanism via email or SMS to verify the parent or guardian’s identity and their intent to grant consent.

A one-time, time-limited link will be sent for final confirmation of consent.

Recording of Briefings (Optional):

In order to reinforce the obligation of transparency, Genuine School may hold virtual or in-person meetings with parents or legal guardians, explaining the purposes and scope of the processing of personal data. These meetings may be recorded as additional evidence of consent.

Storage and Retention of Authorizations

Genuine School will ensure the security and integrity of parental consent records through the following mechanisms:

Electronic Records:
Digital authorizations will be stored in an encrypted document management system protected by restricted access credentials.

Each record will include:

• A copy of the electronically signed form.
• Verification information, including the authentication codes used and the date and time of confirmation.
• Electronic records will be backed up periodically to prevent loss or alteration.

Physical Records (if applicable):

In the case of authorizations obtained physically, Genuine School will archive these documents in a secure location, using storage systems that allow controlled access only to authorized personnel.

An indexing system will be implemented to make it easy to access records while ensuring complete traceability of each consent given.

Retention Periods:

Authorizations will be retained for the time necessary to fulfill the purposes of the processing or as required by law, such as audits or administrative investigations. At the end of this period, the records will be securely deleted, ensuring physical or digital destruction in accordance with internal protocols.

Periodic Audits:
Genuine School will conduct internal and external audits to verify that the storage of consents complies with applicable legal and standards, ensuring their integrity and confidentiality.

Guarantees for Parents or Guardians
To strengthen trust in the processing of minors’ personal data, Genuine School offers parents or guardians the following guarantees:

Continuous access to consent records through a secure platform in which you can review the authorization granted and update it if necessary.

A direct channel to address concerns or file complaints related to the processing of the minor’s personal data.

WHAT WE COLLECT AND WHY

The types of data we process are organized in broad subject areas as detailed below in order to give you meaningful context about what data is collected, why we need it and how it is used. Please contact us through the methods mentioned in the “Contact Us” section if you wish to obtain further information about any type of personal data we process that may not be described here.

Cookies. When visitors or users connect to a GS website, application or technology within our environment, we automatically send “cookies” to your device. Cookies are small data files that our servers send to your device, known as “session cookies” and “persistent cookies”. Session cookies are deleted when you close your browser or session. Persistent cookies are stored on your device and are used to remember your preferences and settings, enable and optimize our website’s navigation and functionalities, and collect statistical information from your device about how the application or service is performing, which allows us to monitor performance, and manage and troubleshoot any service or functionality issues.

Persistent cookies used for statistics and analytics may contain information about your device and browser, such as your device ID and IP address, browser type and version, and device operating system. In specific cases, we may need to combine this information with additional records, such as your account login and session data, to help you troubleshoot technical issues. We do not use, disclose or share any of our cookies or analytics data for targeting advertising to students.

Do Not Track Signals. Do Not Track (DNT) is a privacy preference you can enable on your browser so that websites and online services cannot track you. Even though GS does not track you for advertising or marketing purposes, we respect DNT signals.
Application Usage Statistics. We collect general usage data about the number of visitors to our website and internal environment to view trends in infrastructure and application performance, load times, errors, and slow transactions. This data helps us ensure our infrastructure and applications perform appropriately during peak usage and normal traffic volume times, monitor and troubleshoot issues that degrade student LMS performance, and improve our educational applications, products, and services. This data may include the connect device’s manufacturer, the device types and versions, such as iOS 13.6.1 or Android 10, session IDs, device IP addresses, browser type and versions, and other version information.

Application Licensing Data. For users of our LMS system, we collect license usage logs that show license usage data by seat and by course. License usage data includes the student’s first and last name, LMS ID, email address and course usage information. This data is used for licensing and to compile course statistics and analysis data to ensure that students can access their courses and to address any licensing issues that prevent the students from taking the course or accessing it.

Application and Security Logs. When you are connected to a GS website, application or technology within our learning environment, we automatically collect information about your device, which may include: Your IP address, information about your operating system, browser information and version, your interactions with the website and usage activity. We may correlate this information with other relevant security logs if we need to investigate security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and remove or prosecute those responsible for such activity. We store security-relevant log data for at least one year, but, if necessary, we may retain it for longer periods in the event of a security incident and investigations. Logs associated with security incidents or illegal activity may be shared with GS incident response service partners, law enforcement agencies, and legal personnel to investigate and prosecute illegal activity.

Assessments. We create, manage, and record information related to student assessments, including discussion-based assessments, module tests, quizzes, subject tests, observation data and state assessments such as Florida Standards Assessments (FSA), End-of-Course Assessments (EOC), Advanced Placement (AP) exams, and the data related to state assessments. The amount of personal data required will depend on the type of assessment but generally includes the student’s first and last name, grade level, gender, student ID(s), test date, course subject, school ID and district, and performance scores. Other tests, such as the Scholastic Achievement Test (SAT), will require the student to provide significantly more information, such as their race and ethnicity, Social Security Number, complete mailing address, email address, and phone number. We use assessment information to determine the students’ progress and needs, assist in placement determinations, record student achievements, and keep the accountability and performance reports that the Florida State Board of Education requires.

Attendance. For our students, we record daily and cumulative attendance. The Attendance Report data includes the student’s first and last name, student ID, date of birth, gender, grade level, daily and cumulative annual days present, daily and cumulative annual days absent, previous school, date of enrollment with GS, and date of withdrawal, if applicable. The Florida Department of Education requires all schools to keep and report students’ attendance and enrollment data, such as the absence or presence in class of each enrolled student during the prescribed time. Attendance data is used to confirm that the student has attended the minimum number of class days with the required hours per grade level to receive credit.

Communications. When visitors and guests who are not yet registered with GS contact us via phone calls, email, Facebook or Twitter messages, we request your first and last name, email address and/or phone number in order to respond and stay in contact with you until your question is answered, or the assistance is completed to your satisfaction. If you contact us using the ‘Request Information’ link to request data about our educational offerings, we also will ask if you are a parent, student, teacher, school administrator, or other interested visitor; what educational offerings you would like to learn more about; and what country and state you are located in to determine which educational offerings are right for you.

Conduct and Discipline. This section is about data related to the student’s conduct and disciplinary and behavioral information, from minor infractions to serious incidents, including suspensions and expulsions. Data associated with minor infractions includes the student’s name, grade level, course, teacher names, and incident details. As outlined in Florida Statute 1006.13, Florida has a zero-tolerance policy for crime and victimization. These incidents must be reported to the Florida Department of Education for each occurrence at any time of the day or year. We may also have to consult and report to law enforcement when incidents involve crimes or injuries. School Environmental Safety Incident Reporting (SESIR) includes: student(s) first and last name, gender, date of birth, grade level, student IDs, date and time of the incident, name of the officer reporting the incident, incident witness, incident details and codes, disciplinary action and duration, type of incident, case number, details of the report, affidavit or arrest, and names of victims or student identifiers when the incident involves victims. GS strictly follows the code of conduct under Florida Statutes 1006.13 and F.S.1006.07(2) to provide a safe and supportive learning environment for all students and staff, regardless of economic status, race, or disability.

Demography. We collect student demographic information that may be considered highly sensitive information about the student and their family. This information is strictly controlled and limited to the minimum number of personnel necessary to manage these educational programs and services. Demographic data includes the student’s first and last legal name, date of birth, grade level, gender, race and ethnicity, state and local student identification numbers, Florida educational identifier, state and county residency, district and school numbers, school year, student’s native language, student’s primary home language, student’s English proficiency status as an English Language Learner (ELL), student’s country of birth, date the student entered a U.S. school, migrant program eligibility, student’s graduation options (standard, accelerated, or optional curriculum). We are required by the U.S. Department of Education, federal and state laws, and by the boards of education to collect this information for eligibility and the accountability of every school, district, state, and federal educational program. This information is used to assess and ensure that students are treated equally regardless of race, ethnicity, or economic status and to enable program improvements for underserved and vulnerable populations.

Enrollment and Registration. When a parent/legal guardian or eligible student registers and enrolls with us, we collect data including parents/guardians and student contact information as described below, student demographic information, previous school documentation, birth certificates or other evidence to verify the student’s birth as required per Florida Statute 1003.21, verification of Florida county residency per Florida Statute 1009.21, vaccination certifications if required, enrollment dates and status, disability information necessary to provide personalized educational services or provide accommodations, as well as student’s courses and preferences information. This information is necessary to comply with verification and reporting requirements specified by Florida Statutes and to ensure that we can fulfill the student’s educational needs, preferences, and requirements.

Media Consent. GS students’ names, pictures and/or coursework will not be published in print, video or on our website without the written consent of the student and their guardian. We will specifically request your consent to use the student’s name, photos, or video for internal GS media and events, such as the yearbook, Honor Roll, and associated school publications and educational promotional or marketing materials.

Please note that the Family Educational Rights and Privacy Act (FERPA) defines “Directory Information” as “information that would not generally be considered harmful or an invasion of privacy if disclosed and that may also be disclosed to third parties without a parent’s prior written consent.” We do not disclose directory information to outside entities not affiliated with GS, including military recruiters and universities.

Parent/Legal Guardian and Student Contact Information. When a parent/legal guardian or eligible student registers with us, we collect: the student’s first and last name, email address, phone number, mailing or home address, username for setting up the student’s account, grade level, student type, school district, parent or legal guardian’s full name, the parent or guardian’s username account linked to the student’s account, their relationship to the student, email, phone number and contact preferences, including preferences to receive school communications via text message or not. We use this information to: answer questions or requests for support when you contact us; facilitate communications between students, parents, teachers, and support staff to improve the student’s personalized learning; publish school communications and announcements; notify you of school-sponsored events, activities and educational services, financial aids and scholarship opportunities you may be interested in; and provide you with features and updates to our learning platforms, applications, or educational content.

Parents/Legal Guardian IDs. This section refers to data related to GS Learning Management System (LMS) account identifiers, such as parents/legal guardians’ accounts linked to the student’s LMS account. Data associated with the Parent/Legal Guardian ID includes the parent’s contact information, email address, account username, password, and security questions. These accounts are used for parents/legal guardians to log in and monitor student progress, and communicate with teachers and staff to support their students’ learning needs.

Schedules. We collect information about courses students request by grade level and period to better organize needed courses and required courses with the teachers. This data includes the student’s first and last name, Florida Educational ID, course code, section/room, period, the corresponding teacher ID, and the student’s final grades.

Disability Information. We collect disability information that may contain highly sensitive information about the student and/or their family. This information is strictly controlled and limited to the minimum number of personnel necessary to manage these educational programs and services. This section is about information such as the student’s status and progress as an English Language Learner (ELL), low-income status, information about the student’s disabilities, data associated with the Individualized Education Plans (IEPs) or the Section 504 plan which may include medical conditions or health data, living situations such as Hospital/Residence, Homeless/Foster Care, immigration status, or other similar indicators. This information is essential for staff and teachers to provide accommodations and personalized educational plans to meet the student’s needs. Aggregate data related to Disability information is required to be reported to the Florida Department of Education for audit and accountability reporting under the Every Student Succeeds Act (ESSA) to improve educational outcomes, programs, and services for students with unique needs and/or disabilities, disadvantaged, and underserved student populations.
Student Identifiers. This section is about student numbers that directly identify the student. Each ID number is necessary to uniquely associate the student with their enrollment registration, schedules and courses, attendance, assessments, and records within the Learning Management System at the GS school, district, and state levels.

Student Programs Affiliation. This section is about information related to the student’s participation in clubs or activities, such as math clubs, literary clubs, musical bands, GDreams Incubator, or other multiple GS clubs. Data in this category includes the student’s full name, names of parents or legal guardians, consent forms signed by parents/guardians for participation in clubs, field trips, and events detailing the purpose of the consent, activity details, dates and locations, emergency contact, and medical clearance forms. Medical clearance forms may also be included if required for sports or other physical activities. Although participation in clubs is completely voluntary, students repeatedly say that participation in clubs and activities has enhanced their educational experience. The personal data discussed this section is deleted at the end of the student’s participation in the club or when they are no longer required.

Student Survey Responses. Student surveys are conducted several times per semester to obtain student feedback and assess the students’ experience in the course and with the teacher. The completed data includes the course name and course ID, the course term, period, teacher, questions and answers. All surveys are anonymous and aggregated to ensure that individual students cannot be identified. We use this information to evaluate student experience to improve courses and teaching approaches.

Student Work Products. This section consists of information created by students, such as assignments, notes or observations related to class activities, study materials, papers and essays, video or audio recordings and other data. Parents/legal guardians can only retrieve this material for the current year, as GS will delete the data at the end of each year when it is no longer needed.

Academic Records. We create and keep academic records. Permanent data kept on the record include: the student’s full legal name and any known changes due to marriage or adoption, authenticated birth certificate, place of birth, last known address, names of student’s parents/legal guardians, names and location of last school attended, number of days present and absent, date of enrollment, date of withdrawal, student’s educational ID and local ID numbers, period, grade level, course number, course sequence number, courses taken, achievements, final grades, credits earned, test scores, certifications and honors received, school year, school number and district number in which the credits were earned. This information is used to measure students’ progress, completion, and achievements toward their goals. The Florida State Law 1002.42(3)(a)2.a. identifies this information as being of clear educational importance and must be stored as a permanent record. It applies to the student’s cumulative record, whether before or after graduation or withdrawal.

WHO HAS ACCESS

Per federal and state laws, only the following people have access to student records:

• GS Board of Directors and School Board Members
• Executive Directors of Education and Staff
• GS President and CEO, and the administrative and professional staff of the school, such as teachers, instructional leaders, teaching interns and school counselors
• Service and technology providers who maintain and manage databases, applications, supporting technologies, educational content, assessments or teaching support as under the law and under contract or service agreements with GS
• The student and their parents or legal guardians

CONDITIONS FOR PUBLICATION OR DISCLOSURE

Parents of Eligible Students. Under the Family Educational Rights and Privacy Act, parents may request and access an “eligible student’s” records without the student’s consent if the student is dependent on them for tax purposes.

School Transference. When parents/legal guardians or eligible GS students submit a signed school history request to us, we will send the documents to the school or agency you have identified on your request. Please note that the email for document requests is academics@genuinelab.us

Legal Obligations. We may be required to disclose information about education records, including disciplinary records, in response to citations, court orders, ongoing legal actions or litigation, to the Department of Juvenile Justice and law enforcement authorities following legal orders or interagency agreements. We will make a reasonable effort to notify the parent or legal guardian (or school of record, if applicable) before complying with the intimation or court order unless the legal order specifies that disclosure or notification to the parent not be made.

Cybersecurity Incidents. We monitor GS system and application logs to prevent, detect, and investigate security events and incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and remove or prosecute those responsible for such activities. In addition, we may provide evidence of incident investigations to law enforcement officials, including local police or the Federal Bureau of Investigation (FBI), and legal counsel to facilitate criminal investigations and prosecutions.
Emergencies. In emergencies, school officials may provide information from education records to law enforcement, medical personnel, or other state-designated health and safety officials in response to an extremely sensitive and specific threat or emergency affecting the health or safety of the student or others.

Financial Aid. If the parent/legal guardian or student has applied for or receives any financial aid or assistance, the officials from financial assistance programs may need to review the student’s records to determine their eligibility for the aid, the amount of aid to be received, verify conditions to receive the aid, to enforce terms and conditions or check their continued eligibility to the assistance program.

Audit and Evaluations. Federal or state government auditing officials and board of education authorities, as well as organizations that accredit elementary and secondary schools throughout the United States and internationally, such as Cognia, may need to see student records to complete audits and evaluations. Auditors may only request access to records necessary to evaluate education aspects and only for the time necessary to complete the audit.

State Responsibility Report. We create reports for the Florida Department of Education at the designated times or survey periods. These reports may include the student’s first and last name, student identifiers, grade level, projected graduation dates, student demographics, enrollments and withdrawals, schedules, and school history information. We also report on attendance, assessments, conduct and discipline, disability information, federal aid assistance, final grades, and assessment scores. This information, whether in its entirety or in aggregate form, is required by state performance and accountability statutes. The Florida Department of Education uses this information for auditing, monitoring, and evaluating educational programs at the school, district, and state levels, and to report federal statistics and information under the Family Educational Rights and Privacy Act (FERPA) statute. These records are kept by the Florida Department of Education for five years or until federal or state audit and evaluation activities are completed.

Data Anonymization for Research. We welcome requests from universities and associated educational research partners looking for teacher, classroom, and student data to evaluate and improve the effectiveness of educational content, teaching approaches, learning applications, and technologies. Our research team uses a comprehensive process to evaluate these requests and ensure that our students and staff’s data are strictly secured. This includes verifying that the requested data is anonymous or anonymized, meaning it cannot be associated or linked to you, either directly or indirectly. Research involving personal data. Under FERPA and state statutes for the Exemption for Research, we also welcome research proposals that request data on individual student or teacher information, or requests to survey our students or staff. These proposals are carefully reviewed considering several factors, specifically privacy considerations and requirements, as well as their potential impact on our students or staff. Compelling applications that offer clear benefits to our students’ educational achievements may be referred to our GS Research Committee for further review and consideration. If the Committee approves a proposal involving potentially sensitive and personally identifiable student data or requests for student surveys, we will contact you with details about the proposal and request your consent. If the proposal is approved, we will ask the Researcher to sign a Data Sharing Agreement to confirm that they will comply with all security and privacy requirements, including: verifying that all research participants have completed background and fingerprint checks in accordance with Florida statutes, making sure they will provide security protections to secure and restrict access to personal data, and securely delete or destroy the data upon completion of the research study.

Audit and Evaluations. Federal or state government auditing officials and board of education authorities, as well as organizations that accredit elementary and secondary schools throughout the United States and internationally, such as Cognia, may need to see student records to complete audits and evaluations. Auditors may only request access to records necessary to evaluate education aspects and only for the time necessary to complete the audit.

State Responsibility Report. We send reports during designated times or survey periods according to what is required by the Florida Department of Education. These reports may include the student’s first and last name, student identifiers, grade level, projected graduation dates, student demographics, enrollments and withdrawals, schedules, and school history information. We also report on attendance, assessments, conduct and discipline, disability information, federal aid assistance, final grades, and assessment scores. This data, whether in its entirety or aggregated, is required according to state laws regarding performance and accountability.

The Florida Department of Education uses this information to carry out audits and monitor and evaluate educational programs at the school, district, and state levels. In addition, the data is necessary to report federal statistics and information per the Federal Educational Rights and Privacy Act (FERPA). The Florida Department of Education keeps these records for five years, or until federal or state audit and evaluation activities are completed.

Data Anonymization for Research. We welcome requests from schools and associated educational research partners to provide teacher, classroom, and student data to evaluate and improve the effectiveness of educational content, teaching approaches, learning applications, and technologies. Our research team uses a comprehensive process to evaluate these requests and ensure that our students and staff’s data is strictly secured. This includes verifying that the requested data is anonymous or anonymized, meaning it cannot be associated or linked to you, either directly or indirectly.

Research involving personal data. Under FERPA guidance and state laws for the Exemption for Research, we also welcome research proposals that request data on individual student or teacher information, or requests to survey our students or staff. These proposals are carefully reviewed regarding several aspects, including privacy considerations and requirements, as well as potential impacts on our students or staff. Compelling applications that show clear benefits to our students’ educational achievements may be forwarded to our GS Research Committee for further review and consideration. If the Committee approves a proposal that involves potential students’ sensitive personally identifiable information or student surveys, we will contact you with details about the proposal to request your consent. If the proposal is approved, we will ask the Researcher to sign a Data Sharing Agreement to confirm that they will comply with all security and privacy protection requirements, including verifying that all research participants have completed background checks and fingerprinting per Florida Law and make sure they agreed to provide security measures to secure and restrict access to personal data and to securely delete or destroy the data upon completion of the research study.

DATA RETENTION AND DELETION

In compliance with Law 1581 of 2012, Decree 1377 of 2013, and the doctrine of the Superintendency of Industry and Commerce (SIC) on the protection of personal data, Genuine School establishes a comprehensive policy that regulates the data retention periods of personal data and the protocols for its secure deletion, guaranteeing respect for the principles of purpose limitation, data minimization, and fairness in the processing of information.

Data Retention Times

At Genuine School, personal data is stored based on its intended purpose and in accordance with applicable legal requirements. The following guidelines apply:

Student Academic Data:

• Purpose: To keep a record of students’ academic progress, certifications, and assessments.
• Data Retention Period: Up to 5 years after the end of the academic relationship with Genuine School, in accordance with Article 11 of Decree 1377 of 2013, unless other regulations require additional time.
• Exception: Academic records defined as permanent by local regulations, such as transcripts or final certificates, will be stored indefinitely.

Administrative Data:

• Purpose: Managing payments, registrations, applications, and general communications with students and their families.
• Data Retention Period: Up to 10 years from the end of the contractual relationship, in accordance with the deadlines established in the Commercial and Tax Code for accounting and tax purposes.

Data Related to Assessments and Attendance:

• Purpose: Ensure compliance with educational standards and legal reporting.
• Data Retention Period: Up to 5 years after the use of the information, in compliance with applicable state regulations.

Consent Data:

• Purpose: Keep records of authorizations for the processing of personal data, especially that of minors.
• Data Retention Period: While the contractual or academic relationship with the data subject persists, and for an additional period of 5 years for auditing and dispute resolution purposes.

Sensitive Data:

• Purpose: It’s processed exclusively for essential purposes and only with explicit authorization given by the data subject.
• Data Retention Period: Only for the time necessary to fulfill the informed purpose. Once completed, the data will be deleted immediately.

Secure Data Deletion Protocols

To ensure the security and confidentiality of personal data, Genuine School follows strict protocols that align with international data protection standards, such as ISO/IEC 27001. These protocols include:

Deletion of Electronic Data:
Electronic records will be deleted using secure erasure methods, such as multiple data overwrites or cryptographic erasure tools.

Genuine School will keep detailed records of the deletion process, including:

• Date of deletion.
• Person responsible for the operation.
• Type of data deleted.
• Confirmation that the data was successfully deleted.

Deletion of Physical Data:

Physical documents containing personal data will be destroyed using cross-cut shredding, ensuring that the fragments are neither readable nor reconstructable.

The deletion will be carried out in the presence of authorized personnel and documented by a report that will include:

Identification of the deleted document.
Date and time of erasure.
Identity of the personnel in charge of the process.

Periodic Review:

Genuine School will conduct quarterly audits to identify data that has been stored for longer than allowed. The identified data will be immediately deleted in accordance with established protocols.

Data Retention and Deletion Related Incidents:

If a breach in the data deletion process is detected, Genuine School will activate its incident response protocols, notify the Superintendency of Industry and Commerce, and take immediate corrective measures.

Management and Responsibility in Data Retention and Deletion
Administrative Data Protection Officer:

Genuine School will designate a data protection officer responsible for ensuring compliance with data retention timelines and overseeing proper data deletion procedures.

Staff Training:

Ongoing training will be provided to ensure that the administrative and technical staff involved in personal data management fully understand and comply with relevant regulations and protocols.

Guarantees for Data Subjects

• To foster trust and uphold the rights of data subjects, Genuine School will provide:
• Transparent Consultation: Data subjects will be able to access information about the status of their data and retention periods through a secure platform.
• Early Deletion Request: Data subjects may request early deletion of their data, provided there are no legal or contractual requirements requiring its storage.

HOW WE PROTECT PERSONAL DATA

GS uses industry standards and best practice policies, procedures and measures to ensure in-depth protection for our systems and your data. This includes, but is not limited to:

• We use next-generation application and network-based firewalls to prevent and detect a wide range of threats and vulnerabilities.
• We employ access control methods and techniques to limit access to student data to the minimum number of authorized personnel necessary to manage and provide educational services.
• We use identification and authentication controls and techniques for systems, devices and users.
• We adhere to strict personnel security procedures to ensure all GS employees, staff and contractors undergo background checks.
• We use a continuous process to detect and resolve newly discovered vulnerabilities.
• We enable system and security-relevant events logging at multiple levels and forward these logs for near real-time detection and monitoring of security events and incidents.
• We regularly perform full and partial system backups to ensure complete and timely restoration of systems, data and services following an outage, unexpected event or security incident.

RISK MANAGEMENT IN THE PROCESSING OF PERSONAL DATA

In compliance with Law 1581 of 2012 and Decree 1377 of 2013, as well as in observance of the principles of security, accountability, and restricted access, Genuine School has implemented a comprehensive risk management system to identify, assess, control, and monitor the risks related to personal data processing. This system is designed to ensure effective protection of personal data and prevent potential violations of individuals’ rights.

Risk Management Plan

Genuine School’s risk management system follows a structured, multi-stage approach:

Identification Stage

Objective: Identify and document the potential risks associated with the processing of personal data, considering the technological, administrative, and operational contexts of the institution.

Actions:

• Identify critical assets (databases, digital platforms, physical documents, etc.).
• Analyze processes involving data processing (collection, storage, transfer, deletion, etc.).
• Record previous security incidents to identify patterns or weaknesses.

Tools: It incorporates risk matrices covering both technological risks (e.g., cyberattacks, unauthorized access) and administrative risks (e.g., human errors, unclear procedures).

Measurement Stage

Objective: Evaluate the probability of the identified risks occurring and their potential impact on the data subjects and the institution.

Actions:

• Classify risks based on severity (low, medium, high) and probability of materialization. 
• Estimate the financial, legal and reputational consequences.

Specific Metrics:

• Technological Incident Index: Number of unauthorized accesses or security breaches detected per month.
• Mean Time to Detect (MTTD):  Time that elapses from the beginning of an incident until it is detected.
• Potential Financial Impact: Calculation based on data recovery costs, legal penalties, and loss of data subjects’ trust.

Control Stage 

Objective: Design and implement preventive and corrective measures to mitigate identified risks.

Actions:

• Implement technological controls such as data encryption, multi-factor authentication (2FA), and continuous platform monitoring.
• Develop operating manuals to regulate access to sensitive data and limit the number of people with administrative permissions. 
• Establish protocols for processing physical data securely, such as record-keeping systems for access to files and documents.

Examples of Controls:

Preventive: Advanced antivirus, regular cybersecurity training, and strong password policies.

Detection: Intrusion detection systems (IDS) and access audits.

Corrective: Incident response plans that include notification to data subjects and authorities, data recovery, and reinforcement of breached controls.

Monitoring Stage

Objective: Continuous monitoring is conducted to assess the effectiveness of implemented measures and track the development of identified risks.

Actions:

• Conduct regular internal and external audits to verify compliance with risk management policies.
• Review key performance metrics quarterly to adjust controls as needed.
• Implement an early warning system to detect potential threats in real time.

Monitoring Metrics:

Compliance Index:  Percentage of audited processes that comply with data protection policies.

Incident Response Rate:  Average time to resolve a security incident.

Roles and Responsibilities

Data Administrative Officer: Responsible for managing the implementation of the risk management system and coordinating all related audits.

Information Security Team: Responsible for monitoring technological incidents and reporting emerging risks.

Risk Assessment Committee: An Interdisciplinary group that reviews and approves action plans to mitigate significant risks.

SPECIFIC DEADLINES FOR INCIDENT REPORTING

Genuine School is committed to reporting any security incident that compromises personal data to the affected data subjects and to the Superintendency of Industry and Commerce within the legally required timeframes:

Notification to the Superintendency of Industry and Commerce:

Deadline: Within 15 business days of identifying the incident, as required by the SIC.

Contents of the Report:

• Description of the incident and its scope.
• Type of personal data compromised.
• Number of data subjects affected. 
• Cause of the incident. 
• Corrective actions implemented. 

How:  Submission through official channels established by the SIC, such as the incident reporting form available on its platform.

Notification to Data Subjects:

Deadline: Within 5 business days of determining the impact on personal data.

Contents of the Notification:

• Nature of the incident and its potential impact.
• Type of data compromised. 
• Measures taken to mitigate the damage.
• Tools available to data subjects to protect themselves from the impact of the incident.

How: Notifications will be sent via email, SMS, or phone call, based on the contact details provided by the data subjects.

In compliance with the GDPR (Art. 33 and 34) and U.S. regulations, Genuine School will notify security incidents that compromise personal data within the following timeframes:

• To the Data Protection Authority (DPA) in the EU: Within 72 hours of the incident being detected, in cases where the incident is a security breach involving data collected from EU citizens or databases containing or at risk of containing data collected from data subjects whose citizenship is within EU member states.
• To data subjects: If the incident represents a high risk, it will be reported immediately.
• In the U.S., under CCPA and FERPA: Data breaches affecting California residents should be promptly reported to the Attorney General’s Office and the affected data subjects.

YOUR RIGHTS

YOUR ACCESS RIGHTS.  You have the right to access, inspect and review your personal data.  For parents/legal guardians and eligible full-time GS students, your personal data is accessible from your GS account on the home page and the student records tab. If you are having trouble or need help accessing your records, please contact us using one of the contact options below for assistance.

RIGHT OF RECTIFICATION.  You have the right to request the correction or the addition of information to the content of an educational record if it is inaccurate, misleading, or violates your privacy rights.  Please contact us through one of the contact channels described below to request corrections or additions, with a clear description of the record and why it should be changed.  If GS decides not to change your data, we will notify you of the decision and the reasons, as well as your right to request a hearing regarding this request.  Additional information regarding the hearing procedures will be provided to the parent/legal guardian or eligible student when notified of the right to a hearing. If the hearing results in a decision is not to rectify the data as requested, you have the right to include a statement in the record on the contested information and explain why you disagree with the decision.

RIGHT TO WITHDRAW CONSENT. You have the right to provide written consent before a school discloses personally identifiable information from your education records, except for legally authorized purposes, as outlined in the section on publications and disclosures above. We follow a non-disclosure policy by default. Parents/legal guardians and eligible students may choose to provide consent and authorize disclosure for specific purposes, such as our Media Consent Form.  You have the right to change your consent choices or preferences at any time.  Please contact us using one of the contact options below for assistance.

RIGHT TO DATA PORTABILITY. You have the right to transfer your information.  When parents/legal guardians or eligible students submit a signed School History Request to us, we will send your documents to the school or agency you identified on your request.

RIGHT TO ERASURE.  We are required to store personal data related to your education records per Florida’s general records requirements.  This includes student school history information defined by Florida statute 1002.42(3)(a)(2), which must be maintained as a permanent record.  For global students residing outside the United States or European Union (EU), please contact us if you have any specific questions or concerns about our data retention requirements, and if you believe there are any conflicts with your right to request to be forgotten under the circumstances defined in the EU General Data Protection Regulation (GDPR).

EXERCISE YOUR RIGHTS. We encourage parents/legal guardians and eligible students to not only understand their rights regarding their personal data but also to exercise their rights without fear of discrimination or retaliation.  We will not reduce, degrade, or deny any of the existing educational services or protections we provide when you exercise your privacy rights. 

RIGHT TO FILE A COMPLAINT. Parents/legal guardians or eligible students have the right to file a complaint with the U.S. Department of Education if they feel their privacy rights under the Family Educational Rights and Privacy Act (FERPA) or the Protection of Pupil Rights Act (PPRA) have been violated.  You can file a Complaint Form at the Department of Education’s Student Privacy Policy Office at https://studentprivacy.ed.gov/file-a-complaint or by sending a written request to the postal address below.

In compliance with Chapter III of the GDPR (Articles 12 to 22) and U.S. regulations such as the CCPA, FERPA and COPPA, Genuine School recognizes the following rights of the data subject:

RIGHT TO ACCESS (Art. 15 GDPR, FERPA): Data subjects can request information about the data collected and its processing.

RIGHT OF RECTIFICATION (Art. 16 GDPR, FERPA): Right to correct inaccurate or incomplete information.

RIGHT TO DATA ERASURE (“Right to be Forgotten”, Art. 17 GDPR, CCPA):

• In the EU, data subjects can request the deletion of their data when there is no legal obligation requiring its retention.
• In the U.S., California consumers can request deletion of their data under the CCPA.

RIGHT TO RESTRICTION OF PROCESSING (ART. 18 GDPR): Right to restrict the use of your data: 

• The interested party challenges the accuracy of the personal data, for a period that allows the controller to verify the accuracy of the same;
• The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

RIGHT TO DATA PORTABILITY (ART. 20 GDPR, CCPA): Right to receive data in an easy-to-read format.  

RIGHT TO OBJECT (ART. 21 GDPR, CCPA): Possibility to request that your personal data not be processed further.

RIGHT TO OBJECT AUTOMATED INDIVIDUAL DECISION-MAKING INCLUDING PROFILING (ART. 22 GDPR, CCPA): Guarantee that no exclusively automated decisions will be made that significantly affect the data subject.

In the U.S., FERPA grants parents or guardians additional rights over the education records of minors until they reach age 18 or enter higher education.

SPECIAL REGULATIONS. 

In accordance with the geographical areas in which GS operates on the Asian continent, GS assumes full responsibility for the processing of personal data of data subjects from those countries. In order to comply with applicable regulations and protect the rights of data subjects, GS has carried out a detailed regulatory mapping focused on adhering to the data protection standards in Japan, China, and South Korea.

REPUBLIC OF SOUTH KOREA.

In South Korea, the processing of personal data is primarily governed by the Personal Information Protection Act (PIPA) (개인정보 보호법). This regulation establishes clear obligations for data controllers, such as:

• Obtaining informed and specific consent from the data subject before collecting or using their personal data.
• Limited data collection in accordance with Article 3, Section 1, data must be collected only when strictly necessary and in strict quantity, in accordance with the intended purpose.
• Obligation to inform data subjects about the purpose of the data processing and their rights under applicable law.
• Security measures and proactive accountability in the handling of personal information, which include conducting data protection impact assessments and establishing protocols for reporting security breaches.
• Anonymization and Pseudonymization of Data: “Pseudonymization” refers to processing personal data in a way that prevents identification without additional information—such as partially deleting or replacing identifying details. This means that when GS uses or shares data internally, any information that could fully identify the individual (like names or IDs) is excluded, while non-identifiable data such as behavior or qualifications, may be retained.

RIGHTS OF THE DATA SUBJECTS IN THE PIPA

• The right to be informed about the processing of such personal information;
• The right to decide whether to give consent for the processing of their personal data and to define the scope of that consent;
• The right to confirm whether or not personal information is being processed and to request access (including the provision of copies) to such personal information;
• The right to suspend processing and request the correction, erasure, and destruction of such personal information; 
• The right to seek timely and fair compensation or remedies for any harm caused by the processing of their personal data.

REPUBLIC OF JAPAN

In Japan, the main regulation is the Act on the Protection of Personal Information (APPI) (個人情報の保護に関する法律), which has been updated to progressively align with international standards. Relevant aspects include:

• The demand for transparency in the processing of personal data, including notification to data subjects about the use of their information.
• Limiting data use to the stated purposes and adopting appropriate security measures to prevent unauthorized access.
• International data transfers are allowed when specific legal requirements are met and an adequate level of data protection is ensured. Notably, the European Commission has recognized Japan as providing sufficient data protection standards.

RESPONSIBILITIES OF ENTITIES IN THE COLLECTION AND MANAGEMENT OF DATA

In accordance with Articles 15 to 17 of the APPI 

• When processing personal data, the operator, the person responsible for the data, must clearly specify, as precisely as possible, the intended purpose for which the data will be used (referred to as “Purpose of Use” or purpose).
• The data controller may only modify the original purpose of use if the change is reasonably related to the initial purpose, ensuring consistency and transparency in data processing.
• The personal data operator may not process an individual’s personal information beyond what is necessary to fulfill the previously specified Purpose of Use.
• If personal data is obtained through a business acquisition or merger from another operator, the acquiring operator must respect the original purpose of use and may not process the data beyond that scope without first obtaining the data subject’s consent.

The above restrictions do not apply in the following cases:

• When the data processing is based on laws and regulations.
• When the data processing is necessary for the protection of a person’s life, physical integrity, or property and it is difficult to obtain consent.
• Consent may be waived when data processing is essential for improving public health or supporting the healthy development of children, and obtaining consent is difficult.
• Consent may not be required when processing personal data is necessary for a government agency, local authority, or authorized organization to carry out legally mandated duties, and obtaining consent would obstruct those responsibilities.

Adequate Collection

• The personal data operator must not obtain personal information through deception or unlawful methods, ensuring that the data collection process remains legal and ethical.

PEOPLE’S REPUBLIC OF CHINA

In the People’s Republic of China, the processing of personal data is mainly regulated by the Personal Information Protection Law (PIPL) (中華人民共和國個人資訊保護法), which came into force on 1 November 2021. Relevant aspects include:

• Explicit consent from the individual is required before collecting or processing their personal data, particularly when it involves sensitive information.
• International data transfers are subject to strict conditions, including risk assessments and, in many cases, the implementation of additional security measures to match China’s data protection standards.
• Organizations must adopt strong technical and organizational measures to safeguard personal information. Non-compliance may result in serious administrative and criminal sanctions for violations of the law.

Obligations for data processors under Article 51. 

• Develop an internal management system and operating procedures;
• Manage personal information by classification;
• Take appropriate technical security measures, such as encryption and anonymization;
• Reasonably determine the authority to process personal information and provide regular security training and awareness programs for employees;
• Develop and implement emergency response plans to address personal data security incidents effectively. 

REPUBLIC OF BRAZIL.

General Data Protection Law (LGPD) (Law No. 13,709/2018)

Scope of Application:

• The law governs the processing of personal data by both individuals and organizations across the public and private sectors.
• It applies to data processed within Brazil or involving individuals located in Brazil, regardless of where the company responsible for the processing is based.

Main Obligations:

• Explicit consent is required for processing personal data, except in specific cases like legal obligations, contract fulfillment, or health-related needs.
• Data subjects are granted rights including access to their data, the ability to correct or delete it, and the right to data portability.
• Organizations are required to implement appropriate security measures to protect personal data.

Creation of the National Data Protection Authority (ANPD) to oversee compliance with the aforementioned regulations.

Protection of Data of Minors:

• You must obtain the consent of parents or legal guardians before processing the data of minors.
• Accessible information: Appropriate resources, such as audiovisual media, should be used to ensure children’s understanding.

REPUBLIC OF PERU  

Personal Data Protection Act (Law No. 29733/2011)

Scope of Application: The law regulates the processing of personal data by public and private entities, provided that the data controller is located in Peru or the data is processed in the country.

Main Obligations:

• Obtain informed consent before collecting and processing personal data.
• Ensure data subjects’ rights of access, rectification, erasure, and objection (ARCO).
• Keep a record of personal data databases, supervised by the General Directorate of Personal Data Protection.
• Adopt security measures to prevent unauthorized access or data loss.

Protection of Data of Minors:

• The security and confidentiality of minors’ personal data must be guaranteed.
• In cases the data processing may affect the rights of minors, the express consent of their legal representatives is required.

REPUBLIC OF CHILE 

Law on the Protection of Privacy (Law No. 19,628/1999) and New Data Protection Law (Law No. 21,719/2024)

Scope of Application: The law regulates the protection and processing of personal data in both the public and private sectors.

Chile’s new Law No. 21,719 brings the country in line with international standards like the EU’s General Data Protection Regulation (GDPR), helping to standardize the obligations detailed in this document.

Main Obligations:

• Obtain informed consent from the data subject before processing personal data.
• ARCO Rights (Access, Rectification, Cancellation and Opposition).

Protection of Data of Minors:

• Processing of data of minors should be restricted without the consent of their parents or guardians.
• The data of children and adolescents is required to be treated with special care and only when necessary for their well-being.

REPUBLIC OF MEXICO.

Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP/2010)

Scope of Application:

• The law regulates how companies and individuals process personal data, excluding government entities.
• It applies to any data controller based in Mexico or using data processing infrastructure within the country.

Main Obligations:

• Obtain consent for data processing, except when necessary for public health or security.
• Ensure data subjects can exercise their ARCO rights (Access, Rectification, Cancellation, and Opposition).
• Implement security measures to prevent unauthorized access to personal data.
• Comply with oversight by the National Institute for Transparency, Access to Information, and Protection of Personal Data (INAI).

Protection of Data of Minors:

• The processing of data concerning minors must guarantee their privacy and protection.
• Those responsible must ensure that consent is granted by parents or legal guardians.

SUPPORT IN OTHER LANGUAGES. GS staff members are available to assist with any necessary accommodations for students and parents, such as language support or verbal review and discussion between parents/students and teachers or staff members regarding this policy so that everyone can understand their rights.  Please contact us for any support you or your student may need. 

CONTACT US

We want to connect you with the best resources and subject-matter experts to help you. If you have questions or concerns that are not related to your privacy, we include contact information for other teams that can give you assistance.

Privacy Related Contacts. If you have any questions or would like to know more about our privacy practices or your privacy rights, please contact us at legal@genuinelab.us

Please note that Florida law identifies email addresses as public records. If you do not want your email address disclosed in response to a public records request, please do not submit your request by email. You can contact us via phone call or in writing, instead, using one of the options listed below.

You may also send questions and Privacy Rights Requests to our address at: 980 North Federal Highway, Suite 110, Boca Ratón, Florida 33432. Or also to our address: Vereda Llano Grande Ca 26 01 Paipa, Boyacá – Colombia

Educational Records Resources. If you have questions about your Educational Record that are not related to privacy questions or concerns, please contact our Records Management experts at academics@genuinelab.us

Other ways to contact us. We have multiple contact channels, including Facebook and Twitter, and you can choose your preferred method. You can review our contact options on the contact page of the GS studyatgenuine.com website or call a US-based customer service representative at +1 786 789 0299 and ask to be connected to a member of the Information Security and Privacy team.

To learn more about our AI usage policies on Genuine School’s WhatsApp channel, click here.

Last updated: May 14, 2025.