What are the University's breach notification obligations?
In the event that there is a data breach involving covered personal data of students,
employees, alumni, or vendors, the University will notify the appropriate supervisory
authorities within 72 hours, where feasible, after becoming aware of the breach, unless
the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
If the breach is likely to result in a high risk to their rights and freedoms, The
University will also notify individual data subjects of a data breach regarding their
personal data. The notification to data subjects will include the nature of the breach
and recommended steps the data subject should take in order to mitigate potential
adverse effects. Initial notification may be general in nature and as additional information
is known a supplemental notice will be issued.
How does the University handle data transfers?
As needed, The University may transfer personal data outside of the EU and may also
share personal data with third party organizations both within and outside of the
EU. Where personal data is shared, The University will require that appropriate safeguards
be implemented to protect the personal data. Safeguards include but are not limited
to: requiring third parties to sign data security contracts (i.e. Data Protection
Agreements (DPAs), and anonymizing data.