Privacy Notice for Prospective Students

Version: October 2023

In connection with processing applications for student enrollment at DIS – Study Abroad in Scandinavia, Fonden DIS and DIS Stockholm AB (DIS) will, as the joint data controller, collect, and process personal data about prospective students.

1. Categories of personal of data and purposes

We collect and process the following types of personal data

Non-sensitive categories of personal data are: name, email, university, academic standing, cumulative grade point average, major of study, minor of study, study abroad semester, home address, phone number(s), birth date, gender, nationality, photo, application status, application essay details, recommendation letter(s) details, transcripts, ID number, and system metadata. Prospective students may be interviewed as part of the application process, in which case interview notes or interview rubric scores may be processed. Tracking pixels are used in connection with newsletter communication.

Prospective students applying for financial aid have the following additional categories of non-sensitive data processed: alien registration number (if applicable), marital status, selective service registration, educational level, tax return form, income tax paid, exemptions/credits claimed, income, total savings, net worth, investments, child support paid, welfare status, financial aid received, other earnings, military service, children/dependents, family status, scholarship application details.

Sensitive categories of data are only processed when disclosed in application or scholarship essays, at the prospective students’ discretion and consent.

We process the personal data for the following purposes:

  • To process applications in order to make admissions decisions for prospective students applying to study at DIS
  • In pursuit of the DIS Mission, including the DIS commitment to its values and to diversity and respect
  • To collaborate with partners locally and globally
  • For statistical and research purposes
  • To comply with applicable personal data protection regulation and other legitimate interests, e.g.
    o Documentation requirements
    o Compliance with basic principles and legal grounds for processing personal data
    o Putting in place, maintaining and testing technical and organizational security measures
    o Investigating and reporting suspected personal data breaches, if any
    o Handling requests and complaints from data subjects and others, if any
    o Handling inspections and queries by supervisory authorities, if any
    o Handling disputes with data subjects and third parties, if any

2. Sources

Students’ personal data is collected from the individual student, either directly through online registration or indirectly through students’ home institutions. Interview details, ID number and other system metadata are generated by DIS.

3. The legal basis for the collection and processing of the personal data

The legal basis for collection and processing of name, email, university, academic standing, cumulative grade point average, major of study, minor of study, study abroad semester, home address, phone number(s), birth date, gender, nationality, photo, application status, application essay details, recommendation letter(s) details, transcripts, ID number, tracking pixels, and potentially interview notes or interview rubric scores is the following:

  • For prospective students admitted to DIS, processing is based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • For prospective students not admitted to DIS, processing is based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.

DIS collects personal data directly from prospective students for the purpose of processing applications in order to make admissions decisions, recruiting Prospective students to DIS, and to communicate relevant program and application information by newsletter. Prospective students provide personal data in order to be able to conclude an agreement with DIS or in the legitimate interests of DIS. The legitimate interests of DIS are to run an admissions process without the foreknowledge of which prospective students will be admitted (therefore making it pre-contract processing), to recruit Prospective students to DIS, and to improve communication efficacy through tracking pixels, and to contribute to improvements in the admissions process to better serve prospective students, their home institutions, and DIS. Prospective students are obliged to provide the information to DIS, but if a prospective student is not admitted then the prospective student has a right to object to any further processing on the basis that their legitimate interests as an individual outweigh the legitimate interests of DIS as an organization. To exercise this claim prospective students need to contact the DIS Data Protection Officer (dataprotectionofficer@dis.dk) detailing to which legitimate interest they are objecting, and why their interests outweigh those of DIS in the specific instance. Objecting on this basis does not affect the lawfulness of any processing prior to the objection. The consequences of not providing the personal data are that prospective students are unable to complete the admissions process and would be ineligible to be admitted to DIS. Prospective students may opt-out of newsletters at any time by selecting unsubscribe.

The legal basis for collection and processing any sensitive application or scholarship details shared at the discretion of prospective students is the following:

  • Based on GDPR art. 6(1)(a), processing which the data subject has given consent to of his or her personal data for one or more specific purposes.

When DIS collects this personal data directly from students, sharing for the purpose of fulfilling strategic diversity goals and processing scholarship applications, they provide it voluntarily. They are not obliged to provide the information to DIS and there are no consequences to not sharing sensitive information in any essays.

4. Disclosure of the personal data to other controllers

The prospective students’ personal data will be disclosed to and shared with their home universities.

The legal basis for the disclosure of prospective students’ name, email, photo, university, academic standing, cumulative grade point average, major of study, minor of study, study abroad semester, scholarship details, home address, and application status is the following:

  • For prospective students admitted to DIS, processing and disclosure is based on GDPR art. 6(1)(b), processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • For prospective students not admitted to DIS, processing and disclosure is based on GDPR art. 6(1)(f), processing which is necessary for the purposes of the legitimate interests pursued by the controller.

For prospective students not admitted to DIS, no further disclosures are made after the application status is updated for prospective students’ home universities.

5. Transfer of personal data to data processors

DIS transfers the personal data to IT providers and the DIS North American Office (part of the University of Minnesota) which processes and/or stores the personal data on behalf of DIS.

6. International transfers of personal data to recipients (both controllers and processors) in countries outside the EU/EEA

We transfer the personal data to the following recipients located in countries outside the EU/EEA:

Transfers of personal data to a third country or an international organization
Transfer basis
Category of recipient:
IT Providers
Including Sendgrid, Papertrail, Parchment, Microsoft Office 365
Country:
United States
  • EU Standard Contractual Clauses – to processors
Category of recipient:
DIS North American Office (University of Minnesota)
Country:
United States
  • EU Standard Contractual Clauses – to processors
Category of recipient:
Home university of the student (varies)
Country:
United States
  • EU Standard Contractual Clauses – to controllers

EU Standard Contractual Clauses as a transfer basis, means that DIS and the other organization(s) have agreed to additional contractual language from the EU, which protects the legal rights Prospective Students have as a data subject, even though Prospective Student personal data is shared outside of the EU. Prospective Students have the right to obtain a copy of these clauses, which can be exercised by contacting dataprotectionofficer@dis.dk.

7. Retention period

DIS stores the personal data for as long as necessary to fulfill the purposes above, however, for no longer than a period of four years. Personal data for prospective students not accepted to DIS is anonymized within this four year period. Prospective students admitted to DIS are covered by a different set of retention parameters, which can be seen in the Student Privacy Notice here: Privacy Notice for Students

8. Prospective Students’ rights
Subject to the conditions set out in the applicable data protection legislation, students enjoy the following certain rights:

  • The right to request access to the personal data
  • The right to rectification of the personal data
  • The right to erasure of the personal data
  • The right to restriction of processing
  • The right to data portability
  • The right to objection to the processing of the personal data, including the absolute right to object to direct marketing

Prospective students also have the right to lodge a complaint with the competent supervisory authority, such as the Danish Data Protection Agency or the Swedish Data Protection Agency as relevant. Please consult their website for how to submit a complaint at datatilsynet.dk or imy.se respectively.

9. Contact

Prospective students should contact DIS if they have any questions in regards to the protection of their personal data or if they wish to exercise their legal rights.

Contact details of the controller(s):

Fonden DIS – Danish Institute for Study Abroad
Vestergade 7
DK-1456 København K
Business registration no. in Denmark: DK13058946
Tel no: +45 33 11 01 44

DIS Stockholm AB
Melodislingan 21
115 51 Stockholm
Business registration no. in Sweden: 559021-1206
Tel no: +46 (0)10 175 13 13

E-mail address: dataprotectionofficer@dis.dk
Tel no: +45 33 76 54 36