Principles of Personal Data Protection

1. Introduction

1.1 The purpose of this document “Principles of Personal Data Protection” is to explain all the conditions of Personal Data processing by GTS ALIVE ME DMCC, the conditions of Processing the Personal Data of Holders when using Passes and Cards and the conditions of using the Website and FB.

1.2 These Principles apply to the Holders and applicants for possession of the following Passes and Cards and co-brands of those Passes and Cards

ISIC, International Student Identity Card,
ISIC SCHOLAR, International Scholar Identity Card,
IYTC, International Youth Travel Card,
ITIC, International Teacher Identity Card,
ALIVE Student, ALIVE Employee and ALIVE Alumni and ALIVE membership cards.

1.3 We devote the same care and interest to approaching the protection of Personal Data provided by the Holders of Passes and Cards as we do to the Passes and Cards and options of their use.

1.4 We collect only those Personal Data which we truly need for the stipulated purposes. We do everything so as to provide and guarantee to Holders the best service not only in the United Arab Emirates, but also in all the other countries where the Passes can be used.

1.5 On the following pages, you will find the complete information and conditions concerning Personal Data protection.

1.6 All the terms written with a capital first letter in these Principles have the meaning specified in the definitions here.

1.7 These Principles are valid from 1 January 2018.

2. Contact information

GTS ALIVE ME DMCC: The company GTS ALIVE ME DMCC, with registered address: DMCC Business Centre, Unit No: 3928, Jewellery & Gemplex 3, Dubai, United Arab Emirates, license number: DMCC-073822, which is the operator of the Website and simultaneously the controller of Personal Data, unless stipulated otherwise in these Principles.

Rules: The Rules means the Rules for using Passes and Cards, which you can find here.

Principles: The Principles mean these Principles of Personal Data Protection.

Business Terms and Conditions: The Business Terms and Conditions mean the Business Terms and Conditions for Online Ordering, which you can find here.

FB: The Facebook profile of ISIC POINT (https://www.facebook.com/isic.ae)

Website: The website https://www.studentcard.ae

Pass: A Pass means any ISIC, ISIC SCHOLAR, IYTC, ITIC, ALIVE Student, ALIVE Employee and ALIVE Alumni pass, which may be issued by a university or school, GTS ALIVE ME DMCC or another authorised distributor.

Card: A Card means any ALIVE card, ALIVE membership card which is issued by GTS ALIVE ME DMCC or another authorised distributor.

Holder: The user of any Pass or Card; the Holder is also the data subject.

Personal Data: Personal Data refers to any information concerning an identified or identifiable data subject. The data subject is considered identified or identifiable if the data subject can be directly or indirectly identified particularly based on a number, code or one or more elements specific to their physical, physiological, psychic, economic, cultural or social identity; for instance, Personal Data refers to the e-mail address or mobile phone number; Personal Data may also be data about shopping preferences associated with the surname. The processing of your Personal Data is essential for issuing the Pass or Card.

Sensitive Personal Data: Sensitive Personal Data are Personal Data which testify to the nationality, racial or ethnic origin, political views, membership in trade union organisations, religious or philosophical beliefs, conviction of crimes, medical condition and sexual life of the data subject and genetic data of the data subject; sensitive Personal Data also refers to biometric data, which allow the direct identification or authentication of the data subject. GTS ALIVE ME DMCC never discloses sensitive Personal Data. These are not processed.

Processing: Personal Data Processing refers to any operation or set of operations which the controller or processor systematically perform with Personal Data, either by automated or other means. Personal Data Processing refers in particular to collection, storage on information carriers, disclosure, modification or alteration, searching, use, handover, dissemination, publication, preservation, exchange, sorting or combining, blocking and deletion; collection of Personal Data is a systematic procedure or set of procedures, the aim of which is to obtain Personal Data for the purpose of their further storage on an information carrier for immediate or later processing; storage of Personal Data is the retention of data in such a form that allows their further processing; blocking of Personal Data is an operation or set of operations, through which the means or resources for processing Personal Data are restricted for a stipulated period, with the exception of essential interventions; deletion of Personal Data refers to the physical destruction of their carrier, their physical deletion or their permanent exclusion from further processing.

Purpose: The purpose of processing refers to the reason for which GTS ALIVE ME DMCC processes the Personal Data.

Scope: Scope refers to the specific Personal Data which we need for Processing, for instance the name and surname.

3. Common information for Holders of Passes purchased within the GTS ALIVE ME DMCC agent network or issued through the online application

3.1 Among other, GTS ALIVE ME DMCC is the holder of license rights and rights to issue ISIC, ISIC SCHOLAR / ITIC / IYTC passes for the United Arab Emirates. GTS ALIVE ME DMCC declares that all the Personal Data are considered strictly confidential and are handled in accordance legal regulations of the United Arab Emirates. GTS ALIVE ME DMCC also accepts all obligations arising from the new General Data Protection Regulation.

3.2 The controller of Personal Data for Passes and Cards issued through the GTS ALIVE ME DMCC agent network or through the online application is GTS ALIVE ME DMCC, which produces and issues the Passes and ensures the related activities.

3.3 The seller included in the GTS ALIVE ME DMCC agent network is the processor of Personal Data.

3.4 GTS ALIVE ME DMCC is only the processor for Personal Data for all ALIVE member Cards and partner Cards. The Card issuer is the controller. All rights, requests and complaints must be applied with the issuer.

4. Common information for Holders of Passes of schools participating in the ISIC FOR SCHOOLS project

4.1 GTS ALIVE ME DMCC is the holder of license rights and rights to issue ISIC / ISIC SCHOLAR / ITIC / IYTC passes for the United Arab Emirates and license rights to issue ALIVE passes.

4.2 GTS ALIVE ME DMCC declares that all the Personal Data are considered strictly confidential and are handled in accordance with the laws of the United Arab Emirates, on Personal Data protection. GTS ALIVE ME DMCC also accepts all obligations arising from the new General Data Protection Regulation.

4.3 The controller of Personal Data within the ISIC FOR SCHOOLS project is GTS ALIVE ME DMCC, which within this project produces and issues the Passes for schools, respectively their students, and ensures the related activities, including allowing the use of Passes by the subject for the purpose of identification of the subject, the possibility of enjoying benefits at home and abroad for the subject, etc. The controller of Personal Data is also the school itself which participates in the ISIC FOR SCHOOLS project, in order to allow use of the Pass as a student/teacher identification pass, to confirm the status of school student/pupil/teacher/employee and potentially for use in the school’s access and security systems and other use by the school.

4.4 A school participating in the ISIC FOR SCHOOLS project is the controller of Personal Data, because it mediates the applications for its students/pupils for GTS ALIVE ME DMCC. GTS ALIVE ME DMCC is the processor for the school participating in the project as for processing concerning use during the subject’s term of study at the school, for the purpose of ensuring Pass functionality as a student identification pass.

4.5 Learn more about the ISIC FOR SCHOOLS project here.

5. Declaration on protection of Personal Data for Holders of Passes from universities and colleges which issue combined school student/teacher/employee/alumni passes with ISIC, ITIC, ALIVE Student, ALIVE Employee and ALIVE Alumni passes

5.1 GTS ALIVE ME DMCC is the holder of license rights and rights to issue ISIC/ITIC passes for the United Arab Emirates and license rights to issue ALIVE passes.

5.2 Universities and colleges might issue student identification document, hereinafter also “pass”. A student pass is a document issued by the university, which the student receives upon registering for study; the said document confirms the student’s legal position, authorising them to enjoy the rights and benefits of a student arising from legal regulations or the university’s internal regulations. Such school student pass may be issued with an ISIC ID card.

5.3 GTS ALIVE ME DMCC allows the academic partner to issue a combined student/teacher/employee/alumni school pass and ISIC/ITIC/ALIVE pass.

5.4 In this case, the controller of Personal Data is the respective academic partner which issued the given Pass, because the specific school produces and issues the pass and ensures all the related activities. GTS ALIVE ME DMCC is not involved in processing, but merely ensures the possibility of using the Pass as imposed on the school.

5.5 GTS ALIVE ME DMCC is the processor for ensuring the possibility of verifying the Pass and enjoying the discounts and benefits according to the Rules for use of Passes, which are here, because the school only entrusts GTS ALIVE ME DMCC with the activities concerning the ensuring of Pass discounts and benefits.

5.6 GTS ALIVE ME DMCC as the processor strictly observes the effective legislation and these Principles.

5.7 GTS ALIVE ME DMCC does not provide your Personal Data to any third parties, unless you grant consent to do so.

5.8 For information about Personal Data processing for the purpose of a combined school pass and Pass, please inquire with the specific school which issues the Pass.

5.9 Use of the Pass is also governed by the internal regulations of the school that issued the Pass.

6. Purposes of Personal Data processing

The purpose refers to the reason why the Holders’ Personal Data are processed in individual cases, respectively why they are required. Unless stipulated otherwise or unless GTS ALIVE ME DMCC is authorised by legal regulations to perform processing, GTS ALIVE ME DMCC processes Personal Data for the following purposes:

6.1 Order performance = issuing and use of the Pass/Card By completing the respective application, the Holder requests the issuing of the Pass/Card. The Pass/Card can only be issued if the Holder gives the controller the necessary Personal Data; this processing is essential for issuing the Pass/Card. The Holder’s Personal Data are used only for issuing the Pass/Card and enabling use. The Holder’s Personal Data are used only as follows:

to manufacture the body of the Pass/Card;
to register the Holder’s Personal Data in order to verify student status, Pass/Card validity, authorisation of the claim to a discount/benefit;
to send the information which the Holder essentially needs for Pass/Card functionality, e.g. information about expiring validity;
to use other functions enabled by the individual types of Passes/Cards according to the Rules and respective application;
to keep records of Pass/Card Holders, their verification and control (i.e. verification of pupil/student status, which is a condition for drawing the discount and benefita, and verifying the right to draw discounts/benefits).

6.2 Personalised commercial messages = marketing, direct marketing If the Holder granted voluntary and express consent, GTS ALIVE ME DMCC will inform the Holder and send them personalised commercial messages about the options offered by the Pass and GTS ALIVE ME DMCC’s business partners, about discounts, events and contests by GTS ALIVE ME DMCC and GTS ALIVE ME DMCC’s business partners. The Holder’s Personal Data will be used for this purpose so as to allow the following:

sending of personalised commercial messages from GTS ALIVE ME DMCC and GTS ALIVE ME DMCC’s business partners which are interesting for the Holder based on the ongoing evaluation and updating of Personal Data, including information about the use of the Holder’s Pass/Card among the controller’s business partners and the Holder’s preferences determined from use of the Website and FB, including the use of electronic means of communication;
sending of regular commercial messages, including the use of electronic means of communication;
conducting market surveys and evaluation.

6.3 Verification/control of identification during online Pass purchase If you grant us your voluntary and express consent, we will verify and control your identity when purchasing the Pass online via verification of a scan of your national ID card/passport. The copy (scan) can be made exclusively by the Holder. The scan of the national ID card (or other provided identification document) will be used exclusively to verify the Holder’s identity. Verification of identity includes checking the photograph on the Pass with the photograph on the national ID card/passport, verifying the data from the Pass with data on the national ID card/passport. After such verification, GTS ALIVE ME DMCC will immediately and securely liquidate the copy (scan) of the national ID card/passport.

7. Scope of processing Personal Data

The scope of Personal Data is always defined so as to be the scope necessary to fulfil the given purpose. Based on the individual purposes, the scope is as follows:

7.1 Order performance = issuing and use of the Pass/Card We only process such Personal Data which the Holder discloses to us, provides or completes in the respective request. For the purpose of production and functioning of the Pass/Card, GTS ALIVE ME DMCC processes the Holder’s photograph, name and surname, issue date and other Personal Data of the Holder, depending on the type of Pass/Card. The scope of Personal Data on the body of the Passes and Cards is as follows:

ISIC, ISIC SCHOLAR, ITIC passes contain: name, surname, date of birth, photograph, validity, serial number, school name;
IYTC Passes contain: name, surname, photograph, validity, serial number;
ALIVE Student and ALIVE Employee contain: name, surname, date of birth, photograph, validity, serial number, school name;
ALIVE Alumni contain: name, surname, school name, validity, serial number;
ALIVE Card (sporting associations) contain: name, surname, date of birth, validity, serial number, institution name.

The Pass or Card may also contain other Personal Data of the Holder, which the Holder provided to GTS ALIVE ME DMCC, such as the Holder’s photograph for Passes/Card on which the photograph is depicted. The scope may also include the issue date and other Personal Data of the Holder. Furthermore, for the purposes of use and functionality, we keep a database of Holders in which we register in particular the Pass/Card number, issue date, expiry, data about Pass/Card extension and chip information (if it exists) in order to verify the Pass/Card, discount and benefit options and other uses. The purpose of processing Personal Data is the issuing of the Card, provision of discounts, Card control, management of the numerical Card series for protection against misuse and management of Holder records.

7.2 Personalised commercial messages = marketing, direct marketing Only the Holder’s Personal Data for which the Holder has granted consent to use for this purpose will be used for this purpose. The scope of Personal Data used for the above purpose is: • name, surname and titles, address data (permanent address, mailing address, country and other data including e-mail address), telephone number and date of birth; • all Personal Data provided by the Holder in the form or otherwise disclosed by the Holder while granting consent; • data about us of the Pass/Card among GTS ALIVE ME DMCC’s business partners, including the purchases made, data about use of the controller’s website and social networks, data identified during participation in contests, events and surveys or polls conducted by the controller and data about use of the “MY ISIC” personal account, data on the use of related Passes/Card by one User, including data about the use of Passes and Cards of other controllers, such as membership Passes/Cards, ALIVE Cards; • the Holder’s other Personal Data concerning the Passes and Cards provided by the Holder or determined by GTS ALIVE ME DMCC from the Holder of Personal Data.

8. Recipients of Personal Data

8.1 Processors for GTS ALIVE ME DMCC ISIC Association – a non-profit organisation which controls and manages international identification Passes; ISIC Global Office – a service organisation of the ISIC Association which ensures the international functioning of Passes and manages the international database of Passes; Orchitech Solutions, s.r.o. – IT company providing information system management; An overview of all GTS ALIVE ME DMCC business partners, with which the Holder may apply discounts/benefits and make purchases, can be found here. An overview of GTS ALIVE ME DMCC partners participating in the agency network can be found here.

8.2 Recipients of GTS ALIVE ME DMCC ISIC Association – a non-profit organisation which controls and manages international identification Passes; ISIC Global Office – a service organisation of the ISIC Association which ensures the international functioning of Passes and manages the international database of Passes;

9. Processing term

The processing term is always defined so as to be the term necessary to fulfil the given purpose. Based on the individual purposes, the processing term is as follows:

9.1 Order performance = issuing and use of the Pass/Card Personal Data will be processed for this purpose throughout the validity term of the Pass/Card, respectively for the period bound to the respective processing purpose stipulated in the request to issue the Pass, i.e. for the period during which the Pass Holder is authorised to draw the services and benefits associated with the Pass/Card. A. If the Pass/Card was issued by an authorised partner in the agent network, authorised by GTS ALIVE ME DMCC, the processing term of the Holder’s Personal Data is the validity period and an additional 12 months. The validity period of the Pass/Card starts on the issue date and ends in the month of December of the year after the year of issue – depending on the chosen academic year, but no more than 16 months (for more, see Art. 5.7 of the Business Terms and Conditions). Upon the expiry of validity, the Personal data are stored for 12 months for the following reasons:

to verify misuse of the Pass/Card and verify expiry of the Pass/Card in the network of GTS ALIVE ME DMCC business partners;
to send control information reports to the Holder about expiry of the Pass/Card validity, information about the options of obtaining a new Pass/Card and information about the impossibility of further use of the Pass/Card;
for reasons of controlling the usability of the Pass/Card license number and Holder records in the case of issuing a new Pass/Card. B. If the Pass was issued based on an online order from the GTS ALIVE ME DMCC Website, the processing term of the Holder’s Personal Data is the validity period and an additional 12 months. The validity period of the Pass/Card starts on the issue date and ends in the month of December of the year after the year of issue – depending on the chosen academic year, but no more than 16 months (for more, see Art. 5.7 of the Business Terms and Conditions). Upon the expiry of validity, the Personal data are stored for 12 months for the following reasons:
to verify misuse of the Pass/Card and verify expiry of the Pass/Card in the network of GTS ALIVE ME DMCC business partners;
to send control information reports to the Holder about expiry of the Pass/Card validity, information about the options of obtaining a new Pass/Card and information about the impossibility of further use of the Pass/Card;
for reasons of controlling the usability of the Pass/Card license number and Holder records in the case of issuing a new Pass/Card. C. If it is a Pass/Card issued by the school within the “ISIC For Schools” project, the period of processing the Holder’s Personal Data is nine years, which is the period of study, respectively the expiry period of the Pass/Card according to the Rules, during which it is possible:
in the case of invalidation, to preserve the option of renewing the Pass/Card according to the Rules; • to verify misuse of the Pass/Card and verify expiry of the Pass/Card in the network of GTS ALIVE ME DMCC business partners;
to send control information reports to the Holder about expiry of the Pass/Card validity, information about the options of obtaining a new Pass/Card and information about the impossibility of further use of the Pass/Card;
for reasons of controlling the usability of the Pass/Card license number and Holder records in the case of issuing a new Pass/Card. D. If it is a Pass/Card issued by the school within the project for universities and other schools, where GTS ALIVE ME DMCC is merely the processor of the Holder’s Personal Data for the given specific school, the processing period is nine years, which is the period of study, respectively the expiry period of the Pass/Card according to the Rules, during which it is possible:
in the case of invalidation, to preserve the option of renewing the Pass/Card according to the Rules;
to verify misuse of the Pass/Card and verify expiry of the Pass/Card in the network of GTS ALIVE ME DMCC business partners;
to send control information reports to the Holder about expiry of the Pass/Card validity, information about the options of obtaining a new Pass/Card and information about the impossibility of further use of the Pass/Card;
for reasons of controlling the usability of the Pass/Card license number and Holder records in the case of issuing a new Pass/Card. E. If it is a membership ALIVE Card, where GTS ALIVE ME DMCC is merely the processor, because the Card was issued by the specific organisation, the term of processing Personal Data is usually the validity period of the Card, which is printed on the specific Card, respectively the period by which validity was extended. For specific information about processing and the term, the Holder may contact the organisation which is a member and which issued the Card. The validity period of individual Passes and Cards is also regulated in detail in the Rules. The validity period and processing time may differ for the aforementioned reasons, e.g. due to the option of renewing the Pass/Card. If the Holder no longer wishes to use the Pass/Card, they undertake to inform GTS ALIVE ME DMCC of this according to the Rules. In this case, we will process the Holder’s Personal Data only in the necessary scope in order to fulfil the legal obligations of GTS ALIVE ME DMCC and to protect the justified interests of GTS ALIVE ME DMCC, as stipulated by special legal regulations (e.g. due to inspection by individual supervisory authorities). F. In the case of co-branded payment Pass/Card, GTS ALIVE ME DMCC is only the processor, because the card was issued directly by cooperating financial/banking partner. The processing term is validity period of the Pass/Card. Upon termination of validity, the Personal Data are stored for the purpose of enabling revalidation and for the following reasons:
to verify misuse of the Pass and verify expiry of the Pass in the network of GTS ALIVE ME DMCC business partners;
to send control information reports to the Holder about expiry of the Pass validity, information about the options of obtaining a new Pass and information about the impossibility of further use of the Pass;
for reasons of controlling the usability of the Pass serial number and Holder records in the case of issuing a new Pass. The validity period of individual Passes and Cards is also regulated in detail in the Rules. The validity period and processing time may differ for the aforementioned reasons, e.g. due to the option of renewing the Pass/Card. If the Holder no longer wishes to use the Pass/Card, they undertake to inform GTS ALIVE ME DMCC of this according to the Rules. In this case, we will process the Holder’s Personal Data only in the necessary scope in order to fulfil the legal obligations of GTS ALIVE ME DMCC and to protect the justified interests of GTS ALIVE ME DMCC, as stipulated by special legal regulations (e.g. due to inspection by individual supervisory authorities).

9.2 Personalised commercial messages = marketing, direct marketing Personal Data will be processed for this purpose for an indefinite term, maximally until consent is revoked. Personal data will not be processed further once the purpose of processing expires. The Holder may request the termination of sending commercial messages here. In this case, their Personal Data will be further processed in the meaning of Art. 7.2 of these Principles, except for the sending of commercial messages. Consent to Personal Data processing for the purpose pursuant to Article 7.2 of these Principles may be revoked at any time in writing at the address of GTS ALIVE ME DMCC or here

10. Information about the option of terminating the sending of commercial messages, application of objections, complaints and requests to terminate processing.

You may ask us at any time to terminate the sending of commercial messages, either here or in every individual commercial message. If you wish to revoke your consent to Personal Data processing for the purpose of personalised commercial messages, marketing, market surveys and direct marketing, you can do so here. If you have any questions concerning Personal Data processing, security, or wish to apply a right or submit a complaint, please do so here. XI Information about the rights of Personal Data subjects pursuant to the General Data Protection Regulation effective from 25 May 2018le Text

11. Information about the rights of Personal Data subjects pursuant to the General Data Protection Regulation effective from 25 May 2018.

11.1 Transparent information, notices and procedures for exercising the rights of data subjects The controller will adopt adequate measures to provide each Holder with complete information in a concise, transparent, comprehensible and easily accessible manner using clear and simple language (e.g. about the Personal Data processor and the course of such Processing) and to make all notices about Processing, in particular as concerns information designated specifically for a child. The controller will provide the information in writing or via other means (e.g. in electronic form). Assuming that your identity is proven by other means, you also have the right to request the provision of this information orally. The controller will not refuse to accommodate your request whilst exercising your rights (in particular the right to access), unless it proves that it cannot determine the identity of the data subject to which the given data pertain. You have the right, at your request, to be provided by the controller with information about adopted measures, without undue delay and in any case within one month from receiving the request. This deadline may be extended by an additional two months if necessary given the complexity and number of applications. The controller will inform you of any such extension within one month from receiving the request together with reasons for such delay. If you submitted the request in electronic form, the information will be provided in electronic form, if possible and if you do not require other means. If the controller does not adopt the measures you requested, it will inform you immediately and at latest within one month from receiving the request about the reasons for not adopting the measures and the possibility of filing a complaint with the supervisory authority and requesting court protection. We inform you that all this information, notices and actions are provided free of charge. If the requests submitted by the Holder are evaluated as obviously unjustified or inadequate, and in particular if they are repeated, the controller may either: a) impose a reasonable fee taking into account the administrative costs related to providing the requested information or notice or performing the requested actions; or b) refuse to accommodate the request. The controller must prove the obvious lack of justification or inadequacy of the request. If the controller has justified doubts about the identity of the natural person submitting the request, it may ask for the provision of additional information required to confirm the identity of the Holder. The information which is to be provided to you may be supplemented with standardised icons with the aim of providing an easily visible, comprehensible and clear overview of the intended processing. If the icons are presented in electronic format, they must be machine-legible.

11.2 Right to correction You have the right to have the controller correct inaccurate Personal Data concerning your person without undue delay. With regard to the purposes of processing, you also have the right to complete incomplete Personal Data by providing an additional declaration.

11.3 Right to deletion (“right to be forgotten”) You have the right to have your Personal Data concerning your person deleted without undue delay by the controller, and the controller is obliged to delete the Personal Data without undue delay, only if one of the following reasons exists: a) Your Personal Data are no longer required for the purpose for which they were collected or otherwise processed; b) You revoke the consent based on which the data were processed, and there are no further legal grounds for Processing; c) You object to Processing (pursuant to the “Right to objection” below) and there are no superior justified reasons for Processing; d) The Personal Data were processed unlawfully; e) The Personal Data must be deleted to fulfil the legal obligation stipulated by Community law or by the laws of the member state which apply to the controller; f) The Personal Data were collected in connection to an offer of information society services in the case of a person less than 16 years of age, in whose case Processing pursuant to legal regulations requires consent from the person exercising parental responsibility. If the controller published the Personal Data and is obliged to delete them pursuant to the above “Right to deletion”, it will undertake adequate steps given the available technology and costs, including technical measures, to inform the controllers processing these Personal Data that the subject has requested the deletion of all references to these Personal Data, copies or replications thereof. The foregoing will not apply if Processing is necessary: a) to exercise the right to freedom of expression and information; b) to fulfil legal obligations, which require Processing pursuant to Community law or the laws of member state which apply to the controller, or to fulfil tasks performed in public interest or when exercising public power which has been delegated to the controller; c) for reasons of public interest in the area of public health; d) for the purpose of archiving in public interest, for the purpose of scientific or historical research or for statistical purposes, if it is likely that the aforementioned right would prevent or seriously impede the fulfilment of the objectives of such Processing; e) to determine, exercise or defend legal claims.

11.4 Right to restriction of Processing You have the right to have the controller restrict Processing in any of these cases:

a) If you deny the accuracy of the Personal Data, for the time needed for the controller to verify the accuracy of the Personal Data;

b) Processing is unlawful and you reject the deletion of Personal Data and instead request the restriction of their use;

c) The controller no longer needs your Personal Data for the purposes of processing, but you require them to determine, exercise or defend your legal claims;

d) If you have raised an objection against Processing, until it is verified whether the controller’s justified reasons outweigh your justified reasons.

If Processing was restricted pursuant to the aforementioned “Right to restriction of processing”, the Personal Data (with the exception of storage) may be processed only with your consent or in order to determine, exercise and defend legal claims, for reasons of protection of the rights of other natural persons or legal entities, or for reasons of important public interest of the Union or a member state. If you attained the restriction of Processing, you will be notified in advance by the controller that restriction of Processing will be cancelled. Notification obligation concerning the correction or deletion of Personal Data or Processing restriction The controller informs the individual recipients, to whom Personal Data were disclosed, of any corrections or deletion of Personal Data, or will limit Processing, with the exception of cases when this proves to be impossible or requires disproportionate effort. The controller will inform you of these surnames, if you request it.

11.5 Right to data portability You have the right to obtain the Personal Data concerning your person which you provided to the controller in structured, regularly used and machine-legible format, and the right to provide these data to another controller without interference from the controller to whom these Personal Data were provided, in the case that: a) Processing is based on consent or on an agreement, b) Processing is performed automatically. When exercising the right to data portability, you have the right to have the Personal Data transferred directly by one controller to another, if this is technically feasible. Exercising the aforementioned “Right to data portability” does not affect your aforementioned “Right to deletion”. This right does apply to the Processing necessary for the purpose of performing tasks in public interest or when exercising public authority, with which the controller is entrusted. The aforementioned “Right to data portability” must not have a negative impact on the rights and freedoms of other persons.

11.6 Right to objection For reasons concerning your specific situation, you have the right at any time to raise an objection to the processing of Personal Data concerning your person. The controller will no longer process the Personal Data if it does not prove its serious justified reasons for processing, which outweigh your interest or rights and freedoms, or for the determination, exercising or defence of legal claims. If the Personal Data are processed for the purpose of direct marketing, you have the right at any time to object to the Processing of Personal Data concerning your person for such purpose, which also includes profiling as concerns direct marketing. If you object to Processing for the purpose of direct marketing, your Personal Data will no longer be processed for this purpose. In connection to the use of information society services, you may apply your right to raise an objection via automated means using technical specifications. If the Personal Data are processed for the purpose of scientific or historical research or for statistical purposes, you have the right to object to the processing of Personal Data concerning your person for reasons related to your specific situation, unless Processing is necessary to fulfil a task performed for reasons of public interest.

11.7 Automated individual decision-making including profiling You have the right not to be the subject of any decision based solely on automated processing, including profiling, which has legal consequences for you or significantly affects you in a similar manner. GTS ALIVE ME DMCC does not base any of its decisions exclusively on automated processing.

12. Contact data of the supervisory body

Please direct questions, comments, requests concerning Personal Data Processing to: GTS ALIVE ME DMCC with registered address: DMCC Business Centre, Unit No: 3928, Jewellery & Gemplex 3, Dubai, United Arab Emirates, license number: DMCC-073822, email: info(at)studentcard.ae Contacts for the international company IGO: Privacy Officer IGO (ISIC Global Office) Keizersgracht 174-176 1016 DW Amsterdam The Netherlands Telephone: + 31 (0) 20 421 2800 Fax: +31 (0) 20 421 2810 Please direct requests concerning Personal Data processing for insurance to: GTS ALIVE ME DMCC with registered address: DMCC Business Centre, Unit No: 3928, Jewellery & Gemplex 3, Dubai, United Arab Emirates, license number: DMCC-073822, email: info(at)studentcard.ae Your request, inquiry, revocation of consent, application of rights, request for access or other request will be processed without undue delay after being received, in justifies cases maximally within 30 days. This deadline may be extended by an additional two months if necessary given the complexity and number of applications. Revocation of consent to the sending of commercial messages will be handled immediately, at latest within 7 calendar days. If necessary, additional information may be requested to assign the application to the specific Holder. In justified cases, to protect Holder’s rights, control/verification of the applicant’s identity may be required. The Personal Data processing officer for GTS ALIVE ME DMCC is Mr. Michal Lezo, e-mail: michal.lezo(at)gtsalive.com.

13. Conditions for use of the Website

13.1 Introductory provisions This Website is operated by GTS ALIVE ME DMCC, with registered address: DMCC Business Centre, Unit No: 3928, Jewellery & Gemplex 3, Dubai, United Arab Emirates, license number: DMCC-073822, email: info(at)studentcard.ae The Website users acknowledge that: • this Website is designated exclusively for private and non-commercial use, • the content on the Website is provided to users free of charge, • GTS ALIVE ME DMCC is not obliged to provide any updates, maintenance or technical support for the Website, • GTS ALIVE ME DMCC is the executor of all property rights to the Website, including all related intellectual property rights, • GTS ALIVE ME DMCC bears no responsibility for damages which users may incur by using the Website, for contributions made on the Website or for damage caused due to the non-functionality or inaccuracy of the Website, • the Website must not be used by users in other ways that those stipulated by these Principles.

13.2 Cookies Cookies are small text files which the Website places in the user’s computer or other device with internet access. These files allow GTS ALIVE ME DMCC to distinguish the specific user (Holder) from other Website users, to provide users with greater comfort when browsing the pages and to improve them. GTS ALIVE ME DMCC uses cookies on this Website for the following reasons: (a) To guide the user to the relevant part of the Website. (b) To ensure that the Website is displayed identically in various browsers and devices. (c) To remember the login data of the user, if the user is registered. (d) To display relevant advertising, marketing. (e) To ensure the functioning of complex parts of the Website and certain Website functions. (f) To collect anonymous summarised statistical data about Website visitation, which help GTS ALIVE ME DMCC to improve functionality and services. Using browser settings to control and delete cookies Most internet browsers enable the control of most types of cookies through the browser settings. The user can set their browser to inform them about the acceptance of cookies, so that the user can decide whether or not to confirm the use of cookies. The user can disable cookies in the browser settings. If the user disables cookies, they might not be able to use all the functions of their internet browser and the Website. If cookies are disabled, the user will not be shown relevant advertising. The user may continuously delete saved cookies from their browser. The user can find detailed information about how to delete cookies, disable them or continuously block them in the instruction guide for their browser. Explanations in text format with images for Firefox, Microsoft Internet Explorer and Google Chrome are also available under the following links:

https://support.mozilla.org/en-US/products/firefox/protect-your-privacy/

https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en-GB

Users who wish to learn more about using cookies, what type they have set, what cookies mean and how they can be managed better can visit the SPIR website at

https://www.youronlinechoices.com/uk/your-ad-choices

14. Alive App Mobile Application and Alive App User Authentication

14.1. Purpose and Other Information:

GTS Alive allows you to get an overview of all your products and other functionalities according to the Alive Profile Terms of Use. The Alive Profile is accessible via a web-based interface at mystudentcard.org or via the Alive App mobile application.

Alive App is operated by GTS ALIVE Group s.r.o., identification number (IČ): 09296727, with its registered office at Na Maninách 1092/20, Holešovice, 170 00 Prague 7, registered in the Commercial Register maintained by the Municipal Court in Prague, section C, entry no. 334013 (“GTS Alive Group”).

The purpose of the Alive App is to provide access to a single Alive Profile for the UAE and to provide access to the Alive Profile for all countries, where the Alive Profile is available.

GTS Alive shall not be responsible for the operation of the Alive App, as it is governed by the Alive App Terms of Use, whereas the processing of personal data shall be governed by the Alive App Privacy Policy.

GTS Alive Group acts as a processor for GTS Alive, ensuring certain activities relating to the Alive App, such as email verification.

15. Alive Profile and Provision of Selected Marketing Information

15.1. Purpose and Other Information:

The Alive Profile allows you to get an overview of all your products and other functionalities according to the Alive Profile Terms of Use. The Alive Profile is only accessible via the Alive App mobile application. The purpose of the Alive Profile is to provide and use digital IDs, store issued IDs, display information about purchased insurance, enable participation in contests, search for nearby discounts and benefits, and receive news from the GTS Alive world.

Furthermore, if you give your consent to us in the Alive Profile, you will receive relevant contents, including selected commercial communications by electronic means; in return, you may take part in various marketing events for newsletter subscribers – e.g. contests for consumers; consequently, we will perform direct marketing in the manner described below.

If it is necessary in connection with the given service, you will receive service messages (notifications) to your selected contacts.

If you give your voluntary and express consent to us and if you are over the age of 18 (eighteen) years, we will provide selected marketing information to you, including:

Exclusive offers and contests;
Selected (personalized) commercial communications of GTS Alive and its business partners that might be attractive for the Holder based on continuous assessments and updates of Personal Data, including any information about the Holder’s activity within his or her Alive Profile, use of Holder’s IDs/Cards with controller’s business partners, and Holder’s preferences identified in connection with the use of the Website and FB, by all means (by mail or telephone, including the use of electronic means of communication);
Direct marketing through direct contacts, notifications, and by displaying relevant contents according to preferences specified by the Holder and identified activities of the Holder.

Legal basis for the processing: the legal basis of the Alive Profile and associated services is the performance of a contract. Without the processing of personal data, it is not possible to use any Alive Profile services, including the displaying of digital IDs and other functionalities.

Service messages (notifications) are sent on the basis of contract performance, since these are essential technical messages (notifications) relating to the provided service.

Marketing information is sent and direct marketing is conducted on the basis of voluntary consent that may be withdrawn at any time. You have the right at all times to request that we stop sending commercial communications to you – both in your Alive Profile in the “Documents” section and in each commercial communication.

If you wish to withdraw your consent to the processing of Personal Data for the purpose of personalized commercial communications, marketing, market research, and direct marketing, you can do so in your Alive Profile in the “Legal documents and personal data processing settings” section. You can also update any settings relating to marketing directly in your Alive Profile, to which you can sign in via the Alive App.

Legitimate interests: based on the legitimate interest, we reward subscribers of our commercial communications by electronic means, for instance, by giving them an opportunity to take part in contests and other marketing events (for more information see here). We retain a selection of important facts and/or documents (e.g. records of granted consents) for the purpose of any review by a supervisory authority, defense against claims or exercising of our rights pursuant to Section 8.

Recipients: categories of processors specified in Section 8.

Data retention period: In order to provide any Alive Profile services (including service messages/notifications), Personal Data shall be retained until the relevant profile is deleted; they shall only be retained thereafter in case a legitimate interest exists.

In order to provide marketing information and perform direct marketing, Personal Data shall be retained for an indefinite period of time; however, solely until the relevant consent is withdrawn or objections against the performance of direct marketing are lodged. Personal Data will not be processed after the purpose for which they were processed ceases to exist. Selected documents may only be retained for a longer period of time in case of compliance with a legal obligation or in case a legitimate interest exists.

Categories of personal data concerned: Identification and contact details (name, surname, date of birth, email address (required), gender, telephone, address), data relating to IDs (field of study, photograph of an ID holder (optional), and other details relating to IDs), and data on used products (names, specifications, and other relevant information, as appropriate) are used within the Alive Profile. We further retain data on profile activity, granted consents, and relevant settings (segmentation of displayed information).

If no photograph is uploaded to the database for a user by his or her school, the user must upload it in order to be able to use his or her digital ID in connection with the given service. Since the purpose of an identification card is to verify identity, the relevant photograph must be verified; for this purpose, it is necessary to follow the identity verification process described in Section 3.4 hereof.

Holder’s Personal Data may only be used for the purpose of providing marketing information, if the Holder granted his or her consent for such purpose in connection with his or her Personal Data, subject to the following terms and conditions:

Identification and contact details provided by the Holder when giving consent;
Information about activity and use of ID/Card with business partners of GTS Alive (including any purchases made, information about the use of controller’s website and social media, data collected when taking part in contests, events, and surveys and polls of the controller, as well as data on the use of the Alive Profile, data on the use of associated IDs/Cards by one Holder, including data on the use of IDs and Cards of other controllers, such as membership IDs/Cards and Alive Cards);
Other Personal Data of the Holder relating to his or her preferences for the selection of relevant information collected in connection with Holder’s activities or provided by the Holder.

15.2. Processing of Personal Data in case of an Incomplete Alive Profile Activation:

Purpose: Since it is a priority for GTS Alive to comply with effective legislation and to ensure proper matching of products and services of the Holder, two-step verification takes place during the activation process, as follows:

1) The user shall enter his or her email address and password for the purpose of verifying his or her email address – email address must be actively verified by the user using a received link, otherwise the activation process cannot continue;

2) Once a user’s email address is verified, he or she shall specify his or her name, surname, and date of birth for the purpose of verifying user’s age and identity and assigning his or her products (IDs/Cards/insurance);

3) If the Holder is under the age of 18 (eighteen) years, he or she must enter his or her legal guardian’s email address, who will then be required to provide confirmation – more information about confirmation by parent is available here – the activation process cannot be completed without the legal guardian’s confirmation and digital ID/Card/insurance cannot be displayed, for example;

4) If no verified electronic photograph is registered for the Holder, such Holder (or his or her legal guardian) shall proceed in accordance with the procedure described in the Alive App.

Legal basis for the processing: performance of a contract or taking steps at the request of the data subject prior to entering into a contract.

Legitimate interests: A selection of important facts and/or documents (e.g. records of granted consents) shall be retained for the purpose of any review by a supervisory authority, defense against claims or exercising of our rights pursuant to Section 8.

Recipients: categories of processors specified in Section 8.

Data retention period: emails and passwords shall be retained for no more than 14 (fourteen) days for the purpose of the confirmation; if an email address is not confirmed within the aforementioned period, the relevant data are safely disposed of. If a user is under the age of 18 (eighteen) years, his or her data shall be retained for no more than 14 (fourteen) days for the purpose of activation approval by his or her legal guardian; if no approval is obtained within the aforementioned period, any data of such user shall be safely disposed of. If the user activation process is properly completed and all required verifications and confirmations take place, the relevant data shall be retained in the manner and for the period foreseen in Section 5.1 herein.

Categories of personal data concerned: identification and contact details, logs (and/or documents) relating to approvals, and any other related communications.

15.3. Photo Verification

Purpose: This service is used for the purpose of the initial validation of a photograph uploaded for a card. In the event that the Holder provides us with a photo of him or herself for display on the ID Pass, we must check the photo to ensure that the Holder’s him or herself is in the photo, that the person in the photo is not wearing sunglasses or headgear, that the quality of the photo is sufficient to identify and verify the person when using the ID Pass, that the head is not hidden, and related checks. For this purpose, we must process the Holder’s personal data.

We also use the services of a contractor, Google Ireland Limited, a company incorporated under the laws of Ireland, identification number 368047, with registered office at Gordon House, Barrow Street, Dublin 4, Ireland (“Google") to check the photo. We have entered into a data processing agreement with Google, the text of which is available here. Google’s service is called Google cloud vision and we have entered into a contract for this service, the content of which can be found here, while an overview of the information about the service is available here and information on the processing of personal data here. The way Google cloud vision works is that once a user uploads a photo, the service verifies, among other things, that there is a person in the photo and that the person in the photo is not wearing sunglasses or headgear and that the quality of the photo is sufficient for its use. Google cloud vision authentication does not involve a check of identity or processing of biometric personal data or other special categories of data.

Legal basis:

performance of the contract and legitimate interest. The legitimate interest may be objected to.

Providing a photo is voluntary, but without providing and verifying it, it is not possible to use the ID Pass.

Legitimate interests: Selected important data and/or documents (e.g., records of consents given) are retained for inspection by a supervisory authority, to defend against claims, or to exercise our rights under section 8.

Data categories: a photograph and parameters for assessing such photograph – compliance with requirements for a card photo (check for face and its position, any headwear, etc.) , network identifiers, logs, the result of the check, data on the internal check of the controller, data relating to the use of Google cloud vision.

Recipients: categories of processors according to paragraph 2.2. For Google cloud vision, Google Ireland Limited is the supplier, access from outside the EU is possible for use of the service, standard contractual clauses are used to ensure sufficient safeguards, and where a third country is subject to an adequacy decision, such decisions also apply. Additional information on this topic can be found here.

Retention time: Data used for internal verification and checking of the photo is deleted immediately after validation, within 24 hours at most. The retention period of a photo is the period of time for which the photo is used on the ID Pass, i.e., it is equal to the period of retention of personal data on the ID Pass under this Policy. Access to the photo by the Google service provider is limited to the time necessary to use the service and to check the photo against the criteria described above.

The source from which the personal data comes: The data source is always the Holder.

15.4. Participation in Contests:

Any Holder with an active Alive Profile, who has given his or her consent to the receipt of selected information (and direct marketing pursuant to Section 5.1 herein), may – in return for signing up to a newsletter – take part in various contests organized by GTS Alive.

The Holder’s participation in a contest is always voluntary and he or she may cease to participate at any time.

The legal basis for the processing of personal data for this purpose is our legitimate interest in rewarding newsletter subscribers in the form of contests for consumers. Holders may object to the legitimate interest at any time.

The purpose of this processing is to ensure organization of contests, proper evaluation, verification of registrations or inputs in respect to such contests, monitoring of compliance with the relevant rules, and awarding of prizes.

The data retention period for this purpose shall equal to the duration of the relevant contest plus 6 months thereafter. In case of any objections or withdrawal from a contest, the processing shall be immediately terminated. In case the data retention period expires or in case of any objections/withdrawal from a contest, only a limited selection of the most important documents shall be retained for the purpose of any review by a supervisory authority in accordance with the principles specified in Section 9.

Categories of personal data concerned: entering a contest, contest task, identification and contact details, prize details and awarding of a prize, data on related communication.

Legitimate interests: only the protection of rights for selected documents, as specified in Section 4.

Recipients: categories of processors specified in Section 8.

15.5. Social Media Contests:

Any Holder that follows GTS Alive on social media may take part in contests organized by GTS Alive on social media, provided he or she gives his or her consent to the applicable rules and associated processing of personal data. The Holder’s participation in a contest is always voluntary and he or she may cease to participate at any time.

The legal basis for the processing of personal data for this purpose is consent. Such consent may be withdrawn at any time. It is not possible to take part in a contest without giving consent and participation in such contest terminates once the consent is withdrawn.

The data retention period for this purpose shall equal to the duration of the relevant contest plus 6 (six) months thereafter. In case of withdrawal of consent or withdrawal from a contest, the processing shall be immediately terminated. In case the data retention period expires or in case of consent withdrawal/withdrawal from a contest, only a limited selection of the most important documents shall be retained for the purpose of any review by a supervisory authority in accordance with the principles specified in Section 9.

Categories of personal data concerned: entering a contest, contest task, identification and contact details, prize details and awarding of a prize, data on related communication.

Legitimate interests: only the protection of rights for selected documents, as specified in Section 4.

Recipients: categories of processors specified in Section 8.

15.6. Vouchers/PROMO CODES:

Purpose: By generating a Voucher/Promo Code in respect of a discount or other benefits with a GTS Alive benefit partner, the Holder enters into a contract with GTS Alive, in each case under the terms and conditions specified in connection with a particular proposition. The Holder’s request for a voucher is always voluntary; by using the relevant voucher, the Holder agrees with the conditions for use thereof as well as the associated processing of Personal Data. The terms of use for vouchers and the terms and conditions for receiving “Promo Codes” are available in the “Special offers” section of the Holder’s Alive Profile.

The Personal Data of the Holder shall be used to:

· Generate a Voucher/Promo Code;

· Register the Personal Data of the Holder with a view to verify the Voucher validity, eligibility for a discount/benefit;

· Send information that is strictly necessary for the Holder to use the Voucher – e.g. notification of expiration or conditions for use;

· Maintain records relating to Voucher Holders and the verification and monitoring thereof (i.e. verification of voucher validity, compliance with any terms and conditions for the use of discounts/benefits, verification of eligibility for discounts/benefits).

The legal basis for the processing is the performance of a contract.

Legitimate interests: only the protection of rights for selected documents, as specified in Section 4.

Recipients: categories of processors specified in Section 8.

Data retention period: 3 (three) years after a Voucher/Promo Code expires.

Categories of personal data concerned: data on a generated Voucher/Promo Code, including the transfer and use thereof, identification and contact details, data on related communication.

15.7. Consent to Receive Selected News:

If you give your separate consent to us to receive selected news, we will provide you with such news by all means using the contact details provided by you, including commercial communications by electronic means.

Solely the following Personal Data shall be used for this purpose: identification and contact details of the Holder, data on Holder’s ID and his or her Alive Profile activity, requests made in the profile, participation in events and contests, and other Personal Data of the Holder relating to IDs/Cards and insurance disclosed by the Holder or collected by GTS Alive from the Holder of such personal data.

For this purpose, Personal Data shall be processed for an indefinite period of time; however, in any case until the relevant consent is withdrawn. Personal Data will not be processed after the purpose for which they were processed ceases to exist. In case the data retention period expires, only a limited selection of the most important documents shall be retained for the purpose of any review by a supervisory authority in accordance with the principles specified here.

The legal basis for the processing is voluntary consent that may be withdrawn at any time.

Such consent may be withdrawn at any time, either in writing at the address of GTS Alive or electronically in the Holder’s Alive Profile – in the Personal Data processing settings. The Holder may unsubscribe from our electronic commercial communications in each email. In such a case, his or her Personal Data will subsequently be processed in accordance with this Section, with the exception of the receipt of electronic commercial communications.