Policy

Colorado College (CC) is an institute of higher education involved in education, research and community development. In order for CC to educate its foreign and domestic students, engage in research, and provide community services, it is essential and necessary, and CC has a lawful basis, to collect, process, use, and/or maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission, registration, delivery of classroom, field, and study abroad education, grades, communications, employment, research, development, program analysis for improvements, and records retention.

Colorado College takes seriously its duty to protect the personal data it collects or processes. In addition to CC’s overall data protection program, the European Union General Data Protection Regulation (“EU GDPR”) imposes obligations on entities, like Colorado College, that collect or process personal data about people in the European Union (“EU”). The EU GDPR applies to personal data CC collects or processes about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country. Among other things, the EU GDPR requires Colorado College to:

1. be transparent about the personal data it collects or processes and the uses it makes of any personal data
2. keep track of all uses and disclosures it makes of personal data
3. appropriately secure personal data

This policy describes Colorado College’s data protection strategy to comply with the EU GDPR.

Lawful Basis for Collecting or Processing Personal Data

Colorado College (CC) has a lawful basis to collect and process personal data. Most of CC’s collection and processing of personal data will fall under the following categories:

• Processing is necessary for the purposes of the legitimate interests pursued by Colorado College or by a third party.
• 处理是履行数据主体为当事人的合同或在签订合同前应数据主体的要求采取步骤所必需的.
• Processing is necessary for compliance with a legal obligation to which Colorado College is subject.
• The data subject has given consent to the processing of their personal data for one or more specific purposes.

There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.

Data Protection & Governance

赌博正规的十大网站(CC)将保护其合法收集或处理的所有个人数据和敏感个人数据.  Any personal data and sensitive personal data collected or processed by CC shall be:

• Processed lawfully, fairly, and in a transparent manner
• Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes
• Limited to what is necessary in relation to the purposes for which they are collected and processed
• Accurate and kept up to date
• Retained only as long as necessary
• Secure

Sensitive Personal Data & Consent

Processing of personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited by Colorado College, unless one of the following applies:

• the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, 除非欧盟或成员国法律规定第1段所述的禁令不得由数据主体解除;
• 为了履行控制者或数据主体在就业、社会保障和社会保护法领域的义务和行使特定权利，处理是必要的，只要它是由欧盟或成员国法律授权的，或根据成员国法律制定的集体协议，为数据主体的基本权利和利益提供适当的保障;
• 处理是必要的，以保护数据主体或其他自然人的切身利益，而数据主体在身体上或法律上没有能力给予同意;
• processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, 宗教或工会的目的，并且条件是处理仅涉及该机构的成员或前成员，或与该机构就其目的定期联系的人，并且未经数据主体同意，个人数据不会在该机构之外披露;
• processing relates to personal data which are manifestly made public by the data subject;
• processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
• processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, 尊重数据保护权利的本质，并提供适当和具体的措施来维护数据主体的基本权利和利益;
• processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, 在欧盟或成员国法律的基础上，或根据与卫生专业人员签订的合同，并受条件和保障的约束，提供卫生或社会保健或治疗，或管理卫生或社会保健系统和服务;
• processing is necessary for reasons of public interest in the area of public health, 例如防范对健康的严重跨界威胁，或确保卫生保健和医药产品或医疗装置的高质量和安全标准, 在欧盟或成员国法律的基础上，该法律规定了保护数据主体权利和自由的适当和具体的措施, in particular professional secrecy; L 119/38 EN Official Journal of the European Union 4.5.2016
• processing is necessary for archiving purposes in the public interest, 基于欧盟或成员国法律的符合第89(1)条的科学或历史研究目的或统计目的，这些目的应与所追求的目标成比例, 尊重数据保护权利的本质，并提供适当和具体的措施来维护数据主体的基本权利和利益.

Individual Rights

Individual data subjects covered by this policy will be afforded the following rights:

• information about the controller collecting the data
• the data protection officer contact information (if assigned)
• the purposes and lawful basis of the data collection/processing
• recipients of the personal data
• if Colorado College intends to transfer personal data to another country or international organization
• the period the personal data will be stored
• the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability
• the existence of the right to withdraw consent at any time
• the right to lodge a complaint with a supervisory authority (established in the EU)
• why the personal data are required, and possible consequences of the failure to provide the data
• the existence of automated decision-making, including profiling
• if the collected data are going to be further processed for a purpose other than that for which it was collected

Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.

Scope: 

本政策适用于受EU GDPR保护的个人数据和敏感个人数据，以及所有收集或处理受EU GDPR保护的个人数据和敏感个人数据的科罗拉多大学单位.

Procedures

Responsible Party and Responsibilities:

Colorado College Units
To document the lawful basis for personal data or sensitive personal data collected or processed pursuant to this policy.

To cooperate with privacy@aprender-a-bailar.com when individuals inquire about their personal data or sensitive personal data collected or processed pursuant to this policy.

To immediately notify (24/7) and cooperate with Colorado College Cyber Security relating to any data breach: privacy@aprender-a-bailar.com

Privacy@aprender-a-bailar.com
To field inquiries about personal data or sensitive personal data collected from individuals while in the EU (See Section 2.4).

协调赌博正规的十大网站单位回应个人资料或敏感个人资料的查询，而从个人在欧盟收集.

Cyber Security
To answer questions about and review data security measures.

To handle data breach notification for the Institute.

Enforcement: 

Violations of the policy may result in loss of system, network, and data access privileges, 行政处罚(包括终止或开除)，如学院的信息安全政策所述.

http://b0hzdz.aprender-a-bailar.com/basics/welcome/leadership/policies/information-security-policy

To report suspected instances of noncompliance with this policy, please contact privacy@aprender-a-bailar.com

Definitions