GDPR Policy

GENERAL DATA PROTECTION REGULATION POLICY

For students, employees and alumni conducting transactions with Felician University while in the European Union:

The following information should be considered together with the Felician University Privacy Statement because both discuss use of student information, and students’ rights regarding that use.

The General Data Protection Regulation (GDPR) is a set of rules for organizations that process personal information for individuals while those individuals are located in the European Union.

GDPR took effect on May 25, 2018, and it affects organizations worldwide, including higher education institutions. The goal of GDPR is to give these individuals more control over their personal data. The GDPR regulations apply to Felician University and other higher education institutions because they will potentially process the personal information of students, employees, and alumni while these individuals are in the European Union.

GDPR applies exclusively to the processing of personal information (see definition below) that is obtained from you while you are physically located in an EU member state.

If you have conducted a transaction with Felician University while in the European Union, or anticipate doing so, you should read the following, to best understand your rights, the nature of consent, and the reasons why data is collected.


What are examples of interactions that are subject to GDPR?

  • An international student on an F-1 visa who transacts with Felician University while in an EU country.
  • A student who completes an Felician University online course from the EU.
  • An Felician student who pursues education in an E.U. country.
  • Faculty and staff who visit E.U. countries and communicate with the University while there.
  • Students who apply to Felician University from the E.U.
  • Felician alumni who are in the E.U.

What are my rights under GDPR?

  • You have the right to clear and transparent explanations of how your data is being used.
  • You have the right to request access to your data.
  • You have the right to request copies of your data.
  • You have the right to request that your data be rectified.
  • You have the right to restrict use of your data.
  • You have the right to request erasure of your data (personal data, not academic data), subject to the retention periods specified by federal and state laws (see “Rectification and Erasure” and “right to be forgotten” below).
  • Information created in the European Union will be transferred out of the European Union to Felician. If you believe the University has not complied with applicable foreign laws regulating such information, you have the right to file a complaint with the appropriate supervisory authority in the European Union.

Rectification and Erasure
Felician will provide the data subject the right to obtain, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Felician will provide the data subject the right of erasure of personal data where the following conditions apply:

  • The personal data are no longer necessary for the purposes for which it was collected.
  • The individual withdraws his/her consent.
  • There are no legitimate grounds for processing according to the GDPR.

This service will be made available without undue delay. The exact time will depend on the complexity of the request. The request can be made to Nicollette Matesic at  MatesicN@felician.edu

The GDPR distinguishes between Personal Information and Sensitive Personal Information. Following are the definitions:

  • Personal Information
    Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
  • Sensitive Personal Information
    Sensitive Personal Information is defined as race, ethnic origin, religious or philosophical beliefs, health data, sexual orientation, and criminal convictions.

These definitions are analogous to the definitions of “Directory Information” and “Non-Directory Information” contained in Family Felician’s Education Rights and Privacy Act (FERPA) statement but are broader in reference.

What is the significance of these definitions of data?
These data definitions reflect the conditions in response to which GDPR was formed. The evolution of technology and globalization has caused the cross-border flow of personal data to grow exponentially. This evolution has made more urgent the need for regulations to guard against its misuse. Defining different types of personal data, and the different ramifications of misusing each, was an important part of assembling the GDPR regulations.

Which countries are included in the European Union?
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.

How does GDPR differ from FERPA?
FERPA contains requirements regarding the privacy of student records, and GDPR contains requirements for the protection of personal data.

In what ways do GDPR regulations differ from the university’s Privacy Policy?
The Privacy Policy defines “personally identifiable information” (similar in scope to the GDPR’s definition of “Personal Information”); explains how and why it is collected; explains the terms in which third-party companies and individuals are employed; and what the student or employee agrees to when he/she consents to the Privacy Policy. GDPR regulations include terms for the retention and destruction of information, and more detailed explanations for third-party use of information, and for student rights.

Third-Party Use of Sensitive Information
Felician University may disclose a student’s sensitive information and other information as follows:

  • Consent:   The University may disclose Sensitive Information and other Information if it has a student’s consent to do so.
  • Emergency Circumstances: Felician may share a student’s Information and sensitive information when necessary to protect the student’s interests when the student is physically or legally incapable of providing consent.
  • Employment Necessity:  Felician University may share a student’s sensitive information when necessary for administering employment benefits, subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
  • Public Information:  Felician University may share a student’s information and sensitive information if the student has manifestly made it public.
  • Archiving: Felician may share a student’s Information and Sensitive Information for archiving purposes in the public interest, for historical research, and for statistical purposes.
    Performance of a Contract:  Felician may share a student’s Information when necessary to administer a contract the student has with the University.
  • Legal Obligation:  Felician may share a student’s Information when the disclosure is required or permitted by international, federal, and state laws and regulations.
  • Service Providers: Felician uses third parties who have entered a contract with the University to support the administration of institutional operations and policies. In such cases, the school will share a student’s Information with such third parties subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
  • College Affiliated Programs: Felician may share a student’s Information with parties that are affiliated with the University for the purpose of contacting the student about goods, services, or experiences that may be of interest to the student.
  • De-Identified and Aggregate Information: Felician may use and disclosure Information in de-identified or aggregate form without limitation.

To what types of data does the “right to be forgotten” apply?
The right to be forgotten applies to personal data, not academic data. Furthermore, it applies to information related to transactions conducted by individuals with the University, while they are in the E.U.

Who uses data collected about individuals affected by GDPR?
Offices across campus receive necessary information to plan to support students. Examples are: Admissions Office; University Advancement; Student Life Office; Security; Student Services Offices; Information Systems Office. This information is shared on a need-to-know basis.

Why is the data collected?
Felician University’s accrediting body (Middle States Association of Colleges and Schools), and the Department of Homeland Security, require the school to collect certain information to enroll students. The University also needs academic and personal information to admit and matriculate students, to communicate with about subjects important to the university mission, and to meet their student life needs while on campus.

How long is the data retained, and when can it be destroyed?
Data regarding academic coursework, transcripts, applications, and degree status are retained indefinitely, as part of the student’s record. The College shall retain and store personal data, email accounts and Directory information in accordance with applicable U.S. state and federal law. Upon acceptance, your personal information will be kept as part of your student record for the duration of your studies and, where applicable, a prescribed period of time thereafter. If you are unsuccessful, your information will be normally kept for at least five years after the completion of the application process.

Your information will be destroyed upon your request unless applicable law requires destruction after the expiration of an applicable retention period. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of your information given the level of sensitivity, value, and criticality to the University.

Whom do I contact with questions about GDPR and its impact on Felician University?
Contact the Registrar, Erminda Velez-Quinones at
VelezE@felician.edu

How may I withdraw consent to collect or use my data?
Contact the Registrar at Registrar@felician.edu