Our Policies - Alexander College

Alumni Policy

Data Protection-General Data Protection Regulation (GDPR) (EU) 2016/679

In accordance with the provisions of the General Data Protection Regulation (GDPR) (EU) 2016/679 and any other relating legislation, Alexander College is the Processor of such Personal and/or Sensitive Data. Accordingly, Alexander College may gather and process personal data only for the sole purpose of providing the services requested by Alumni (internship/work). Alexander College may pass/process personal data to a third party to the extent that this is required as a contractual necessity, on the ground of legal obligations, and legitimate interest.

The personal data will be recorded in an electronic or any other form to the personal data filing system(s), within the meaning of the Law, maintained by Alexander College or by any other company or person with which co-operation exists and/or an agreement is in force.

The recipients of the personal data shall be the duly authorised personnel of Alexander College and of any other company or person with which co-operation exists and/or an agreement is in force.
Alumni have the right to:

Request a copy of their Personal Data (commonly known as a “data subject access request”). This enables them to receive a copy of the personal information Alexander College holds about them and to check that the College is lawfully processing it.
Request correction of the Personal Data that the College holds about them.
Request the erasure of Personal Data. Alumni may ask Alexander College to delete or remove Personal Data where there is no good reason for the College continuing to process it. Alumni may also request that the College stops processing Personal Data where the College is relying on a legitimate interest and there is something about their particular situation which permits an object to processing on this ground.
Request the restriction of processing of Personal Data for example until its accuracy or the reason for processing it is more clearly established.
Request the transfer of Personal Data to another party.
Alumni who wish to review, verify, correct or request erasure of Personal Data, object to the processing of Personal Data, or request that the College transfers a copy of Personal Data to another party, they may contact the College’s DPO.

Further information regarding data protection can be found in our Student/Alumni data collection notice.

Alumni Privacy Notice

Alexander College is committed to protecting any personal information provided to us and meet our legal duties under the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable laws.

This Notice explains how Alexander College, through its Alumni Office and other departments, will collect and use your personal data for alumni and development activities. It should be read alongside the Student Data Collection Notice on how we process personal data.

Your personal data is collected from the following sources:

Alexander College – data is transferred from the College’s student databases to the database of the Alumni Office when students conclude their period of study
You – you provide data when you enquire about alumni services and benefits, register for events or volunteering opportunities, make a donation, register to join the alumni community or register to use alumni services.
Third parties – the College obtains data from the public domain and from organisations to aid the pursuit of its purposes.

The personal data that is processed

The data processed may include:

your name, title, gender and date of birth
contact details (address, email addresses, phone numbers and social media presence)
education history from your time at Alexander College and qualifications achieved at other institutions
prizes, scholarships and bursaries you were awarded
your attendance at graduation ceremonies
employment details, professional activities, career biographies and alumni profiles
partner/spouse and family details, and relationships with other alumni, supporters and friends
your interests as a student as well as your current interests
history of any donations to Alexander College, or philanthropic interests elsewhere
information about your potential philanthropic capacity
responses to Alexander College’s fundraising appeals and proposals
information from publically available sources and extracts from media stories
records of communications from, and interactions with Alexander College
attendance at events and meetings with Alexander College staff
volunteering activities at or on behalf of Alexander College
communication preferences
photographs, video or any other digital image either supplied by you for an alumni profile or taken during a graduation ceremony or alumni event or other Alexander College events.

Some of the above may contain “sensitive personal data”, otherwise known as “special category data”. This is data about your racial or ethnic origin, religious beliefs or other beliefs, physical or mental health. Alexander College will only process such data where you have given your consent for the College to have and use it or where the data has, to the best of the College’s knowledge and belief, been placed in the public domain by you.

The purpose of processing your personal data

The Alumni Office will process personal data in order to maintain and promote a vibrant and engaged alumni community, to further the College’s objectives and in pursuit of its Strategic Plan.

Personal data may also be processed for the following purposes:

Keeping you informed of opportunities for you to continue to be involved in the life and activities of Alexander College
Administration and provision of alumni services and activities
Fundraising in support of the College’s objectives
Volunteering in support of the College’s objectives

Fundraising research

Fundraising helps support the work of Alexander College. The College tries to undertake activities that are effective and appropriate. Research enables the Alumni Office to identify those alumni and other individuals who are likely, able and willing to assist and to make sure that fundraising communications are relevant and of interest.

Research is carried out by analysing personal data. This analysis will normally be done by the Alumni Office but a third party organisation may sometimes be used. Where a third party is asked to undertake analysis, they will do so strictly in accordance with instructions given by the College, scheduled within a data sharing agreement.

If you prefer that Alexander College does not conduct the above activity in relation to your personal data, please email the College Data Protection Officer: dpo@alexander.ac.cy

Securing your personal data

Your personal data is held on the Alumni Database. Arrangements are in place to ensure that your data remains secure. Access to the data is strictly controlled. Staff processing the data receive relevant training on data protection and information security.

From time to time, the College may commission agents of a third party to enhance the systems storing your personal data. Where this occurs they will act strictly in accordance with the instructions given by the College, scheduled within a data sharing agreement, so that your personal data remains secure.

Sharing your information with others

The Alumni Office does not share data with third-party organisations other than those acting on its behalf and with whom it has data sharing agreements. Arrangements will be in place to ensure that your data is exchanged in a secure manner and that it is not used for any purposes other than those agreed by Alexander College. Appropriate safeguards will be put in place where your data is to be transferred outside the European Union.

If the Alumni Office intends to share your personal information with anyone else, you will be notified and informed of the reason why when it is collected.

Your details will not be shared with any individuals looking to contact you, including your former fellow students.

How long will we retain your personal data?

The Alumni Office will look to retain your personal data for as long as there is a lawful reason to do so unless you request that it be removed from the records. Whenever you are written to you will be reminded of your right to request us to delete your personal data. Alternatively, you may ask at any time for us to delete your personal data by contacting dpo@alexander.ac.cy . Where this happens, a record of the request and basic details will be retained in order to ensure that your data is not added to the database in future.

The legal basis for processing your data

Alexander College relies on several different legal bases depending on the processing being performed:

Consent – processing will sometimes be carried out in accordance with your consent
Performance of the student contract – provision of alumni services as set out within the student contract
Legal obligation – providing data to statutory and regulatory agencies
Public interest – furthering the charitable objectives of the College delivers a public and societal benefit
Legitimate interests – a vibrant and engaged alumni community supports and enhances the teaching and research of the College, having taken account of the privacy rights and freedoms of alumni.

Your rights

The General Data Protection Regulation (GDPR) (EU) 2016/679 gives you have a number of rights to decide how your personal data is collected and processed. Details of these are contained within our Student Data Collection Notice.

Contact details

Should you have any concern about your personal data at Alexander College please contact the Data Protection Officer by email: dpo@alexander.ac.cy

Research Policy

Policy purpose

Alexander College is dedicated to the advancement of knowledge, learning and understanding in the service of society. This policy sets out Alexander College’s requirements for the curation of research data in pursuit of this goal. The policy outlines a framework of support to enable the management of research data so that the benefits of open research data can be realized, subject to compliance with legal, ethical, regulatory, contractual, intellectual property protection and other legitimate requirements.

Does GDPR apply to my research data?

GDPR is only concerned with information which can be used to identify living people. GDPR does not apply if your research involves only fully anonymised data (so there is no way of linking it back to the individual it relates to, including through use of a code or numerical identifier). Pseudonymised data (partially anonymised) is covered by GDPR as it could be used indirectly to identify individuals.

Personal information includes name, ID number, location (including IP address and data from cookies), online identifiers, physical and physiological factors, biometrics, and genetic, mental, economic, cultural or social identity.

‘Special category’ personal information are particularly sensitive and require additional conditions to be satisfied under GDPR (see Special Category Data, below). Special category data includes racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union, genetic and biometric data, health, sex life, and sexual orientation.

How does GDPR impact on me?

If you are dealing with identifiable information you have a responsibility to keep the data safe, keep data subjects informed and report any breaches.

Documentation

GPDR requires data controllers keep a written record of data processing. We strongly recommend you create a Data Management Plan (DMP), if you don’t already have one, and keep it up to date. Your research funder may have requested a DMP as part of your funding application. Your DMP, along with your ethical planning documents, privacy notices (see below) and, if needed, a Privacy Impact Statement (see below) should be used to record the nature of the data you will collect, any re-use of existing data, your justification for processing data, and data security and retention policies.

Alexander College policies also contribute to your documentation. For example, our student data collection notice documents the College’s appropriate organisational and technical measures’ for safegurding students’ data.

It will be essential when thinking about further use of data collected to check this documentation to ensure that you are not straying beyond the arrangements described at the point of collection. If the arrangements for data use are not documented there, it will be important to update participants.

Should I seek consent to process personal data?

The answer is probably ‘no’. There are six different legal justifications for processing identifiable information; ‘consent’ is just one of them. As a general principle researchers should look for another legal basis before fixing on consent, in part due to a data subject’s right to withdraw consent at any time.

The College gives researchers the power to “make provision for research and for the advancement and dissemination of knowledge” and this provides our legal basis for the processing of data for research purposes. We therefore expect researchers to stipulate the legal basis for processing data as ‘public task’.

However, there will still often be a requirement to obtain consent to participate in a research activity where sensitive data (eg. racial or ethnic origin, physical or mental health conditions and particular criminal convictions) are processed.

Privacy notices

When collecting data, it is important that researchers explain to people what will happen to their data. Although this information can go into participant information sheets, consent forms, etc, ‘privacy notices’ do have a number of mandatory elements that might not be met by other information supplied to research participants. Privacy notices need to be:

Concise, transparent, intelligible and easily accessible
Written in clear and plain language, particularly if addressed to a child
Accessible free of charge

Aim to address the following questions:
What information is being collected? Who is collecting it? How is it collected? Why is it being collected? How will it be used? Who will it be shared with? What will be the effect of this on the individuals concerned? Is the intended use likely to cause individuals to object or complain? How long is it intended to be held for?

Researchers will need to consider how best to circulate privacy notices: this could be online, paper based or verbal.

It may not always be possible, at the outset of a research project, to know what processing activities will be carried out on personal data collected as part of the research. Further processing must be compatible with those activities stated in the original Privacy notice.

Secure data storage

Identifiable information should never be stored on an unencrypted device.

Handling subject access request

Under GDPR, everyone has the following rights over their own personal data:

The right to be informed of the collection and use of their personal data
The right to access their personal data
The right to have inaccurate or incomplete information corrected
The right to have their personal data erased
The right to request that you restrict the ways in which their personal data is processed
The right to a copy of their personal data in a portable, machine readable format
The right to object to processing of their personal data
The right to be informed of any automated individual decision-making or profiling, and the right to challenge such decisions

However, if you are processing data for research purposes then your activities are exempted from many of these rights provided that certain conditions are met (see below). Specifically, your data subjects will retain:

The right to be informed of the collection and use of their personal data
The right to be informed of any automated individual decision-making or profiling, and the right to challenge such decisions

If data subjects can be identified in the published results of your research then they also retain the right to access their personal data.

If a data subject makes a request relating to one of these rights, you must inform the Data Protection Office dpo@alexander.ac.cy.

Conditions for processing for research and statistical purposes

Your data processing must meet certain conditions in order to qualify for the ‘research or statistical purposes’ exemptions to data subject rights. Specifically, you must:

Follow the principle of data minimisation (collect no more personal data than is needed for your research)
Anonymise your data as far as possible and at the earliest opportunity

In addition, if your data processing is likely to cause harm or distress to data subjects then you have not met the requirements for processing for research purposes, and the exemptions will not apply.

Reporting data breaches

If you suspect a data breach has occurred you must inform the Data Protection Office dpo@alexander.ac.cy. To do this, do not rely on email alone but confirm that the breach has been formally logged. Reporting possible incidents as early as possible is vital as the College is subject to time-limits governing how long we must undertake certain actions in response to a data breach.

How long should I keep different types of data?

This depends on the type of data, you should contact the Data Protection Office dpo@alexander.ac.cy regards retention periods.

Special category data

Special category data may be processed provided that there is a lawful basis for processing (probably ‘public task’, as before), AND that another specific condition is met. There are a number of conditions for processing special category data but the one most likely to be suitable for research is if processing is necessary for “scientific or historical research purposes or statistical purposes”. You must ensure that the principle of data minimisation is respected when collecting special category data: you should identify the minimum amount of special category data you need to properly fulfil your purpose, and hold no more than that.

See Article 9 EU GDPR “Processing of special categories of personal data” and Article 6 EU GDPR “Lawfulness of processing”

Staff Privacy Notice

What is the purpose of this Privacy Notice?

Alexander College collects and processes personal data relating to its staff to manage the employment relationship, to conduct its operations effectively, and to fulfill its legal and regulatory responsibilities. The College is committed to being transparent about how it collects and uses that data to meet its data protection obligations.

This Notice explains how Alexander College will collect, use and share your personal data and sets out your rights in relation to your personal data.

Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This can be summarised as information that we hold about an individual employee from which they can be identified.

It may include but may not be limited to the following:

Personal contact information such as name, title, address, telephone number(s) and personal and / or company email addresses.
Date of birth.
Details of next of kin or dependents.
Employment records (including job titles, start date, work history, working hours, training records and professional memberships).
Workplace location.
Salary and benefit details and history including payroll records and tax records/information.
Holiday and absence records.
Copy documents such as passport or identity card or other identification document provided to us as part of our legal obligation to report to the various departments of the Ministry of Labour and Social Insurances.
Recruitment information (including references and other information included in a CV or cover letter or as part of the job application process).
Information relating to qualifications and performance including appraisal records.
Disciplinary and grievance information.
CCTV footage and other information obtained through electronic means such as swipecard records, time and attendance data.
Information about an employee’s use of our information and communications systems.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Sensitive Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

How is Personal Data collected?

Typically, an employee will have provided Personal Data or we have recorded Personal Data about the employee in connection with or in the course of their employment.

We will pass Personal Data to a third party such as our payroll provider, HR advisers or training providers.

For what purposes is Personal Data used?

We will only use Personal Data when the law allows us to which can be summarised under the following headings:

(a) Consent: an individual has given clear consent for us to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract we have with the individual or because they have asked us to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for us to comply with the law.

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party.

Details of the Personal Data that we are most likely to process are set out in Appendix One.

What safeguards are in place?

We will comply with the data protection principles applying in Cyprus which states that Personal Data must be:

processed fairly, transparently and lawfully ;
obtained only for one or more specified and lawful purposes and not be further processed in any manner incompatible with that purpose or those purposes;
be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;

be accurate and, where necessary, kept up to date;

shall not be kept for longer than is necessary for lawful purposes;

protected by having appropriate technical and organisational measures in place to safeguard against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, the Personal Data;

and in addition Personal Data:

shall be processed in accordance with the rights of data subjects under applicable legislation;
shall transferred to a country or territory outside the European Economic Area only in order to fulfil the request of a client and the same time we will ensure that the organisation we will transfer the data to will apply an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

What rights and obligations do Employees have?

Duty to inform us of changes

It is important that Personal Data is kept accurate and up to date. Employees should please advise us if their personal information changes whilst they are employed by us.

Rights in connection with Personal Data

Under certain circumstances, individuals have the right to:

Request a copy of their Personal Data (commonly known as a “data subject access request”). This enables them to receive a copy of the personal information we hold about them and to check that we are lawfully processing it.
Request correction of the Personal Data that we hold about them.
Request the erasure of Personal Data. An individual may ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. An individual may also request that we stop processing Personal Data where we are relying on a legitimate interest and there is something about their particular situation which permits an object to process on this ground.
Request the restriction of processing of Personal Data for example until its accuracy or the reason for processing it is more clearly established.
Request the transfer of Personal Data to another party.
Individuals who wish to review, verify, correct or request erasure of Personal Data, object to the processing of Personal Data or request that we transfer a copy of Personal Data to another party, please contact our nominated Data Controller.

What we may need to comply with a Data Subject Access Request

We may need to request specific information to help us confirm a lawful right to access the information (or to exercise any other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to access it.

Charges

No fee is usually required to access Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Right to withdraw consent

In certain circumstances, consent may be required for the processing of Personal Data. Where an employee provides such consent to the processing of Personal Data for a specific purpose, that employee has the right to withdraw consent for that specific processing at any time. To withdraw consent, please contact the nominated Data Controller. Once notification is received that consent has been withdrawn, we will no longer process Personal Data for the said specific purpose unless we have another lawful basis to do so.

Amending this Privacy Notice

We may update this Privacy Notice from time to time and we will issue a new privacy notice when we make any material changes including when we the identity of the Data Protection Officer changes.

Appendix One – Data Processing

The situations in which we are most likely to process Personal Data are in connection with the following processes set out below:

Dealing with recruitment or appointment and termination matters including the assessment of experience, qualifications and overall suitability for a particular role.
Administration of matters connected with the employment relationship.
Payroll and benefit provision.
Managing our business including accounting, forecasting, planning, scheduling and auditing.
Conducting appraisals, managing performance and determining performance requirements.
Dealing with grievance and disciplinary matters.
Dealing with training and development requirements and related issues.
Dealing with conflicts and disputes involving employees.
To monitor the use of our information and communication systems to ensure compliance with our IT policies.
Managing absence including assessing fitness to work.
Health and safety matters including compliance.
To prevent fraud.
To ensure effective general HR and business administration.
To provide references on request for current or former employees.
To respond to and defend against legal claims.
To maintain and promote equality in the workplace.

We believe that we have a legitimate interest in processing the above Personal Data in the context of the overall employment relationship. Some of the above grounds for processing may overlap and there may be several grounds which justify our use of Personal Data.

Appendix Two – Our safeguarding measures

Please note that will only transfer Personal Data to countries or territories that do not have an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data only in the course of our business and after having evaluated the level of protection of personal data they apply.

We do not use any Personal Data for automated decision making or other forms of profiling.

We aim to keep Personal Data accurate and up to date. Data that is out of date or inaccurate will be amended when we are made aware of that. Employees should notify us if they become aware of any inaccuracies in their Personal Data held by us.

We will not keep Personal Data for longer than is permitted. This means that some data will be destroyed or erased from our systems 2.5 years after the termination of the employment and the remaining seven years after the termination of the employment or when it is no longer lawfully required. For regulatory purposes, we are required to keep certain Personal Data for a seven-year period after which it is securely destroyed.

We have in place procedures and solutions to maintain the security of all personal data from the point of collection to the point of destruction and have taken appropriate measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of personal data. For example, we take the following steps to protect data:

Staff is trained in relation to the importance of privacy and data security.
Electronic files can only be accessed via password logins
Only a limited number of staff has access to the employee data.

We will only pass Personal Data to third parties where we are lawfully obliged to do so. For example, an employee may ask us to provide their salary details to a building society when they apply for a mortgage or we may lawfully pass data to our payroll adviser in order to ensure that employees are paid.

We will not disclose Personal Data to a third party without consent unless we are satisfied that they are legally entitled to the data. Where we do disclose Personal Data to a third party without consent, we will only do so where that third party has confirmed that it has in place adequate measures to protect Personal Data.

Student Data Collection Notice

Alexander College, a company incorporated in Cyprus (company number HE149687)and Alexander Professional Studies ltd, a company incorporated in Cyprus(company number HE391038),(hereinafter BOTH referred to as “Alexander College”)are committed to protecting your personal information.

Alexander College will collect, process and use your personal data exclusively in compliance with the principles of Regulation (EU) 2016/679 of The European Parliament And of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”), the applicable local legislation as amended from time to time and any other legal and/or regulatory obligations.

Why we hold personal data about you

Alexander College collects, holds and processes personal data about you while you are a current student and after you leave and become an alumnus/alumna. It is essential for us to do so in order to manage our operations effectively and provide you with teaching, research and administrative support.

This Data Collection Notice explains in a general way what personal data the college collects about you, how that data will be used and to whom it will be disclosed. It is not possible to describe all of the ways in which the College uses personal data on students, so this Notice should not be seen as exhaustive. By enrolling at the College, you consent to the College handling and use of your personal data in accordance with this Notice and for other legitimate purposes connected to your education at Alexander College; this includes improving teaching and learning, developing services and enhancing the student experience. The College may amend and update this Notice from time to time to reflect changes in how we use personal data.

While this Notice is intended for current and former students of Alexander College’s, applicants for admission to the College’s programmes should note that the College retains information on unsuccessful applications for statistical and audit purposes and in the event of a complaint or appeal. Applicants who require further information on what the College holds about them should contact dpo@alexander.ac.cy

Where your personal data is collected from

Your personal data is collected from the following sources:

You – you provide data when you express an interest in studying at Alexander College, upon application to study, when registering as a student at the College, through using various College services while you undertake your studies, when registering for events or volunteering opportunities, when making a donation, when registering an interest in or joining the alumni community.
Third parties – the College obtains data from various organisations such as other academic institutions.

Securing your personal data

The College is committed to carrying out its activities in accordance with the General Date Protection Regulation (GDPR)and any legislation enacted in the Republic of Cyprus in respect of the protection of personal data.

Your personal data is held securely within the College. Access to the data is controlled. Staff processing the data receive relevant training on data protection and information security.

What information we hold about you

The information held by Alexander College includes the details provided by you on application and enrolment, to which the College adds data collected during and after your studies at the College. This can include sensitive personal data.

The data collected and processed may include:

Your name, title, gender, date of birth, passport number, country of domicile and nationality
Contact details (address, email addresses, phone numbers)
Information relating to your previous education, such as subjects studied and examination outcomes
Any employment history, including employers and employment period
Records of attendance at Alexander College
Records of assessment outcomes, including details of summative assessments submitted, examinations taken, marks and grades awarded, academic appeals, student complaints and disciplinary procedures

A digital photograph of you, which is used to produce your student ID and for security and identification purposes

Records generated through your use of College services, such as Student Accommodation and Wellbeing
Sensitive personal data or special category data, including your racial or ethnic origin, physical or mental health conditions and particular criminal convictions.

Sharing your personal data

The General Data Protection Regulation (GDPR)exists to protect the privacy of individuals. The College is committed to protecting the privacy of its students, and it should be noted that spouses, parents and friends have no automatic right of access to personal data on students. The general principle is that your personal data will normally only be disclosed outside the College with your consent. This is also true if you are under 18 when you enroll at the College– for Data Protection purposes, the College will treat your data in the same way as if you were over 18.

However, there are also occasions while you are here and after you leave when the College is obliged by law, or under other obligations, to disclose the personal data that we hold about you to external people or agencies. These are sometimes called third party disclosures. The College has internal procedures to check that the disclosure is appropriate and that the third party is legitimate before any release takes place.

Who we release your information to

Alexander College Students’ Union
Ministry of Education
Visas and Immigration Office
Local authorities
The police and other organisations with prosecuting powers
Graduations, examination results and degree awards
Professional Bodies
Research Institutions
Embassies
Insurance companies
Hospitals & Private Clinics
Funding Agencies / Partner Institutions submitting to Funding Agencies
Partner Universities for Erasmus purposes
Career Promotion Organisations
Other private organisations offering assistance to students

The legal basis for processing your data

Alexander College relies on several different legal bases. Depending on the processing being performed these may include one or more of the following:

Consent – processing will sometimes be carried out in accordance with your consent
Performance of the student contract – processing is required to fulfil the College’s contractual obligations to deliver you educational services
Vital interest – to protect the vital interests of yourself or another, particularly in the case of medical emergencies
Legal obligation – providing data to statutory and regulatory agencies
Public interest – to enable teaching and research, which delivers a public and societal benefit
Legitimate interests – a vibrant and engaged alumni community supports and enhances the teaching and research of the College, having taken account of the privacy rights and freedoms of alumni.

How long will we retain your personal data for?

We will keep your personal information for as long as you are a student and/or otherwise a person enjoying our services.

After you stop being a student and/or a person enjoying our services, we need to keep your personal information for a period of 7 years based on Cyprus government law. For academic purposes and in order for the College to be able to print and certify transcripts validity and issue certificates we may keep your data for up to 50 years. We also may keep your data for more than 50 years if we cannot delete it for legal and / or regulatory and/or technical reasons. If we do so, we will ensure that your privacy is protected and the data are used only for the above-mentioned purposes.

If for any reason we keep sensitive information, we will delete it as soon as the student or employee leaves from the College and there is no other relationship

You may ask at any time for us to delete your personal data by contacting dpo@alexander.ac.cy

Data transferred to a country outside the European Union

GDRP and the applicable local legislation as amended from time to time prohibits the transfer of personal information outside the European Economic Area (“EEA”) unless specific requirements are met for the protection of that personal information.

Data will only be transferred to countries outside the EU or the EEA (i) if it is required by law; or (ii) if you have granted us your consent and/or instructed us to do so.

Please note that if service providers in a third country are used, all reasonable and practicable measures will be taken to ensure that they will comply with the data protection level in Europe in accordance with the GDPR.

Any transfers to parties located outside the European Union will be in line with the legal and regulatory provisions of the GDPRand applicable local legislation as amended from time to time.

Photography and filming

Prior permission should be obtained for filming by external parties on the College’s premises and that the filming of individuals by external parties should only take place with their permission. Where photography or filming is carried out by or on behalf of the College, the College will take reasonable steps to ensure that students are aware that filming/photography is taking place so that students have the opportunity not to participate (unless fliming/photography is part of their assessment).

Employment references/confirmation of qualifications

The College receives numerous requests for references. Where you have provided the College or an individual within the College as a referee, we will assume your consent to respond to the request, and will do so unless we have reason to believe that the request is not genuine.

The College treats the details of your award from Alexander College as public information and will normally confirm your qualifications when requested to do so.

Your responsibilities

Students are required by the College’s Regulations to keep the College informed of their current term time and home addresses, including any changes to your personal email address if you have provided it to the College. If your personal details change, you must update them.

The College regards the Alexander College email address provided to you on enrolment as the primary method of contact with students. You must ensure that you check your College email account regularly.

As part of your record, we request that you provide us with your mobile telephone number, where you have one. In addition to being a normal contact method this number may be used to send you a text in an emergency. Therefore you will be asked to check this periodically and will also receive a limited number of texts to confirm that this service is working.

Access to your data

Students have the right to access any information that the College holds on them. Article 15 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) grants you the right to access your personal data held by Alexander College, including the right to obtain confirmation that we process your personal data, receive certain information about the processing of your personal data, and obtain a copy of the personal data we process. We require that you submit this request electronically via email todpo@alexander.ac.cy. We will then seek to authenticate your identity.

We expect to respond to your request within 28 days of receipt of a fully completed form and proof of identity.

Your rights

Privacy legislation gives you have a number of rights to decide how your personal data is collected and processed. Details of these are contained within the general information on our website (see forms).

Changes to this notice

This Notice may be amended or updated. Where this occurs, Alexander College will announce the change on this website. Once this has been done, you will be deemed to have accepted the change.

Contact details

Should you have any concern about your personal data at Alexander College please contact the Data Protection Officer by email via dpo@alexander.ac.cy

Refund Policy

Refund Policy: All Students

The following refund policy applies to local, EU and International students who wish to withdraw from any course offered at Alexander College within the first four weeks of their studies during any academic year.

Time of Withdrawal	Refund (excluding Reg Fee)
Before classes begin	100%
During week 1	80%
During week 2	70%
During week 3	50%
During week 4	25%
After week 4 of classes	0%

Please note:

Registration fees are non-refundable
Students who withdraw after 4 weeks of studies, will be required to pay the full tuition fee for the year.

Refund Policy: International Students

Students will receive a full refund (excluding the registration fee) in cases where they have paid their tuition fees but their visa has been rejected.
Students who have paid their tuition fees will NOT be refunded in cases where their visa has been rejected due to forged or counterfeit documentation.
The College will only issue refunds, where eligible, to the name and bank account of the individual who originally paid/transferred the tuition fees.

Πολιτική απορρήτου για τις τελικές εξ’ αποστάσεως εξετάσεις

Σημειώνουμε ότι το ακαδημαϊκό μας ίδρυμα Alexander College, δεν διαθέτει εξ αποστάσεως προγράμματα. Επομένως, όσες τροποποιήσεις έχουν γίνει για εξ αποστάσεως μαθήματα και τελικές εξετάσεις, έγιναν με βάση τις ανακοινώσεις του Φορέα Διασφάλισης και Πιστοποίησης της ποιότητας της Ανώτερης εκπαίδευσης, σχετικά με τις «τελικές εξετάσεις σε καταστάσεις έκτακτης ανάγκης λόγω κορωνοϊού».

Για τις εξ αποστάσεως τελικές εξετάσεις χρησιμοποιούνται δύο μορφές, οι οποίες υλοποιούνται μέσα από την πλατφόρμα Moodle και χρησιμοποιώντας το εργαλείο οπτικής και ακουστικής επικοινωνίας Zoom.

Μορφές εξ αποστάσεως αξιολόγησης

Οι μορφές αξιολόγησης για εξ αποστάσεως αξιολόγηση, επιλέχθησαν με βάση τη φύση των μαθημάτων, καθώς και τις ιδιαιτερότητες του φοιτητικού πληθυσμού. Οι εναλλακτικοί τρόποι εξ αποστάσεως αξιολόγησης είναι

Η προφορική εξ αποστάσεως εξέταση (Υλοποιείται με μικρά ακροατήρια και η αξιοπιστία της διασφαλίζεται με τη μαγνητοσκόπηση και την ανάλογη ποιότητα των ερωτήσεων όπως καθορίζεται στο Ευρωπαϊκό Πλαίσιο Προσόντων με βάση το επίπεδο του προγράμματος).
Η αξιολόγηση με ανοικτά βιβλία (Γίνεται ενώ οι φοιτητές βρίσκονται στον προσωπικό τους χώρο, με μαγνητοσκόπηση και δίδεται συγκεκριμένος χρόνος σε όλους για απάντηση των ερωτήσεων).

Ταυτοποίηση Φοιτητών που αξιολογούνται εξ αποστάσεως

Κατά τη διάρκεια της τελικής αξιολόγησης χρησιμοποιείται συμβατική κάμερα. Κατά την εγγραφή κάθε φοιτητή, και με την δική τους συναίνεση, λαμβάνεται φωτογραφία προσώπου για έκδοση φοιτητικής ταυτότητας, η οποία κατά τη διάρκεια της τελικής εξ αποστάσεως αξιολόγησης ταυτοποιείται με το πρόσωπο εκάστου φοιτητή από τον επιτηρητή. Επιπλέον, η διαδικασία ταυτοποίησης ενισχύεται και από το γεγονός ότι η τελική εξέταση γίνεται με μικρά ακροατήρια, έτσι ώστε να υπάρχει έλεγχος. Σε καμία περίπτωση δεν ζητείται η χρήση ή/και η ταυτοποίηση τους με πολιτική ταυτότητα ή/και διαβατηρίου.

Συλλογή και επεξεργασία προσωπικών δεδομένων

Οι τελικές αξιολογήσεις, λόγω του γεγονότος ότι μαγνητοσκοπούνται, περιέχουν προσωπικά δεδομένα. Όπως προνοείται και στην ανακοίνωση του Φορέα Διασφάλισης και Πιστοποίησης της ποιότητας της Ανώτερης Εκπαίδευσης, αποθηκεύονται σε ασφαλισμένες ηλεκτρονικές βάσεις με δικαίωμα πρόσβασης μόνο σε εξουσιοδοτημένα πρόσωπα και στον Φορέα ΔΙΠΑΕ, για σκοπούς αποκλειστικά ελέγχου και διασφάλισης της ποιότητας της παρεχόμενης εκπαίδευσης και απορρέει από τον Νόμο που διέπει την ίδρυση, τη λειτουργία και τις αρμοδιότητες του Φορέα [136(Ι)2015 έως 35(Ι)2019]. Η φύλαξη δεν θα υπερβαίνει τα δύο χρόνια. Επιπλέον, γίνεται διαβίβαση σε τρίτες χώρες. (βλ παρακάτω «Διαβίβαση σε τρίτες χώρες)

Ο τρόπος διεξαγωγής της εξ αποστάσεως εξέτασης (έτσι ώστε να προστατεύονται τα προσωπικά δεδομένα κατά τη συλλογή και επεξεργασία τους) είναι ο εξής: Η αξιολόγηση γίνεται ζωντανά μέσω της ηλεκτρονικής πλατφόρμας Zoom και επιτηρείται. Η αξιολόγηση οπτικογραφείται, ηχογραφείται και αποθηκεύεται. Κατά την εξ αποστάσεως προφορική εξέταση, οι φοιτητές βαθμολογούνται και το βίντεο αξιολόγησης δεν τυγχάνει επεξεργασίας. Κατά την αξιολόγηση με ανοιχτά βιβλία, με την λήξη του χρόνου εξέτασης, οι εξεταζόμενοι ανεβάζουν στην πλατφόρμα τις απαντήσεις. Τότε αποθηκεύονται στην πλατφόρμα Moodle, και ο καθηγητής τα επεξεργάζεται για να παραδόσει τη βαθμολογία στη Registrar. Τα γραπτά τυπώνονται και παραμένουν αποθηκευμένα στην Registrar, μέχρι δύο χρόνια. Επιπλέον, παραμένουν αποθηκευμένα ηλεκτρονικά στον διακομηστή (server), στον οποίο έχει πρόσβαση με κωδικό, μόνο ο Head of Information Technology.

Τα παραπάνω ισχύουν για όσους κλάδους σπουδών θα διεξαγάγουν ηλεκτρονικά τις τελικές εξετάσεις. Για τους υπόλοιπους κλάδους που οι τελικές εξετάσεις θα γίνουν με φυσική παρουσία, ισχύει η μέχρι τώρα πολιτική απορρήτου του ακαδημαϊκού ιδρύματος.

Η επεξεργασία των δεδομένων σχετικά με τις εξ αποστάσεως εξετάσεις είναι απαραίτητη για την εκτέλεση σύμβασης της οποίας το υποκείμενο των δεδομένων είναι συμβαλλόμενο μέρος. (άρθρο 6 (1)(α)(β) του ΓΚΠΔ). Οι αλλαγές στον τρόπο διεξαγωγής τελικών εξετάσεων (από εξετάσεις με φυσική παρουσία, σε εξ αποστάσεως εξετάσεις), έγιναν σύμφωνα με τις ανακοινώσεις του Φορέα Διασφάλισης και Πιστοποίησης της Ποιότητας της Ανώτερης εκπαίδευσης ΔΙΠΑΕ και τις οδηγίες του Υποργείου Παιδείας Πολιτισμού, Αθλητισμού και Νεολαίας.

Ασφαλιστικές δικλίδες/ Υπηρεσία cloud

Για την τελική αξιολόγηση χρησιμοποιείται υπηρεσία cloud (πλατφόρμα Moodle). Στην περίπτωση της προφορικής εξ αποστάσεως αξιολόγησης, τα βίντεο, αφού βαθμολογηθεί ο φοιτητής, αποθηκεύονται στον διακομηστή (όπου πρόσβαση μετά την παράδοση τελικής βαθμολογίας της προφορικής εξέτασης, έχει μόνο ο Head of Information Technology). Στην δεύτερη περίπτωση εναλλακτικής αξιολόγησης εξ αποστάσεως με ανοικτά βιβλία, μετά την αξιολόγηση της τελικής εξέτασης, αφού τύχουν επεξεργασίας από τους καθηγητές, οι οποίοι τα βαθμολογούν, τα αρχεία φυλάγονται στον διακομηστή, αλλά επίσης τυπώνονται και φυλάγονται όπου και οι μέχρι τώρα εξετάσεις, σύμφωνα με τις οδηγίες του Φορέα Διασφάλισης και Πιστοποίησης της Ποιότητας της Ανώτερης εκπαίδευσης. Οι καθηγητές έχουν υποχρέωση με το πέρας της διόρθωσης των γραπτών και αφού τα αποστείλουν στο αρμόδιο πρόσωπο να διαγράφουν από τον υπολογιστή τους οποιαδήποτε προσωπικά δεδομένα αφορούν τους φοιτητές.

Διαβίβαση σε τρίτες χώρες

Γίνεται διαβίβαση δεδομένων σε τρίτες χώρες. Το Alexander College με το βρετανικό πανεπιστήμιο Canterbury Christ Church University (CCCU) και University of the West of England (UWE Bristol) , συνεργάζονται στη βάση συμφωνίας κατά την οποία γίνεται παροχή κλάδων σπουδών του βρετανικού πανεπιστημίου, μέσω της συμφωνίας δικαιόχρησης. Επομένως, όσοι κλάδοι του CCCU στο Alexander College, διεξαγάγουν τελικές εξ αποστάσεως αξιολογήσεις, αυτές διαβιβάζονται στην πλατφόρμα του βρετανικού πανεπιστημίου έτσι ώστε να αξιολογηθούν. Η διαβίβαση των προσωπικών δεδομένων γίνεται με ασφαλιστικές δικλίδες των προσωπικών δεδομένων των φοιτητών, όπως έχουν καταρτισθεί στην εν λόγω συμφωνία και τα προσωπικά δεδομένα χρησιμοποιούνται μόνο για καθορισμένο σκοπό (αυτόν της αξιολόγησης των φοιτητών).

Ενημέρωση φοιτητών (υποκείμενα δεδομένων)

Τα υποκείμενα των δεδομένων έχουν ενημερωθεί μέσω email, σχετικά με όλα τα στοιχεία που περιλαμβάνονται στο άρθρο 13 του ΓΚΠΔ, αλλά και σχετικά με τη φύλαξη των εξ αποστάσεως τελικών εξετάσεων. Οι Κανονισμοί και Οδηγίες του Alexander College αναφορικά με την συλλογή και την επεξεργασία προσωπικών δεδομένων έχουν διαμορφωθεί ως προνοεί ο Γενικός Κανονισμός για την Προστασία Δεδομένων.Υπενθυμίζεται ότι το ακαδημαϊκό ίδρυμα Alexander College δεν διαθέτει εξ αποστάσεως κλάδους σπουδών. Για κάποια προσωπικά δεδομένα, έχει ήδη δοθεί συναίνεση κατά την εγγραφή των φοιτητών, με τη σύμφωνη γνώμη και υπογραφή τους.

Νόμιμη Επεξεργασία

Τα στοιχεία συλλέγονται για καθορισμένους σκοπούς, για τους οποίους έχει ήδη ενημερωθεί η φοιτητική κοινότητα και εμπίπτουν στις αρχές που ορίζονται στο άρθρο 5. Οι αλλαγές αυτές έχουν γίνει μετά από τις έκτακτες ανακοινώσεις και οδηγίες του Φορέα Διασφάλισης και Πιστοποίησης της Ποιότητας της Ανώτερης εκπαίδευσης ΔΙΠΑΕ.

Εκτίμηση Αντικτύπου Προστασίας Δεδομένων

Έχουν παρθεί μέτρα για αποφυγή πιθανής διαρροής των προσωπικών δεδομένων, και χρήσης τους από μη εξουσιοδοτημένα άτομα. Τηρώντας όλα τα παραπάνω θα αποφευχθεί η αθέμιτη χρήση ή χρήση για άλλο σκοπό. Τα μέτρα αφορούν τη συλλογή, επεξεργασία και φύλαξη.

Το νέο δεδομένο στο ακαδημαϊκό μας ίδρυμα που αφορά την εξ αποστάσεως εκπαίδευση και τελικές εξετάσεις φέρνει επιπλέον πράξεις επεξεργασίας που χρειάζονται τη διενέργεια εκτίμησης αντικτύπου, σχετικά με την προστασία προσωπικών δεδομένων.

Η χρήση και εφαρμογή τεχνολογικών λύσεων (πλατφόρμα επικοινωνίας Zoom) απαιτεί ταυτοποίηση των προσώπων κατά την εξ αποστάσεως τελική εξέταση (εφόσον δεν υπάρχει φυσική παρουσία). Αυτό γίνεται μέσω της φωτογραφίας που δόθηκε με συναίνεση του φοιτητή, κατά την εγγραφή του στο ακαδημαϊκό ίδρυμα. Επιπλέον, μέσω της πλατφόρμας Zoom, η εξέταση βιντεοσκοπείται.
Τα σχετικά βίντεο, παραμένουν αποθηκευμένα για επεξεργασία, ενώ στη συνέχεια παραμένουν αποθηκευμένα μόνο στον διακομηστή, όπου πρόσβαση σ’ αυτά έχει μόνο ο Head of Information Technology, χρησιμοποιώντας κωδικό.
Οι καθηγητές, όπως και οι επιτηρητές, δεσμεύονται όπως διαγράψουν προσωπικά δεδομένα φοιτητών από τους προσωπικούς τους ηλεκτρονικούς υπολογιστές που χρησιμοποιούν.
Η συλλογή προσωπικών δεδομένων γίνεται μόνο για εξυπηρέτηση του συγκεκριμένου σκοπού αξιολόγησης.
Δεν γίνεται διασύνδεση αρχείων και σε καμιά περίπτωση δεν συλλέγονται ευαίσθητα προσωπικά δεδομένα ή δεδομένα εξαιρετικά προσωπικού χαρακτήρα.

Μέτρα Ασφάλειας

Όλα τα προσωπικά δεδομένα τα οποία είναι απαραίτητο να αποθηκευθούν για να υλοποιηθεί ο σκοπός συλλογής τους (εξ αποστάσεως αξιολόγηση),

Υποχρεωτικά αποθηκεύονται και πρόσβαση σ’ αυτά υπάρχει μόνο μέσω κωδικού (τα διαδικτυακά αποθηκεύονται στον διακομηστή και πρόσβαση έχει ο Head of Information Technology, τα γραπτά ακολουθείται η σύνηθης διαδικασία και πρόσβαση σε αυτά έχει μόνο η Registrar).
Τα προσωπικά δεδομένα αποθηκεύονται μόνο για διάστημα εώς δύο ετών. Το ακαδημαϊκό προσωπικό μετά τη διόρθωση και την απονομή βαθμού αποθηκεύει τα γραπτά στον διακομηστή με ασφάλεια.

Οργανωτικά μέτρα ασφαλείας: Υπεύθυνος Ασφαλείας (Έχει ανατεθεί στον Υπεύθυνο Προστασίας Δεδομένων η επίβλεψη της πολιτικής ασφαλείας) Οργάνωση / Διαχείριση προσωπικού (Έχουν δοθεί σαφείς οδηγίες/ εγγυήσεις στα μέλη του προσωπικού που εμπλέκονται στις τελικές εξ αποστάσεως εξετάσεις, για προστασία των προσωπικών δεδομένων) Διαχείριση πληροφοριακών αγαθών (Υπεύθυνος είναι ο Head of Information Technology) Εκτελούντες την επεξεργασία (Οι απαντήσεις σε προηγούμενες ερωτήσεις, διασαφηνίζουν ότι οι καθηγητές είναι οι εκτελούντες την επεξεργασία και δεσμεύονται για προστασία των προσωπικών δεδομένων. Αυτό έγινε μέσω email που τους έχει αποσταλεί.) Καταστροφή δεδομένων και αποθηκευτικών μέσων (Υπεύθυνος είναι ο Head of Information Technology) Διαχείριση περιστατικών παραβίασης προσωπικών δεδομένων (Υπεύθυνος είναι ο Head of Information Technology) Εκπαίδευση προσωπικού (Η εκπαίδευση, σχετικά με τη λειτουργία της πλατφόρμας επικοινωνίας Zoom, αλλά και της συλλογής και επεξεργασίας προσωπικών δεδομένων έχει γίνει από τον Head of Information Technology).

Τεχνικά μέτρα ασφαλείας Τα τεχνικά μέτρα ασφαλείας τηρούνται από τον Head of Information Technology.

Μέτρα φυσικής προστασίας: Φυσική πρόσβαση σε εγκαταστάσεις και computer room (οι εκτελούντες την επεξεργασία υλοποιούν την εξ αποστάσεως τελική εξέταση από τον προσωπικό τους χώρο λόγω των έκτακτων μέτρων που λήφθησαν εν μέσω πανδημίας. Επιτρέπεται η πρόσβαση μόνο σε εξουσιοδοτημένο προσωπικό (καθηγητές και επιτηρητές), ενώ η τελική εξ αποστάσεως εξέταση οπτικογραφείται και αυτό το αρχείο λειτουργεί ως απόδειξη). Έκθεση εγγράφων (οι φάκελοι με προσωπικά δεδομένα που εκτυπώνονται, φυλάγονται και δεν εκτίθενται σε κοινή θέα) Συσκευές αναπαραγωγής εγγράφων (συσκευές που χρησιμοποιούνται, όπως εκτυπωτές, προστατεύονται κατάλληλα, έτσι ώστε να μην υπάρξει διαρροή προσωπικών δεδομένων)

Παραβίαση Δεδομένων

Σχετικά με τον εντοπισμό περιστατικών παραβίασης δεδομένων, ισχύουν όσα αναφέρονται στην Πολιτική Απορρήτου της διαδικτυακής πλατφόρμας Zoom, αλλά και όσα ισχύουν στην Πολιτική Απορρήτου του ακαδημαϊκού ιδρύματος. Τα νέα προσωπικά δεδομένα, τα οποία συλλέγονται για αυτόν τον καθορισμένο σκοπό, συλλέγονται και επεξεργάζονται μόνο για αυτό τον σκοπό, και οι αλλαγές έχουν γίνει σύμφωνα και με τις ανακοινώσεις του Φορέα ΔΙΠΑΕ, λόγω των έκτακτων μέτρων.

Για απορίες ή/και διευκρινήσεις, μπορείτε να αποστείλετε ηλεκτρονικό μήνυμα στις διευθύνσεις dpo@alexander.ac.cy και a.prodromou@alexander.ac.cy.