UNDE GDPR Privacy Notice Information

What Personal Data is Collected 

When UNDE seeks to gather personal information, UNDE informs individuals as to why they are being asked for their information, and how UNDE intends to use the data via the UNDE data privacy notice. Personal information may include anything that directly or indirectly identifies or relates to a living person (e.g. a name, address, telephone number, date of birth, unique identification number, photographs, video recordings, including images on CCTV).

How UNDE Collects Your Data 

The data collected from you will be used by UNDE only in accordance with the purposes outlined in this privacy notice.

Data collected in this manner will be shared within the following areas of UNDE, and may be shared with the University of Notre Dame in the United States. 

If you have any queries or complaints in relation to the use of your personal data you may contact Notre Dame via the Office of Information Security and Compliance at infosec@nd.edu.

The Purpose for (use of), and Legal Basis for Collecting Your Data

There are a number of legal reasons and different circumstances why UNDE may collect personal information. Personal information may be collected and used when:

• An individual, or their legal representative, has given consent
• An individual or organization has entered into a contract with us
• It is necessary for UNDE to perform their statutory duties, or other legitimate business purposes
• It is necessary to protect someone in an emergency
• It is required by law, or is necessary for legal cases
• It is necessary for employment purposes
• It is necessary to deliver part of our service
• A company or individual has made their information publicly available
• It is necessary for archiving, research, or statistical purposes

When UNDE has received consent to use personal information for specific reasons, individuals have the right to remove consent at any time. To remove consent, please contact Notre Dame via the GDPR Inquiry Form, stating which service the consent is withdrawn from.

How UNDE Stores and Secures Your Data

Any data collected from you by UNDE will be stored confidentially and securely as required by UNDE and the University of Notre Dame (USA) Information Security Policy. UNDE and Notre Dame are committed to ensuring that all accesses to, uses of, and processing of such data is performed in a secure, controlled manner.

UNDE has a duty of care and a legal obligation to make sure personal information (on paper and electronically) is kept secure, and to only make information accessible to those individuals who have a right to it. To ensure this, UNDE has the following processes and policies in effect to safeguard personal information. These practices to ensure data security include:

• encryption, keeping information encoded so it can be read only via secure processes
• pseudonymisation, anonymizing sensitive aspects of personal information so an individual can work with data without knowing which individual data subject it belongs to
• controlling access, to keep systems and networks secure by restricting who is allowed to view personal information through the use of two-factor identification or VPN connection
• training, making UNDE employees aware of how to handle personal information, and how and when to report when something goes wrong
• reviews, assessing technology and working practice to maintain good practice and secure IT

In keeping with these data protection principles, UNDE will only store and retain information for a time period that serves the original purpose for which it was collected, or as long as required by law. UNDE may at times be required for business purposes to keep personal information for a set period of time.

Personal information held by UNDE is stored in systems within the U.K, either on the premises or on secure IT platforms. In certain instances, pieces of information can and may be transferred to another organisation, including outside of the EU. This most routinely happens when academic progression information is sent to Notre Dame, in the United States of America. Notre Dame has agreements with third-party organisations where data is collected, stored, or processed, in order to protect personal information per United States Law.

If you have any queries or complaints in relation to the use of your personal data you may contact Notre Dame via the Office of Information Security and Compliance at infosec@nd.edu.

When UNDE Shares Personal Data; Details of Third Parties With Whom UNDE Shares Personal Data

In certain circumstances, UNDE may use a third-party organization to store an individual’s personal information or to help deliver a service. In such instance, UNDE and/or Notre Dame will have an agreement in place to ensure that the third party in question is compliant with pertinent and applicable data protection law.

UNDE may at times be required by legal duty to provide personal information to other organisations. In extremely rare circumstances, UNDE may also share personal information when there is a necessary reason to do so. This may happen under specific circumstances, including but not limited to:

• identify or prevent crime
• if there are serious risks to the general public or members of the UNDE community
• to protect a vulnerable member of the community (such as a child)
• to protect adults who are thought to be at risk (e.g. individuals who could be confused or incapacitated).

In such circumstances, the risk must be serious or significant to merit overriding the individuals’ right to privacy; as such, UNDE will thoroughly document what information is shared and the reasons for sharing, and will notify affected individuals when merited.

Normally, when UNDE is worried about a person’s safety and feels it is necessary to take action to protect them from harm, UNDE shall discuss their concerns and obtain such a person’s consent to inform and tell others about the situation. However, UNDE may share information without consent if it is believed that the risk of harm is serious enough. In this circumstance, UNDE will thoroughly document the information that is shared and the reasons for sharing, and if safe to do so the individual is notified of what personal information has been shared and where.

UNDE will share your data with the following third parties where necessary for purposes of the processing outlined here:

When your data is shared with the third parties outlined here, UNDE will ensure that the data is only processed according to our specific instructions and that the same standards of confidentiality and security are maintained. Once the processing of the data is complete any third parties with whom data was shared will be required to return the data to UNDE save where they are required to retain it by law.

What Are Your Rights?

The European General Data Protection Regulation provides individuals rights in relation to how their personal information is used. You have the following individual rights over the way UNDE processes your personal data.

Right of Access

You have the right to request a copy of the personal data UNDE processes about you, and to exercise that right easily and at reasonable intervals.

Consent

You have the right to withdraw your consent where that is the legal basis of UNDE’s processing.

Rectification

You have the right to have inaccuracies in personal data that is held about you rectified.

Erasure

You have the right to have your personal data deleted where there is no longer any justification for retaining it, subject to exemptions such as the use of pseudonymised data for scientific research.

Object

You have the right to object to processing your personal data if:

• UNDE has processed your data based on a legitimate interest or for the exercise of the public tasks of UNDE/ the University of Notre Dame (USA), if you believe the processing to be disproportionate or unfair to you;
• The personal data was processed for the purposes of direct marketing or profiling related to direct marketing;
• UNDE has processed the personal data for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Restriction

You have the right to restrict the processing of your personal data if:

• You are contesting the accuracy of the personal data;
• The personal data was processed unlawfully;
• You need to prevent the erasure of the personal data in order to comply with legal obligations;
• You have objected to the processing of the personal data and wish to restrict the processing until a legal basis for continued processing has been verified.

Portability

Where it is technically feasible you have the right to have a readily accessible, machine readable copy of your data transferred or moved to another data controller where we are processing your data based on your consent and if that processing is carried out by automated means.

Contact

Please contact Notre Dame and UNDE via the GDPR Inquiry Form, if you wish to make a request:

• To obtain information about yourself;
• To have your information corrected (where applicable by law); OR
• To have your information removed / erased (where applicable by law).

If you have any other queries relating to the processing of your personal data or if you have any queries or complaints in relation to the use of your personal data, you may contact Notre Dame via the Office of Information Security and Compliance at infosec@nd.edu.

For independent guidance about U.K. data protection, privacy and data sharing issues, please contact the Information Commissioner’s Office (ICO) at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF (Tel: 0303 123 1113, local rate, or 01625 545 745, national rate)

If you are not satisfied with the information we have provided to you in relation to the processing of your data you may make a complaint to the Information Commissioner’s Office via the link on their website, Making a Complaint to the ICO.