Like other academic institutions, Vesalius College processes personal data. Vesalius College is committed to protecting personal data and handling it with the utmost care in order to safeguard the privacy of those concerned. In this privacy statement you can read more about our guidelines for handling personal data, about questions and services you may request from us, and about our point of contact for further information regarding privacy and data protection at Vesalius College.
Which personal data is processed and why
Personal data Vesalius College processes
Vesalius College is responsible for processing large amounts of personal data: not just from students, researchers and staff, but also from alumni, third party experts and visitors, as well as data that is required to perform academic research. We process this data either to fulfil the legal requirements necessary to provide education and perform research, or in order to improve our services as a university.
The purposes for which it is processed include:
- providing education
- keeping records on student affairs;
- managing internal and external information flows;
- registering study results;
- issuing certificates, diplomas, qualifications and degrees;
- concluding contracts with students;
- formulating policy on education matters;
- developing and writing policy and management reports in the context of accreditation demands;
- being able to provide advice, guidance, and counselling; settling disputes, providing training and education in medical studies; ensuring procedural justice in the election of members for participatory bodies etc.
- performing academic research: The researchers affiliated with Vesalius College gather, analyse, and manage large quantities of data, necessary for the advancement of the scientific disciplines represented at the institution. Many of the activities carried out by researchers involve processing personal data.
- human resources: Searching for, selecting and recruiting new employees; concluding of contracts; negotiating salaries, benefits, and pensions; information regarding the membership of a trade union; information on the termination of employment; being able to comply with obligations arising from employment and health & safety legislation; registering leaves of absence etc.
- strategy, business administration, policy and management
- keeping records on the financial affairs of (parts of) Vesalius College, managing IT-, purchase and payment systems, litigating on behalf of the VESALIUS COLLEGE;
- managing contacts and contracts with suppliers, clients, consumers, suppliers, business partners; ensuring the wellbeing of students, staff and visitors, being able to improve policy, organizational analysis, management, and dispute resolution etc.
- facility management
- ensuring the health and safety of students, staff and visitors;
- ensuring accessibility and maintenance of the campus and of (automated) systems;
- providing appropriate security measures and supervision;
- maintaining contacts with facility management services and partners etc.
- valorisation, outreach, marketing and communication
- recruitment of prospective students; performing market research;
- concluding and fulfilling contracts with other educational institutions (e.g. high schools);
- improving public and customer relations;
- improving marketing and branding of Vesalius College;
- managing and improving our website, libraries, library systems, archival services etc.
All these various types of data will be treated with the utmost care; none will be freely accessible. Employees of Vesalius College and persons acting on behalf of Vesalius College who work with such data will only be authorised to do so to the extent necessary for the performance of their duties. Additionally, Vesalius College is continuously committed to maintaining the proper technical and organizational safeguards with regard to information security and data protection.
Categories of personal data processed by Vesalius College
Because Vesalius College performs activities in all the areas listed, a lot of personal data is gathered and stored. In light of these activities, it is possible that Vesalius College processes the following categories of personal data:
- Place of Birth
- Bank Account Number
- Telephone number
- Date of Birth
- Information regarding user interaction (e.g. IP address, cookies, clicking behaviour, information from contact forms etc.)
- Images (photos and videos)
- Information regarding choice of study programme, study progress and study results
- Data gathered in the context of academic research
In principle, the personal data processed by Vesalius College has been disclosed to the Vesalius College directly. However, it may also be the case that Vesalius College receives personal data from third parties. We often collaborate with universities, research centres and (international) organisations located abroad, both inside and outside the EU. Within the scope of such collaborative projects, it is possible for personal data to be disclosed to these third parties: naturally, this will always happen in compliance with all relevant privacy and data protection laws and regulations and Vesalius College will always strive for the shortest possible retention period of relevant data.
Provision of data to third parties
Vesalius College will not exchange personal data with third parties for financial gain. Personal data that allows for a third party to trace an individual person will only be supplied to a third party when this is required by law; when this is necessary for the fulfilment of a contract with the data subject; or when the data subject has given his or her explicit, informed consent to the transfer of the data. Preparing and awarding a degree is an example of transferring data to a third party: the Flemish government sets the requirements necessary for graduation and certification and in this context Vesalius College has an obligation to transmit personal data concerning graduation to the government.
Vesalius College can instruct third parties to perform services for it, in which case the Vesalius College will draw up an agreement in which it lays down the duties of the service provider with regard to the processing of personal data (a so-called “data processor agreement”). In this contract it is stipulated that the third party will handle any disclosed personal data confidentially, carefully, and in compliance with privacy legislation. Aside from the situations that have been specifically mentioned above, Vesalius College will not disclose personal data to third parties, unless required to do so by law.
Subjects’ rights with regard to their personal data
On May 25th 2018, the “General Data Protection Regulation” will take effect. The GDPR is a European regulation which grants individuals rights with respect to the way their personal data is handled and protected. Individuals may, for example – depending on the legal basis for the processing of their personal data and dependent on the fulfilment of certain conditions – exercise a right to:
- inquire as to what personal data is processed and, when the data is provided to Vesalius College by a third party, inquire into the source of this information;
- request the correction of data insofar as it is incorrect;
- object to the processing of his or her data;
- know of the existence of possible automated decision making processes, and, when these are used to create profiles, inquire into the logic underlying these processes, the purposes they serve, and their consequences;
- ‘be forgotten’ by an institution that has processed their personal data.
The competent national authority concerning privacy and data protection is the Commission for the Protection of Privacy (or CBPL: “Commissie voor de bescherming van de persoonlijke levenssfeer”). This is the authority that monitors privacy law compliance and where any individual can file a complaint regarding privacy and the processing of personal data.
Further questions regarding the different rights and obligations in the field of privacy can be directed to Vesalius College’s Data Protection Officer (DPO).