
Roberts Wesleyan College GDPR Privacy Policy

The College recognizes the General Data Protection Regulation (GDPR) and the rights of European Union citizens whose information may reside in its data processing systems, and is actively working to demonstrate compliance in its processing of personal information for these EU citizens. This document describes the College's preparedness and efforts toward compliance where personal data is processed for EU citizens.

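Data Subject(s)

The College defines a "data subject" as any natural person to whom personal data relates. In the context of the College, data subjects fall into the following categories:

  • Students (prospective, current, alumni).
  • Employees (applicants, current, past).
  • Other contacts (agents, partners, vendors, etc.).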

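Personal Data

Personal data, as defined within the context of GDPR, is any data that can be directly or indirectly related to a natural person (data subject). Personal data includes any identifiable personal data that can link the data to the data subject, e.g. name, citizen ID, telephone number, email address, gender, nationality, address, interests, occupational details, etc.

Sensitive Personal Data

The College may from time to time be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership, and criminal records and proceedings.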

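Processing of Personal Data

The College shall, so far as is reasonably practicable, make every effort to ensure that all personal data is:

  • Processed fairly and lawfully
  • Processed for a lawful purpose
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Processed in accordance with the rights of the data subject
  • Secure
  • However, no data is currently transferred to other countries. If this becomes necessary in the future, the College will take adequate precautions to prevent data from being transferred to other countries without adequate protection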

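Lawful Basis for Processing Data

GDPR requires a lawful basis for processing personal data. The College holds personal data in order to identify, process and communicate with data subjects who are prospective students, current students, prospective employees, current employees and alumni. The processing of this data is lawful and necessary and falls into one or more of the following categories:

(a) Consent: We use personal information while processing data for communicating with prospective students and prospective employees. Although we do not currently have an implied contract with these data subjects, the data subjects give us their implied consent to communicate with them by completing an application, which is an intent to come to the College. (Students, 空单继刚).

(b) Contract: We use personal information while processing data that is necessary for the implied contract the College has with the individual, e.g.

  • Academic processing of students;
  • Processing of employee payroll, finance and taxes.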

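(c) Legal obligation: We will share personal information with companies, organizations or individuals outside the College if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • Comply with any applicable law, regulation, legal process or enforceable governmental request, e.g. the processing is necessary for the College to comply with US Federal laws as well as NY State and Federal reporting requirements.
  • Enforce applicable terms of service, including investigation of potential violations;
  • Detect, prevent or otherwise address fraud, security or technical issues;
  • Protect against harm to the rights, property or safety of the College, our users or the public as required or permitted by law.

(d) Public task: The processing is necessary for the College to perform a task in the public interest or for our official functions as a private college within the State of NY and the USA, and that task or function has a clear basis in law. Examples of these are:

  • Providing student statistical information to the National Student Clearinghouse.
  • IPEDS reporting.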

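Confidential Data

Any data that falls within the definition of personal data and is not otherwise exempt will remain confidential and will only be disclosed to third parties with the appropriate consent.

US FERPA, GLBA and HIPAA Laws

The College is also required to protect personal data in accordance with the laws of the United States, as well as to provide information to State and Federal authorities with respect to these laws. The College complies with the US FERPA, GLBA and HIPAA laws. Our compliance with these US laws and regulations takes precedence over GDPR.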

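Data Controller, Data Processor and External Data Processors

The College acts as the Data Controller for all personal data of its data subjects. Data is processed by two parties.

  1. The College acts as its own Data Processor where on-premise, College-owned systems are used to process the College's data.
  2. In some cases, data is transferred to external vendors who process the data on behalf of the College. The College-appointed GDPR Team has a list of the current external Data Processor organizations that the College passes personal data to and that process personal data on behalf of the College. The College will make every reasonable effort to have its external Data Processors comply with this policy.
  3. The College will make every reasonable effort to address all approved changes to personal data requests with its internal and external processors.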

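Right of Access to Information

Data subjects have the right to access the data held by the College. Any data subject wishing to access their personal data should submit a request in writing to the personal data point of contact described below.

  • The College will endeavor to respond to any such written request within 30 days.
  • The College will need to verify the identity of the data subject making the request.
  • Once the identity of the data subject has been verified, the College will determine whether the request can be carried out or whether the College has to refuse the request based on current regulations or contract obligations between the data subject and the College.
  • If the request is approved, the request will be processed across the College's internal and external data processing areas.
  • If the request is refused, the data subject will be notified of the reason for the refusal.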

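Exemptions

Certain data is exempt from the provisions of the right of access under GDPR. The following are some examples of exemptions:

  • National security and the prevention or detection of crime
  • The assessment of any tax or duty
  • Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the College
  • Data that may infringe the privacy of others
  • For more information on exemptions, please contact the RCM.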

Accuracy

The College will make every reasonable effort to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the relevant College department of any changes to their data.

Data of Minors

The College is committed to protecting the privacy of children. Therefore, the College does not knowingly collect or process data from children under 16 years of age except in compliance with the Children's Online Privacy Protection Act. Accordingly, children under the age of 16 may only use services and programs offered by the College with the permission and supervision of their parents. Additionally, teachers and departments of the College that provide programs and services in the classroom with children under 16 years of age are required to obtain the express consent of such children's parents, in compliance with the applicable law, before allowing these children to access or use the services or programs.

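Compliance and Cooperation with Regulatory Authorities

If an individual believes that the College has not complied with this Policy or has acted otherwise than in accordance with the GDPR, the individual should contact the complaints officer and submit the complaint in writing, as well as utilize the College's grievance procedures.

The College regularly reviews our compliance with this Policy. We value your feedback, so we may contact you for additional information or to follow up. We will work with the relevant regulatory authorities, including local data protection authorities, to resolve any complaints regarding individual rights or the transfer of personal data that we cannot resolve with our data subjects directly.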

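Data Security

The College takes data security very seriously and takes multiple layers of industry-appropriate steps to ensure the protection and security of personal data entrusted to the College. The College employs multiple industry-standard solutions and processes to detect, report and investigate personal data breaches.

We work to protect the College and our data subjects from unauthorized access to or unauthorized alteration, disclosure or destruction of the information we hold. In particular:

  • We encrypt our services using SSL where possible, both in transit and at rest.
  • We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.
  • We restrict access to personal information to College-authorized staff and third parties who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

The College has a Security Incident Response Team (SIRT), which is part of the College's Emergency Response Team. The team uses a Security Incident Response Plan (SIRP). The plan is designed to be executed when a data security breach is discovered or reported to the College.

The GDPR introduces a duty on all organizations to report certain types of data breaches to the ICO and, in some cases, to the individuals affected. If a data breach falls into these categories, the College will report accordingly with the help of the SIRT.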

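GDPR Employee Training

The College regularly provides employees with multiple layers of data security training. Effective May 25, 2018, training for employees and offices who interact with EU citizens will also cover personal data as defined by GDPR and how to ensure effective protection of this data.

Secure Destruction

When data held under this policy is destroyed, it must be destroyed securely in accordance with best practices at the time of destruction.

Retention of Data

The College may retain data for differing periods of time for different purposes as required by statute or best practices, and individual departments incorporate these retention times into their processes and manuals. Other statutory obligations, legal processes and inquiries may also necessitate the retention of certain data. The College may store some data, such as registers, photographs, exam results, achievements, books and works, etc., indefinitely in its archive.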

Data Subject Point of Contact

The College Risk and Compliance Manager (RCM) will act as the point person to accept Personal Data Rights Requests from data subjects.

  • If an individual believes that the College has not complied with this Policy or has acted otherwise than in accordance with the GDPR, the individual should contact the complaints officer and submit the complaint in writing.
  • The College has appointed a cross-functional GDPR Team that manages all documents related to GDPR compliance and oversees the processing of all requests received by the RCM from data subjects.
  • The GDPR Team and the RCM ensure that all requests from a data subject are addressed within the mandated 30-day period for these requests.
  • The GDPR Team is assisted in these duties by the Registrar's Office, Information Technology, Enrollment Management and Human Resources.

College Location

The College is located at 2301 Westside Drive, Rochester, New York, USA, and conducts its business with all principal data protection supervisory authorities from this location.