PERSONAL DATA PROTECTION POLICY
THE AMERICAN COLLEGE OF GREECE
The American College of Greece (hereinafter referred to as “the College” or “ACG”), founded in 1875, is the oldest and largest US accredited college or university in Europe.
ACG is an independent, not for profit, nonsectarian, co-educational academic institution.
In order to fulfill its mission to offer transformative education, ACG processes personal data on various data subjects (students, alumni, parents and legal guardians, staff, as well as other people associated with ACG), in accordance with this Policy.
Data protection was and remains a subject that ACG handles with extreme sensitivity and precaution and this policy outlines the College’s commitment to data privacy and protection.
We review this policy regularly and reserve the right to make changes at any time to take into account any changes in our activities, legal requirements and how we process personal data.
This policy lays out the main framework of principles and rules regarding how we collect, process and store personal data about employees, professors, students and other individuals who interact with the College (“Data Subjects”), the rights of Data Subjects, as well as data security issues, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”) as well as the applicable Greek Legislation regarding the protection of personal data, as in effect from time to time (collectively referred to herein as the “Data Protection Legislation”).
WHO MUST READ AND ADHERE TO THIS POLICY
This policy applies to individuals who are connected to the College or interact with the College in any manner or capacity, and whose personal data we may hold from time to time, including the administrative personnel of the College, persons engaged by it in any way or under any capacity; its faculty members; anyone who may work for it on a contractual or casual basis; pupils and students and their parents/legal guardians, alumni, etc. It is the responsibility of all Faculty, Staff and Students to adhere to this policy.
PERSONAL DATA & DATA CONTROLLER
By personal data we refer to any information that relates to and can identify an individual. Personal Data includes the so-called “Special Categories of Personal Data”, namely data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation as well as data relating to criminal convictions and offences.
The American College of Greece, an educational institution which is established in Denver, Colorado, U.S.A., and operates in Greece at Aghia Paraskevi of Attica (6 Gravias Street), functions as the Data Controller of the personal data of students, parents/legal guardians, alumni, personnel and professors, maintaining records of such data both in an electronic and a hard copy format for various purposes.
HOW DOES THE COLLEGE PROCESS PERSONAL DATA
The collection, storage, and processing of personal data by the College takes place in accordance with the terms of this Policy as well as the provisions of the Data Protection Legislation.
TYPE OF PERSONAL DATA WE PROCESS PER CATEGORY OF DATA SUBJECTS
DATA COLLECTION, ACCESS TO DATA & DISCLOSURE/TRANSFER OF DATA
Personal data are legally collected by the College from the individuals to whom the data refer (“Data Subjects”), or by third parties, in accordance with the Data Protection Legislation.
Access to the personal data which are collected and processed by the College is restricted mainly to authorized ACG personnel, on a need-to-know basis, and within the framework of the College’s educational activities.
Furthermore, some of the personal data may be accessible and processed, within the framework of their responsibilities, by authorized external associates of ACG for the fulfillment of defined purposes and objectives. All external processors are selected based on whether they fulfill the same austere data protection measures as ACG. Any further transfer of personal data to any third person or to a country outside the European Union will take place only in case it is so provided by the Data Protection Legislation.
PURPOSE, LEGAL BASIS & DURATION OF PROCESSING
The College processes personal data in order to serve the educational needs of the College and its students, employment procedures for purposes of compliance with its legal obligations (including towards public authorities) and the serving of its legitimate interests.
The College may process personal data based on a number of legal bases, which may include the Data Subject’s consent, complying with agreements entered into with the Data Subject and/or its legal obligations, protecting the vital interests of the Data Subject, fulfilling a legitimate interest, except where such interests are overridden by the interests or fundamental rights and freedoms of a Data Subject, or protecting the health or life of the Data Subjects.
ACG will keep and process the personal data for as long as it is required for the serving of the purposes of processing and in order to comply with its legal obligations and to defend itself against any legal claims. After the above time period, ACG will proceed to the definite deletion of the above personal data.
ADHERENCE TO THE PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA
Personal Data maintained by the College shall be processed in accordance with the principles set forth in the Data Protection Legislation, including, without limitation, the principles of lawfulness, fairness and transparency, accuracy, data minimization, purpose and storage limitation, integrity and confidentiality.
In this context the College makes every effort through its personnel to keep the personal data stored by it in an updated form. Yet, Data Subjects must inform the College immediately of any change to their personal data, while the College also uses its reasonable endeavours to periodically update its records. Despite that, the College cannot guarantee the complete accuracy of any data stored by it.
RIGHTS OF DATA SUBJECTS
Subject to the exceptions, conditions and limitations provided by the Data Protection Legislation, the College secures the unhindered exercise by the data subjects of their rights under the Data Protection Legislation. The data subjects have the following rights:
- Right to information: This is the right of the data subject to be informed when data about him/her is being collected.
- Right to access: The data subjects have the right to obtain from the College confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the information provided by the Data Protection Legislation.
- Right to rectification: Data subjects have the right to rectification of inaccurate personal data concerning them, including completion of incomplete personal data.
- Right to restriction of processing: Where applicable, data subjects have the right to object to the processing of their data. They exercise this right by preparing a document that should be addressed to the Data Protection Officer, and should further include the request for a specific action (such as correction, temporary non-use, blocking of information, non-transfer or deletion, as the case may be).
- Right to erasure: Under certain circumstances, data subjects might request the erasure of their personal data.
- Right to objection: Under certain circumstances, data subjects have the right to object to the processing of their personal data.
- Right to data portability: Where processing is based on consent or a contract and the processing is carried out by automated means, data subjects have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format. They also have the right to transmit this personal data to a third party without hindrance from the College, if technically possible.
The above rights are exercised exclusively by the data subjects, or by their legally authorized proxies. For the purposes hereof, the parents of College students who are adults are considered as third persons and, as such, are not entitled to exercise the rights of those students on their behalf, unless they have been specifically authorized by the students to do so.
In the case of minors, the personal data rights are exercised by the minors’ parents, or by the person or persons who have legal custody of those minors.
In case a data subject exercises one of the aforementioned rights, ACG will take any possible measure for the prompt satisfaction of the data subject’s request, according to the specific provisions and conditions of the Data Protection Legislation, and shall inform the data subject in writing regarding the satisfaction of his/her request, or the reasons that prevent the exercise or satisfaction thereof, according to the Data Protection Legislation.
In addition, a data subject may at any time withdraw his/her consent for the processing of his/her personal data, without, however, affecting the lawfulness of processing based on consent before its withdrawal or the processing which has been based on another legal basis. We inform data subjects that in case of withdrawal of their consent, we may not be able to use their personal data and they might not be able to use the College’s services (or some of them).
Furthermore, data subjects have the right to lodge a complaint with the Hellenic Data Protection Authority, in case they consider that the processing of their personal data is against the applicable Data Protection Legislation.
To ensure data security, ACG strives to take extra organizational and technical security measures, continuously updates its privacy policies, regularly trains its Faculty & Staff on data protection issues, supports the data subjects when they wish to exercise their rights in accordance with the Data Protection Legislation, and takes all steps to ensure that its partners and vendors who process personal data are also compliant with the Data Protection Legislation.
As far as the destruction of personal data is concerned the following procedures are followed:
The destruction of personal data kept by the College after the completion of the processing and/or the fulfillment of the purposes served in keeping it, is carried out in accordance with the Guidelines of the Hellenic Data Protection Authority (currently the Guideline number 1/2005 for the safe destruction of personal data following the period required for the fulfillment of the purpose for processing), and, where applicable, is carried out under the supervision of the designated person-representative of the data processor. Specifically, data maintained in hard-copy form and designated for destruction are selected, gathered and guarded in a specially allocated and safe place to which only authorized personnel have access. Such data are either shredded and pulped and recycled, or burnt. A record of destruction is made when the above action takes place. The record notes the date of destruction and describes the data destroyed, the method of destruction and the full name of the employee of the data processor appointed as responsible for the destruction. The destruction of data stored in electronic form is carried out by overwriting it with the assistance of programs designed specifically for that purpose (file erasers, file shredders, etc.). Following that, the material in which the data is stored is also destroyed, as are all back-ups of the data. The same type of record of destruction is made in this case as in the case of destruction of hard-copy data.
The processing and storage of the personal data records by the College is a classified activity and, as such, is conducted by specifically authorized employees and executives of the College.
Data stored in hard-copy form are guarded in special places. The appropriate technical measures have been taken to ensure that non-authorized persons do not have access to those places. Only authorized personnel who have been charged with maintaining and processing personal data have access to those areas.
With regard to data maintained in electronic form, the appropriate security measures have also been taken. The data are stored in specific computers which block entry to anyone who does not have a password. Only authorized employees have the password, while back-up is guarded in special, restricted-access places. College employees who are authorized to maintain and process personal data on behalf of the College are bound to absolute secrecy regarding personal data. These employees are fully cognizant of all the stipulations of the law and all the procedures, terms and conditions pertaining to compliance with the applicable law on personal data and the legal storage and processing thereof.
PERSONAL DATA BREACHES
By breach we mean any breach of security that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to data processed, stored or transmitted.
If such a breach occurs at ACG, ACG shall take all steps required by the Data Protection Legislation, including, where applicable, reporting it to the Hellenic Data Protection Authority and/or communicating with the Data Subjects who may have been affected thereby.
If a member of the staff, faculty, student or a member associated with the ACG Community becomes aware of a breach, they should immediately contact the Data Protection Officer.
DATA PROTECTION OFFICER
If you have any queries in relation to the protection of your personal data or you wish to exercise any of your legal rights, you can contact the Data Protection Officer of the American College of Greece by using the following contact details:
Address: 6 Gravias Street, Aghia Paraskevi, 15342
E-mail address: [email protected]