EU GDPR Policy
EU GDPR Policy
The Pantheon Institute takes seriously its duty to protect the personal data it collects or processes. The European Union General Data Protection Regulation (“EU GDPR”) imposes obligations on entities, like the Pantheon Institute, that collect or process personal data about people in the European Union (“EU”). The EU GDPR applies to personal data that Pantheon Institute collects or processes about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country. Among other things, the EU GDPR requires the Pantheon Institute to: be transparent about the personal data it collects or processes and the uses it makes of any personal data; keep track of all uses and disclosures it makes of personal data; and appropriately secure personal data.
This policy describes Pantheon Institute’s data protection strategy to comply with the EU GDPR.
A. Policy Statement:
i) Lawful Basis for Collecting or Processing Personal Data
The Pantheon Institute has a lawful basis to collect and process personal data of its students, employees, applicants, and others involved in its programs. These activities include, without limitation, admission, registration, education, excursions, activities such as museums, bookings for trips (hotels, restaurants, etc.), housing accommodations, internships, grades, communications, employment, alumni programs, and records retention.
Most of Pantheon Institute’s collection and processing of personal data will fall under the following categories:
- Processing is necessary for the purposes of the legitimate interests pursued by the Pantheon Institute or by a third party.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the Pantheon Institute is subject.
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.
ii) Data Protection & Governance
The Pantheon Institute will protect all personal data and sensitive personal data that it collects or processes for a lawful basis. Any personal data and sensitive personal data collected or processed by the Pantheon Institute shall be:
- Processed lawfully, fairly, and in a transparent manner;
- Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
- Limited to what is necessary in relation to the purposes for which they are collected and processed;
- Accurate and kept up to date;
- Retained only as long as necessary; and
- Secure.
iii) Sensitive Personal Data & Consent
The Pantheon Institute must obtain consent before it collects or processes sensitive personal data as defined by the EU GDPR.
iv) Individual Rights
Individual data subjects covered by this policy will be afforded the following rights:
- information about the processor collecting the data;
- the data protection officer contact information;
- the purposes and lawful basis of the data collection/processing;
- recipients of the personal data;
- the existence of the right to know if the Pantheon Institute intends to transfer personal data to another country or international organization;
- the period the personal data will be stored;
- the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability;
- the existence of the right to withdraw consent at any time;
- the right to lodge a complaint with a supervisory authority (established in the EU);
- the existence of the right to know why the personal data is required, and possible consequences of the failure to provide the data;
- the existence of automated decision-making, including profiling (if any); and
- the existence of the right to know if the collected data is going to be further processed for a purpose other than that for which it was collected.
Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.
B. Scope
This policy applies to the personal data and sensitive personal data protected by the EU GDPR and the Pantheon Institute’s offices who collect or process personal data and sensitive personal data protected by the EU GDPR.
C. Definitions
Collect or Process Data
Collection, storage, recording, organizing, structuring, adaptation or alteration, consultation, use, retrieval, disclosure by transmission/dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction of personal data, whether or not by automated means.
Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Under the EU GDPR:
- Consent must be a demonstrable, clear affirmative action.
- Consent can be withdrawn by the data subject at any time and must be as easy to withdraw consent as it is to give consent.
- Consent cannot be silence, a pre-ticked box or inaction.
- Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
- Request for consent must be presented clearly and in plain language.
- Maintain a record regarding how and when consent was given.
Processor
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Identified or Identifiable Person
An identified or identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person.
Examples of identifiers include but are not limited to: name, photo, email address, physical address or other location data, IP address or other online identifier.
Lawful Basis
Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Legitimate Interest
Processing of personal data is lawful if such processing is necessary for the legitimate business purposes of the data controller/processor, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Personal Data
Any information relating to an identified or identifiable person (the data subject).
Processor
A natural or legal person, public authority, agency or other body who processes personal data on behalf of the controller.
Sensitive Personal Data
Special categories of personal data that require consent by the data subject before collecting or processing are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic, biometric data for the purposes of uniquely identifying a natural person
- Health data
- Data concerning a person’s sex life or sexual orientation
D. Procedures:
i) Data Governance
Document Lawful Basis for Collection or Processing
All Pantheon Institute’s offices who collect or process personal data protected by the EU GDPR must document the lawful basis for the collection or processing of personal data and sensitive personal data they collect or process, why they collect it, and how long they keep it.
ii) Privacy Notice
Privacy Notice
The Pantheon Institute’s Privacy Notice to data subjects specifies the lawful basis to collect or process personal data and includes:
- whether their personal data is being collected or processed and for what purpose
- categories of personal data concerned
- to whom personal data is disclosed
- records retention period
- existence of individual rights to rectify incorrect data, erase, restrict or object to processing
- how to lodge a complaint
- the source of the personal data (if not collected from the data subject)
- the existence of automated decision-making, including profiling (if any)
iii) Individual Rights
Exercise of Rights
Any individual wishing to exercise their rights under this policy should contact our General Counsel, Marco Martemucci, at [email protected], as well as contact the Italian National Data Protection Authority (“Garante per la Protezione dei Dati Personali”), at www.garanteprivacy.it
iv) Data Protection
Security of Personal Data
All personal data and sensitive personal data collected or processed by any Pantheon Institute office under the scope of this policy must comply with the security controls and systems and process requirements and standards of European Union law.
Breach Notification
Any Pantheon Institute office that suspects that a breach or disclosure of personal data has occurred must immediately notify Marco Martemucci, General Counsel, whom you can reach to the following telephone number/email: +1 347 623 1560 / [email protected].