In April 2016, the European Union (EU) adopted new privacy regulations related to the collection of personal information. This regulatory framework – known as the General Data Protection Regulation (GDPR) – went into effect on May 25, 2018. The GDPR applies to any organization or entity that collects personal information from a natural person who is physically present in an EU member state, regardless of the location of the entity collecting the information. The regulation places transparency requirements and use restrictions on entities collecting information and gives individuals robust rights regarding the management of their information. These rights include the right to access, to rectify and to object to information collected, and even the “right to be forgotten” when personal information is no longer needed by the collecting entity. In addition, there are notification requirements in the event of a data breach.
It is important to note that the GDPR is a new compliance regulation issued from a foreign jurisdiction. How the EU member states will enforce this regulation is unknown. Saint Vincent will closely monitor enforcement activities, as well as any additional guidance issued by the EU. The College may then modify its compliance strategy based on this information.
This policy is to ensure compliance with the EU regulations relating to the collection, storage, disclosure and use of personal data, as well as the rights of persons with regard to their data.
Any College department or office that collects, stores or uses the data of students, faculty, staff or any other person while they are in an EU member state will be impacted by this Policy. These include, but are not limited to:
Key definitions are found in Chapter 1 Article 4 of the GDPR Regulation. Those definitions include:
Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified – directly or indirectly – in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Any operation or set of operations which is performed on personal data or on sets of personal data – whether or not by automated means – such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
A natural person (not a corporate or other organizational entity).
Those countries that have ratified membership in the Union.
An independent public authority which is established by an EU state pursuant to the GDPR.
All College activities that collect personal data from natural persons in the EU related to admission, enrollment or employment shall communicate to the person the reason and purpose for collecting the information by using College-approved forms and directing such persons to this policy. This provision shall apply to any person (student, faculty or staff) who is physically present in the EU and from whom the University is collecting personal data.
All College activities that collect personal data from natural persons in the EU not related to admission, enrollment or employment – or otherwise collected on a lawful basis – shall obtain written consent from the person with regard to the collection of the information using College-approved forms available from the appropriate College department or office.
Any personal data collected from a natural person in the EU shall be stored, secured and accessed consistent with the College’s data security policies.
Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed shall be reported to the Supervisory Authority of the EU member state within 72 hours of notice of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The individual rights of persons in the EU with regard to their personal data includes the rights of access, ratification, removal, restriction, portability, to object and to not be subject to automated individual decision making, and those rights shall be respected consistent with the procedures implementing this policy.
With regard to academic data – including course work attempted and/or completed, as well as grades associated with those courses – the College must preserve that data for legal and accrediting requirements. With respect to other data, the individual’s right to erasure and to be forgotten will be respected consistent with the regulation and United States law.
All College departments and offices that collect data should perform an analysis to determine whether and to what extent the office collects personal data that could originate from natural persons in EU member states. Departments and offices that collect such information must document the processing and storage of the data.
All College contracts within those offices should be reviewed for compliance with this policy and, if non-compliant, a strategy to achieve compliance must be implemented.
All personnel who deal with GDPR-covered data must go through appropriate training.
For Privacy Requests: Privacy@stvincent.edu