Privacy Notice for FLP Students

Version: February 2019

In connection with student enrollment in customized and faculty-led programs offered based on agreements between students’ home institutions and DIS – Study Abroad in Scandinavia, Fonden DIS, DIS Stockholm AB, and DIS Properties APS (DIS) will, as the joint data controller, collect and process personal data about customized and faculty-led program students.

1. Categories of personal data and purposes

DIS collects and processes up to and including the following types of personal data, with the scope ultimately determined by the individual customized and faculty-led program agreements.

Non-sensitive categories of personal data are: name, birth date, course enrollments and grades, program enrollment, home university, major of study, minor of study, academic standing, graduation semester, cumulative grade point average, emergency contact, home city and state/country, email, phone numbers, local Danish/Swedish address, passport details, arrival/departure flight information, class assignments, photo, video recordings, nationality, gender, student ID, registration ID, dietary restrictions, internal case details, library records, survey responses, building security footage, staff appointment details, academic discussions and assignments through online learning management system.

When applicable the following categories of non-sensitive data are processed: accommodations letter when academic accommodations are requested, insurance claim details for those who file through DIS (which may contain sensitive data as well if the student discloses it), and hold details for any students owing DIS money at the end of a semester. Students who access the common wireless internet at DIS Copenhagen will have some website visits registered associated with their login (email address). Students with recurring, direct contact with those under the age of 15 as part of their program will have a børneattest processed.

Sensitive categories of personal data are: religion, ethnicity, gender identity, and health data when students choose to consent to sharing it. Internal case details may contain sensitive categories of personal data in the event of an emergency or in the establishment, exercise, or defense of legal claims.

DIS processes the personal data for the following purposes:

  • In pursuit of the customized and faculty-led program agreements between students’ home institutions and DIS
  • In pursuit of the DIS Mission, including the DIS commitment to its values and to diversity and respect
  • To collaborate with partners locally and globally
  • For statistical and research purposes
  • To comply with applicable personal data protection regulation and other legitimate interests, e.g.
    • Documentation requirements
    • Compliance with basic principles and legal grounds for processing personal data
    • Putting in place, maintaining and testing technical and organisational security measures
    • Investigating and reporting suspected personal data breaches, if any
    • Handling requests and complaints from data subjects and others, if any
    • Handling inspections and queries by supervisory authorities, if any
    • Handling disputes with data subjects and third parties, if any

2. Sources

Students’ personal data is collected from the individual student, either directly through online registration or indirectly through students’ home institutions. The exception is internal case note details, when relevant, which may come directly from the student but may also come from employees or agents of DIS.

3. The legal basis for the collection and processing of the personal data

The legal basis for collection and processing of students’ name, birth date, course enrollments and grades, program enrollment, home university, home city and state/country, email, phone numbers, local Danish/Swedish address, arrival/departure flight information, class assignments, photo, video recordings, nationality, passport gender, student ID, registration ID, dietary restrictions, payment details, billing details, hold details and amount owed when relevant, housing applications, personal interests, personal housing preferences, transcripts, library records, survey responses, staff appointment details, academic discussions and assignments through online learning management system, application and interview details depending on home universities’ admission processes, and any documentation related to practicum enrollment is the following:

  • Based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

The contract to which faculty and customized program students are party is either directly with DIS, or with their home institution, which then has an agreement with DIS in order to fulfill the home institution’s contract with their students. Students are obliged to provide this information in order to fulfill their agreement with DIS or their home institution. Failure to provide this information could result in DIS being unable to provide the agreed to services, which could also result in early termination of students’ enrollment in the program.

The legal basis for collection and processing of religion, ethnicity, gender identity, political affiliation, national identification numbers, and health data is the following:

  • Based on GDPR art. 6(1)(a), processing of his or her personal data to which the data subject has given consent for one or more specific purposes.

When DIS collects this personal data directly from students for the purpose of fulfilling strategic diversity goals, or to provide health advising, emergency assistance, and physical or academic accommodations when possible and relevant, students provide the personal data voluntarily. Students are not obliged to provide this information to DIS. The consequence of not providing information on the basis of consent is that the advice, accommodations, or emergency assistance DIS can provide to students may be limited.

The legal basis for collection and processing of building surveillance footage is the following:

  • Based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.

DIS collects this surveillance footage of students in DIS buildings for the legitimate purpose of providing a safe and secure learning and living environment. Students are included in this surveillance when in DIS buildings, but students have the right to object that their legitimate interests as an individual outweigh the legitimate interests of DIS as an organization. To exercise this claim, students need to contact the DIS Data Protection Officer (dataprotectionofficer@dis.dk), detailing which legitimate interest processing they are objecting to and why their interests outweigh those of DIS in the specific instances.

DIS may also process students’ passport and residency permit details for residency permit processing purposes on the basis of the power of attorney form submitted to DIS.

4. Disclosure of the personal data to other controllers

Relevant personal data will be disclosed to and shared with the following recipients:

  • Travel or ticketing agencies for travelling with DIS
  • Public transportation organizations for transportation passes
  • Hotels, hostels, or other accommodation while travelling with DIS
  • Organizations hosting students for field studies, practicums, or study tours for academic or cultural purposes
  • Financial auditors
  • Cleaning and maintenance companies for DIS housing
  • Insurance companies
  • Housing administration companies
  • Students’ home universities
  • Faculty contractors
  • Governmental entities
  • Fellow students for social coordination
  • Social media apps

The legal bases for the disclosure of students’ full name, local Danish/Swedish address, home city and state/country, phone numbers, university, major of study, student ID, email, photo or video recordings, birth date, passport gender, nationality, residency permit details, arrival and departure details, program enrollment, course enrollments, course grades, academic assignment details, payment details, and account details are the following:

  • Based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.

Students have the right to withdraw their consent for disclosures to third party health providers, which is the only disclosure based on consent. If students withdraw the consent, this will not affect the lawfulness of the disclosure prior to the withdrawal. Students should contact DIS using the contact details below if they want to exercise this withdrawal.

5. Transfer of personal data to data processors

DIS transfers the personal data to IT providers and the DIS North American Office (part of the University of Minnesota).

6. International transfers of personal data to recipients (both controllers and processors) in countries outside the EU/EEA

DIS transfers the personal data to the following recipients located in countries outside the EU/EEA:

Transfers of personal data to a third country or an international organisation

Category of recipient: IT Providers, including Vultr, Sendgrid, Papertrail, Zendesk (sub-processor categorization for following IT providers is on-going and will be updated as such)
Country: United States
Transfer basis (varies per IT provider):
  ☒ EU Standard Contractual Clauses – to processors (in development)
  ☒ EU-U.S. Privacy Shield (only the U.S.) (in development)
  ☒ Conclusion or performance of a contract between the individual and the data controller

Category of recipient: DIS North American Office (University of Minnesota); sub-processor Google Suite and Google Cloud
Country: United States
Transfer basis (varies per IT provider):
  ☒ EU Standard Contractual Clauses – to processors (in development)
  ☒ EU-U.S. Privacy Shield (only the U.S.) (for sub-processor)
  ☒ Conclusion or performance of a contract between the individual and the data controller
  ☒ Vital interests of the data subject or other persons, where the data subject is incapable of giving consent
  ☒ Establishment, exercise or defense of legal claims

Category of recipient: Home university of the student (varies)
Country: United States
Transfer basis (varies per IT provider):
  ☒ EU Standard Contractual Clauses – to controllers (in development)
  ☒ Explicit consent from the individual
  ☒ Conclusion or performance of a contract between the individual and the data controller
  ☒ Establishment, exercise or defense of legal claims
  ☒ Vital interests of the data subject or other persons, where the data subject is incapable of giving consent

7. Retention period

DIS stores personal data for as long as necessary to fulfill the purposes above. DIS pseudonymizes all personal data on an annual basis within five years of the conclusion of a student’s enrollment. Any security footage from DIS buildings is deleted at the latest within 30 days of recording. Quantitative data is kept for statistical and research purposes in a pseudonymized format. Identifiable back-ups of relevant personal data are made and stored securely and separately from all active personal data to cover relevant statutes of limitation, which at maximum lasts up to seven years.

8. Students’ rights

Subject to the conditions set out in the applicable data protection legislation, students enjoy the following rights:

  • The right to request access to the personal data
  • The right to rectification of the personal data
  • The right to erasure of the personal data
  • The right to restriction of processing
  • The right to data portability
  • The right to objection to the processing of the personal data, including the absolute right to object to direct marketing

Students also have the right to lodge a complaint with the competent supervisory authority, such as the Danish Data Protection Agency or the Swedish Data Protection Agency as relevant. Please consult their websites for how to submit a complaint, at www.datatilsynet.dk or www.datainspektionen.se respectively.

9. Contact

Students should contact DIS if they have any questions with regard to the protection of their personal data or if they wish to exercise their legal rights.

Contact details of the controller(s):
Fonden DIS – Danish Institute for Study Abroad
Vestergade 7
DK-1456 København K
Business registration no. in Denmark: DK13058946
Tel no: +45 33 11 01 44

DIS Stockholm AB
Melodislingan 21
115 51 Stockholm
Business registration no. in Sweden: 559021-1206
Tel no: +46 (0)10 175 13 13

DIS Properties APS
Vestergade 5
DK-1456 København K
Business registration no. in Denmark: 37511404

Contact details of the data protection officer:
E-mail address: dataprotectionofficer@dis.dk
Tel no: +45 33 76 54 36