Privacy Notice for FLP Students

Version: October 2023

In connection with student enrollment in customized and faculty-led programs offered based on agreements between students’ home institutions and DIS – Study Abroad in Scandinavia, Fonden DIS and DIS Stockholm AB (DIS) will, as the joint data controller, collect and process personal data about customized and faculty-led program students.

1. Categories of personal data and purposes

DIS collects and processes up to and including the following types of personal data, with the scope ultimately determined by the individual customized and faculty-led program agreements.

Non-sensitive categories of personal data are: name, birth date, course enrollments and grades, program enrollment, home university, major of study, minor of study, academic standing, graduation semester, cumulative grade point average, emergency contact, home city and state/country, email, phone numbers, local Danish/Swedish address, passport details, arrival/departure flight information, class assignments, photo, video recordings, nationality, gender, student ID, registration ID, system metadata, dietary restrictions, internal case details, library records, survey responses, building security footage, staff appointment details, select social media posts, academic discussions and assignments through online learning management system. Tracking pixels are used in connection with newsletter communication.

When applicable the following categories of non-sensitive data are processed: accommodations letter when academic accommodations are requested, insurance claim details for those who file through DIS (which may contain sensitive data as well if the student discloses it), and hold details for any students owing DIS money at the end of a semester. Students who access the common wireless internet at DIS Copenhagen will have some website visits registered associated with their login (email address). Students with recurring, direct contact with those under the age of 15 as part of their program will have a børneattest processed.

Sensitive categories of personal data are: religion, ethnicity, gender identity, and health data when students choose to consent to sharing it. Internal case or bias reporting details may contain sensitive categories of personal data.

DIS processes the personal data for the following purposes:

  • In pursuit of the customized and faculty-led program agreements between students’ home institutions and DIS
  • In pursuit of the DIS Mission, including the DIS commitment to its values and to diversity and respect
  • To collaborate with partners locally and globally
  • For statistical and research purposes
  • To comply with applicable personal data protection regulation and other legitimate interests, e.g.
    • Documentation requirements
    • Compliance with basic principles and legal grounds for processing personal data
    • Putting in place, maintaining and testing technical and organisational security measures
    • Investigating and reporting suspected personal data breaches, if any
    • Handling requests and complaints from data subjects and others, if any
    • Handling inspections and queries by supervisory authorities, if any
    • Handling disputes with data subjects and third parties, if any

2. Sources

Students’ personal data is collected from the individual student, either directly through online registration or indirectly through students’ home institutions. The exception is internal case or bias reporting details when relevant, which may come directly from the student themselves, but may also come from other students, or employees or agents of DIS. Building security footage at DIS is also processed based on the legitimate interest of safety and security, and otherwise program enrollment and DK/SE address, along with ID numbers and other system metadata, are generated by DIS.

3. The legal basis for the collection and processing of the personal data

The legal basis for collection and processing of students’ name, birth date, course enrollments and grades, program enrollment, home university, home city and state/country, email, phone numbers, local Danish/Swedish address, arrival/departure flight information, class assignments, photo, video recordings, nationality, passport gender, student ID, registration ID, dietary restrictions, payment details, billing details, hold details and amount owed when relevant, housing applications, personal interests, personal housing preferences, transcripts, library records, survey responses, staff appointment details, academic discussions and assignments through online learning management system, application and interview details depending on home universities’ admission processes, and any documentation related to practicum enrollment is the following:

  • Based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

The contract to which faculty and customized program students are party is either directly with DIS, or with their home institution, which then has an agreement with DIS in order to fulfill the home institution’s contract with their students. Students are obliged to provide this information in order to fulfill their agreement with DIS or their home institution. Failure to provide this information could result in DIS being unable to provide the agreed to services, which could also result in early termination of students’ enrollment in the program.

The legal basis for collection and processing of religion, ethnicity, gender identity, political affiliation, national identification numbers, health data, and select social media posts is the following:

  • Based on GDPR art. 6(1)(a), the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

When DIS collects this personal data directly from students for the purpose of fulfilling strategic diversity goals, or to provide health advising, emergency assistance, and physical or academic accommodations when possible and relevant, students provide the personal data voluntarily. Students are not obliged to provide this information to DIS. The consequences of not providing information on the basis of consent is that the advice, accommodations, or emergency assistance DIS can provide to students may be limited. There are no consequences to denying consent for DIS to further publish select social media posts.

The legal basis for collection and processing of building security footage, internal case or bias reporting details, and tracking pixels is the following:

  • Based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.

DIS processes this security footage of students in DIS buildings for the legitimate purposes of providing a safe and secure learning and living environment. Students are included in this surveillance when in DIS buildings, but students have the right to object that their legitimate interests as an individual outweigh the legitimate interests of DIS as an organization. When DIS collects or processes internal case or bias reporting details, it is to keep a record of the communication delivered to students in relevant instances to maintain quality and consistency of service and to best pursue fulfilment of the agreement with the students to which they are party and the DIS mission and all its parts. When DIS uses tracking pixels, it is to improve communication efficacy with students. DIS students have the right to object that their legitimate interests as an individual outweigh the legitimate interests of DIS as an organization. To exercise this claim students need to contact the DIS Data Protection Officer (dataprotectionofficer@dis.dk) detailing to which legitimate interest processing they’re objecting, and why their interests outweigh those of DIS in the specific instances.

DIS may also process students’ passport and residency permit details for residency permit processing purposes on the basis of the power of attorney form submitted to DIS.

4. Disclosure of the personal data to other controllers

Relevant personal data will be disclosed to and shared with the following recipients:

  • Travel or ticketing agencies for travelling with DIS
  • Public transportation organizations for transportation passes
  • Hotels, hostels, or other accommodation while travelling with DIS
  • Organizations hosting students for field studies, practicums, or study tours for academic or cultural purposes
  • Financial auditors
  • Cleaning and maintenance companies for DIS housing
  • Insurance companies
  • Housing administration companies
  • Students’ home universities
  • Faculty contractors
  • Governmental entities
  • Fellow students for social coordination
  • Social media apps
  • Telephone providers
  • Third party web services
  • Third party health providers, only with individual student’s consent

The legal bases for the disclosure of students’ full name, local Danish/Swedish address, home city and state/country, phone numbers, university, major of study, student ID, email, photo or video recordings, birth date, passport gender, nationality, residency permit details, arrival and departure details, program enrollment, course enrollments, course grades, academic assignment details, payment details, and account details is the following:

  • Based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.

The legal basis for disclosure of students’ health data to third party health providers is GDPR art. 6(1)(a): the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Students have the right to withdraw their consent for this disclosure, which is the only disclosure based on consent. If students withdraw the consent, this will not affect the lawfulness of the disclosure prior to the withdrawal. Students should contact DIS using the contact details below if they want to exercise this withdrawal.

Disclosure to Governmental entities or auditors is based on GDPR art. 6(1)(f), processing which is necessary for compliance with a legal obligation to which the controller is subject.

5. Transfer of personal data to data processors

DIS transfers the personal data to IT providers and the DIS North American Office (part of the University of Minnesota).

6. International transfers of personal data to recipients (both controllers and processors) in countries outside the EU/EEA

DIS transfers the personal data to the following recipients located in countries outside the EU/EEA:

| Transfers of personal data to a third country or an international organisation | Transfer basis (varies per IT provider) |
| --- | --- |
| Category of recipient: IT Providers, including Involvio, Sendgrid, Papertrail, Mailchimp, Microsoft Office 365. Country: United States | ☒ EU Standard Contractual Clauses – to processors |
| Category of recipient: DIS North American Office (University of Minnesota). Country: United States | ☒ EU Standard Contractual Clauses – to processors |
| Category of recipient: Home university of the student (varies). Country: United States | ☒ EU Standard Contractual Clauses – to controllers; ☒ Explicit consent from the individual; ☒ Conclusion or performance of a contract between the individual and the data controller; ☒ Establishment, exercise or defense of legal claims; ☒ Vital interests of the data subject or other persons, where the data subject is incapable of giving consent |

EU Standard Contractual Clauses as a transfer basis means that DIS and the other organization(s) have agreed to additional contractual language from the EU, which protects the legal rights FLP Students have as data subjects, even though FLP Student personal data is shared outside of the EU. FLP Students have the right to obtain a copy of these clauses, which can be exercised by contacting dataprotectionofficer@dis.dk.

7. Retention period

DIS stores personal data for as long as necessary to fulfil the purposes above. DIS anonymizes most personal data on an annual basis within one year of the conclusion of a student’s enrollment. Financial records are maintained for the period obliged by Danish law. Any security footage from DIS buildings is deleted at the latest within 30 days of recording.

8. Students’ rights

Subject to the conditions set out in the applicable data protection legislation, students enjoy the following rights:

  • The right to request access to the personal data
  • The right to rectification of the personal data
  • The right to erasure of the personal data
  • The right to restriction of processing
  • The right to data portability
  • The right to objection to the processing of the personal data, including the absolute right to object to direct marketing

Students also have the right to lodge a complaint with the competent supervisory authority, such as the Danish Data Protection Agency or the Swedish Data Protection Agency as relevant. Please consult their websites, www.datatilsynet.dk or www.imy.se respectively, for how to submit a complaint.

9. Contact

Students should contact DIS if they have any questions in regards to the protection of their personal data or if they wish to exercise their legal rights.

Contact details of the controller(s):
Fonden DIS – Danish Institute for Study Abroad
Vestergade 7
DK-1456 København K
Business registration no. in Denmark: DK13058946
Tel no: +45 33 11 01 44

DIS Stockholm AB
Melodislingan 21
115 51 Stockholm
Business registration no. in Sweden: 559021-1206
Tel no: +46 (0)10 175 13 13

Contact details of the data protection officer:
E-mail address: dataprotectionofficer@dis.dk
Tel no: +45 33 76 54 36