The Seminary recognizes the General Data Protection Regulation (GDPR) and the rights of European Union citizens whose information may reside in its data processing systems, and is actively working to demonstrate compliant processing of personal information for these EU citizens. This document describes the Seminary's preparedness and efforts towards compliance where personal data of EU citizens is processed.
The Seminary identifies “Data Subjects” as any natural person to whom personal data relates. Within the context of the Seminary the data subjects fall into the following categories:
- Students (prospective, current, alumni)
- Employees (applicants, current, past)
- Other contacts (agents, partners, vendors, etc.)
Personal data, as defined within the context of GDPR, is any data that can be directly or indirectly related to a natural person (data subject). Personal data includes any identifier that can connect data to a data subject, e.g. name, citizen ID, phone number, email address, gender, nationality, address, interests, career details, etc.
Sensitive Personal Data
The Seminary may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.
Processing Personal Data
The Seminary shall so far as is reasonably practicable make all efforts to ensure all personal data is:
- Fairly and lawfully processed
- Processed for a lawful purpose
- Adequate, relevant and not excessive
- Accurate and up to date
- Processed in accordance with the data subject's rights
- Not transferred to other countries without adequate protection. Currently no data is transferred to other countries; however, if the need arises in the future, the Seminary will take adequate precautions to ensure that data is not transferred to other countries without adequate protection.
Lawful bases for processing data
GDPR requires a lawful basis for processing personal data. The Seminary houses personal data to recognize, process and communicate with its data subjects of prospective students, current students, prospective employees, current employees and alumni. The processing of this data is lawful and necessary and falls into one or more of the following categories:
(a) Consent: We use personal information while processing data for communicating with prospective students and prospective employees. While we do not have an implied contract with these data subjects at this point, the data subjects give us their implied consent to communicate with them by completing an application, which is an expression of intent to come to the Seminary (students, employees).
(b) Contract: We use personal information while processing data that is necessary for the implied contract the Seminary has with the individual e.g.
- Academic Processing for students,
- Payroll and financial and tax processing for employees.
(c) Legal obligation: We will share personal information with companies, organizations or individuals outside of the Seminary if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
- meet any applicable law, regulation, legal process or enforceable governmental request e.g. the processing is necessary for the Seminary to comply with the US Federal laws as well as NY State and Federal reporting requirements.
- enforce applicable Terms of Service, including investigation of potential violations;
- detect, prevent, or otherwise address fraud, security or technical issues;
- protect against harm to the rights, property or safety of the Seminary, our users or the public as required or permitted by law.
(d) Public task: the processing is necessary for the Seminary to perform a task in the public interest or for our official functions as a private Seminary within the State of NY and the USA, and the task or function has a clear basis in law. Examples of these are:
- Providing student statistical information to the National Student Clearinghouse.
- IPEDS reporting.
Any information which falls under the definition of personal data and is not otherwise exempt will remain confidential and will only be disclosed to third parties with appropriate consent.
US laws of FERPA, GLBA and HIPAA
The Seminary is also required to protect personal data with respect to the laws of the United States, as well as to provide information to State and Federal authorities as those laws require. The Seminary complies with data requirements under the United States FERPA (Family Educational Rights and Privacy Act), GLBA (Gramm-Leach-Bliley Act) and HIPAA (Health Insurance Portability and Accountability Act of 1996).
Data Controller, Data Processors and External Data Processors
The Seminary acts as a Data Controller for all the personal data of its data subjects. The data is processed by two kinds of parties:
- The Seminary acts as its own Data Processor where on-premises, Seminary-owned systems are used to process the Seminary's data.
- In certain cases, data is transferred to external vendors who process the data on the Seminary's behalf. The Seminary-appointed GDPR Team maintains a list of the external Data Processor organizations to which the Seminary currently passes personal data, and which process personal data on the Seminary's behalf. The Seminary will make every reasonable effort to get its external data processors to comply with this policy.
- The Seminary will make every reasonable effort to propagate all approved Personal Data change requests to its internal and external processors.
Rights of Access to Information
Data subjects have the right of access to information held by the Seminary. Any data subject wishing to access their personal data should put their request in writing to the RCM identified below.
- The Seminary will endeavour to respond to any such written requests within 30 days.
- The Seminary will need to verify the identity of the data subject making the request.
- Once the identity of the data subject has been verified, the Seminary will determine if the request can be carried out or if the Seminary has to refuse the request based on current regulations or contract obligations between the data subject and the Seminary.
- If the request is approved, the request will be processed within the Seminary's internal and external data processing areas.
- If the request is refused, the data subject will be notified as to why the request was denied.
Certain data is exempted from the provisions of the Rights of Access to Information under GDPR. Below are examples of some of the exceptions:
- National security and the prevention or detection of crime
- The assessment of any tax or duty
- Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the Seminary
- Data that may violate another person’s privacy
For more information on exemptions, please contact the RCM.
The Seminary will make every reasonable effort to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the relevant Seminary department of any changes to information held about them.
Data from Minors
The Seminary is committed to protecting the privacy of children; therefore, the Seminary does not knowingly collect or process data from children under 16 years of age except in compliance with children's online privacy protection law. Accordingly, children under the age of 16 may only use services and programs offered by the Seminary with the permission and supervision of their parents. Additionally, teachers and departments of the Seminary that provide programs and services in the classroom to children under 16 years of age are required to obtain the express consent of such children's parents, in compliance with applicable law, prior to permitting such children to access or use the services or programs.
Compliance and cooperation with regulatory authorities
If an individual believes that the Seminary has not complied with this Policy or acted otherwise than in accordance with the GDPR, the person should contact the RCM and file their complaint in writing as well as utilize the Seminary's grievance procedures.
The Seminary regularly reviews its compliance with this Policy. We value your feedback, so we may contact you to ask for more information or to follow up. We will work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding individual rights or the transfer of personal data that we cannot resolve with our data subjects directly.
The Seminary takes data security very seriously and takes multiple layers of industry-appropriate steps to ensure the protection and security of personal data entrusted to the Seminary. The Seminary uses multiple industry-standard solutions and processes to detect, report and investigate a personal data breach.
We work hard to protect the Seminary and our data subjects from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular:
- We encrypt data where possible: using SSL/TLS in transit, and encryption at rest.
- We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.
- We restrict access to personal information to authorized Seminary staff and third parties who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
The Seminary has a Security Incident Response Team (SIRT) that is part of the Seminary's Emergency Response Team. This team utilizes a Security Incident Response Plan (SIRP). The plan is designed to be enforced in case a data security breach is detected or reported to the Seminary.
The GDPR introduces a duty on all organizations to report certain types of data breaches to the ICO and in some cases to the individuals affected. If the data breach falls into these categories, the Seminary with help from the SIRT will make the appropriate reports.
Employee Training on GDPR
The Seminary provides several layers of data security training to its employees on a regular basis. From May 25, 2018 onwards, employees and offices who interact with EU citizens will also receive training on personal data as defined by GDPR and on how to ensure effective protection of this data.
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.
Retention of Data
The Seminary may retain data for differing periods of time for different purposes, as required by statute or best practices; individual departments incorporate these retention periods into their processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. The Seminary may store some data, such as registers, photographs, exam results, achievements, books and works, indefinitely in its archive.
Data Subject Point of Contact
The Seminary Risk and Compliance Manager (RCM) will act as the point of contact for Personal Data Rights Requests from Data Subjects.
- If an individual believes that the Seminary has not complied with this Policy or acted otherwise than in accordance with the GDPR, the person should contact the RCM and file their complaint in writing.
- The Seminary has appointed a cross-functional GDPR Team that manages all documents related to GDPR compliance and oversees the processing of all requests received by the RCM from data subjects.
- The GDPR Team and the RCM ensure that all requests from a data subject are addressed within the mandated 30-day period for these requests.
- The GDPR Team is assisted in these responsibilities by the Department of Registration, the Department of Information Technology, the Department of Enrollment Management and the Department of Human Resources.
Location of the Seminary
The Seminary is located at 2301 Westside Drive, Rochester NY, USA, and its lead data protection supervisory authority operates from this location.