NAISR
Our Privacy Notice — Parent Information & Consent Statement (PICS)
Nord Anglia International School Rotterdam | Version 2.1 | Last updated: 01 June 2026
1. Introduction
Nord Anglia International School Rotterdam ('NAISR', 'the School', 'we', 'us', 'our') is committed to safeguarding Personal Data.
NAISR is an international school based in Rotterdam, the Netherlands, designated as a B4 school under the Dutch Leerplichtwet (Compulsory Education Act). Attendance at NAISR fulfils the Dutch compulsory education requirement for children temporarily in the Netherlands or transitioning from a different school system.
This Privacy Notice is addressed to Parents and Guardians responsible for one or more prospective, past or present Students of the School, which is managed and owned by Nord Anglia Education (NAE). It explains how we collect and use your Personal Data and the Personal Data of each Student you are responsible for during the provision of our educational and related services.
This Privacy Notice is governed by the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Dutch Uitvoeringswet Algemene verordening gegevensbescherming (UAVG).
Data Controllership — NAISR and NAE
For day-to-day educational and pastoral activities, NAISR is the sole Data Controller for Student and Parent/Guardian data. For certain centralised services — for example, group-wide IT platforms, learning analytics or group reporting — NAISR and Nord Anglia Education Limited (NAE) act as joint controllers.
Where NAE or any third party acts as a data processor on behalf of NAISR, appropriate data processing agreements are in place in accordance with GDPR Art. 28. Contact details for NAE are at Appendix 3.
Age of consent under Dutch law (UAVG art. 5):
The age of independent data consent in the Netherlands is 16. Parental or guardian consent is required for Students under 16. Students aged 16 and over may independently exercise all data protection rights and withdraw or override consent at any time without parental involvement. If you are the Parent or Guardian of a Student who is, or becomes, 16, you must provide a copy of this Privacy Notice to them.
Information for Students
NAISR is committed to ensuring that Students understand their data protection rights in an age-appropriate way. Students can request a summary of how we use their data by contacting dpo@naisr.nl.
In exceptional safeguarding circumstances — for example, where there is a concern about abuse, neglect, or the safety of a child — data about a Student may be collected or held in a way that is not shared with Parents or Guardians. In these cases, the Student's right to safety takes precedence over the parental right to access or control the child's data, in accordance with applicable Dutch child protection legislation.
This Privacy Notice covers:
• What Personal Data we process
• How and why we use your Personal Data
• Special Categories of Personal Data
• Transmission, storage and security
• Your rights as a Data Subject
• Changes to this Privacy Notice
• Definitions, lawful bases and contact details
By providing your information, or the information of any Student you are responsible for, you acknowledge the processing set out in this Privacy Notice.
2. What Personal Data Do We Process?
We may collect and process the following Personal Data about you and any Student you are responsible for:
• Biographical and identification information ► name, gender, nationality, date and place of birth, details of family members, passport and national identity information;
• Contact information ► address(es), telephone number(s), email address(es), emergency contacts;
• Student information ► admission information (e.g. test scores), start date, year group, class, school ID, grades, transcripts, assignments, classroom observations, participation notes, timetables, transport routes, photographs, videos, and communications with Parents, teachers and other Students;
• Financial information ► bank account and payment card information and, where applicable, results of relevant checks;
• Correspondence ► records of communications between you or any Student and the School;
• Website and communication usage ► details of visits to our websites including IP address, browser data, cookies and tracking technologies, traffic data, web logs and associated telemetry data;
• Information you provide to us ► any additional information provided via enquiry or feedback forms;
• Special Categories of Personal Data ► in certain limited circumstances; see Section 5.
3. How We Use Your Personal Data
Personal Data will only be processed where we have a specific purpose and a lawful basis for doing so (see Appendix 1). We process Personal Data manually and electronically, including through technology tools that may use machine learning.
Automated decision-making: We do not use automated decision-making that produces legal effects concerning Students or significantly affects them, within the meaning of GDPR Art. 22.
Legitimate interests: We do not rely on legitimate interests for the core provision of education, safeguarding and pastoral support to Students. Where we use legitimate interests — for example, to improve our curriculum or services using pseudonymised data — our processing is supplementary and not strictly necessary for the basic provision of education. A documented balancing test (GEB) is maintained on file for each such use.
Purpose | Description | Lawful Basis (GDPR / UAVG) |
Enrolment & admissions | Processing enquiry and application forms, tests, interviews and all activities relating to Student enrolment. | Contract performance (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
Managing academic programme | Scheduling activities; providing access to the School intranet, LMS and communication tools. | Contract performance (Art. 6(1)(b)) |
Developing and supporting Students | Assessment, coaching, record-keeping, academic progression, learning insights, suitability for opportunities. May include religion/cultural and pastoral Special Category data. | Contract performance (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)); explicit consent (Art. 9(2)(a)) for Special Categories |
Safe and healthy environment | Health conditions, allergies, disabilities, injuries, CCTV, sharing with medical professionals or insurers. May include health data and photographs. | Contract performance (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)); vital interests (Art. 6(1)(d)) for emergencies. Health data: Art. 9(2)(h) GDPR / UAVG art. 22 |
Extra-curricular programmes | Organising and administering activities, expeditions and after-school programmes; sharing with insurers, supervisors and medical providers. | Contract performance (Art. 6(1)(b)) |
Reporting to Parents and Guardians | Progress reports, correspondence, parent portal, liaison with educational and sporting bodies. | Contract performance (Art. 6(1)(b)) |
Reporting to DUO / SIO | Mandatory reporting to Dienst Uitvoering Onderwijs (DUO) via the school information system (SIO) as required under the Leerplichtwet and the ministerial regulations applicable to B4 schools. | Legal obligation (Art. 6(1)(c)); Leerplichtwet; applicable ministerial regulations |
Legal position and proceedings | To determine, defend or exercise our legal position or rights, including in any civil law proceedings. | Legitimate interests (Art. 6(1)(f)) — GEB on file |
Vital interests / emergencies | To protect the vital interests of Students in case of a medical or safety emergency where the student is unable to consent. | Vital interests (Art. 6(1)(d)) |
Governmental and child protection orders | To comply with binding orders or requests from governmental bodies or authorities, including making filings to child protection services (Jeugdbescherming / Veilig Thuis). | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
Marketing and newsletters | Updates and offers where you have opted in. You may unsubscribe at any time via the link in any communication or by contacting us. See also the soft opt-in note in Appendix 1. | Consent (Art. 6(1)(a)); Telecommunicatiewet art. 11.7a. For existing Parents/Guardians who have not objected, the soft opt-in under art. 11.7a of the Telecommunicatiewet may apply for similar school services. |
Ensuring payment | Recovering fees due; engaging debt collection agencies or legal proceedings where necessary. | Contract performance (Art. 6(1)(b)); legal claims (Art. 9(2)(f)) |
Improving our services | Analysing pseudonymised data to improve services and tailor our offering. This processing is supplementary to the provision of education. | Legitimate interests (Art. 6(1)(f)) — GEB on file |
Supporting and improving teaching | Analysing pseudonymised data for curriculum development and educational product improvement. Resulting insights (not underlying data) may be used for education-related commercial purposes. This processing is supplementary to the provision of education. | Legitimate interests (Art. 6(1)(f)) — GEB on file; consent (Art. 6(1)(a)) where gathered via cookies |
Monitoring communications | Monitoring School network communications for compliance with internal procedures and legal requirements. | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) |
Website and cookies | Ensuring website content is presented effectively; use of cookies and tracking technologies. Analytics cookies are only set with your prior consent and are configured with privacy-enhancing settings such as IP truncation where supported. You can withdraw consent at any time via our cookie banner. | Legitimate interests (Art. 6(1)(f)) for strictly necessary cookies only. Consent (Art. 6(1)(a); Telecommunicatiewet art. 11.7a) for all non-essential cookies — prior opt-in required. |
Business reorganisation | Transferring data in connection with a sale, merger or reorganisation of the School or NAE. Any recipient in this context will be bound by confidentiality and data protection obligations. | Legitimate interests (Art. 6(1)(f)) — GEB on file |
Legal and regulatory obligations | Complying with regulatory requirements; disclosures to courts, regulators or law enforcement. | Legal obligation (Art. 6(1)(c)); legal claims (Art. 9(2)(f)) |
4. Sharing Personal Data with Other Organisations
In order to provide our educational services effectively, we share Personal Data with the following categories of organisations:
• NAE Central and Regional Office Teams ► which undertake management and governance functions. For centralised services, NAISR and NAE may act as joint controllers; the essence of any joint controller arrangement is available on request;
• Educational programme partners ► Juilliard, MIT and UNICEF as part of NAE’s global academic collaborations;
• Suppliers and service providers ► including catering, transportation, IT contractors and after-school programme operators. A full list is available on request;
• Dutch public authorities ► including DUO (Dienst Uitvoering Onderwijs), Inspectie van het Onderwijs, and other bodies as required by law;
• Child protection services ► including Jeugdbescherming and Veilig Thuis where required by Dutch child protection law;
• Medical and emergency services ► where necessary to protect the vital interests of a Student;
• Insurers and legal advisors ► in connection with claims or litigation.
5. Special Categories of Personal Data
We process Special Categories of Personal Data only where necessary for our educational, safeguarding and legal obligations. This includes, for example, health data, religious or cultural information and, in some cases, sensitive pastoral information. We apply enhanced safeguards to these data, including segregation, pseudonymisation and strict access controls.
The Special Category data we process includes:
• Health and medical data ► allergies, disabilities, dietary requirements, accident records, so that we can maintain a safe environment;
• Religious beliefs, ethnicity and race ► so that Students can observe religious and cultural practices;
• Sex life or sexual orientation ► so that we can advise and respond to sensitive pastoral issues;
• Photographs ► Standard school photographs used for registers, ID badges, yearbooks or school communications are treated as ordinary Personal Data and are only used with your consent (see the Data Consent & Privacy Declaration). Where photographs are processed using technology that enables unique identification or authentication of a Student (for example, facial recognition for access control), this would constitute biometric data under UAVG art. 29 and would require explicit consent. NAISR does not currently deploy such biometric recognition systems.
• Safeguarding incident records ► We do not systematically collect or store criminal records about Students. In exceptional safeguarding situations, we may record information that relates to alleged criminal behaviour by Students where necessary to protect Students and staff and to comply with legal obligations (for example, incident reports involving bullying or violence). Such information is handled with strict access controls and in line with UAVG requirements.
Withdrawing consent: You are free to withdraw consent at any time by contacting us at dpo@naisr.nl. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Where a Student is aged 16 or over, they may withdraw or override consent independently.
6. Transmission, Storage and Security
6.1 Security
We maintain appropriate technical and organisational measures to protect Personal Data in accordance with GDPR requirements, including encryption in transit and at rest, access controls and regular security reviews.
6.2 International Transfers
As part of the NAE global group, your Personal Data may in limited circumstances be transferred to or accessed from destinations outside the EU/EEA, specifically NAE’s UK headquarters.
As long as the European Commission adequacy decision for the UK remains in force, no additional safeguards are required for transfers to the UK. If this decision changes, we will implement appropriate safeguards such as the EU Standard Contractual Clauses (2021 version) and update this Privacy Notice accordingly.
The current list of EU adequacy decisions is available at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
The NAE Dubai regional office does not access or process NAISR Rotterdam student or parent data.
Where NAISR uses third-party processors or NAE group services hosted outside the EU/EEA (for example, global IT platforms or cloud-hosted services), any such transfers are subject to appropriate safeguards including Standard Contractual Clauses or other mechanisms permitted under GDPR Art. 46. Details are available on request from the DPO.
6.3 Retention Periods (Bewaartermijnen)
We retain Personal Data for as long as is necessary for the purposes for which it was collected and in accordance with applicable Dutch law:
Category | Retention Period | Legal Basis |
Student academic records (leerlingdossier) | Retained in accordance with applicable Dutch education regulations and our internal retention schedule, which sets specific periods per category and is available on request from the DPO | Leerplichtwet; applicable ministerial regulations |
Financial and payment records | 7 years from end of financial year | Burgerlijk Wetboek art. 2:10; Belastingdienst |
CCTV footage | Maximum 4 weeks (unless required for incident investigation) | AP guidelines on CCTV |
Marketing data | Until consent withdrawn. We periodically review our marketing lists and delete or anonymise data where there has been no interaction for 3 years. | GDPR Art. 17; Art. 6(1)(a) |
Cookie / analytics data | Up to 13 months (analytics, with prior consent only and IP truncation where supported); session only (strictly necessary) | Telecommunicatiewet art. 11.7a; GDPR Art. 5(1)(e) |
Records no longer required are either irreversibly anonymised or securely destroyed. A full retention schedule (bewaartermijnenoverzicht) is available on request from the DPO.
6.4 Data Protection Impact Assessments (DPIA)
For processing activities likely to result in a high risk to individuals’ rights and freedoms — including processing of children’s data at scale, health data, CCTV and learning analytics — NAISR conducts and maintains Data Protection Impact Assessments (DPIAs / Gegevensbeschermingseffectbeoordeling) in accordance with GDPR Art. 35 and guidance from the Autoriteit Persoonsgegevens.
7. Your Rights Relating to Personal Data
Under the GDPR and UAVG, you (and Students aged 16 and over) have the following rights:
Right | What This Means |
Access (inzage) | Receive a copy of the Personal Data we hold about you (GDPR Art. 15). We respond within one month of confirming your identity. |
Rectification (rectificatie) | Have inaccurate data corrected or incomplete data completed (Art. 16). |
Erasure (vergetelheid) | Request deletion of your data where consent is withdrawn and no other basis applies (Art. 17). |
Restriction (beperking) | Request that we restrict processing in certain circumstances, e.g. while a complaint is resolved (Art. 18). |
Portability (overdraagbaarheid) | Receive your data in a machine-readable format or have it transferred to another controller where processing is based on consent or contract (Art. 20). |
Object (bezwaar) | Object to processing based on legitimate interests. For direct marketing the right is absolute (Art. 21). |
Withdraw consent | Withdraw consent at any time where processing is based on consent. Withdrawal does not affect prior processing (Art. 7(3)). Students aged 16+ may withdraw independently. |
Complaint (klacht) | Lodge a complaint with the Autoriteit Persoonsgegevens (AP). See Appendix 3 for contact details (GDPR Art. 13(1)(d)). |
Note on parental access requests: In some cases we may limit the information we disclose in response to an access request where this would adversely affect the rights and freedoms of others, including the privacy of the Student or third parties (GDPR Art. 15(4)). This may apply, for example, where sensitive pastoral or safeguarding information about a Student is held. Where this is the case, we will explain the reasons to you as far as we are permitted to do so.
To exercise any right, contact our Data Protection Officer: dpo@naisr.nl. We will verify your identity and respond within one month (extendable by two months for complex requests).
8. Changes to This Privacy Notice
This Privacy Notice may be updated to reflect changes in our practices or in applicable law. We will notify you of material changes by email or by a prominent notice on our website.
Version 2.1. Last updated: 8 June 2026. This version replaces Version 2.0.
Appendix 1: Lawful Bases
Lawful Basis | Explanation |
Consent (Art. 6(1)(a)) | Freely given, specific, informed and unambiguous consent. You may withdraw at any time. Under Dutch law (UAVG art. 5), the age of independent consent is 16. |
Contract performance (Art. 6(1)(b)) | Necessary to enter into or perform our contract with you (the School Enrolment Agreement). |
Legal obligation (Art. 6(1)(c)) | Necessary to comply with EU or Dutch law, including the Leerplichtwet, DUO reporting obligations, and tax law. |
Vital interests (Art. 6(1)(d)) | Necessary to protect the vital interests of you or another person, e.g. medical emergencies. |
Legitimate interests (Art. 6(1)(f)) | Necessary for our supplementary legitimate interests, provided those interests are not overridden by your rights. We do not rely on this basis for the core provision of education, safeguarding or pastoral support. A documented balancing test (GEB) is maintained for each use. |
Legal claims (Art. 9(2)(f)) | Necessary for the establishment, exercise or defence of legal claims. |
Explicit consent — Special Categories (Art. 9(2)(a)) | Explicit consent for Special Category data where no other Art. 9(2) basis applies. |
Healthcare provision (Art. 9(2)(h) / UAVG art. 22) | Processing health data necessary for medical care, treatment and management of health systems. |
Soft opt-in — Telecommunicatiewet art. 11.7a | For direct electronic marketing we rely on your prior consent. Where the Telecommunicatiewet permits, we may send marketing about our own similar school services to existing Parents/Guardians who have not objected ('soft opt-in'). In all cases you can unsubscribe at any time. |
Appendix 2: Definitions
Term | Definition |
Autoriteit Persoonsgegevens (AP) | The Dutch Data Protection Authority and the competent supervisory authority for GDPR enforcement in the Netherlands. Hoge Nieuwstraat 8, 2514 EL Den Haag; www.autoriteitpersoonsgegevens.nl; Tel: 0900 2001 201 |
B4 School | A school designated under the Dutch Leerplichtwet that fulfils the compulsory education requirement for children temporarily in the Netherlands or from a different school system. NAISR is a B4-designated school. |
Criminal Convictions / Safeguarding Data | Personal Data relating to criminal convictions, offences or safeguarding incidents. At NAISR, this is limited to exceptional safeguarding incident records and is handled under strict access controls in accordance with UAVG requirements. |
Data Controller | The entity that determines the purposes and means of processing Personal Data. For day-to-day educational activities, NAISR is the sole Data Controller. For centralised group services, NAISR and NAE may act as joint controllers. |
Data Processor | An entity that processes Personal Data on behalf of the Data Controller, e.g. IT suppliers, catering companies. |
Data Subject | Any living individual whose Personal Data we process, including Students, Parents, Guardians and staff. |
DUO | Dienst Uitvoering Onderwijs — the Dutch government body responsible for administering education legislation and maintaining the education register. |
GDPR | General Data Protection Regulation (EU) 2016/679, as implemented in the Netherlands by the UAVG. |
Legal Capacity | Under UAVG art. 5, a Student aged 16 or over has legal capacity to independently provide, withdraw or override consent to the processing of their personal data. |
NAE | Nord Anglia Education Limited, Nova South, 160 Victoria Street, Westminster, London SW1E 5LB, United Kingdom. The ultimate parent company of NAISR. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Special Categories of Personal Data | Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data (for unique identification), health data, sex life or sexual orientation (GDPR Art. 9; UAVG Chapter 3). |
Student | Any prospective, past or present pupil of NAISR. |
UAVG | Uitvoeringswet Algemene verordening gegevensbescherming — the Dutch implementing legislation for the GDPR. |
Appendix 3: Key Contacts and Supervisory Authority
Entity | Address | Data Protection Contact | Supervisory Authority |
Nord Anglia International School Rotterdam (NAISR) | Verhulstlaan 21, 3055 WJ Rotterdam, The Netherlands | Data Protection Officer (registered with AP): dpo@naisr.nl, +31 (0)10 422 5351 | Autoriteit Persoonsgegevens (AP), Hoge Nieuwstraat 8, 2514 EL Den Haag, www.autoriteitpersoonsgegevens.nl, Tel: 0900 2001 201 |
Nord Anglia Education Limited (NAE) — Group HQ | Nova South, 160 Victoria Street, Westminster, London SW1E 5LB, United Kingdom | Group DPO (Jon Townsley): compliance@nordanglia.com | Information Commissioner's Office (ICO), www.ico.org.uk |
End of document — NAISR Privacy Notice (PICS) Version 2.0 — 8 June 2026
