GDPR Policy
In April 2016, the European Union (EU) adopted new privacy regulations related to the collection of personal information. This regulatory framework – known as the General Data Protection Regulation (GDPR) – went into effect on May 25, 2018. The GDPR applies to any organization or entity that collects personal information from a natural person who is physically present in an EU member state, regardless of the location of the entity collecting the information. The regulation places transparency requirements and use restrictions on entities collecting information and gives individuals robust rights regarding the management of their information. These rights include the right to access, to rectify and to object to information collected, and even the “right to be forgotten” when personal information is no longer needed by the collecting entity. In addition, there are notification requirements in the event of a data breach.
It is important to note that the GDPR is a new compliance regulation issued from a foreign jurisdiction. How the EU member states will enforce this regulation is unknown. Saint Vincent will closely monitor enforcement activities, as well as any additional guidance issued by the EU. The College may then modify its compliance strategy based on this information.
This policy is to ensure compliance with the EU regulations relating to the collection, storage, disclosure and use of personal data, as well as the rights of persons with regard to their data.
Purpose
The purpose of the policy is to ensure compliance with the EU General Data Protection Regulation. This regulation requires that institutions that collect personal data from natural persons who are in EU member states meet certain standards, including disclosure of what information is being collected, why the information is being collected, how the information will be stored, what the information will be used/processed for and who will have access to it. The regulation also gives robust rights to the person regarding their data.
Impact
Any College department or office that collects, stores or uses the data of students, faculty, staff or any other person while they are in an EU member state will be impacted by this Policy. These include, but are not limited to:
- Academic Affairs
- Admission
- Alumni
- Business Office
- Campus Ministry
- Institutional Advancement
- Marketing and Communications
- Office of Financial Aid
- Office of Information Technology
- Service Learning
- Study Abroad
Definitions
Key definitions are found in Chapter 1, Article 4 of the GDPR. Those definitions include:
- Personal data
Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified – directly or indirectly – in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing
Any operation or set of operations which is performed on personal data or on sets of personal data – whether or not by automated means – such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
- Data subject
A natural person (not a corporate or other organizational entity).
- European Union (EU)
Those countries that have ratified membership in the Union.
- Supervisory authority
An independent public authority which is established by an EU state pursuant to the GDPR.
- Legal basis
Necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Policy
- Collection of personal data
All College activities that collect personal data from natural persons in the EU related to admission, enrollment or employment shall communicate to the person the reason and purpose for collecting the information by using College-approved forms and directing such persons to this policy. This provision shall apply to any person (student, faculty or staff) who is physically present in the EU and from whom the University is collecting personal data.
All College activities that collect personal data from natural persons in the EU not related to admission, enrollment or employment – or otherwise collected on a lawful basis – shall obtain written consent from the person with regard to the collection of the information using College-approved forms available from the appropriate College department or office.
Any personal data collected from a natural person in the EU shall be stored, secured and accessed consistent with the College’s data security policies.
- Personal data breaches
Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed shall be reported to the Supervisory Authority of the EU member state within 72 hours of notice of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- Data subject rights and retention of academic data
The individual rights of persons in the EU with regard to their personal data include the rights of access, rectification, removal, restriction, portability, to object and to not be subject to automated individual decision making, and those rights shall be respected consistent with the procedures implementing this policy.
With regard to academic data – including course work attempted and/or completed, as well as grades associated with those courses – the College must preserve that data for legal and accrediting requirements. With respect to other data, the individual’s right to erasure and to be forgotten will be respected consistent with the regulation and United States law.
- Implementation
All College departments and offices that collect data should perform an analysis to determine whether and to what extent the office collects personal data that could originate from natural persons in EU member states. Departments and offices that collect such information must document the processing and storage of the data.
All College contracts within those offices should be reviewed for compliance with this policy and, if non-compliant, a strategy to achieve compliance must be implemented.
All personnel who deal with GDPR-covered data must go through appropriate training.
- Communication
All academic and administrative offices will be made aware of this policy through appropriate College mechanisms.
Accountability
Failure to adhere to this policy could result in discipline under the applicable rules, policy or contract, up to and including termination of employment.
Contact Us
For Privacy Requests: Privacy@stvincent.edu