The Heritage Private School is an English co-educational, academically selective school for students aged 2 to 19, with an intake from a wide variety of cultural backgrounds. The School follows the 2014 National Curriculum for England (https://www.gov.uk/government/collections/national-curriculum), and as such, lessons are taught in English, and grades and marks for assessment purposes reflect standard UK practice. The School also issues a formal School Leaving Certificate (Apolytirion) at the end of Year 13. The Heritage Private School is a Cambridge International Fellowship Centre, and an Examination Centre for Cambridge Assessment International Education (http://www.cambridgeinternational.org/) and Pearson Edexcel International Examinations (http://qualifications.pearson.com). We take our responsibilities as a data controller seriously and are committed to using the personal data we hold in accordance with the law and the School’s purposes.

This Privacy Policy is compliant with the General Data Protection Regulation (GDPR) 2016/679, and it provides detailed information about how we process personal data. Please read it carefully and, if you have questions regarding your personal data or its use, please contact the Data Protection Officer by email at dpo@hps.ac.cy; by telephone on +35725367018; or, by post at DPO, The Heritage Private School, Palodia 4549, Cyprus.


We collect and process personal data about prospective, current and former students and their parents; staff, suppliers and contractors; friends and supporters; and other individuals connected to or visiting the Heritage Private School including students enrolled in our summer school.

The personal data we process takes different forms – it may be factual information, expressions of opinion, images or other recorded information which identifies or relates to a living individual. Examples include:

  • names, addresses, telephone numbers, e-mail addresses and other contact details
  • family details, such as parents’ names, telephone numbers, passport numbers, addresses
  • admissions, academic, disciplinary and other education related records, information about special educational needs, references, examination scripts and marks
  • education and employment data
  • images, audio and video recordings
  • financial information
  • courses, meetings or events attended.

As a school, we need to process special category personal data e.g. concerning health or ethnicity. We do so in accordance with applicable law (including with respect to safeguarding or employment) or by explicit consent.


We collect most of the personal data we process directly from the individual concerned (or in the case of students, from their parents). In some cases, we collect data from third parties (for example, referees, previous schools or professionals or authorities working with the individual) or from publicly available resources.

Personal data held by us is processed by appropriate members of staff for the purposes for which the data was provided. We take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to school systems. We do not transfer personal data outside of the European Union unless we are satisfied that the personal data will be afforded an equivalent level of protection.

In the course of school business, we share personal data (including special category personal data where appropriate) with third parties such as examination boards, the school’s professional advisors and relevant authorities (e.g. Ministry of Education, Welfare Office, Department of Statistics, Immigration Office, Tax Department, Social Insurance Services). Some of our systems are provided by third parties, e.g. hosted databases, school website, school calendar, school email, platforms and applications. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with our specific directions. We maintain personal data about The Heritage Private School Alumni. We do not share or sell personal data to other organisations for their own purposes.


We process personal data to support the school’s operation as a private school registered by the Cyprus Ministry of Education and in particular for:

  • The selection and admission of students;
  • The provision of education to students including the administration of the school curriculum and timetable; monitoring student progress and educational needs; reporting on the same internally and to parents; administration of students’ entries to internal and external examinations, reporting upon and publishing the results; providing references for students (including after a student has left);
  • The provision of educational support and related services to students (and parents) including the maintenance of discipline; provision of careers and library services; administration of sports fixtures and teams, school trips; provision of the school’s IT and communications system and virtual learning environment (and monitoring the same) all in accordance with our Student Use of Educational Technology Policy;
  • The provision of educational courses during school holidays to students enrolled on such courses;
  • The safeguarding of students’ welfare and provision of pastoral care, welfare, health care services by school staff;
  • The research into and development of effective teaching and learning methods and best practice;
  • Compliance with legislation and regulation including the preparation of information for inspections, submission of information to the Ministry of Education and other government departments;
  • Operational management including the compilation of student records; the administration of invoices, fees and accounts; the management of the School’s property; the management of security and safety arrangements (including the use of CCTV in accordance with our CCTV Policy and monitoring of the School’s IT and communications systems in accordance with our Student Use of Educational Technology Policy); management planning and forecasting; research and statistical analysis; the administration and implementation of the School’s rules and policies for students and staff; the maintenance of archives and other operational purposes;
  • Staff administration including the recruitment of staff and/or engagement of sub-contractors; administration of payroll, pensions and sick leave; review and appraisal of staff performance; conduct of any grievance, capability or disciplinary procedures; and the maintenance of appropriate human resources records for current and former staff; and providing references;
  • The promotion of the School through its own website, the prospectus and other publications and communications (including through our social media channels); and
  • Maintaining relationships with Heritage Alumni and the wider school community by communicating with the body of current and former students and/or their parents or guardians and organising events.

The processing set out above is carried out to fulfil our legal obligations (including those under our School Application Admission Form and Staff employment contracts). We also expect these purposes to form our legitimate interests.


We fundraise from individuals, companies and foundations who want to support our events. We do not use third-party profiling companies but we may analyse publicly available data about potential donors (e.g. from LinkedIn) to create a profile of interests and preferences so that we can make appropriate requests.

We keep in touch with Heritage Alumni, current or former parents or other members of the school community. We ask you to join the Heritage School Mailing List in order to keep you updated about our activities and invite you to events of interest by email. You can join the list at https://www.heritageschool.ac.cy/subscribe. Note that you can unsubscribe from the Heritage Mailing List at any time by visiting https://www.heritageschool.ac.cy/unsubscribe/.


We retain personal data only for a legitimate and lawful reason and only for so long as necessary or required by law. We have Records Retention Guidelines which set out the time period for which different categories of data are kept. If you have any specific queries about our record retention periods or wish to request that your personal data is considered for erasure, please contact the Data Protection Officer.


You have various rights under GDPR to access and understand the personal data we hold about you, and in some cases to ask for it to be erased or amended or for us to stop processing it, but subject to certain lawful exemptions and limitations.

You always have the right to withdraw consent, where given, or otherwise object to receiving generic or fundraising communications. Please be aware however, that the School may have another lawful reason to process the personal data in question even without your consent. That reason will usually have been asserted under this Privacy Policy, or may exist under some form of contract or agreement with the individual (e.g. an employment or parent contract, or because of a purchase of goods or services).

If you would like to access or amend your personal data or would like it to be transferred to another person or organisation or have some other objection to how your personal data is used, please make your request in writing to the Data Protection Officer.

We will respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. We will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, we may ask you to reconsider or charge a proportionate fee, but only where GDPR allows it.

You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal privilege. We are also not required to disclose any student examination scripts (though examiners' comments may be disclosed), nor any confidential reference given by the school for the purposes of the education, training or employment of any individual.


The rights under Data Protection legislation belong to the individual to whom the data relates. However, we will often rely on parental consent to process personal data relating to students (if consent is required) unless, given the nature of the processing in question, and the student's age and understanding, it is more appropriate to rely on the student's consent.

Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.

In general, we will assume that students’ consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the student's activities, progress and behaviour, and in the interests of the student's welfare, unless, in the school's opinion, there is a good reason to do otherwise.

However, where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example, where the school believes disclosure will be in the best interests of the student or other students, or is required by law.

Students can make subject access requests for their own personal data, provided that they have sufficient maturity to understand the request they are making. A person with parental responsibility will generally be entitled to make a subject access request on behalf of students, but the information in question is always considered to be the child’s at law. A student of any age may ask a parent or other representative to make a subject access request on their behalf. Moreover (if of sufficient maturity) their consent or authority may need to be sought by the parent making such a request.


We try to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Please notify dpo@hps.ac.cy of any changes to important information, such as contact details, held about you.


Our Privacy Policy should be read in conjunction with our other policies and terms and conditions which make reference to personal data, including but not limited to our School Application Admission Form.

We will update this Privacy Policy from time to time. Any substantial changes that affect how we process your personal data will be notified on our website and to you directly, as far as practicable.

As a data subject, you may address any concern relating to your data protection rights to the School’s Data Protection Officer by sending an email to dpo@hps.ac.cy.

Any complaints you may have with regards to any violation of your rights under the GDPR may be lodged with the relevant supervisory authority whose details are as follows:

Officer of the Commissioner on Personal Data Protection
1, Iasonos Str., 1082 Nicosia
P.O.Box 23378, 1682 Nicosia
Tel: +357 22818456, Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy