National University System EU GDPR Privacy Policy

  1. Scope
    This policy applies to all data subjects whose personal data National University System and/or its affiliates collect or process, in line with the requirements of the General Data Protection Regulation (GDPR).

    This regulation applies to data about anyone in the EU, regardless of whether they are a citizen or permanent resident of an EU country. The regulation makes no distinctions based on individuals' permanent places of residence or nationality.

  2. Responsibilities
    2.1 – The Data Protection Officer is responsible for ensuring that this policy is made available to data subjects prior to National University System and/or its affiliates collecting/processing their personal data.

    2.2 – All employees of National University System and/or its affiliates who interact with data subjects are responsible for ensuring that this policy is presented to them and that any required consent is collected.

  3. Policy Statement
    National University System (NUS) and its affiliates are institutes of higher education. For National University System and its affiliates to educate their students, it is necessary to collect, process, use, and maintain data about their students, employees, applicants, and others involved in their educational programs. The purposes of this processing include, without limitation, admission, registration, delivery of content, on-ground and online courses, study abroad education, grades, communications, employment, program analysis for improvements, and records retention.

    NUS and its affiliates take seriously their duty to protect the personal data they collect or process. In addition to National University System's and its affiliates' overall data protection program, the European Union General Data Protection Regulation ('GDPR') imposes obligations on entities like National University, CityU of Seattle and John F. Kennedy University (JFKU) that collect or process personal data of people in the European Union ('EU'). GDPR applies to personal data National University System and its affiliates collect or process about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country. Among other things, GDPR requires National University System and its affiliates to:

    • Be transparent about the personal data they collect or process and the uses they make of it
    • Keep track of all uses and disclosures they make of personal data
    • Appropriately secure personal data

    This policy describes National University System and its affiliates' data protection strategy to comply with the GDPR. For more information regarding the National University Privacy Policy, please review National University's Privacy Policy.

  3.1. Background to the General Data Protection Regulation ('GDPR')
    The General Data Protection Regulation 2016 replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual Member States that were developed in compliance with the Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.

  3.2. Definitions used by National University System
    GDPR applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.

    Territorial scope (Article 3) – GDPR applies to all controllers and processors established in the EU (European Union) that process personal data in the context of the activities of that establishment, regardless of whether the processing itself takes place in the EU. It also applies to controllers and processors outside the EU that process personal data of data subjects who are in the EU in order to offer them goods or services, or to monitor their behaviour within the EU.

    Article 4 definitions

    Child – for the purposes of consent, GDPR (Article 8) treats anyone under the age of 16 as a child, although Member State law may lower this age to no less than 13. Where consent is the lawful basis for processing a child's personal data in relation to information society services offered directly to the child, the processing is lawful only if consent is given or authorised by the holder of parental responsibility over the child. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility.

    Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

    Data subject – any living individual who is the subject of personal data held by an organization.

    Data subject consent – means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

    To give or withdraw your consent to National University System and/or its affiliates processing your personal data, please visit: https://iso.nu.edu/Privacy-GDPR.html

    Establishment – the main establishment of a controller in the EU is the place where the controller makes the main decisions as to the purposes and means of its data processing activities. The main establishment of a processor in the EU is its central administration. A controller or processor that is not established in the EU but falls within GDPR's territorial scope must, subject to the exceptions in Article 27, designate a representative established in one of the Member States where the data subjects whose data it processes are located, to act on its behalf and deal with supervisory authorities and data subjects.

    Filing system – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

    Legitimate interest – processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

    Personal data – any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    Profiling – is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.

    Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to those rights and freedoms, the controller must also communicate it to the affected data subjects without undue delay.

    Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

    Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

  3.3. Data Protection & Governance
    National University System (NUS) and/or its affiliates will protect all personal data and special category (sensitive) personal data that they collect or process on a lawful basis. Any personal data and sensitive personal data collected or processed will be:

    • Processed lawfully, fairly, and in a transparent manner
    • Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes
    • Limited to what is necessary in relation to the purposes for which they are collected and processed
    • Accurate and kept up-to-date
    • Retained only as long as necessary
    • Kept secure, using appropriate technical and organisational measures

  4.1. Policy Enforcement
    This policy applies to all Employees/Staff/Students/Faculty and interested parties of National University System and its affiliates, such as outsourced suppliers. Any breach of GDPR will be dealt with under the applicable NUS or affiliate disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.

    Partners and any third parties working with or for National University System and/or its affiliates, and who have or may have access to personal data, will be expected to have read, understood and to comply with this policy. No third party may access personal data held by National University System and/or its affiliates without having first entered into a data confidentiality agreement, which imposes on the third party obligations no less onerous than those to which NUS and/or its affiliates are committed, and which gives NUS and/or its affiliates the right to audit compliance with the agreement.

  5.1. Retention Period
    National University System and/or its affiliates will process and store personal data for no longer than is necessary for the specified educational purpose(s) for which it was collected.

  6.1. Policy Updates
    National University System and/or its affiliates reserve the right to modify this GDPR Privacy Policy, or any related policies, at any time. We encourage visitors to frequently check this page for any changes to this Privacy Policy. If we make changes we will post an updated effective date below. Your continued use of this site after any change in this Privacy Policy will constitute your acceptance of such change. This policy was last updated on May 23, 2018.

  6.2. Contacts:
    Our Data Protection Officer can be contacted directly here:

    • US – National University, 11355 N Torrey Pines Rd, La Jolla, CA 92037 – Office of Information Technology, Information Security Office. dataprotection@nu.edu

    Form Links:
    National University Privacy Policy
    NU-EU-GDPR Model Consent/Withdraw Forms

    Frequently Asked Questions:
    For Frequently Asked Questions about EU GDPR compliance at National University System and/or its affiliates, see the Information Technology, Information Security Office website.