
Roberts Wesleyan College GDPR Privacy Policy

The College recognizes the General Data Protection Regulation (GDPR) and the rights of European Union citizens whose information may reside in its data processing systems, and is actively working to demonstrate compliance in its processing of personal information for these EU citizens. This document describes the College's preparedness and efforts towards compliance where personal data is processed for EU citizens.

Data Subject(s)

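The College defines a "data subject" as any natural person to whom personal data relates. In the context of the College, data subjects fall into the following categories: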

  • Students (prospective, current, alumni).
  • Employees (applicants, current, past)
  • Other contacts (agents, partners, vendors etc.)

Personal Data

Personal data, as defined within the context of GDPR, is any data that can be directly or indirectly related to a natural person (data subject). Personal data includes any identifiable data that can link the personal data to the data subject, e.g. name, citizen ID, phone number, email address, gender, nationality, address, interests, career details etc.

Sensitive Personal Data

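The College may from time to time be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.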

Processing Personal Data

The College shall, as far as is reasonably practicable, make every effort to ensure that all personal data is:

  • Fairly and lawfully processed
  • Processed for a lawful purpose
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Processed in accordance with the data subject's rights
  • Secure
  • Currently no data is transferred to other countries; however, if the need arises in the future, the College will take adequate precautions to prevent data from being transferred to other countries without adequate protection.

Lawful bases for processing data

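GDPR requires a lawful basis for processing personal data. The College houses personal data to recognize, process and communicate with data subjects who are prospective students, current students, prospective employees, current employees and alumni. The processing of this data is lawful and necessary, and falls under one or more of the following categories: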

(a) Consent: We use personal information while processing data for communicating with prospective students and prospective employees. Although we do not yet have an implied contract with these data subjects, the data subjects give us their implied consent to communicate with them by completing an application, which is an intent to come to the College (students, employees).

(b) Contract: We use personal information while processing data that is necessary for the implied contract the college has with the individual e.g.

  • Academic Processing for students,
  • Payroll and financial and tax processing for employees.

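(c) Legal obligation: We will share personal information with companies, organizations or individuals outside of the College if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to: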

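  • meet any applicable law, regulation, legal process or enforceable governmental request, e.g. the processing is necessary for the College to comply with US Federal laws as well as NY State and Federal reporting requirements;
  • enforce applicable terms of service, including investigation of potential violations;
  • detect, prevent or otherwise address fraud, security or technical issues;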
  • protect against harm to the rights, property or safety of the college, our users or the public as required or permitted by law.

 (d) Public task: the processing is necessary for the college to perform a task in the public interest or for our official functions as a private college within the State of NY and the USA, and the task or function has a clear basis in law. Examples of these are:

  • Providing student statistical information to the National Student Clearinghouse.
  • IPEDS reporting.

Confidential data

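Any data that falls within the definition of personal data, and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent.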

US laws of FERPA, GLBA and HIPAA

The College is also required to protect personal data under the laws of the United States, as well as provide information to State and Federal authorities with respect to these laws. The College complies with the US laws FERPA (The Family Educational Rights and Privacy Act), GLBA and HIPAA. Our compliance with these US laws and regulations takes precedence over GDPR.

Data Controller, Data Processors and External Data Processors

The College acts as the Data Controller for all personal data of its data subjects. The data is processed by two parties.

  1. The College acts as its own Data Processor where on-premises, college-owned systems are used to process the college's data.
  2. In certain cases, data is transferred to external vendors who process the data on behalf of the College. The College-appointed GDPR Team has a list of current external Data Processor organizations that the college currently passes personal data to, who process personal data on the college's behalf. The College will make every reasonable effort to have its external Data Processors comply with this policy.
  3. The college will make every reasonable effort to address all approved changes to Personal Data requests with its internal and external processors.

Rights of Access to Information

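Data subjects have the right to access the data that the College holds about them. Any data subject wishing to access their personal data should make a request in writing to the Data Subject Point of Contact named below.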

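  • The College will endeavor to respond to any such written request within 30 days.
  • The College will need to verify the identity of the data subject making the request.
  • Once the identity of the data subject has been verified, the college will determine if the request can be carried out or if the college has to refuse the request based on current regulations or contract obligations between the data subject and the College.
  • If the request is approved, the request will be processed across the College's internal and external data processing areas.
  • If the request is refused, the data subject will be informed of the reason for the refusal.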

Exemptions

Certain data is exempt from the provisions on the right of access to information under GDPR. Below are examples of some of the exceptions:

  • National security and the prevention or detection of crime
  • The assessment of any tax or duty
  • Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the College
  • Data that may violate another person’s privacy
  • For more information on exemptions please contact the RCM.

Accuracy

The College will make every reasonable effort to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the relevant College department of any changes to their data.

Data from Minors

The college is committed to protecting the privacy of children; therefore the college does not knowingly collect or process data from children under 16 years of age except in compliance with children's online privacy protection law. Accordingly, children under the age of 16 may only use services and programs offered by the college with the permission and supervision of their parents. Additionally, teachers and departments of the college that provide programs and services in the classroom with children under 16 years of age are required to obtain express consent of such children's parents in compliance with the applicable law, before allowing such children to access or use the services or programs.

Compliance and cooperation with regulatory authorities

If an individual believes that the College has not complied with this Policy or acted otherwise than in accordance with the GDPR, the individual should contact the complaints officer and submit the complaint in writing, as well as utilize the College's grievance procedures.

The college regularly reviews our compliance with this Policy. We take your feedback very seriously, so we may contact you to request further information or to follow up. We will work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the individual rights or transfer of personal data that we cannot resolve with our data subjects directly.

Data Security

The college takes data security very seriously and takes multiple layers of industry-appropriate steps to ensure protection and security of personal data entrusted to the college. The College employs multiple industry-standard solutions and processes to detect, report and investigate a personal data breach.

We work hard to protect the College and our data subjects from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular:

  • We encrypt our services using SSL where possible, both in transit and at rest.
  • We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.
  • We restrict access to personal information to College-authorized staff and third parties who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

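The College has a Security Incident Response Team (SIRT), which is part of the College's Emergency Response Team. This team utilizes a Security Incident Response Plan (SIRP). The plan is designed to be executed when a data security breach is discovered or reported to the College.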

The GDPR introduces a duty on all organizations to report certain types of data breaches to the ICO and in some cases to the individuals affected. If the data breach falls into these categories, the college with help from the SIRT will make the appropriate reports.

Employee Training on GDPR

The College regularly provides its employees with multiple layers of data security training. From May 25, 2018 onwards, employees and offices who interact with EU citizens will also include training on personal data as defined by GDPR and how to ensure effective protection of this data.

Secure Destruction

When data held in accordance with this policy is destroyed, it must be destroyed securely, in accordance with best practice at the time of destruction.

Retention of Data

The College may retain data for differing periods of time for different purposes as required by statute or best practices; individual departments incorporate these retention times into their processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. The College may store some data such as registers, photographs, exam results, achievements, books and works etc. indefinitely in its archive.

Data Subject Point of Contact

The College Risk And Compliance Manager (RCM) will act as the point person to accept requests from Data Subjects for Personal Data Rights Requests.   

  • If an individual believes that the College has not complied with this Policy or acted otherwise than in accordance with the GDPR, the individual should contact the complaints officer and submit the complaint in writing.
  • The College has appointed a cross functional GDPR Team that manages all documents related to GDPR compliance and oversees the processing of all requests received by the RCM from data subjects.
  • The GDPR Team and the RCM ensure that all requests from a data subject are addressed within the 30 day mandated period of these requests.
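  • The GDPR Team is assisted in these duties by the Registrar's Office, the Department of Information Technology, the Office of Enrollment Management and the Department of Human Resources.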

Location of the College

The College is located at 2301 Westside Drive, Rochester NY, USA, and all of its primary data protection supervisory authorities operate from here.