Direct Notice to Schools

Student Data Protection

Effective: 1 January 2025 · Bangkok Bilingual School · PDPA B.E. 2562

This notice is addressed to schools and system administrators. BBS Portal, as software operator, processes student data under the school's direction. Bangkok Bilingual School is the Data Controller under Thailand's Personal Data Protection Act (PDPA) B.E. 2562.

1. School–Operator Relationship

BBS Portal operates as a software service provider for Bangkok Bilingual School. The school decides what data is entered into the system. BBS Portal processes that data solely to deliver the services the school directs.

School is responsible for

  • Deciding what data to collect
  • Obtaining parental consent where required
  • Assigning user access roles
  • Requesting data deletion or correction
  • PDPA compliance as Data Controller

BBS Portal is responsible for

  • Storing data securely
  • Processing data only on school instruction
  • Never using data for advertising or personal gain
  • Notifying the school of any security incidents
  • Honouring school-initiated deletion requests

2. Student Data BBS Portal Collects

BBS Portal collects only the minimum data required to deliver educational services. No browsing behaviour, location data, or biometric data is collected.

Data | Source | Purpose | School control
Name, school email, role | Google Workspace / admin | Identity & access | Yes
Student ID, grade, class | Google Classroom sync | Programme enrolment | Yes
Enrolments, status, invoices | In-portal actions | Finance & programme ops | Yes
Usage audit logs | System-generated | Security & compliance | Superadmin
QR code (login token) | BBS Portal system | Passwordless student login | Yes

BBS Portal does NOT collect

  • Academic grades or test scores
  • Browsing or internet behaviour
  • Location or GPS data
  • Biometric or health data
  • Social media profiles
  • Any data unrelated to school operations

3. How Schools Control Student Data

School administrators have full capability to manage student data through the BBS Portal dashboard at any time.

View Student Records

Access full student profiles, enrolments, and activity records at any time via Users → All Users.

Correct Data

Edit names, emails, roles, and other fields directly through the Users page — no support ticket required.

Delete Student Data

Delete student accounts and all associated data via Users. Related enrolments and invoice records are removed together.

Reset QR Codes & Passwords

Generate replacement QR codes or send password-reset emails from Users → QR Management. Old codes are immediately invalidated.

Review Audit Logs

All actions (logins, edits, deletions) are logged in System → Audit Logs for transparency and compliance review.

Manage Guardian Slots

Reset, remove, or recreate parent links at any time via Users → Guardian Overview.

4. Parent Rights & How to Exercise Them

Under Thailand PDPA B.E. 2562 and school policy, parents have the following rights regarding their child's data. These rights are exercised through the school as Data Controller.

Right | How to exercise
Right to Access: request a copy of data held about your child | Contact school administration in writing
Right to Rectification: request correction of inaccurate or incomplete data | Notify class teacher or school office
Right to Erasure: request deletion of your child's data from the system | Submit written request to admin. School admin will process deletion within 30 days.
Right to Object: object to specific types of data processing | Contact school administration or email admin@bbs.ac.th
Right to Portability: request data in machine-readable format | Submit written request to school admin

5. What BBS Portal Will Never Do

  • Sell student or parent data to any third party
  • Use student data for advertising or marketing purposes
  • Build student profiles for non-educational purposes
  • Share data with external vendors beyond infrastructure providers (Google Firebase, Gmail API)
  • Disclose personal data without school authorisation, except as required by Thai law
  • Retain data longer than necessary for school operations

6. Student Data Security

BBS Portal uses multiple layers of security to protect student data.

Encryption in Transit

All data is transmitted over HTTPS/TLS at all times.

Firebase Auth

Authentication via Google Firebase Auth using OAuth 2.0.

Firestore Security Rules

Server-side Firestore rules enforce role-based data isolation.

Role-Based Access Control

Students, parents, teachers, and admins see only data relevant to their role.

Audit Logging

All significant actions are logged with timestamps and actor identity.

No Stored Passwords for Students

Students log in via QR code or Google OAuth — no student passwords are stored.

7. Data Retention & Deletion

Data type | Retention period | Deleted by
Student accounts | While enrolled, or until deleted by school | School admin
Enrolment & invoice records | Up to 7 years per Thai accounting requirements | Admin on request
Audit logs | 12 months | Auto-purged
Parent accounts | While child is enrolled, or until deletion is requested | Admin / parent via school

8. Third-Party Services Used

BBS Portal uses the following infrastructure services. All operate as data processors on behalf of the school.

Service | Purpose | Data accessed
Google Firebase (Firestore, Auth, Storage) | Database, authentication, file storage | All user data (encrypted at rest)
Google Gmail API (Domain-Wide Delegation) | Send school notification emails | Recipient email and notification content
Google Classroom API | Sync student and class roster data | Names, emails, class enrolments

These providers are not permitted to use student data for their own purposes and operate under Google for Education policies.

9. Contact & Complaints

School

Bangkok Bilingual School (BBS) · โรงเรียนบางกอกทวิวิทย์ สองภาษา

Address

68 Soi Ramkhamhaeng 43/1, Hua Mak, Bang Kapi, Bangkok 10240

Data Administrator Email

admin@bbs.ac.th

Supervisory Authority

Personal Data Protection Committee (PDPC), Thailand — pdpc.or.th