European General Data Protection Regulation
The European Union General Data Protection Regulation (GDPR), effective May 25, 2018, is designed to protect the privacy of personal data of citizens of the European Union (EU) or people residing in the EU (called Data Subjects in the GDPR), regardless of the physical location of the EU citizen (https://www.eugdpr.org/the-regulation.html). Any organization inside or outside of the European Union that processes or controls data of citizens of the European Union or of people who are residing in the European Union is subject to the GDPR (https://www.eugdpr.org/gdpr-faqs.html).
Iowa Lakes Community College is dedicated to protecting the personal information of prospective students, students, alumni, faculty, and staff. According to the GDPR, personal data is any data that can identify a person. The personal identifiers can be direct personal identifiers or indirect personal identifiers such as name, student ID, student photo, gender, race, personal or student email address, banking information, or medical information as well as “online identifiers provided by their devices, applications, tools and protocols” such as IP addresses and cookies. http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
Iowa Lakes Community College collects, processes, records, stores, and disseminates a person’s personal data for the specific and legitimate purpose of performing college functions, processes, reporting, and compliance with legal obligations.
EU Data Subjects must give consent to data collection. “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
EU Data Subjects will be asked by Iowa Lakes Community College to consent to the following statement. Consenting to this statement allows Iowa Lakes to collect your personal data for legitimate college purposes with regard to your status as a prospective student, student, or alumni, supporter, or stakeholder of the college.
I agree that by submitting an application to Iowa Lakes Community College, I give consent to Iowa Lakes to store and use personal and academic and/or employment related information for all recruitment and academic records-related activities. I also agree to allow Iowa Lakes to use multiple forms of communication for the purpose of recruitment and academic-related information during my academic career. I understand that if I do not agree to this statement I cannot be admitted to Iowa Lakes.
Iowa Lakes only uses your information for academic and regulatory purposes. Iowa Lakes does not sell student information to third parties.
The GDPR provides “limited exceptions to the consent rule, such as legal requirements or protection of vital interests of the data subject” (https://er.educause.edu/articles/2017/8/the-general-data-protection-regulation-explained).
Iowa Lakes Community College will not share your personal information with third parties except as required by law, as necessary to protect the college’s interests, and with vendors contracted by the college who have agreed to keep this information confidential.
Right to be forgotten - Data Erasure
EU Data Subjects have the right to have their personal data erased if the retention of the personal data is no longer necessary for the purposes for which the data was collected or processed, is not necessary for legitimate college purposes, legal obligation, or is past the mandatory data storage retention limits.
In the event of a data breach, Iowa Lakes will perform the following steps to notify affected constituency groups within 72 hours of the breach.
- Provide specific contact details with Iowa Lakes’ data compliance team
- Brief description of the nature of the breach
- Likely consequences of the breach
- Steps Iowa Lakes Community College has taken or will take to address the breach
- Advice on how those affected by the breach can protect themselves.
For more information on the GDPR go to: