GENERAL DATA PROTECTION REGULATION COMPLIANCE POLICY
For students, employees and alumni conducting transactions with Raritan Valley Community College while in the European Union:
The following information should be considered together with Raritan Valley Community College’s Privacy Statement, because both discuss use of student information, and students’ rights regarding that use.
The General Data Protection Regulation (GDPR) is a set of rules for organizations that process personal information for individuals while those individuals are located in the European Union. GDPR took effect on May 25, 2018, and it affects organizations worldwide, including higher education institutions. The goal of GDPR is to give these individuals more control over their personal data. The GDPR regulations apply to Raritan Valley Community College and other higher education institutions because they will potentially process the personal information of students, employees and alumni while these individuals are in the European Union.
GDPR applies exclusively to the processing of personal information (see definition below) that is obtained from you while you are physically located in an EU member state.
If you have conducted a transaction with Raritan Valley Community College while in the European Union, or anticipate doing so, you should read the following, to best understand your rights, the nature of consent, and the reasons why data is collected.
What are examples of interactions that are subject to GDPR?
- An international student on an F-1 visa who transacts with RVCC while in an EU country;
- A student who completes an RVCC online course from the EU;
- An RVCC student who pursues education in an E.U. country;
- An individual who applies for employment at RVCC, while in the E.U.;
- Faculty and staff who visit E.U. countries and communicate with the College while there;
- Students who apply to RVCC from the E.U.;
- RVCC alumni who are in the E.U.
What are my rights under GDPR?
- You have the right to clear and transparent explanations of how your data is being used;
- You have the right to request access to your data;
- You have the right to request copies of your data;
- You have the right to request that your data be rectified;
- You have the right to restrict use of your data;
- You have the right to request erasure of your data (personal data, not academic data), subject to the retention periods specified by federal and state laws (see “Rectification and Erasure” and “right to be forgotten” below);
- Information created in the European Union will be transferred out of the European Union to the College. If you believe the College has not complied with applicable foreign laws regulating such information, you have the right to file a complaint with the appropriate supervisory authority in the European Union.
Rectification and Erasure
RVCC will provide the data subject the right to obtain, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
RVCC will provide the data subject the right of erasure of personal data where the following conditions apply:
- The personal data are no longer necessary for the purposes for which it was collected;
- The individual withdraws his/her consent;
- There are no legitimate grounds for processing according to the GDPR.
This service will be made available without undue delay. The exact time will depend on the complexity of the request. The request can be made to John Wheeler, Registrar, at John.Wheeler@raritanval.edu
The GDPR distinguishes between Personal Information and Sensitive Personal Information. Following are the definitions:
- Personal Information
Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Sensitive Personal Information
Sensitive Personal Information is defined as race, ethnic origin, religious or philosophical beliefs, health data, sexual orientation, and criminal convictions.
These definitions are analogous to the definitions of “Directory Information” and “Non-Directory Information” contained in RVCC’s Family Education Rights and Privacy Act (FERPA) statement, but are broader in reference.
What is the significance of these definitions of data?
These data definitions reflect the conditions in response to which GDPR was formed. The evolution of technology and globalization has caused the cross-border flow of personal data to grow exponentially. This evolution has made more urgent the need for regulations to guard against its misuse. Defining different types of personal data, and the different ramifications of misusing each, was an important part of assembling the GDPR regulations.
Which countries are included in the European Union?
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
How does GDPR differ from FERPA?
FERPA contains requirements regarding the privacy of student records, and GDPR contains requirements for the protection of personal data.
Third-Party Use of Sensitive Information
Raritan Valley Community College may disclose a student’s Sensitive Information and other Information as follows:
- Consent: RVCC may disclose Sensitive Information and other Information if it has a student’s consent to do so.
- Emergency Circumstances: RVCC may share a student’s Information and Sensitive Information when necessary to protect the student’s interests when the student is physically or legally incapable of providing consent.
- Employment Necessity: RVCC may share a student’s Sensitive Information when necessary for administering employment benefits, subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- Public Information: RVCC may share a student’s Information and Sensitive Information if the student has manifestly made it public.
- Archiving: RVCC may share a student’s Information and Sensitive Information for archiving purposes in the public interest, for historical research, and for statistical purposes.
Performance of a Contract: RVCC may share a student’s Information when necessary to administer a contract the student has with the College.
- Legal Obligation: RVCC may share a student’s Information when the disclosure is required or permitted by international, federal, and state laws and regulations.
- Service Providers: RVCC uses third parties who have entered into a contract with the College to support the administration of College operations and policies. In such cases, the College will share a student’s Information with such third parties subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- College Affiliated Programs: RVCC may share a student’s Information with parties that are affiliated with the College for the purpose of contacting the student about goods, services, or experiences that may be of interest to the student.
- De-Identified and Aggregate Information: RVCC may use and disclosure Information in de-identified or aggregate form without limitation.
To what types of data does the “right to be forgotten” apply?
The right to be forgotten applies to personal data, not academic data. Furthermore, it applies to information related to transactions conducted by individuals with the College, while they are in the E.U.
Who uses data collected about individuals affected by GDPR?
Offices across campus receive necessary information to make arrangements to support students. Examples are: Admissions Office; RVCC Foundation; Student Life Office; Security; Student Services Offices; M.I.S. Office. This information is shared on a need-to-know basis.
Why is the data collected?
Raritan Valley Community College’s accrediting body (Middle States Association of Colleges and Schools), and the Department of Homeland Security, require the College collect certain information to enroll students. The College also needs academic and personal information to admit and matriculate students, to communicate with about subjects important to the College’s mission, and to meet their student life needs while on campus.
How long is the data retained, and when can it be destroyed?
Data regarding academic coursework, transcripts, applications and degree status are retained indefinitely, as part of the student’s record. The College shall retain and store personal data, email accounts and Directory information in accordance with applicable U.S. state and federal law. Upon acceptance, your personal information will be kept as part of your student record for the duration of your studies and, where applicable, a prescribed period of time thereafter. If you are unsuccessful, your information will be normally kept for at least five years after the completion of the application process.
Your information will be destroyed upon your request unless applicable law requires destruction after the expiration of an applicable retention period. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of your information given the level of sensitivity, value and criticality to the College.
Whom do I contact with questions about GDPR and its impact on Raritan Valley Community College?
Contact the RVCC Registrar, John Wheeler, at John.Wheeler@raritanval.edu
How may I withdraw consent to collect or use my data?
Contact the RVCC Registrar, John Wheeler, at John.Wheeler@raritanval.edu