Version: July 2018
In connection with processing applications for student enrollment at DIS – Study Abroad in Scandinavia, Fonden DIS, DIS Stockholm AB, and DIS Properties APS (DIS) will, as the joint data controller, collect, and process personal data about prospective students.
1. Categories of personal of data and purposes
We collect and process the following types of personal data
Non-sensitive categories of personal data are: name, email, university, academic standing, cumulative grade point average, major of study, minor of study, study abroad semester, home address, phone number(s), birth date, gender, nationality, photo, application status, application essay details, recommendation letter(s) details, transcripts, and ID number. Prospective students may be interviewed as part of the application process, in which case interview notes or interview rubric scores may be processed.
Prospective students applying for financial aid have the following additional categories of non-sensitive data processed: alien registration number (if applicable), marital status, selective service registration, educational level, tax return form, income tax paid, exemptions/credits claimed, income, total savings, net worth, investments, child support paid, welfare status, financial aid received, other earnings, military service, children/dependents, family status, scholarship application details.
Sensitive categories of data are only processed when disclosed in application or scholarship essays, at the prospective students’ discretion and consent.
We process the personal data for the following purposes:
- To process applications in order to make admissions decisions for prospective students applying to study at DIS
- In pursuit of the DIS Mission, including the DIS commitment to its values and to diversity and respect
- To collaborate with partners locally and globally
- For statistical and research purposes
- To comply with applicable personal data protection regulation and other legitimate interests, e.g.
o Documentation requirements
o Compliance with basic principles and legal grounds for processing personal data
o Putting in place, maintaining and testing technical and organizational security measures
o Investigating and reporting suspected personal data breaches, if any
o Handling requests and complaints from data subjects and others, if any
o Handling inspections and queries by supervisory authorities, if any
o Handling disputes with data subjects and third parties, if any
2. The legal basis for the collection and processing of the personal data
The legal basis for collection and processing of name, email, university, academic standing, cumulative grade point average, major of study, minor of study, study abroad semester, home address, phone number(s), birth date, gender, nationality, photo, application status, application essay details, recommendation letter(s) details, transcripts, ID number, and potentially interview notes or interview rubric scores is the following:
- For prospective students admitted to DIS, processing is based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- For prospective students not admitted to DIS, processing is based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.
DIS collects personal data directly from prospective students for the purpose of processing applications in order to make admissions decisions. Prospective students provide personal data in order to be able to conclude an agreement with DIS or in the legitimate interests of DIS. The legitimate interests of DIS are to run an admissions process without the foreknowledge of which prospective students will be admitted (therefore making it precontract processing) and to contribute to improvements in the admissions process to better serve prospective students, their home institutions, and DIS. Prospective students are obliged to provide the information to DIS, but if a prospective student is not admitted then the prospective student has a right to object to any further processing on the basis that their legitimate interests as an individual outweigh the legitimate interests of DIS as an organization. To exercise this claim prospective students need to contact the DIS Data Protection Officer (email@example.com) detailing to which legitimate interest they are objecting, and why their interests outweigh those of DIS in the specific instance. Objecting on this basis does not affect the lawfulness of any processing prior to the objection. The consequences of not providing the personal data are that prospective students are unable to complete the admissions process and would be ineligible to be admitted to DIS.
The legal basis for collection and processing any sensitive application or scholarship details shared at the discretion of prospective students is the following:
- Based on GDPR art. 6(1)(a), processing which the data subject has given consent to of his or her personal data for one or more specific purposes.
When DIS collects this personal data directly from students, sharing for the purpose of fulfilling strategic diversity goals and processing scholarship applications, they provide it voluntarily. They are not obliged to provide the information to DIS and there are no consequences to not sharing sensitive information in any essays.
3. Disclosure of the personal data to other controllers
The prospective students’ personal data will be disclosed to and shared with their home universities.
The legal basis for the disclosure of prospective students’ name, email, photo, and application status is the following:
- For prospective students admitted to DIS, processing and disclosure out-side of the EU is based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
For prospective students not admitted to DIS, no further disclosures are made after the application status is updated for prospective students’ home universities.
4. Transfer of personal data to data processors
DIS transfers the personal data to IT providers and the DIS North American Office (part of the University of Minnesota) which processes and/or stores the personal data on behalf of DIS.
5. International transfers of personal data to recipients (both controllers and processors) in countries outside the EU/EEA
We transfer the personal data to the following recipients located in countries outside the EU/EEA:
|Transfers of personal data to a third country or an international organization|
|Transfer basis (varies per IT provider)|
|Category of recipient:
Including Vultr, Sendgrid, Paper-trail, Zendesk
(sub-processor categorization for following IT providers is on-going and will be updated as such)
|Category of recipient:
DIS North American Office (University of Minnesota)
Sub-processor Google Suite and Google Cloud
|Category of recipient:
Home university of the student (varies)
6. Retention period
DIS stores the personal data for as long as necessary to fulfill the purposes above, however, for no longer than a period of four years. Personal data for prospective students not accepted to DIS is psuedonymized within this four year period. Prospective students admitted to DIS are covered by a different set of retention parameters, which can be seen in the Student Privacy Notice here: Privacy Notice for Students
7. Prospective Students’ rights
Subject to the conditions set out in the applicable data protection legislation, students enjoy the following certain rights:
- The right to request access to the personal data
- The right to rectification of the personal data
- The right to erasure of the personal data
- The right to restriction of processing
- The right to data portability
- The right to objection to the processing of the personal data, including the absolute right to object to direct marketing
Prospective students also have the right to lodge a complaint with the competent supervisory authority, such as the Danish Data Protection Agency or the Swedish Data Protection Agency as relevant. Please consult their website for how to submit a complaint at datatilsynet.dk or datainspektionen.se respectively.
Prospective students should contact DIS if they have any questions in regards to the protection of their personal data or if they wish to exercise their legal rights.
Contact details of the controller(s):
Fonden DIS – Danish Institute for Study Abroad
DK-1456 København K
Business registration no. in Denmark: DK13058946
Tel no: +45 33 11 01 44
DIS Stockholm AB
115 51 Stockholm
Business registration no. in Sweden: 559021-1206
Tel no: +46 (0)10 175 13 13
DIS Properties APS
DK-1456 København K
Business registration no. in Denmark: 37511404
Contact details of the data protection officer:
E-mail address: firstname.lastname@example.org
Tel no: +45 33 76 54 36