Alumni Policy

Data Protection-General Data Protection Regulation (GDPR) (EU) 2016/679

In accordance with the provisions of the General Data Protection Regulation (GDPR) (EU) 2016/679 and any other relating legislation, Alexander College is the Processor of such Personal and/or Sensitive Data. Accordingly, Alexander College may gather and process personal data only for the sole purpose of providing the services requested by Alumni (internship/work). Alexander College may pass/process personal data to a third party to the extent that this is required as a contractual necessity, on the ground of legal obligations, and legitimate interest.

The personal data will be recorded in an electronic or any other form to the personal data filing system(s), within the meaning of the Law, maintained by Alexander College or by any other company or person with which co-operation exists and/or an agreement is in force.

The recipients of the personal data shall be the duly authorised personnel of Alexander College and of any other company or person with which co-operation exists and/or an agreement is in force.
Alumni have the right to:

  • Request a copy of their Personal Data (commonly known as a “data subject access request”). This enables them to receive a copy of the personal information Alexander College holds about them and to check that the College is lawfully processing it.
  • Request correction of the Personal Data that the College holds about them.
  • Request the erasure of Personal Data. Alumni may ask Alexander College to delete or remove Personal Data where there is no good reason for the College continuing to process it. Alumni may also request that the College stops processing Personal Data where the College is relying on a legitimate interest and there is something about their particular situation which permits an object to processing on this ground.
  • Request the restriction of processing of Personal Data for example until its accuracy or the reason for processing it is more clearly established.
  • Request the transfer of Personal Data to another party.
  • Alumni who wish to review, verify, correct or request erasure of Personal Data, object to the processing of Personal Data, or request that the College transfers a copy of Personal Data to another party, they may contact the College’s DPO.

Further information regarding data protection can be found in our Student/Alumni data collection notice.

Alumni Privacy Notice

Alexander College is committed to protecting any personal information provided to us and meet our legal duties under the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable laws.

This Notice explains how Alexander College, through its Alumni Office and other departments, will collect and use your personal data for alumni and development activities. It should be read alongside the Student Data Collection Notice on how we process personal data.

Your personal data is collected from the following sources:

  • Alexander College – data is transferred from the College’s student databases to the database of the Alumni Office when students conclude their period of study
  • You – you provide data when you enquire about alumni services and benefits, register for events or volunteering opportunities, make a donation, register to join the alumni community or register to use alumni services.
  • Third parties – the College obtains data from the public domain and from organisations to aid the pursuit of its purposes.

The personal data that is processed

The data processed may include: 

  • your name, title, gender and date of birth
  • contact details (address, email addresses, phone numbers and social media presence) 
  • education history from your time at Alexander College and qualifications achieved at other institutions
  • prizes, scholarships and bursaries you were awarded
  • your attendance at graduation ceremonies
  • employment details, professional activities, career biographies and alumni profiles
  • partner/spouse and family details, and relationships with other alumni, supporters and friends
  • your interests as a student as well as your current interests
  • history of any donations to Alexander College, or philanthropic interests elsewhere
  • information about your potential philanthropic capacity
  • responses to Alexander College’s fundraising appeals and proposals
  • information from publically available sources and extracts from media stories
  • records of communications from, and interactions with  Alexander College
  • attendance at events and meetings with Alexander College staff
  • volunteering activities at or on behalf of Alexander College
  • communication preferences 
  • photographs, video or any other digital image either supplied by you for an alumni profile or taken during a graduation ceremony or alumni event or other Alexander College events.

Some of the above may contain “sensitive personal data”, otherwise known as “special category data”. This is data about your racial or ethnic origin, religious beliefs or other beliefs, physical or mental health. Alexander College will only process such data where you have given your consent for the College to have and use it or where the data has, to the best of the College’s knowledge and belief, been placed in the public domain by you.   

The purpose of processing your personal data

The Alumni Office will process personal data in order to maintain and promote a vibrant and engaged alumni community, to further the College’s objectives and in pursuit of its Strategic Plan.

Personal data may also be processed for the following purposes:

  • Keeping you informed of opportunities for you to continue to be involved in the life and activities of Alexander College
  • Administration and provision of alumni services and activities
  • Fundraising in support of the College’s objectives
  • Volunteering in support of the College’s objectives

Fundraising research

Fundraising helps support the work of Alexander College. The College tries to undertake activities that are effective and appropriate. Research enables the Alumni Office to identify those alumni and other individuals who are likely, able and willing to assist and to make sure that fundraising communications are relevant and of interest.

Research is carried out by analysing personal data. This analysis will normally be done by the Alumni Office but a third party organisation may sometimes be used. Where a third party is asked to undertake analysis, they will do so strictly in accordance with instructions given by the College, scheduled within a data sharing agreement.

If you prefer that Alexander College does not conduct the above activity in relation to your personal data, please email the College Data Protection Officer: dpo@alexander.ac.cy

Securing your personal data

Your personal data is held on the Alumni Database. Arrangements are in place to ensure that your data remains secure. Access to the data is strictly controlled. Staff processing the data receive relevant training on data protection and information security.

From time to time, the College may commission agents of a third party to enhance the systems storing your personal data. Where this occurs they will act strictly in accordance with the instructions given by the College, scheduled within a data sharing agreement, so that your personal data remains secure.

Sharing your information with others

The Alumni Office does not share data with third-party organisations other than those acting on its behalf and with whom it has data sharing agreements. Arrangements will be in place to ensure that your data is exchanged in a secure manner and that it is not used for any purposes other than those agreed by Alexander College. Appropriate safeguards will be put in place where your data is to be transferred outside the European Union.

If the Alumni Office intends to share your personal information with anyone else, you will be notified and informed of the reason why when it is collected.

Your details will not be shared with any individuals looking to contact you, including your former fellow students.

How long will we retain your personal data?

The Alumni Office will look to retain your personal data for as long as there is a lawful reason to do so unless you request that it be removed from the records. Whenever you are written to you will be reminded of your right to request us to delete your personal data. Alternatively, you may ask at any time for us to delete your personal data by contacting dpo@alexander.ac.cy . Where this happens, a record of the request and basic details will be retained in order to ensure that your data is not added to the database in future.

The legal basis for processing your data

Alexander College relies on several different legal bases depending on the processing being performed:

  • Consent – processing will sometimes be carried out in accordance with your consent
  • Performance of the student contract – provision of alumni services as set out within the student contract
  • Legal obligation – providing data to statutory and regulatory agencies
  • Public interest – furthering the charitable objectives of the College delivers a public and societal benefit
  • Legitimate interests – a vibrant and engaged alumni community supports and enhances the teaching and research of the College, having taken account of the privacy rights and freedoms of alumni.

Your rights

The General Data Protection Regulation (GDPR) (EU) 2016/679 gives you have a number of rights to decide how your personal data is collected and processed. Details of these are contained within our Student Data Collection Notice.

Contact details

Should you have any concern about your personal data at Alexander College please contact the Data Protection Officer by email: dpo@alexander.ac.cy

Research Policy

Policy purpose

Alexander College is dedicated to the advancement of knowledge, learning and understanding in the service of society. This policy sets out Alexander College’s requirements for the curation of research data in pursuit of this goal. The policy outlines a framework of support to enable the management of research data so that the benefits of open research data can be realized, subject to compliance with legal, ethical, regulatory, contractual, intellectual property protection and other legitimate requirements.

Does GDPR apply to my research data?

GDPR is only concerned with information which can be used to identify living people. GDPR does not apply if your research involves only fully anonymised data (so there is no way of linking it back to the individual it relates to, including through use of a code or numerical identifier). Pseudonymised data (partially anonymised) is covered by GDPR as it could be used indirectly to identify individuals.

Personal information includes name, ID number, location (including IP address and data from cookies), online identifiers, physical and physiological factors, biometrics, and genetic, mental, economic, cultural or social identity.

‘Special category’ personal information are particularly sensitive and require additional conditions to be satisfied under GDPR (see Special Category Data, below). Special category data includes racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union, genetic and biometric data, health, sex life, and sexual orientation.

How does GDPR impact on me?

If you are dealing with identifiable information you have a responsibility to keep the data safe, keep data subjects informed and report any breaches.

Documentation

GPDR requires data controllers keep a written record of data processing. We strongly recommend you create a Data Management Plan (DMP), if you don’t already have one, and keep it up to date. Your research funder may have requested a DMP as part of your funding application. Your DMP, along with your ethical planning documents, privacy notices (see below) and, if needed, a Privacy Impact Statement (see below) should be used to record the nature of the data you will collect, any re-use of existing data, your justification for processing data, and data security and retention policies.

Alexander College policies also contribute to your documentation. For example, our student data collection notice documents the College’s appropriate organisational and technical measures’ for safegurding students’ data.

It will be essential when thinking about further use of data collected to check this documentation to ensure that you are not straying beyond the arrangements described at the point of collection. If the arrangements for data use are not documented there, it will be important to update participants.

Should I seek consent to process personal data?

The answer is probably ‘no’. There are six different legal justifications for processing identifiable information; ‘consent’ is just one of them. As a general principle researchers should look for another legal basis before fixing on consent, in part due to a data subject’s right to withdraw consent at any time.
 
The College gives researchers the power to “make provision for research and for the advancement and dissemination of knowledge” and this provides our legal basis for the processing of data for research purposes. We therefore expect researchers to stipulate the legal basis for processing data as ‘public task’.

However, there will still often be a requirement to obtain consent to participate in a research activity where sensitive data (eg. racial or ethnic origin, physical or mental health conditions and particular criminal convictions) are processed.

Privacy notices

When collecting data, it is important that researchers explain to people what will happen to their data. Although this information can go into participant information sheets, consent forms, etc, ‘privacy notices’ do have a number of mandatory elements that might not be met by other information supplied to research participants. Privacy notices need to be:

  1. Concise, transparent, intelligible and easily accessible
  2. Written in clear and plain language, particularly if addressed to a child
  3. Accessible free of charge

Aim to address the following questions:
What information is being collected? Who is collecting it? How is it collected? Why is it being collected? How will it be used? Who will it be shared with? What will be the effect of this on the individuals concerned? Is the intended use likely to cause individuals to object or complain? How long is it intended to be held for?

Researchers will need to consider how best to circulate privacy notices: this could be online, paper based or verbal.

It may not always be possible, at the outset of a research project, to know what processing activities will be carried out on personal data collected as part of the research. Further processing must be compatible with those activities stated in the original Privacy notice.

Secure data storage

Identifiable information should never be stored on an unencrypted device.

Handling subject access request

Under GDPR, everyone has the following rights over their own personal data:

  1. The right to be informed of the collection and use of their personal data
  2. The right to access their personal data
  3. The right to have inaccurate or incomplete information corrected
  4. The right to have their personal data erased
  5. The right to request that you restrict the ways in which their personal data is processed
  6. The right to a copy of their personal data in a portable, machine readable format
  7. The right to object to processing of their personal data
  8. The right to be informed of any automated individual decision-making or profiling, and the right to challenge such decisions

However, if you are processing data for research purposes then your activities are exempted from many of these rights provided that certain conditions are met (see below). Specifically, your data subjects will retain:

  1. The right to be informed of the collection and use of their personal data
  2. The right to be informed of any automated individual decision-making or profiling, and the right to challenge such decisions

If data subjects can be identified in the published results of your research then they also retain the right to access their personal data.

If a data subject makes a request relating to one of these rights, you must inform the Data Protection Office dpo@alexander.ac.cy.

Conditions for processing for research and statistical purposes

Your data processing must meet certain conditions in order to qualify for the ‘research or statistical purposes’ exemptions to data subject rights. Specifically, you must:

  • Follow the principle of data minimisation (collect no more personal data than is needed for your research)
  • Anonymise your data as far as possible and at the earliest opportunity 

In addition, if your data processing is likely to cause harm or distress to data subjects then you have not met the requirements for processing for research purposes, and the exemptions will not apply.

Reporting data breaches

If you suspect a data breach has occurred you must inform the Data Protection Office dpo@alexander.ac.cy. To do this, do not rely on email alone but confirm that the breach has been formally logged. Reporting possible incidents as early as possible is vital as the College is subject to time-limits governing how long we must undertake certain actions in response to a data breach.

How long should I keep different types of data?

This depends on the type of data, you should contact the Data Protection Office dpo@alexander.ac.cy regards retention periods.

Special category data

Special category data may be processed provided that there is a lawful basis for processing (probably ‘public task’, as before), AND that another specific condition is met. There are a number of conditions for processing special category data but the one most likely to be suitable for research is if processing is necessary for “scientific or historical research purposes or statistical purposes”. You must ensure that the principle of data minimisation is respected when collecting special category data: you should identify the minimum amount of special category data you need to properly fulfil your purpose, and hold no more than that.

See Article 9 EU GDPR “Processing of special categories of personal data” and Article 6 EU GDPR “Lawfulness of processing”

Staff Privacy Notice

What is the purpose of this Privacy Notice?

Alexander College collects and processes personal data relating to its staff to manage the employment relationship, to conduct its operations effectively, and to fulfill its legal and regulatory responsibilities. The College is committed to being transparent about how it collects and uses that data to meet its data protection obligations.

This Notice explains how Alexander College will collect, use and share your personal data and sets out your rights in relation to your personal data.

Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This can be summarised as information that we hold about an individual employee from which they can be identified.

It may include but may not be limited to the following:

  • Personal contact information such as name, title, address, telephone number(s) and personal and / or company email addresses.
  • Date of birth.
  • Details of next of kin or dependents.
  • Employment records (including job titles, start date, work history, working hours, training records and professional memberships).
  • Workplace location.
  • Salary and benefit details and history including payroll records and tax records/information.
  • Holiday and absence records.
  • Copy documents such as passport or identity card or other identification document provided to us as part of our legal obligation to report to the various departments of the Ministry of Labour and Social Insurances.
  • Recruitment information (including references and other information included in a CV or cover letter or as part of the job application process).
  • Information relating to qualifications and performance including appraisal records.
  • Disciplinary and grievance information.
  • CCTV footage and other information obtained through electronic means such as swipecard records, time and attendance data.
  • Information about an employee’s use of our information and communications systems.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Sensitive Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

How is Personal Data collected?

Typically, an employee will have provided Personal Data or we have recorded Personal Data about the employee in connection with or in the course of their employment.

We will pass Personal Data to a third party such as our payroll provider, HR advisers or training providers.

For what purposes is Personal Data used?

We will only use Personal Data when the law allows us to which can be summarised under the following headings:

(a) Consent: an individual has given clear consent for us to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract we have with the individual or because they have asked us to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for us to comply with the law.

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party.

Details of the Personal Data that we are most likely to process are set out in Appendix One.

What safeguards are in place?

We will comply with the data protection principles applying in Cyprus which states that Personal Data must be:

  • processed fairly, transparently and lawfully ;
  • obtained only for one or more specified and lawful purposes and not be further processed in any manner incompatible with that purpose or those purposes;
  • be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
  • be accurate and, where necessary, kept up to date;
  • shall not be kept for longer than is necessary for lawful purposes;
  • protected by having appropriate technical and organisational measures in place to safeguard against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, the Personal Data;

and in addition Personal Data:

  • shall be processed in accordance with the rights of data subjects under applicable legislation;
  • shall transferred to a country or territory outside the European Economic Area only in order to fulfil the request of a client and the same time we will ensure that the organisation we will transfer the data to will apply an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

What rights and obligations do Employees have?

Duty to inform us of changes

It is important that Personal Data is kept accurate and up to date. Employees should please advise us if their personal information changes whilst they are employed by us.

Rights in connection with Personal Data

Under certain circumstances, individuals have the right to:

  • Request a copy of their Personal Data (commonly known as a “data subject access request”). This enables them to receive a copy of the personal information we hold about them and to check that we are lawfully processing it.
  • Request correction of the Personal Data that we hold about them.
  • Request the erasure of Personal Data. An individual may ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. An individual may also request that we stop processing Personal Data where we are relying on a legitimate interest and there is something about their particular situation which permits an object to process on this ground.
  • Request the restriction of processing of Personal Data for example until its accuracy or the reason for processing it is more clearly established.
  • Request the transfer of Personal Data to another party.
  • Individuals who wish to review, verify, correct or request erasure of Personal Data, object to the processing of Personal Data or request that we transfer a copy of Personal Data to another party, please contact our nominated Data Controller.

What we may need to comply with a Data Subject Access Request

We may need to request specific information to help us confirm a lawful right to access the information (or to exercise any other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to access it.

Charges

No fee is usually required to access Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Right to withdraw consent

In certain circumstances, consent may be required for the processing of Personal Data. Where an employee provides such consent to the processing of Personal Data for a specific purpose, that employee has the right to withdraw consent for that specific processing at any time. To withdraw consent, please contact the nominated Data Controller. Once notification is received that consent has been withdrawn, we will no longer process Personal Data for the said specific purpose unless we have another lawful basis to do so.

Amending this Privacy Notice

We may update this Privacy Notice from time to time and we will issue a new privacy notice when we make any material changes including when we the identity of the Data Protection Officer changes.

Appendix One – Data Processing

The situations in which we are most likely to process Personal Data are in connection with the following processes set out below:

  • Dealing with recruitment or appointment and termination matters including the assessment of experience, qualifications and overall suitability for a particular role.
  • Administration of matters connected with the employment relationship.
  • Payroll and benefit provision.
  • Managing our business including accounting, forecasting, planning, scheduling and auditing.
  • Conducting appraisals, managing performance and determining performance requirements.
  • Dealing with grievance and disciplinary matters.
  • Dealing with training and development requirements and related issues.
  • Dealing with conflicts and disputes involving employees.
  • To monitor the use of our information and communication systems to ensure compliance with our IT policies.
  • Managing absence including assessing fitness to work.
  • Health and safety matters including compliance.
  • To prevent fraud.
  • To ensure effective general HR and business administration.
  • To provide references on request for current or former employees.
  • To respond to and defend against legal claims.
  • To maintain and promote equality in the workplace.

We believe that we have a legitimate interest in processing the above Personal Data in the context of the overall employment relationship. Some of the above grounds for processing may overlap and there may be several grounds which justify our use of Personal Data.

Appendix Two – Our safeguarding measures

Please note that will only transfer Personal Data to countries or territories that do not have an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data only in the course of our business and after having evaluated the level of protection of personal data they apply.

We do not use any Personal Data for automated decision making or other forms of profiling.

We aim to keep Personal Data accurate and up to date. Data that is out of date or inaccurate will be amended when we are made aware of that. Employees should notify us if they become aware of any inaccuracies in their Personal Data held by us.

We will not keep Personal Data for longer than is permitted. This means that some data will be destroyed or erased from our systems 2.5 years after the termination of the employment and the remaining seven years after the termination of the employment or when it is no longer lawfully required. For regulatory purposes, we are required to keep certain Personal Data for a seven-year period after which it is securely destroyed.

We have in place procedures and solutions to maintain the security of all personal data from the point of collection to the point of destruction and have taken appropriate measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of personal data. For example, we take the following steps to protect data:

  • Staff is trained in relation to the importance of privacy and data security.
  • Electronic files can only be accessed via password logins
  • Only a limited number of staff has access to the employee data.

We will only pass Personal Data to third parties where we are lawfully obliged to do so. For example, an employee may ask us to provide their salary details to a building society when they apply for a mortgage or we may lawfully pass data to our payroll adviser in order to ensure that employees are paid.

We will not disclose Personal Data to a third party without consent unless we are satisfied that they are legally entitled to the data. Where we do disclose Personal Data to a third party without consent, we will only do so where that third party has confirmed that it has in place adequate measures to protect Personal Data.

Student Data Collection Notice

Alexander College, a company incorporated in Cyprus (company number HE149687)and Alexander Professional Studies ltd, a company incorporated in Cyprus(company number HE391038),(hereinafter  BOTH referred to as “Alexander College”)are committed to protecting your personal information.

Alexander College will collect, process and use your personal data exclusively in compliance with the principles of Regulation (EU) 2016/679 of The European Parliament And of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”), the applicable local legislation as amended from time to time and any other legal and/or regulatory obligations.

Why we hold personal data about you

Alexander College collects, holds and processes personal data about you while you are a current student and after you leave and become an alumnus/alumna. It is essential for us to do so in order to manage our operations effectively and provide you with teaching, research and administrative support.

This Data Collection Notice explains in a general way what personal data the college collects about you, how that data will be used and to whom it will be disclosed. It is not possible to describe all of the ways in which the College uses personal data on students, so this Notice should not be seen as exhaustive. By enrolling at the College, you consent to the College handling and use of your personal data in accordance with this Notice and for other legitimate purposes connected to your education at Alexander College; this includes improving teaching and learning, developing services and enhancing the student experience. The College may amend and update this Notice from time to time to reflect changes in how we use personal data.

While this Notice is intended for current and former students of Alexander College’s, applicants for admission to the College’s programmes should note that the College retains information on unsuccessful applications for statistical and audit purposes and in the event of a complaint or appeal. Applicants who require further information on what the College holds about them should contact dpo@alexander.ac.cy

Where your personal data is collected from

Your personal data is collected from the following sources:

  • You – you provide data when you express an interest in studying at Alexander College, upon application to study, when registering as a student at the College, through using various College services while you undertake your studies, when registering for events or volunteering opportunities, when making a donation, when registering an interest in or joining the alumni community.
  • Third parties – the College obtains data from various organisations such as other  academic institutions.

Securing your personal data

The College is committed to carrying out its activities in accordance with the General Date Protection Regulation (GDPR)and any legislation enacted in the Republic of Cyprus in respect of the protection of personal data.

Your personal data is held securely within the College. Access to the data is controlled. Staff processing the data receive relevant training on data protection and information security.

From time to time, the College may commission agents of a third party to enhance the systems storing your personal data. Where this occurs they will act strictly in accordance with the instructions given by the College, scheduled within a data sharing agreement, so that your personal data remains secure.

What information we hold about you

The information held by Alexander College includes the details provided by you on application and enrolment, to which the College adds data collected during and after your studies at the College. This can include sensitive personal data.

The data collected and processed may include: 

  • Your name, title, gender, date of birth, passport number, country of domicile and nationality
  • Contact details (address, email addresses, phone numbers)
  • Information relating to your previous education, such as subjects studied and examination outcomes
  • Any employment history, including employers and employment period
  • Records of attendance at Alexander College
  • Records of assessment outcomes, including details of summative assessments submitted, examinations taken, marks and grades awarded, academic appeals, student complaints and disciplinary procedures
  • A digital photograph of you, which is used to produce your student ID and for security and identification purposes
  • Records generated through your use of College services, such as Student Accommodation and Wellbeing
  • Sensitive personal data or special category data, including your racial or ethnic origin, physical or mental health conditions and particular criminal convictions.

Sharing your personal data

The General Data Protection Regulation (GDPR)exists to protect the privacy of individuals. The College is committed to protecting the privacy of its students, and it should be noted that spouses, parents and friends have no automatic right of access to personal data on students. The general principle is that your personal data will normally only be disclosed outside the College with your consent. This is also true if you are under 18 when you enroll at the College– for Data Protection purposes, the College will treat your data in the same way as if you were over 18.

However, there are also occasions while you are here and after you leave when the College is obliged by law, or under other obligations, to disclose the personal data that we hold about you to external people or agencies. These are sometimes called third party disclosures.  The College has internal procedures to check that the disclosure is appropriate and that the third party is legitimate before any release takes place.

Who we release your information to

  • Alexander College Students’ Union
  • Ministry of Education
  • Visas and Immigration Office
  • Local authorities
  • The police and other organisations with prosecuting powers
  • Graduations, examination results and degree awards
  • Professional Bodies
  • Research Institutions
  • Embassies
  • Insurance companies
  • Hospitals & Private Clinics
  • Funding Agencies / Partner Institutions submitting to Funding Agencies
  • Partner Universities for Erasmus purposes
  • Career Promotion Organisations
  • Other private organisations offering assistance to students

The legal basis for processing your data

Alexander College relies on several different legal bases. Depending on the processing being performed these may include one or more of the following:

  • Consent – processing will sometimes be carried out in accordance with your consent
  • Performance of the student contract – processing is required to fulfil the College’s contractual obligations to deliver you educational services
  • Vital interest – to protect the vital interests of yourself or another, particularly in the case of medical emergencies
  • Legal obligation – providing data to statutory and regulatory agencies
  • Public interest – to enable teaching and research, which delivers a public and societal benefit
  • Legitimate interests – a vibrant and engaged alumni community supports and enhances the teaching and research of the College, having taken account of the privacy rights and freedoms of alumni.

How long will we retain your personal data for?

We will keep your personal information for as long as you are a student and/or otherwise a person enjoying our services.

After you stop being a student and/or a person enjoying our services, we need to keep your personal information for a period of 7 years based on Cyprus government law. For academic purposes and in order for the College to be able to print and certify transcripts validity and issue certificates we may keep your data for up to 50 years. We also may keep your data for more than 50 years if we cannot delete it for legal and / or regulatory and/or technical reasons. If we do so, we will ensure that your privacy is protected and the data are used only for the above-mentioned purposes.

If for any reason we keep sensitive information, we will delete it as soon as the student or employee leaves from the College and there is no other relationship

You may ask at any time for us to delete your personal data by contacting dpo@alexander.ac.cy

Data transferred to a country outside the European Union

GDRP and the applicable local legislation as amended from time to time prohibits the transfer of personal information outside the European Economic Area (“EEA”) unless specific requirements are met for the protection of that personal information. 

Data will only be transferred to countries outside the EU or the EEA (i) if it is required by law; or (ii) if you have granted us your consent and/or instructed us to do so.

Please note that if service providers in a third country are used, all reasonable and practicable measures will be taken to ensure that they will comply with the data protection level in Europe in accordance with the GDPR.

Any transfers to parties located outside the European Union will be in line with the legal and regulatory provisions of the GDPRand applicable local legislation as amended from time to time.

Photography and filming

Prior permission should be obtained for filming by external parties on the College’s premises and that the filming of individuals by external parties should only take place with their permission. Where photography or filming is carried out by or on behalf of the College, the College will take reasonable steps to ensure that students are aware that filming/photography is taking place so that students have the opportunity not to participate (unless fliming/photography is part of their assessment).

Employment references/confirmation of qualifications

The College receives numerous requests for references. Where you have provided the College or an individual within the College as a referee, we will assume your consent to respond to the request, and will do so unless we have reason to believe that the request is not genuine.

The College treats the details of your award from Alexander College as public information and will normally confirm your qualifications when requested to do so.

Your responsibilities

Students are required by the College’s Regulations to keep the College informed of their current term time and home addresses, including any changes to your personal email address if you have provided it to the College. If your personal details change, you must update them.

The College regards the Alexander College email address provided to you on enrolment as the primary method of contact with students. You must ensure that you check your College email account regularly.

As part of your record, we request that you provide us with your mobile telephone number, where you have one.  In addition to being a normal contact method this number may be used to send you a text in an emergency.  Therefore you will be asked to check this periodically and will also receive a limited number of texts to confirm that this service is working.

Access to your data

Students have the right to access any information that the College holds on them. Article 15 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) grants you the right to access your personal data held by Alexander College, including the right to obtain confirmation that we process your personal data, receive certain information about the processing of your personal data, and obtain a copy of the personal data we process. We require that you submit this request electronically via email todpo@alexander.ac.cy.  We will then seek to authenticate your identity.

We expect to respond to your request within 28 days of receipt of a fully completed form and proof of identity.

Your rights

Privacy legislation gives you have a number of rights to decide how your personal data is collected and processed. Details of these are contained within the general information on our website (see forms).

Changes to this notice

This Notice may be amended or updated. Where this occurs, Alexander College will announce the change on its website. Once this has been done, you will be deemed to have accepted the change.

Contact details

Should you have any concern about your personal data at Alexander College please contact the Data Protection Officer by email via dpo@alexander.ac.cy.