PURPOSE
The European Union’s General Data Protection Regulation (GDPR) provides greater data protection for individuals in the European Union (EU). This comprehensive regulation, effective May 25, 2018, applies to all members of the European Union and the European Economic Area, and is designed to strengthen and unify data protection law and practice across the EU. The GDPR provides several rights to Data Subjects which are the subject of this policy.
SCOPE
This policy applies to permanent and temporary workforce members, including contractors and vendors. Individuals who violate these requirements are subject to disciplinary action, up to and including termination, in compliance with the Administrative Guide and Fundamental Standard.
RESPONSIBILITIES
The Chief Privacy Officer is the privacy official for the Santa Rosa Junior College District, and ensures that the requirements in these policies are maintained in accordance.
All workforce members including employees, contracted staff, students and volunteers are responsible for ensuring that individuals comply with this policy. Violations of this policy will be reported to the SRJC Privacy Office. Reported violations will be investigated by the SRJC Privacy Office in collaboration with appropriate departments, such as the Office of General Counsel, Global Business Services or the Information Security Office. Workforce members who violate this policy may be subject to the appropriate disciplinary action up to and including termination.
DATA SUBJECTS RIGHTS
Individuals located in the European Economic Area only, whose Personal Data SRJC processes (“Data Subjects”), have the following rights with regard to their Personal Data:
“Personal Information” is any information that we can reasonably use to identify you. If you are located in the European Economic Area (EEA), Personal Information includes all Personal Data as defined under EEA laws.
The District will inform any third parties with whom it might have shared the Data Subject’s Personal Information of the deletion request.
The District may decline a Data Subject’s request for deletion if processing of their Personal Information is necessary
- Right of access
Data Subjects may request details of their Personal Information that the District holds. The District will confirm whether it is processing the individual’s Personal Information and will disclose supplementary information including the categories of Personal Information, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards regarding Personal Information transfers to non-EEA countries, subject to the limitations set out in applicable statutes, regulations and other laws.
- Right of correction
The District will comply with a Data Subject’s request to edit and update incorrect Personal Information promptly and in most cases within 30 days from the receipt of the request for correction. In the event that correction is not possible or cannot occur within 30 days, the District will document its reasons, specify the time frame in which correction will occur (to the extent knowable), and respond to the requestor with this information within 30 days from the receipt of request for correction.
- Right to be forgotten
At a Data Subject’s request, the District will delete their Personal Information promptly if
- it is no longer necessary to retain the Personal Information;
- the Data Subject withdraws the consent which formed the basis of the Personal Information processing;
- the Data Subject objects to the processing of their Personal Information and there are no overriding legitimate grounds for such processing;
- the Personal Information was processed illegally; or, the Personal Information must be deleted for the District to comply with its legal obligations.
The District will inform any third parties with whom it might have shared the Data Subject’s Personal Information of the deletion request.
The District may decline a Data Subject’s request for deletion if processing of their Personal Information is necessary
- to comply with a District legal obligation;
- in pursuit of a legal action;
- to detect and monitor fraud; or,
- for the performance of a task in the public interest.
- Right to restrict processing of Personal Information
At a Data Subject’s request, the District will limit the processing of their Personal Information if:
- the Data Subject disputes the accuracy of their Personal Information;
- the Data Subject’s Personal Information was processed unlawfully and they request a limitation on processing, rather than the deletion of their Personal Information;
- the District no longer needs to process the Data Subject’s Personal Information, but the individual requires their Personal Information in connection with a legal claim; or
- the Data Subject objects to the processing pending verification as to whether an overriding legitimate ground for such processing exists
- Right to notice related to correction, deletion, and limitation on processing
In so far as it is practicable, the District will notify a Data Subject of any correction, deletion, and/or limitation on processing of their Personal Information.
-
Right to data portability
At a Data Subject’s request, the District will provide them a copy of their Personal Information in a structured, commonly used and machine-readable format, if: (i) the Data Subject provided the District with Personal Information; (ii) the processing of the Data Subject’s Personal Information is based on consent or required for the performance of a contract; or, (iii) the processing is carried out by automated means. - Right to object
Where the District processes a Data Subject’s Personal Information based upon the lawful basis of legitimate interest, then the individual has the right to object to this processing.
- Right not to be subject to decision s based solely on automated processing
Data Subjects will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of their Personal Information, unless the District has received explicit consent or where the automatic processing is necessary for a contract with the District
- Right to withdraw consent
A Data Subject who has provided the District with consent to process their Personal Information has the right to withdraw any consent previously provided to the District at any time. If a Data Subject withdraws their consent, this will not affect the lawfulness of the District's collecting, using and sharing of their Personal Information up to the point in time that consent was withdrawn Even if a Data Subject withdraws their consent, the District may still use the information that has been anonymized and does not personally identify the Data Subject.
- Right to complain to a supervisory authority
If a Data Subject is not satisfied with the District's response, they have the right to complain to or seek advice from a supervisory authority and/or bring a claim against the District in any court of competent jurisdiction.
Any person, Department or School at the District that receives a request from a Data Subject seeking to exercise their rights under GDPR should contact the District Privacy Office to assist in the review of and response to the Data Subject’s request. Requests will be responded to within 30 days of receipt. Under certain circumstances, the District may inform the requesting Data Subject that additional time is needed to fully comply with the request. Such notification shall occur within 30 days of receipt of the request.