EU General Data Protection Regulation Compliance Policy
Scope
All financial and administrative policies involving community members across campus, including volunteers, are within the scope of this policy. If there is a variance between departmental expectations and the common approach described in college policy, the college will look to the campus community, including volunteers, to support the spirit and the objectives of college policy. Unless specifically mentioned in a college policy, the college’s Board of Trustees is governed by its Bylaws.
Policy
Colorado College (CC) is an institute of higher education engaged in education, research and community development. In order for CC to educate its foreign and domestic students, engage in research, and provide community services, it is essential and necessary, and CC has a lawful basis, to collect, process, use, and/or maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission, registration, delivery of classroom, field, and study abroad education, grades, communications, employment, research, development, program analysis for improvements, and records retention.
Colorado College takes seriously its duty to protect the personal data it collects or processes. In addition to CC’s overall data protection program, the EU General Data Protection Regulation (EU GDPR) imposes obligations on entities, like Colorado College, that collect or process personal data about people in the European Union (EU). The EU GDPR applies to personal data CC collects or processes about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country. Among other things, the EU GDPR requires Colorado College to:
- be transparent about the personal data it collects or processes and the uses it makes of any personal data
- keep track of all uses and disclosures it makes of personal data
- appropriately secure personal data
This policy describes Colorado College’s data protection strategy to comply with the EU GDPR.
Lawful Basis for Collecting or Processing Personal Data
Colorado College (CC) has a lawful basis to collect and process personal data. Most of CC’s collection and processing of personal data will fall under the following categories:
- Processing is necessary for the purposes of the legitimate interests pursued by Colorado College or by a third party.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which Colorado College is subject.
- The data subject has given consent to the processing of their personal data for one or more specific purposes.
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.
Data Protection & Governance
Colorado College (CC) will protect all personal data and sensitive personal data that it collects or processes on a lawful basis. Any personal data and sensitive personal data collected or processed by CC shall be:
- Processed lawfully, fairly, and in a transparent manner
- Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes
- Limited to what is necessary in relation to the purposes for which they are collected and processed
- Accurate and kept up to date
- Retained only as long as necessary
- Secure
Sensitive Personal Data & Consent
Processing of personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited by Colorado College, unless one of the following applies:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that this prohibition may not be lifted by the data subject;
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Individual Rights
Individual data subjects covered by this policy will be provided with the following information, and afforded the rights it describes:
- information about the controller collecting the data
- the data protection officer contact information (if assigned)
- the purposes and lawful basis of the data collection/processing
- recipients of the personal data
- whether Colorado College intends to transfer personal data to another country or international organization
- the period the personal data will be stored
- the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability
- the existence of the right to withdraw consent at any time
- the right to lodge a complaint with a supervisory authority (established in the EU)
- why the personal data are required, and possible consequences of the failure to provide the data
- the existence of automated decision-making, including profiling
- whether the collected data are going to be further processed for a purpose other than that for which they were collected
Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.
Scope:
This policy applies to the personal data and sensitive personal data protected by the EU GDPR and to all Colorado College Units that collect or process personal data and sensitive personal data protected by the EU GDPR.
Procedures
5.1 Data Governance
Document Lawful Basis for Collection or Processing
All Colorado College Units that collect or process personal data protected by the EU GDPR must document the lawful basis for the collection or processing of the personal data and sensitive personal data they collect or process, why they collect it, and how long they keep it. All data at Colorado College shall be kept in compliance with the college’s Records Retention Schedule.
5.2 Privacy Notice
Colorado College’s Privacy Notice
Colorado College’s Privacy Notice to data subjects must specify the lawful basis for Colorado College to collect or process personal data and include:
5.4 Individual Rights
Exercise of Rights
Any individual wishing to exercise their rights under this policy should contact privacy@coloradocollege.edu
5.5 Data Protection
Security of Personal Data
All personal data and sensitive personal data collected or processed by any Colorado College Unit under the scope of this policy must comply with the security controls and the systems and process requirements and standards of the college’s Information Security Policy: /basics/welcome/leadership/policies/information-security-policy
Breach Notification
Any Colorado College Unit that suspects that a breach or unauthorized disclosure of personal data has occurred must immediately notify Colorado College’s Cyber Security at privacy@coloradocollege.edu
Responsible Party and Responsibilities:
Colorado College Units
To document the lawful basis for personal data or sensitive personal data collected or processed pursuant to this policy.
To cooperate with privacy@coloradocollege.edu when individuals inquire about their personal data or sensitive personal data collected or processed pursuant to this policy.
To immediately notify (24/7) and cooperate with Colorado College Cyber Security regarding any data breach: privacy@coloradocollege.edu
privacy@coloradocollege.edu
To field inquiries about personal data or sensitive personal data collected from individuals while in the EU (see Section 2.4).
To coordinate with the Colorado College Unit responding to inquiries about personal data or sensitive personal data collected from individuals while in the EU.
Cyber Security
To answer questions about and review data security measures.
To handle data breach notification for the college.
Enforcement:
Violations of this policy may result in loss of system, network, and data access privileges and in administrative sanctions (up to and including termination or expulsion), as outlined in the college’s Information Security Policy: /basics/welcome/leadership/policies/information-security-policy
To report suspected instances of noncompliance with this policy, please contact privacy@coloradocollege.edu
Definitions
Collect or Process Data
Collection, storage, recording, organizing, structuring, adaptation or alteration, consultation, use, retrieval, disclosure by transmission/dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction of personal data, whether or not by automated means.
Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them. Under the EU GDPR:
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Colorado College Unit
A Colorado College office, program or department.
Identified or Identifiable Person
An identified or identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Examples of identifiers include but are not limited to: name, photo, email address, identification number such as CC ID#, CC Account (User ID), physical address or other location data, IP address or other online identifier.
Lawful Basis
Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
Legitimate Interest
Processing of personal data is lawful if such processing is necessary for the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Personal Data
Any information relating to an identified or identifiable person (the data subject).
Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Sensitive Personal Data
Special categories of personal data that require the data subject’s explicit consent, or another of the exceptions listed under Sensitive Personal Data & Consent above, before collection or processing. They are: