Privacy Notice for students

Version: June 2018

In connection with student enrollment at DIS – Study Abroad in Scandinavia, Fonden DIS, DIS Stockholm AB, and DIS Properties APS (DIS) will, as the joint data controller, collect and process personal data about students.

1. Categories of personal data and purposes

DIS collects and processes the following types of personal data:

Non-sensitive categories of personal data are: name, birth date, course enrollments and grades, program enrollment, home university, major of study, minor of study, academic standing, graduation semester, cumulative grade point average, emergency contact, home city and state/country, email, phone numbers, local Danish/Swedish address, visa information, arrival/departure flight information, passport page scan, power of attorney form, class assignments, photo, video recordings, nationality, gender, student ID, registration ID, dietary restrictions, payment details, billing details, housing applications, personal interests, personal housing preferences, transcripts, internal case details, library records, survey responses, staff appointment details, academic discussions and assignments through online learning management system.

When applicable the following categories of non-sensitive data are processed: accommodations letter when academic accommodations are requested, insurance claim details for those who file through DIS (which may contain sensitive data as well if the student discloses it), application and interview details depending on home universities’ admission processes, residency permit details for visa-free students studying in Copenhagen, hold details for any students owing DIS money at the end of a semester. Students enrolled in the CDD program will have a børneattest processed. Students enrolled in other practicums may have their resumes and/or cover letters processed.

Students applying for financial aid have the following additional categories of non-sensitive data processed: alien registration number (if applicable), marital status, selective service registration, educational level, tax return form, income tax paid, exemptions/credits claimed, income, total savings, net worth, investments, child support paid, welfare status, financial aid received, other earnings, military service, children/dependents, family status, scholarship application details.

Sensitive categories of personal data are: religion, ethnicity, gender identity, and health data when students choose to consent to sharing it. Internal case details may contain sensitive categories of personal data in the event of an emergency or in the establishment, exercise, or defense of legal claims.

DIS processes the personal data for the following purposes:

  • To fulfil the contract agreed to with enrolled students
  • In pursuit of the DIS Mission, including the DIS commitment to its values and to diversity and respect
  • To collaborate with partners locally and globally
  • For statistical and research purposes
  • To comply with applicable personal data protection regulation and other legitimate interests, e.g.
    o Documentation requirements
    o Compliance with basic principles and legal grounds for processing personal data
    o Putting in place, maintaining and testing technical and organizational security measures
    o Investigating and reporting suspected personal data breaches, if any
    o Handling requests and complaints from data subjects and others, if any
    o Handling inspections and queries by supervisory authorities, if any
    o Handling disputes with data subjects and third parties, if any

2. Sources

Students’ personal data is collected from the individual student in nearly all cases detailed in this privacy notice. The exception is internal case note details when relevant, which may come directly from the student but also may come from employees or agents of DIS. The legal basis for this processing is the legitimate interest of DIS based on GDPR article 6(1)(f). The legitimate interest of DIS is to keep a record of the advice or communication delivered to students in relevant instances to maintain quality and consistency of service and to best pursue fulfillment of the agreement with the students to which they are party and the DIS Mission and all its parts. When relevant, the legal basis for this processing may also be GDPR article 9(1)(f), the establishment, exercise, or defense of legal claims. In emergency situations, personal data may be collected and processed from employees or agents of DIS or third parties based on GDPR article 6(1)(d), processing which is necessary in order to protect the vital interests of the data subject or of another natural person.

3. The legal basis for the collection and processing of the personal data

The legal basis for collection and processing of students’ name, birth date, course enrollments and grades, program enrollment, home university, home city and state/country, email, phone numbers, local Danish/Swedish address, arrival/departure flight information, class assignments, photo, video recordings, nationality, passport gender, student ID, registration ID, dietary restrictions, payment details, billing details, hold details and amount owed when relevant, housing applications, personal interests, personal housing preferences, transcripts, library records, survey responses, staff appointment details, academic discussions and assignments through online learning management system, application and interview details depending on home universities’ admission processes, and any documentation related to practicum enrollment is the following:

  • Based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Students are obliged to provide this information in order to fulfill their agreement with DIS. Failure to provide this information could result in DIS being unable to provide the agreed to services, which could also result in early termination of students’ enrollment in the program.

The legal basis for collection and processing of religion, ethnicity, gender identity, political affiliation, national identification numbers, and health data is the following:

  • Based on GDPR art. 6(1)(a), processing of his or her personal data to which the data subject has given consent for one or more specific purposes.

When DIS collects this personal data directly from students for the purpose of fulfilling strategic diversity goals, scholarship applications directly related to sensitive categories of data, or to provide health advising, emergency assistance, and physical or academic accommodations when possible and relevant, students provide the personal data voluntarily. Students are not obliged to provide this information to DIS. The consequence of not providing information on the basis of consent is that the advice, accommodations, or emergency assistance DIS can provide to students may be limited. Regarding national identification numbers, failure to provide these for the purposes of DIS-facilitated visa approval (depending on students’ visa eligibility) may have the consequence of students’ legal residence in the country ending during students’ enrollment in the program, in which case the consequence may be early termination of students’ enrollment in the program.

The legal basis for collection and processing of students’ full name, local address, university, student ID, program enrollment, photo, email, birth date, course enrollments, course grades, nationality, gender, US address, residency permit details, and building surveillance footage is the following:

  • Based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.

When DIS collects personal data directly from students for the legitimate purposes of providing a safe and secure learning and living environment, to facilitate academic learning, to meet auditing obligations, to communicate services, reminders, and share events, to facilitate transcript requests through third party providers, to award scholarships, and to provide local cell phones, students provide the personal data in order to meet this legitimate interest. Students are obliged to provide this information to DIS, but students have the right to object that their legitimate interests as an individual outweigh the legitimate interests of DIS as an organization. To exercise this claim students need to contact the DIS Data Protection Officer (dataprotectionofficer@dis.dk) detailing to which legitimate interest processing they’re objecting, and why their interests outweigh those of DIS in the specific instances.

DIS also processes students’ name and student ID based on GDPR art. 6(1)(f), processing which is necessary for compliance with a legal obligation to which the controller is subject. This information is shared with financial auditors to meet our legal obligation.

DIS may also process students’ passport and residency permit details for residency permit processing purposes on the basis of the power of attorney form submitted to DIS.

4. Disclosure of the personal data to other controllers

Relevant personal data will be disclosed to and shared with the following recipients:

  • Travel or ticketing agencies for traveling with DIS
  • Public transportation organizations for transportation passes
  • Hotels, hostels, or other accommodation while traveling with DIS
  • Organizations hosting students for field studies, practicums, or study tours for academic or cultural purposes
  • Financial auditors
  • Cleaning and maintenance companies for DIS housing
  • Insurance companies
  • Housing administration companies
  • Students’ home universities
  • Danish universities, when relevant for students’ external course enrollment(s)
  • Faculty contractors
  • Governmental entities
  • Fellow students for social coordination
  • Social media apps
  • Telephone providers
  • Local libraries
  • Third party health providers, only with individual student’s consent

The legal basis for the disclosure of students’ full name, local Danish/Swedish address, home city and state/country, phone numbers, university, major of study, student ID, email, photo or video recordings, birth date, passport gender, nationality, residency permit details, arrival and departure details, program enrollment, course enrollments, course grades, academic assignment details, payment details, and account details is the following:

  • Based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.

Students have the right to withdraw their consent for disclosures to third party health providers, which is the only disclosure based on consent. If students withdraw the consent, this will not affect the lawfulness of the disclosure prior to the withdrawal. Students should contact DIS using the contact details below if they want to exercise this withdrawal.

5. Transfer of personal data to data processors

DIS transfers the personal data to IT providers, the DIS North American Office (part of the University of Minnesota), and students’ home universities, which process and/or store the personal data on our behalf.

6. International transfers of personal data to recipients (both controllers and processors) in countries outside the EU/EEA

DIS transfers the personal data to the following recipients located in countries outside the EU/EEA:

Transfers of personal data to a third country or an international organization

Category of recipient: IT Providers, including Vultr, Sendgrid, Papertrail, Parchment (sub processor categorization for following IT providers is ongoing and will be updated as such)
Country: United States
Transfer basis (varies per IT provider):
  • EU Standard Contractual Clauses – to processors (in development)
  • EU-U.S. Privacy Shield (only the U.S.) (in development)
  • Conclusion or performance of a contract between the individual and the data controller

Category of recipient: DIS North American Office (University of Minnesota); sub processor Google Suite and Google Cloud
Country: United States
Transfer basis:
  • EU Standard Contractual Clauses – to processors (in development)
  • EU-U.S. Privacy Shield (only the U.S.) (for sub processor)
  • Conclusion or performance of a contract between the individual and the data controller
  • Vital interests of the data subject or other persons, where the data subject is incapable of giving consent
  • Establishment, exercise or defense of legal claims

Category of recipient: Home university of the student (varies)
Country: United States
Transfer basis:
  • EU Standard Contractual Clauses – to controllers (in development)
  • Explicit consent from the individual
  • Conclusion or performance of a contract between the individual and the data controller
  • Establishment, exercise or defense of legal claims
  • Vital interests of the data subject or other persons, where the data subject is incapable of giving consent

7. Retention period

DIS stores personal data for as long as necessary to fulfill the purposes above. DIS pseudonymizes all personal data on an annual basis within two years of the conclusion of a student’s enrollment, at which time all qualitative personal data (i.e. student essays) are deleted. Quantitative data is kept for statistical and research purposes in a pseudonymized format. Identifiable backups are made and stored securely and separately from all active personal data to cover relevant statutes of limitation, which at maximum lasts up to seven years.

8. Students’ rights

Subject to the conditions set out in the applicable data protection legislation, students enjoy the following rights:

  • The right to request access to the personal data
  • The right to rectification of the personal data
  • The right to erasure of the personal data
  • The right to restriction of processing
  • The right to data portability
  • The right to objection to the processing of the personal data, including the absolute right to object to direct marketing

Students also have the right to lodge a complaint with the competent supervisory authority, such as the Danish Data Protection Agency or the Swedish Data Protection Agency as relevant. Please consult their websites, datatilsynet.dk or datainspektionen.se respectively, for how to submit a complaint.

9. Contact

Students should contact DIS if they have any questions with regard to the protection of their personal data or if they wish to exercise their legal rights.

Contact details of the controller(s):

Fonden DIS – Danish Institute for Study Abroad
Vestergade 7
DK-1456 København K
Business registration no. in Denmark: DK13058946
Tel no: +45 33 11 01 44

DIS Stockholm AB
Melodislingan 21
115 51 Stockholm
Business registration no. in Sweden: 559021-1206
Tel no: +46 (0)10 175 13 13

DIS Properties APS
Vestergade 5
DK-1456 København K
Business registration no. in Denmark: 37511404

Contact details of the data protection officer:

E-mail address: dataprotectionofficer@dis.dk
Tel no: +45 33 76 54 36