This policy describes Chapman University's data protection strategy to comply with multiple regulations, including the European Union General Data Protection Regulation ("EU GDPR").
REASON FOR THE POLICY
In order for Chapman to educate its foreign and domestic students, engage in world-class research, and provide community services, it is essential and necessary, and Chapman has a lawful basis, to collect, process, use, and/or maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission, registration, delivery of classroom and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention.
The EU GDPR imposes obligations on entities, like Chapman, that collect or process personal data about people in the European Union ("EU"). The EU GDPR applies to personal data collected or processed about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country.
Lawful Basis for Collecting or Processing Personal Data
Chapman has a lawful basis to collect and process personal data. Most of Chapman's collection and processing of personal data will fall under the following categories:
- Processing is necessary for the purposes of the legitimate interests pursued by Chapman or by a third party.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which Chapman is subject.
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.
Data Protection & Governance
Chapman protects all personal data and sensitive personal data that it collects or processes on a lawful basis. Any personal data and sensitive personal data collected or processed by Chapman is:
- Processed lawfully, fairly, and in a transparent manner
- Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes
- Limited to what is necessary in relation to the purposes for which they are collected and processed
- Accurate and kept up to date
- Retained only as long as necessary
Sensitive Personal Data & Consent
Chapman obtains consent before it collects or processes sensitive personal data.
Individual data subjects covered by this policy will be afforded the following rights:
- information about the controller collecting the data
- the data protection officer contact information (if assigned)
- the purposes and lawful basis of the data collection/processing
- recipients of the personal data
- if Chapman intends to transfer personal data to another country or international organization
- the period the personal data will be stored
- the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability
- the existence of the right to withdraw consent at any time
- the right to lodge a complaint with a supervisory authority (established in the EU)
- why the personal data are required, and possible consequences of the failure to provide the data
- the existence of automated decision-making, including profiling
- if the collected data are going to be further processed for a purpose other than that for which they were collected
OFFICE RESPONSIBLE FOR POLICY
Name of Office: Information Services & Technology
Contact information for questions about this policy: firstname.lastname@example.org
WEBSITE ADDRESS FOR THIS POLICY
WHO APPROVED THIS POLICY
Senior Staff member submitting the policy: Helen Norris
Date approved: under review