Notre Dame GDPR Privacy Notice Information

What Personal Data is Collected 

When Notre Dame seeks to gather personal information, Notre Dame informs individuals as to why they are being asked for their information, and how Notre Dame intends to use the data via the Notre Dame data privacy notice. Personal information may include anything that directly or indirectly identifies or relates to a living person (e.g. a name, address, telephone number, date of birth, unique identification number, photographs, video recordings, including images on CCTV).

How Notre Dame Collects Your Data 

The data collected from you will be used by Notre Dame only in accordance with the purposes outlined in this privacy notice.

Data collected in this manner will be shared within the following areas of Notre Dame, and may be shared with the primary Notre Dame offices within the United States. 

If you have any queries or complaints in relation to the use of your personal data you may contact Notre Dame via the Office of Information Security and Compliance at infosec@nd.edu.

The Purpose for (use of), and Legal Basis for Collecting Your Data

There are a number of legal reasons and different circumstances why Notre Dame may collect personal information. Personal information may be collected and used when:

  • An individual, or their legal representative, has given consent
  • An individual or organization has entered into a contract with us
  • It is necessary for Notre Dame to perform their statutory duties, or other legitimate business purposes
  • It is necessary to protect someone in an emergency
  • It is required by law, or is necessary for legal cases
  • It is necessary for employment purposes
  • It is necessary to deliver part of our service
  • A company or individual has made their information publicly available
  • It is necessary for archiving, research, or statistical purposes

When Notre Dame has received consent to use personal information for specific reasons, individuals have the right to remove consent at any time. To remove consent, please contact Notre Dame via the GDPR Inquiry Form, stating which service the consent is withdrawn from.

How Notre Dame Stores and Secures Your Data

Any data collected from you by Notre Dame will be stored confidentially and securely as required by Notre Dame and the University of Notre Dame (USA) Information Security Policy. Notre Dame and its offices are committed to ensuring that all accesses to, uses of, and processing of such data is performed in a secure, controlled manner.

Notre Dame has a duty of care and a legal obligation to make sure personal information (on paper and electronically) is kept secure, and to only make information accessible to those individuals who have a right to it. To ensure this, Notre Dame has the following processes and policies in effect to safeguard personal information. These practices to ensure data security include:

  • encryption, keeping information encoded so it can be read only via secure processes
  • pseudonymisation, anonymizing sensitive aspects of personal information so an individual can work with data without knowing which individual data subject it belongs to
  • controlling access, to keep systems and networks secure by restricting who is allowed to view personal information through the use of two-factor identification or VPN connection
  • training, making UND employees aware of how to handle personal information, and how and when to report when something goes wrong
  • reviews, assessing technology and working practice to maintain good practice and secure IT

In keeping with these data protection principles, Notre Dame will only store and retain information for a time period that serves the original purpose for which it was collected, or as long as required by law. Notre Dame and its offices may at times be required for business purposes to keep personal information for a set period of time.

Personal information held by Notre Dame is stored either on the premises in-country or on secure IT platforms. In certain instances, pieces of information can and may be transferred to another organisation, including outside of the EU. This most routinely happens when academic progression information is sent to the primary Notre Dame within the United States. The University of Notre Dame (USA) has agreements with third-party organisations where data is collected, stored, or processed, in order to protect personal information per United States Law.

If you have any queries or complaints in relation to the use of your personal data you may contact Notre Dame via the Office of Information Security and Compliance at infosec@nd.edu.

When Notre Dame Shares Personal Data; Details of Third Parties with whom Notre Dame Shares Personal Data

In certain circumstances, Notre Dame may use a third-party organization to store an individual’s personal information or to help deliver a service. In such instance, Notre Dame and/or a European will have an agreement in place to ensure that the third party in question is compliant with pertinent and applicable data protection law.

Notre Dame may at times be required by legal duty to provide personal information to other organisations. In extremely rare circumstances, Notre Dame may also share personal information when there is a necessary reason to do so. This may happen under specific circumstances, including but not limited to:

  • identify or prevent crime
  • if there are serious risks to the general public or members of the Notre Dame community
  • to protect a vulnerable member of the community (such as a child)
  • to protect adults who are thought to be at risk (e.g. individuals who could be confused or incapacitated).

In such circumstances, the risk must be serious or significant to merit overriding the individuals’ right to privacy; as such, Notre Dame will thoroughly document what information is shared and the reasons for sharing, and will notify affected individuals when merited.

Normally, when Notre Dame is worried about a person’s safety and feels it is necessary to take action to protect them from harm, Notre Dame shall discuss their concerns and obtain such a person’s consent to inform and tell others about the situation. However, Notre Dame may share information without consent if it is believed that the risk of harm is serious enough. In this circumstance, Notre Dame will thoroughly document the information that is shared and the reasons for sharing, and if safe to do so the individual is notified of what personal information has been shared and where.

Notre Dame will share your data with the following third parties where necessary for purposes of the processing outlined here:

When your data is shared with the third parties outlined here, Notre Dame will ensure that the data is only processed according to our specific instructions and that the same standards of confidentiality and security are maintained. Once the processing of the data is complete any third parties with whom data was shared will be required to return the data to Notre Dame save where they are required to retain it by law.

What Are Your Rights?

The European General Data Protection Regulation provides individuals rights in relation to how their personal information is used. You have the following individual rights over the way Notre Dame processes your personal data.

Right of Access

You have the right to request a copy of the personal data Notre Dame processes about you, and to exercise that right easily and at reasonable intervals.

Consent

You have the right to withdraw your consent where that is the legal basis of Notre Dame’s processing.

Rectification

You have the right to have inaccuracies in personal data that is held about you rectified.

Erasure

You have the right to have your personal data deleted where there is no longer any justification for retaining it, subject to exemptions such as the use of pseudonymised data for scientific research.

Object

You have the right to object to processing your personal data if:

  • Notre Dame has processed your data based on a legitimate interest or for the exercise of the public tasks of the University of Notre Dame (USA), if you believe the processing to be disproportionate or unfair to you;
  • The personal data was processed for the purposes of direct marketing or profiling related to direct marketing;
  • Notre Dame has processed the personal data for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Restriction

You have the right to restrict the processing of your personal data if:

  • You are contesting the accuracy of the personal data;
  • The personal data was processed unlawfully;
  • You need to prevent the erasure of the personal data in order to comply with legal obligations;
  • You have objected to the processing of the personal data and wish to restrict the processing until a legal basis for continued processing has been verified.
Portability

Where it is technically feasible you have the right to have a readily accessible, machine readable copy of your data transferred or moved to another data controller where we are processing your data based on your consent and if that processing is carried out by automated means.

Contact

Please contact Notre Dame via the GDPR Inquiry Form, if you wish to make a request:

  • To obtain information about yourself;
  • To have your information corrected (where applicable by law); OR
  • To have your information removed / erased (where applicable by law).

If you have any other queries relating to the processing of your personal data or if you have any queries or complaints in relation to the use of your personal data, you may contact Notre Dame via the Office of Information Security and Compliance at infosec@nd.edu.

For independent guidance about European data protection, privacy and data sharing issues, please contact the appropriate Legal Supervisory Authority's Office at:

Garante Per La Protezione
Dei Dati Personali
Piazza Venezia 11 – 00187 Roma
Phone: +39-06-6967 71
Fax: +39-06-6967 73785

https://www.garanteprivacy.it/web/guest/home

If you are not satisfied with the information we have provided to you in relation to the processing of your data you may also contact to the appropriate Legal Supervisory Authority’s Office via their website, listed above.