General Data Protection Regulation (GDPR)
For Individuals Affected by the European Union’s General Data Protection Regulation (GDPR)
What is GDPR?
GDPR replaced the Data Protection Directive 95/46/EC in May 2018 in order to harmonize data privacy laws across Europe, protect and empower all EU citizens data privacy, and reshape how organizations approach data privacy.
Who is Affected?
Organizations located within the EU and those located outside that offer goods or services to or monitor the behavior of EU data subjects are affected. GDPR applies to all organizations processing and holding the personal data of individuals residing in the EU, regardless of the company’s location. If you are physically located inside of the EU, regardless of nationality or permanent place of residence, your personal data is protected by GDPR.
How will GDPR Impact Rollins College?
Rollins College prides itself on being a diverse community that seeks to advance global citizenship. As such, there are members of the Rollins College community who may be residing (permanently or temporarily) in the EU and who are EU residents attending or working for the College. As a result, Rollins College will need to comply with GDPR which will affect the College’s methods of collecting, storing, and processing personal data.
There are two basic categories that comprise a legal basis for collecting and processing EU data subjects’ personal data : (1) consent from the data subject and (2) one of the specified business reasons outlined in the GDPR.. GDPR consent requirements are very specific and limit the use of personal data for uses other than those specifically stated.
What is Considered Personal Data?
GDPR defines personal data to mean any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. As such, the following personal identifies are name, identification number, location data, and online identifier. The scope of information that can be considered personal data is subject to change as technology and the way that organizations collect information about people change.
Legal Bases for Using Personal Data
Rollins College processes your personal data only if we have a legal basis to do so, including:
- to comply with our legal and regulatory obligations;
- for the performance of our contract with you or to take steps at your request before entering into a contract;
- for our legitimate interests or those of a third party;
- where you have given consent to our specific use.
Purposes for which we will process the information | |
|---|---|
To deliver services to users and process transactions. | It is necessary for us to process your personal data in order to deliver the services and process transactions according to the applicable contract between us. |
To send communications to you about our products, services, promotions, offers, news, and events. | We will send electronic communications (such as emails and SMS messages) to you if you have consented to these communications. With respect to other communications, it is in our legitimate interest to communicate to you about our products, services, promotions, offers, news, and events. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
To determine how you found out about us. | It is in our legitimate interest to understand how our customers find our Website and/or our services. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
To serve advertising, content, and offers to you based on your interests and online activities, from us or third parties. | We will serve you advertising, content, and offers to you based on your interests and online activities if you have consented to this processing. |
To enable our service providers to perform certain activities on our behalf. | It is necessary for us to process your personal data in this manner in order to deliver the services and process transactions according to the applicable contract between us. It is also in our legitimate interest to enable our service providers to perform certain activities on our behalf. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
To notify you of any changes to the Website that may affect you. | It is necessary for us to process your personal data in order to deliver the services and process transactions according to the applicable contract between us. |
To contact you or to respond to your communications, including to provide you with products and information you request. | It is necessary for us to process your personal data in order to communicate with you. |
To improve our Website, shopping experience, and quality of service. | It is in our legitimate interest to improve our Website, shopping experience, and quality of service. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
To administer our Website including troubleshooting, data analysis, testing, research, statistical, and survey purposes; and to improve our Website to ensure that consent is presented in the most effective manner for you and your computer, device, or other item of hardware through which you access the Website. | For all these categories, it is in our legitimate interest to continually monitor and improve our services and your experience of the Website and to ensure network security. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
To keep our Website safe and secure and to prevent and detect fraud and abuse; and to comply with our legal obligations, policies, and procedures. | We conduct this processing to comply with our legal obligations and to protect the public interest. |
To process otherwise for internal administrative and analytics purposes. | It is in our legitimate interest to process your personal data for internal administrative or analytics purposes. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
International Transfers
Some of our processing of your data will involve transferring your data outside the European Economic Area ("EEA"). Some of our external third party service providers are also based outside of the EEA, and their processing of your personal data will involve a transfer of data outside the EEA. This includes the United States. Where personal data is transferred to and stored in a country not determined by the European Commission as providing adequate levels of protection for personal data, we take steps to provide appropriate safeguards to protect your personal data, including entering into standard contractual clauses approved by the European Commission, obliging recipients to protect your personal data.
Personal Data Retention
Rollins College will retain your personal data for as long as necessary for the purposes it was attained, such as to enable you to use the Website and products or to provide services to you. In some instances, we may retain data for longer periods in order to comply with applicable laws (including those regarding document retention), resolve disputes with any parties, and otherwise as necessary to allow us to conduct our business. All personal data we retain will be subject to this Privacy Policy and our internal retention guidelines.
Your Rights Under GDPR
GDPR gives EU data subjects new rights over how their personal data is collected, processed, and transferred by data controllers and processors. If you fall under GDPR protection (see Who is affected?) then, upon request and in certain cases, you may have the right to, among other things:
- obtain confirmation from the data controller as to whether or not your personal data is being processed, where it is being processed, and for what purpose it is being processed;
- access to your personal data and related information that an organization has collected about you;
- correct any of your personal information that is inaccurate;
- know the reason for your data being collected and the categories of personal data that an organization processes;
- know the retention period an organization will store your personal data;
- restrict or limit how we use your personal information;
- request the limiting of the organization’s processing;
- object to the processing of your personal information: you have the right to lodge a complaint with a supervisory authority in the member state of your habitual residence;
- request your personal information to be deleted;
- obtain a copy of your personal information in an easily accessible format;
- transmit your personal information to another controller, including to have it transmitted directly, where technically feasible;
- withdraw your consent to the processing of your personal information, if processing is solely based on your consent;
- be notified by a breach notification within 72 hours of first having become aware of a breach.
If you withdraw your consent to the use or sharing of your personal information for the purposes set out in this Privacy Statement, you may not have access to all (or any) of the services and we might not be able to provide you all (or any) of the services. Please note that, in certain cases, we may continue to process your personal information after you have withdrawn consent and requested that we delete your personal information, if we have a legal basis to do so. For example, we may retain certain information if we need to do so to comply with an independent legal obligation or if it is necessary to do so to pursue our legitimate interest in keeping the services safe and secure or if deleting the information would undermine the integrity of a research study in which you are enrolled.