Privacy Policy

This Privacy Policy outlines how the International School of Tallinn (IST) collects, processes, and protects personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Estonian Personal Data Protection Act. This policy applies to all users of our website and individuals who communicate with us electronically.

Website URL: https://ist.ee

1. Scope and Data Collection

We collect personal data, including but not limited to: names, contact information, identification and application data, communication records, digital usage data (such as IP address and cookies), and academic or health information when necessary. Data may be collected via website forms, email correspondence, cookies, and integrated educational or communication platforms.

IST processes personal data only where there is a lawful basis under Article 6 of the GDPR:

2. Legal Bases and Porpose of Processing

• Consent (Art. 6(1)(a)) – where the data subject has provided clear and informed consent (e.g. for newsletters or media use);
• Contractual necessity (Art. 6(1)(b)) – to fulfil obligations relating to admission or education services;
• Legal obligation (Art. 6(1)(c)) – where required by national or EU legislation;
• Vital interests (Art. 6(1)(d)) – in urgent matters affecting health or safety;
• Legitimate interests (Art. 6(1)(f)) – to pursue IST’s operational interests, balanced against the rights of data subjects.

Data may be shared with authorised processors, including educational platforms (e.g. Toddle), cloud service providers (e.g. Google Workspace), regulatory bodies, and emergency services, subject to appropriate safeguards and Data Processing Agreements.

Special categories of data, particularly those concerning children, are processed with enhanced protection and, where applicable, parental consent, in compliance with Article 9 GDPR and relevant local legislation.

3. Data Subject Rights and Security Measures

Under GDPR, individuals have the right to:

• Access their personal data (Art. 15);
• Rectify inaccurate data (Art. 16);
• Erase data (‘right to be forgotten’, Art. 17);
• Restrict or object to processing (Art. 18, 21);
• Data portability (Art. 20);
• Withdraw consent at any time (Art. 7(3)).

To exercise these rights or raise concerns, please contact IST at dpo@ist.ee. Complaints may be lodged with the Estonian Data Protection Inspectorate (www.aki.ee).

IST implements appropriate technical and organisational measures to ensure data confidentiality, integrity, and availability, including encryption (HTTPS), restricted access, regular security audits, and staff training. Personal data is retained only for as long as necessary for the purposes outlined and may be transferred outside the EU only with adequate safeguards (e.g. Standard Contractual Clauses).

Policy revisions will be published on our website. For further details, please contact:

International School of Tallinn
Valukoja 9, Ülemiste City, 11415 Tallinn
Email: dpo@ist.ee
Website: https://ist.ee