Roberts Wesleyan College GDPR Privacy Policy

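The College acknowledges the General Data Protection Regulation (GDPR) and the rights of EU citizens whose information may reside in its data processing systems, and is actively working to demonstrate compliance in its processing of these EU citizens' personal data. The information contained in this document shows the College's preparation and efforts in processing personal data for EU citizens.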

Data Subject(s)

The college identifies “Data Subjects” as any natural person to whom personal data relates. Within the context of the college the data subjects fall into the following categories:

  • Students (prospective, current, alumni).
  • Employees (applicants, current, past)
  • Other contacts (agents, partners, vendors etc.)

Personal Data

As defined by GDPR, any data that relates directly or indirectly to a natural person (data subject). Personal data includes any identifiable personal data that can connect personal data to a data subject e.g. name, citizen ID, phone number, email address, gender, nationality, address, interests, career details etc.

Sensitive Personal Data

The College may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.

Processing Personal Data

The College shall so far as is reasonably practicable make all efforts to ensure all personal data is:

  • Fairly and lawfully processed
  • Processed for a lawful purpose
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Processed in accordance with the data subject's rights
  • Secure
  • Currently no data is transferred to other countries; however, if the need arises in the future, the college will take adequate precautions so that data is not transferred to other countries without adequate protection

Lawful bases for processing data

GDPR requires a lawful basis for processing personal data. The college houses personal data to recognize, process and communicate with its data subjects of prospective students, current students, prospective employees, current employees and alumni. The processing of this data is lawful and necessary and falls into one or more of the following categories:

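(a) Consent: We use personal information when processing data to communicate with prospective students and prospective employees. While we do not have an implied contract with these data subjects at this point, by filling out an application form the data subject indicates an intent to study at the College and thereby implies consent for us to communicate with them (students, employees).

(b) Contract: We use personal information when processing data necessary for the implied contract between the College and the individual, e.g.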

  • Academic Processing for students,
  • Payroll and financial and tax processing for employees.

(c) Legal obligation: We will share personal information with companies, organizations or individuals outside of the College if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

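  • meet any applicable law, regulation, legal process or enforceable governmental request, e.g. where this is necessary for the College to comply with United States federal law and with New York State and federal reporting requirements.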
  • enforce applicable Terms of Service, including investigation of potential violations;
  • detect, prevent, or otherwise address fraud, security or technical issues;
  • protect against harm to the rights, property or safety of the college, our users or the public as required or permitted by law.

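(d) Public task: Processing is necessary for the College to perform a task in the public interest or for its official functions as a private college in New York State and the United States, and the task or function has a clear basis in law. Examples of these are: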

  • Providing student statistical information to the National Student Clearinghouse.
  • IPEDS reporting.

Confidential data

Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent.

US laws of FERPA, GLBA and HIPAA

The College must also protect personal data under United States law and provide information to state and federal authorities in accordance with those laws. The college complies with data requirements under the United States FERPA (The Family Educational Rights and Privacy Act), GLBA (The Gramm-Leach-Bliley Act) and HIPAA (Health Insurance Portability and Accountability Act of 1996). Our compliance with these US laws and regulations takes precedence over GDPR.

Data Controller, Data Processors and External Data Processors

The College acts as a Data Controller for all the personal data of its data subjects. The Data is processed by two parties.

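  1. The College acts as its own data processor, using internal College-owned systems to process the College's data.
  2. In certain cases, data is transferred to external vendors who process the data on the College’s behalf. The College's designated GDPR team holds a list of the current external data processor organizations to which the College currently passes personal data, who process personal data on the college’s behalf. The college will make every reasonable effort to get its external data processors to comply with this policy.
  3. The College will make every reasonable effort to process all approved personal data change requests across its internal and external processors.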

Rights of Access to Information

Data subjects have the right of access to information held by the College. Any data subject wishing to access their personal data should put their request in writing to the RCM identified below.

  • The College will endeavour to respond to any such written requests within 30 days.
  • The college will need to verify the identity of the data subject making the request.
  • Once the identity of the data subject has been verified, the College will determine, based on current regulations or contractual obligations between the data subject and the College, whether the request can be carried out or whether the College must refuse the request.
  • If the request is approved, the request will be processed within the college’s internal and external data processing areas.
  • In case the request is refused, the data subject will be notified as to why the request was denied.

Exemptions

Certain data is exempted from the provisions of the Rights of Access to Information under GDPR. Below are examples of some of the exceptions:

  • National security and the prevention or detection of crime
  • The assessment of any tax or duty
  • Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the College
  • Data that may violate another person’s privacy
  • For more information on exemptions please contact the RCM.

Accuracy

The College will make every reasonable effort to ensure that the personal data it holds about all data subjects is accurate. Data subjects must notify the relevant college department of any changes to information held about them.

Data from Minors

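The College is committed to protecting the privacy of children, and therefore the College does not knowingly collect or process data from children under the age of 16 except in compliance with children's online privacy protection law. Accordingly, children under the age of 16 may use the services and programs offered by the College only with the permission and supervision of their parents. Additionally, when offering courses and services in the classroom to children under the age of 16, College faculty and departments must obtain the express consent of these children's parents in accordance with applicable law, prior to permitting such children to access or use the services or programs.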

Compliance and cooperation with regulatory authorities

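If an individual believes that the College has not complied with this policy or has acted in a manner inconsistent with GDPR, that person should contact the RCM and file a complaint in writing, and make use of the College's grievance process.

The college regularly reviews our compliance with this Policy. We value your feedback so we may contact you to ask for more information or to follow up. We will work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding individual rights or the transfer of personal data that we cannot resolve directly with the data subject.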

Data Security

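The College takes data security very seriously and has taken multiple layers of industry-appropriate steps to ensure the protection and security of the personal data entrusted to the College. The college uses multiple industry standard solutions and processes to detect, report and investigate a personal data breach.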

We work hard to protect the College and our data subjects from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular:

  • We encrypt our services where possible using SSL, in transit and at rest.
  • We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.
  • We restrict access to personal information to the College's authorized staff and third parties who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

The college has a Security Incident Response Team (SIRT) that is part of the college’s Emergency Response Team. This team utilizes a Security Incident Response Plan (SIRP). The plan is designed to be enforced in case a data security breach is detected or reported to the college.

GDPR places a duty on all organizations to report certain types of data breach to the ICO and, in some cases, to the affected individuals. If the data breach falls into these categories, the college with help from the SIRT will make the appropriate reports.

Employee Training on GDPR

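The college provides several layers of data security training to its employees on a regular basis. From May 25, 2018 onwards, training for employees and offices that interact with EU citizens will also cover personal data as defined by GDPR and how to ensure that this data is effectively protected.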

Secure Destruction

When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.

Retention of Data

The College may retain data for differing periods of time for different purposes as required by statute or best practice; individual departments incorporate these retention times into the processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. The College may store some data such as registers, photographs, exam results, achievements, books and works etc. indefinitely in its archive.

Data Subject Point of Contact

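The College's Risk and Compliance Manager (RCM) will serve as the central person to receive personal data rights requests from data subjects.

  • If an individual believes that the College has not complied with this policy or has acted in a manner inconsistent with GDPR, the person should contact the RCM and file their complaint in writing.
  • The College has appointed a cross-functional GDPR Team that manages all documentation related to GDPR compliance and oversees the handling of all requests the RCM receives from data subjects.
  • The GDPR Team and the RCM ensure that all requests from data subjects are resolved within the prescribed 30-day period for these requests.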
  • The GDPR Team is assisted in these responsibilities by the Department of Registration, the Department of Information Technology, the Department of Enrollment Management and the Department of Human Resources.

Location of the College

The College is located at 2301 Westside Drive, Rochester NY, USA and all its lead data protection supervisory authority operates from this location.