This Privacy Statement explains how Britannica International School Budapest, part of Orbital Education Group, collects, uses and protects personal data in accordance with the EU General Data Protection Regulation (EU GDPR) and applicable Hungarian data protection law, including Act CXII of 2011 on Informational Self‑Determination and Freedom of Information.
It applies to:
- student applicants, current and former students, and their parents or guardians;
- employees, officers, consultants and contracted staff engaged by the school;
- job applicants;
- users of school‑managed IT systems, tools and services; and
- visitors to the school campus and school‑managed websites.
This Privacy Statement should be read alongside any more specific privacy information provided at the point personal data is collected, including role‑specific notices and the school’s Cookie Notice provided by Cookiebot.
For the purposes of EU GDPR, Britannica School Budapest, with registered address at Kakukk út 1 3 Budapest 1121, Hungary, acts as the data controller in respect of personal data processed by the school.
As part of an international education group, the school may work with other Orbital Education Group entities to support governance, information technology services and operational management, in accordance with applicable data protection requirements.
The school operates within Orbital Education Group’s data protection framework. At a local level, responsibility for overseeing data protection compliance and handling data protection matters rests with the school’s designated Data Protection Officer (DPO).
For any questions, requests or concerns regarding personal data, please contact: contact@britannicaschool.hu
This contact point should be used for all data protection queries and data subject rights requests and will coordinate responses with the appropriate school personnel.
Personal data is any information relating to an identified or identifiable individual. This may include, for example:
- identification and contact details;
- family and guardian information;
- financial and billing information;
- academic records and school reports;
- photographs, video recordings and CCTV images; and
- information relating to health, safeguarding or educational support, where relevant.
Certain personal data we process, such as information relating to health, safeguarding or educational support, is considered special category personal data under EU GDPR.
This data is handled with additional care and appropriate safeguards and is processed only where permitted under applicable legal and regulatory requirements, including where necessary under Article 9 GDPR (for example, safeguarding, employment obligations or substantial public interest) or, where required, on the basis of explicit consent.
We collect and process personal data for clear, specific and legitimate purposes linked to the operation of the school, the provision of education, safeguarding, and compliance with legal and regulatory obligations.
We do not process personal data for purposes that are incompatible with these.
In some circumstances, personal data may be obtained from sources other than the individual it relates to, including previous schools, referees, professional advisers, recruitment agencies, public authorities or other entities within Orbital Education Group, where permitted by law.
Lawful basis for processing
We process personal data in accordance with EU GDPR. Depending on the context, processing may be carried out on one or more of the following grounds:
- where it is necessary for the provision of education and school-related services (performance of a contract);
- where it is necessary to comply with legal and regulatory obligations;
- where it is necessary for tasks carried out in the public interest, including safeguarding and education provision;
- where it is necessary for legitimate operational and safeguarding purposes; and
- where the individual, or where appropriate a parent or legal guardian, has provided consent.
Where consent is required, it is obtained in a clear, specific and informed manner and may be withdrawn at any time, subject to legal or operational limitations.
Further information about the applicable legal basis for specific processing activities is provided at the point of collection or in relevant supplementary notices.
Retention of personal data
Personal data is stored securely and retained only for as long as necessary.
Retention periods are determined by reference to:
the purpose for which the personal data was collected and processed;
applicable legal, regulatory and safeguarding requirements;
operational, contractual and administrative needs; and
the rights and reasonable expectations of the individuals concerned.
By way of example, student records may be retained in accordance with regulatory and safeguarding requirements, and recruitment data retained only for a limited period following completion of the recruitment process.
Retention is managed in line with applicable legal, regulatory and safeguarding requirements and internal data management practices.
Students, parents and guardians
We process personal data relating to students and their parents or guardians in order to provide education and associated services, including admissions, learning, assessment, pastoral care, safeguarding and compliance with legal obligations.
Most student‑related personal data is required to deliver education and meet statutory and regulatory responsibilities. Where personal data is optional or processed on the basis of consent, this will be made clear at the point of collection.
Personal data is collected during the admissions and enrolment process and throughout a student’s time at the school. Information may be collected through application forms (paper or electronic), school systems, correspondence, meetings, assessments, observations and communications with parents or guardians.
Student personal data is used for purposes including:
- managing admissions and enrolment;
- identifying students and maintaining school records;
- billing and financial administration;
- supporting learning, development and assessment;
- safeguarding student welfare;
- providing pastoral and educational support;
- communicating with families;
- monitoring academic progress; and
- meeting statutory, regulatory and inspection requirements.
Student records are retained in line with applicable education and safeguarding requirements and internal data management practices.
Children’s online privacy
Where personal data is collected online from or about students, including through admissions portals, learning platforms, forms or other school‑managed website features, the school ensures that such processing is carried out transparently, fairly and only for legitimate educational, safeguarding or operational purposes.
Where required under EU GDPR and applicable Hungarian law (including age‑related consent requirements), the school obtains consent from a parent or legal guardian before collecting or processing a child’s personal data through online services.
Personal data collected online about students is used only for the purposes explained at the time of collection and is not disclosed to third parties unless this is necessary to deliver those purposes, required by law, or subject to appropriate contractual and data protection safeguards.
Employees and contracted staff
We collect and process personal data during recruitment, onboarding and throughout the course of employment or engagement with the school.
Employee and contractor personal data is processed for purposes including:
- managing employment and contractual relationships;
- administering pay, benefits and workforce processes;
- complying with Hungarian employment, social security and safeguarding requirements; and
- ensuring the effective operation and management of the school.
Where lawful and appropriate, this may include special category personal data, such as health information or data relating to criminal background checks. Such data is processed subject to additional safeguards.
Employment‑related records are retained in accordance with applicable legal requirements and internal data management practices.
Job applicants
We collect personal data when you apply for a role at the school, whether applications are made through recruitment platforms, by email or during interviews.
Applicant data is processed to assess suitability for roles and manage recruitment processes.
Applicant data is retained for a limited period following completion of the recruitment process, in line with applicable legal requirements and internal data management practices.
Where applicants consent to receive information about future opportunities, limited contact details may be processed using third‑party communication platforms. Individuals can withdraw consent at any time.
Marketing and Communications
We may process personal data for marketing, communications and community engagement purposes, including providing information about school events, admissions, educational programmes, open days, newsletters, alumni activities and other school-related services.
Marketing and communications may be sent by email, telephone, SMS, post, social media or other appropriate communication channels, depending on the nature of the communication and the contact preferences provided.
Where required by applicable law, we will obtain consent before sending marketing communications. Individuals may withdraw consent or opt out of receiving marketing communications at any time by using the unsubscribe option provided in the communication, updating their communication preferences, or contacting the school directly. Withdrawal of consent will not affect the lawfulness of processing carried out before consent was withdrawn.
We do not sell personal data to third parties for marketing purposes. Personal data used for marketing and communications is managed in accordance with applicable data protection requirements, consent records, communication preferences and retention practices.
Users of school IT Systems
Personal data is generated through the use of school‑managed IT systems, networks and email accounts. This information is used to:
- maintain the security, integrity and proper use of systems;
- prevent unauthorised access or misuse; and
- support diagnostics and troubleshooting.
Access to IT‑related data is restricted to authorised personnel and protected by appropriate technical and organisational security measures.
IT-related data is retained for as long as necessary to support system security, integrity and operational requirements, in line with internal data management practices.
Visitors to the school site (including CCTV)
We collect limited personal data about visitors to the school campus, including visitor sign‑in details and CCTV footage, for the purpose of ensuring the safety and security of students, staff and premises.
CCTV operates only in public areas, is clearly signposted, and footage is retained for the minimum period necessary in accordance with Hungarian law, unless required for incident investigation or legal proceedings.
Where consent is required under EU GDPR (for example, for certain uses of images, video, marketing or optional services), it is obtained in a clear, specific and informed manner.
Where applicable, consent is obtained from a parent or legal guardian and may be withdrawn at any time by contacting the school.
We limit the sharing of personal data to what is necessary and lawful. Personal data may be shared with:
- other Orbital Education Group entities, where this is necessary for governance, safeguarding, reporting, IT, finance or operational support;
- trusted third‑party service providers who support the delivery of education and school operations, such as IT service providers, learning platforms, safeguarding partners, payroll and finance providers. These providers process personal data only on our instructions and are subject to contractual data protection obligations;
- public authorities, regulators or law enforcement bodies, where disclosure is required to comply with legal, regulatory or safeguarding obligations; and
- third parties in connection with a corporate transaction, such as a merger, acquisition or reorganisation, where personal data may be disclosed subject to appropriate confidentiality and data protection safeguards.
Where personal data is shared for reporting, analytics or planning purposes, this is done in anonymised or aggregated form wherever possible, so that individuals cannot be identified.
We do not sell personal data to third parties.
As part of an international education group, personal data may be transferred to, stored in or accessed from countries outside the European Economic Area.
Where such transfers occur, the school ensures that appropriate safeguards are in place to protect personal data. These may include Standard Contractual Clauses, intra‑group agreements, and, where required, supplementary measures following risk assessments.
Individuals have rights in relation to their personal data, which include the right to:
- access personal data held about them;
- request correction of inaccurate or incomplete data;
- request deletion of personal data where appropriate;
- request restriction of processing in certain circumstances;
- object to certain processing activities;
- receive personal data in a portable format; and
- withdraw consent where processing is based on consent.
Requests may be made by contacting contact@britannicaschool.hu. We may need to verify your identity before responding to a request.
We will respond to requests in accordance with applicable legal requirements. Where permitted by law, we may refuse a request or charge a reasonable administrative fee where a request is manifestly unfounded, excessive or repetitive.
Individuals have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) if they believe that their personal data has been processed in breach of applicable data protection laws.
We do not use personal data for automated decision‑making or profiling that produces legal or similarly significant effects on individuals.
The school implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures include access controls, system protections, staff training and contractual safeguards with third‑party providers.
The school operates within Orbital Education Group’s data protection framework. This framework includes group‑wide policies, procedures and oversight mechanisms designed to ensure compliance with applicable data protection requirements.
This Privacy Statement is reviewed at least annually and may be updated to reflect changes in law, regulation or school operations. The most current version will always be available through the school’s official channels. This Privacy Statement was last updated on 01/06/2026.

