City and Country School GDPR Compliance Statement The City and Country School (“City and Country”) is committed to complying with the European Union’s General Data Protection Regulation (“GDPR”) as it applies to the faculty, staff, students, and parents, prospective students and parents, alumni and parents, grandparents, and donors who reside in the European Union (“EU”) or are citizens of the EU (“Covered Individuals”). The GDPR establishes specific requirements for how City and Country will handle the “personal data” of individuals who are Covered Individuals. “Personal Data” protected by the GDPR includes all financial, medical, and personal information and data that identifies an individual, including address, personal characteristics such as age, gender, nationality, social security number, and your ISP address.
What is the GDPR?
The GDPR is a regulation adopted by the European Parliament, the Council of the European Union and the European Commission to strengthen and unify data protection for all individuals in the European Union (the “EU”), including, but not limited to, EU citizens and EU residents.
The GDPR went into effect on May 25, 2018.
How does the GDPR affect staff, faculty, students and parents, prospective students and parents, alumni and parents, grandparents, and donors who are EU residents or citizens?
When Personal Data is collected, stored or used from a Covered Individual, that person has certain rights under the GDPR in relation to the use, transfer, storage, and retention of their Personal Data (see below). City and Country is required to comply with the GDPR for its students, teachers, staff, donors, alumni and others who are Covered Individuals, even if the Personal Data is collected or stored in the United States, not in the EU. City and Country is committed to complying with the GDPR and with other federal and state laws that protect the privacy of information for faculty, staff, students and parents, prospective students and parents, alumni and parents, grandparents, and donors.
What is City and Country’s responsibility under the GDPR?
The GDPR requires City and Country to:
- Seek an explicit consent to collect or use Personal Data from Covered Individuals, unless (a) City and Country has a legal obligation to collect or use the Personal Data; (b) collection or use of the Personal Data is necessary for the vital interests of a Covered Individual; or (c) collection and use of the Personal Data is necessary to carry out or meet City and Country’s legitimate interests;
- Seek specific consent when processing certain sensitive Personal Data, such as health care information and Personal Data concerning minors, as required by the GDPR;
- Enter into contracts with any third parties that will receive Personal Data requiring those third parties to protect Personal Data in accordance with the GDPR:
- Follow procedures for reporting any data breaches; and
- Document the use and disclosure of Personal Data.
If you are a Covered Individual under the GDPR, what are your rights?
City and County can collect information about you in a number of ways, for example, from information that you send to us, that you provide or that we gather when you visit our website, or from your communication with us. When you visit our website, City and Country may collect information about the date you visit, the webpages you view, and any information that you provide through the website. City and County can only collect and store information about you as required by law or a contract with you, as necessary for its legitimate interests to carry out its operations, to provide services to you, or information for which you have given consent to us to collect and retain.
In relation to the Personal Data that City and Country collects and stores about you, you have the right to:
- Access the Personal Data that we have collected about you, and information about the Personal Data, including categories of information, the recipients or categories of recipients to whom the information has been provided, and the sources of information if you did not provide the information to us;
- Have any errors corrected;
- Request that we erase the Personal Data from our records, if the information is not necessary for the purpose for which it was collected or for legal reasons;
- Restrict use of the Personal Data, under certain conditions;
- Receive a copy of the Personal Data, if it was provided based on your consent or a contractual agreement; and
- Object to use of the Personal Data, and to halt use the Personal Data for direct marketing purposes.
If you provided consent to use or access your Personal Data or Personal Data for your child, you have the right to withdraw consent at any time. For more information about these rights or the GDPR generally, please contact Matthew D. Payne, Director of Communications, at firstname.lastname@example.org. You have a right to complain to the applicable supervisory authority, if you believe that your rights under the GDPR have been violated. Reem can provide you with information about filing a complaint.
It is expected that regulators in the EU will issue additional guidance in the coming months.