Privacy Notice for Students

Version: March 2024

In connection with student enrollment at DIS – Study Abroad in Scandinavia, Fonden DIS, DIS Stockholm AB, and DIS Properties APS (DIS) will, as the joint data controller, collect, and process personal data about students.

1. Categories of personal of data and purposes

DIS collects and process the following types of personal data:

Non-sensitive categories of personal data are: name, birth date, course enrollments and grades, program enrollment, home university, gender identity, major of study, minor of study, academic standing, graduation semester, cumulative grade point average, emergency contact, home city and state/country, email, phone numbers, local Danish/Swedish address, visa information, arrival/departure flight information, passport page scan, power of attorney form, travel history and family information for residency permit applications, class assignments, photo, video recordings, nationality, gender, student ID, registration ID, system metadata, building security footage, dietary restrictions, payment details, billing details, housing applications, personal interests, personal housing preferences, transcripts, internal case details, library records, survey responses, student app messages, select social media posts, staff appointment details, DIS-sponsored student blogs, awards and media roles, academic discussions and assignments through online learning management system. Tracking pixels are used in connection with newsletter communication.

When applicable the following categories of non-sensitive data are processed: accommodations letter when academic accommodations are requested, insurance claim details for those who file through DIS (which may contain sensitive data as well if the student discloses it), application and interview details depending on home universities’ admission processes, residency permit details for visa-free students studying in Copenhagen, hold details for any students owing DIS money at the end of a semester. Students enrolled in the CDD program will have a børneattest processed. Students enrolled in other practicums may have their resumes and/or cover letters processed.

Students applying for financial aid have the following additional categories of non-sensitive data processed: alien registration number (if applicable), marital status, selective service registration, educational level, tax return form, income tax paid, exemptions/credits claimed, income, total savings, net worth, investments, child support paid, welfare status, financial aid received, other earnings, military service, children/dependents, family status, scholarship application details.

Sensitive categories of personal data are: religion ethnicity, and health data when students choose to consent to sharing it. Internal case or bias reporting details may contain sensitive categories of personal data.

DIS processes the personal data for the following purposes:

  • To fulfill the contract agreed to with enrolled students
  • In pursuit of the DIS Mission, including the DIS commitment to its values and to diversity and respect
  • To collaborate with partners locally and globally
  • For statistical and research purposes
  • To comply with applicable personal data protection regulation and other legitimate interests, e.g.
    o Documentation requirements
    o Compliance with basic principles and legal grounds for processing personal data
    o Putting in place, maintaining and testing technical and organizational security measures
    o Investigating and reporting suspected personal data breaches, if any
    o Handling requests and complaints from data subjects and others, if any
    o Handling inspections and queries by supervisory authorities, if any
    o Handling disputes with data subjects and third parties, if any

2. Sources

Students’ personal data is collected from the individual student in nearly all cases detailed in this privacy notice. The exception are internal case or bias reporting details when relevant, which may come directly from the student themselves, but also may come from other students, or employees or agents of DIS. Building security footage at DIS is also processed based on the legitimate interest of safety and security, and otherwise DIS program data related to enrollments and housing, along with ID numbers and other system metadata, are generated by DIS.

3. The legal basis for the collection and processing of the personal data

The legal basis for collection and processing of students’ name, birth date, course enrollments and grades, program enrollment, home university, home city and state/country, email, tracking pixels, phone numbers, local Danish/Swedish address, arrival/departure flight information, class assignments, photo, video recordings, nationality, passport gender, student ID, registration ID, dietary restrictions, payment details, billing details, hold details and amount owed when relevant, housing applications, personal interests, personal housing preferences, transcripts, library records, survey responses, staff appointment details, DIS-sponsored student blogs, awards and media roles, academic discussions and assignments through online learning management system, application and interview details depending on home universities’ admission processes, and any documentation related to practicum enrollment is the following:

  • Based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Students are obliged to provide this information in order to fulfill their agreement with DIS. Failure to provide this information could result in DIS being unable to provide the agreed to services, which could also result in early termination of students’ enrollment in the program.

The legal basis for collection and processing of religion, ethnicity, gender identity, political affiliation, national identification numbers, health data, and select social media posts is the following:

  • Based on GDPR art. 6(1)(a), processing which the data subject has given consent to of his or her personal data for one or more specific purposes.

When DIS collects this personal data directly from students for the purpose of fulfilling strategic diversity goals, scholarship applications directly related to sensitive categories of data, or to provide health advising, emergency assistance, and physical or academic accommodations when possible and relevant, students provide the personal data voluntarily. Students are not obliged to provide this information to DIS. The consequences of not providing information on the basis of consent is that the advice, accommodations, or emergency assistance DIS can provide to students may be limited. Regarding national identification numbers, failure to provide these for the purposes of DIS facilitated visa approval (depending on students’ visa eligibility), may have the consequences of students’ legal residence in the country ending during students’ enrollment in the program, in which case the consequence may be early termination of students’ enrollment in the program. There are no consequences to denying consent for DIS to further publish select social media posts.

The legal basis for collection and processing of students’ full name, local address, university, student ID, program enrollment, photo, email, birth date, course enrollments, course grades, nationality, gender, US address, residency permit details, student app messages, building surveillance footage, and internal case or bias reporting details when relevant, is the following:

  • Based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.

When DIS collects personal data directly from students for the legitimate purposes of providing a safe and secure learning and living environment, to facilitate academic learning, to meet auditing obligations, to communicate services, reminders, and share events, to facilitate transcript requests through third party providers, to award scholarships, to facilitate intra-student communication, and to improve communication efficacy, and to provide local cell phones, students provide the personal data in order to meet this legitimate interest. Students are obliged to provide this information to DIS, but students have the right to object that their legitimate interests as an individual outweigh the legitimate interests of DIS as an organization. Students have the same obligation and rights relating to building security footage, which is processed for the purpose of providing a safe and secure learning and living environment, and they have the same obligation and rights relating to it is to keep a record of the communication delivered to student in relevant instances to maintain quality and consistency of service and to best pursue fulfilment of the agreement with the students to which they are party and the DIS mission and all its parts. To exercise this claim on any legitimate interest based processing, students need to contact the DIS Data Protection Officer (dataprotectionofficer@dis.dk) detailing to which legitimate interest processing they’re objecting, and why their interests outweigh those of DIS in the specific instances.

DIS also processes students’ name and student ID based on GDPR art. 6(1)(f), processing which is necessary for compliance with a legal obligation to which the controller is subject. This information is shared with financial auditors to meet our legal obligation.

DIS may also process students’ passport and visa information, and travel history and family information for residency permit processing purposes on the basis of the power of attorney form submitted to DIS. Students are obliged to provide this information if they require a residency permit to enroll in the DIS program, however students can contact DIS before providing this information or the power of attorney form, if they believe they do not require a residency permit facilitated by DIS.

4. Disclosure of the personal data to other controllers

Relevant personal data will be disclosed to and shared with the following recipients:

  • Travel or ticketing agencies for traveling with DIS
  • Public transportation organizations for transportation passes
  • Hotels, hostels, or other accommodation while traveling with DIS
  • Organizations hosting students for field studies, practicums, or study tours for academic or cultural purposes
  • Financial auditors
  • Cleaning and maintenance companies for DIS housing
  • Insurance companies
  • External housing partners
  • Housing administration companies
  • Students’ home universities
  • Danish universities, when relevant for students’ external course enrollment(s)
  • Faculty contractors
  • Governmental entities
  • Fellow students for social coordination
  • Social media apps
  • Telephone providers
  • Transportation providers, such as bike rental companies
  • Local libraries
  • Third party web services
  • Third party health providers, only with individual student’s consent

The legal basis for the disclosure of students’ full name, local Danish/Swedish address, home city and state/country, phone numbers, university, major of study, student ID, email, photo or video recordings, birth date, passport gender, nationality, residency permit details, arrival and departure details, program enrollment, course enrollments, course grades, academic assignment details, payment details, hold details if applicable, and account details is the following:

  • Based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.

The legal basis for disclosure of students’ health data to third party health providers or external housing partners is based on GDPR art. 6(1)(a), processing which the data subject has given consent to of his or her personal data for one or more specific purposes. Students have the right to withdraw their consent for these disclosures, which is the only disclosure based on consent. If students withdraw the consent, this will not affect the lawfulness of the disclosure prior to the withdrawal. Students should contact DIS using the contact details below if they want to exercise this withdrawal.

Disclosure to governmental entities or auditors is based on GDPR art. 6(1)(f), processing which is necessary for compliance with a legal obligation to which the controller is subject.

For those whose residency permit is facilitated by DIS, passport and visa information, travel history and family information, and power of attorney forms may be disclosed to relevant governmental entities on the basis of the power of attorney form.

5. Transfer of personal data to data processors

DIS transfers the personal data to IT providers and the DIS North American Office (part of the University of Minnesota) which processes and/or stores the personal data on our behalf.

6. International transfers of personal data to recipients (both controllers and processors) in countries outside the EU/EEA

DIS transfers the personal data to the following recipients located in countries outside the EU/EEA:

Transfers of personal data to a third country or an international organization
Transfer basis (varies per IT provider)
Category of recipient:
IT Providers
Including Mailchimp, Sendgrid, Papertrail, , Microsoft Office 365
Country:
United States
  • EU Standard Contractual Clauses – to processors
Category of recipient:
DIS North American Office (University of Minnesota)
Country:
United States
  •  EU Standard Contractual Clauses – to processors
Category of recipient:
Home university of the student (varies)
Country:
United States
  • EU Standard Contractual Clauses – to controllers (in development)
  • Explicit consent from the individual
  • Conclusion or performance of a contract between the individual and the data controller
  • Establishment, exercise or defense of legal claims
  • Vital interests of the data subject or other persons, where the data subject is incapable of giving consent

7. Retention period

DIS stores personal data for as long as necessary to fulfil the purposes above. DIS anonymizes most personal data on an annual basis within one year of the conclusion of a student’s enrollment. Financial records are maintained for the period obliged by Danish law. DIS-sponsored student blogs are linked through the DIS website indefinitely, unless the student decides to take their blogs offline. Any security footage from DIS buildings is deleted at the latest within 30 days of recording.

8. Students’ rights

Subject to the conditions set out in the applicable data protection legislation, students enjoy the following certain rights:

  • The right to request access to the personal data
  • The right to rectification of the personal data
  • The right to erasure of the personal data
  • The right to restriction of processing
  • The right to data portability
  • The right to objection to the processing of the personal data, including the absolute right to object to direct marketing

Students also have the right to lodge a complaint with the competent supervisory authority, such as the Danish Data Protection Agency or the Swedish Data Protection Agency as relevant. Please consult their website for how to submit a complaint at datatilsynet.dk or datainspektionen.se respectively.

9. Contact

Students should contact DIS if they have any questions in regards to the protection of their personal data or if they wish to exercise their legal rights.

Contact details of the controller(s):

Fonden DIS – Danish Institute for Study Abroad
Vestergade 7
DK-1456 København K
Business registration no. in Denmark: DK13058946
Tel no: +45 33 11 01 44

DIS Stockholm AB
Melodislingan 21
115 51 Stockholm
Business registration no. in Sweden: 559021-1206
Tel no: +46 (0)10 175 13 13

DIS Properties APS
Vestergade 5
DK-1456 København K
Business registration no. in Denmark: 37511404

Contact details of the data protection officer:

E-mail address: dataprotectionofficer@dis.dk
Tel no: +45 33 76 54 36