Notification regarding the processing of personal data of participants in language competence examinations
(BCCE, ABLE, ALCE, STYLE and ETECT)
Pursuant to the application of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Hellenic American University (436 Amherst Str., Nashua, NH 03063, USA) (the “Hellenic American University”) would like to inform you of the following:
1. What data is processed by Hellenic American University belonging to which natural persons: Hellenic American University, in its capacity as data controller, processes personal data of the following persons (“data subjects”): (a) adults who participate in language competence examinations organized by Hellenic American University; and (b) minors that participate in language competence examinations and which are being represented by holders of the parental responsibility or the guardianship. Data processed by Hellenic American University, as appropriate, shall include, inter alia: (a) personal information (e.g. full name, father’s name, gender, date of birth, examination center, type of the language competence examination in which the data subject participates and the date in which the examinations are being conducted, data of the examiner of the data subject, examiner marks and comments relating to examiner marks, the Foreign Language Center at which the participant in the language competence examinations is studying, candidate number, native language and attendance records, assessment papers, candidate voice, candidate answers etc.); and (b) special categories of data, i.e., where applicable, health-related data that may be disclosed by the data subject in order for special arrangements to be taken for the carrying out of the language competence examinations (e.g. special learning difficulties, other health issues, etc.). The disclosure of the data specified in subparagraph (a) above is a legal or contractual obligation of the data subject or a requirement to conclude a contract. Where the data subject does not provide the above data or part thereof, he or she will not be able to register and therefore, participate in the above language competence examinations.
2. Source of data: The source of the data, as the case may be, is the data subject himself/ herself disclosing his/ her data or the holders of the parental responsibility or the guardianship of the data subject or the test centers that organize the above language competence examinations. To the extent that the persons mentioned above transmit third party personal data to Hellenic American University, they shall be responsible for complying with the applicable provisions of the data protection legislation.
3. Purpose and legal basis of processing data: Hellenic American University processes data subjects’ personal data, as the case may be, for the following purposes: (a) to develop and deliver language competence examinations, including the development of assessment materials, the collection and marking of exam papers and the issuance of certificates and the assurance that the appropriate examination facilities are available to those with specific requirements. For such data processing, the legal basis shall be the performance of the relevant contract concluded with Hellenic American University and the compliance with a legal obligation of Hellenic American University, while for special categories of data (as specified in clause 1 (b) above) that may have been disclosed to Hellenic American University, the legal basis for processing shall be the data subject’s relevant consent given by the disclosure of the relevant personal data to Hellenic American University and the protection of the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent; (b) to handle complaints or to investigate allegations of misconduct in relation to the sitting of exams. For such data processing, the legal basis is the data subject’s (e.g. complainant’s) relevant consent or that that processing is necessary for the purposes of the legitimate interests pursued by Hellenic American University which override the interest, fundamental rights and freedoms of the data subject which require the protection of personal data (e.g. for the establishment, exercise or support of legal claims, in which case the processing, if necessary, will also extend to specific categories of data); and (c) to safeguard the interests of Hellenic American University, to carry out research in the field of education and qualification delivery, to set standards and other activities that are required to ensure that Hellenic American University’s services and programs are delivered to a high standard and that the participants in the language competence examinations are protected. For such data processing, the legal basis is that processing is necessary for the purposes of the legitimate interests pursued by Hellenic American University which override the interest, fundamental rights and freedoms of the data subject which require the protection of personal data (e.g. for the establishment, exercise or support of legal claims, in which case the processing, if necessary, will also extend to specific categories of data).
4. Recipients of data: As the case may be and depending on the purpose of processing, personal data may be transmitted to the authorized employees in each department of Hellenic American University, to companies associated with Hellenic American University with which Hellenic American University has a concluded a contract and which process the data on its behalf (e.g. IT companies, IT service providers, etc.), within their competencies and subject to the obligation of confidentiality, secrecy and compliance with the data protection legislation. For the purpose of the (onward) transmission of data outside the European Economic Area, Hellenic American University has taken the appropriate and suitable safeguards for the protection of the personal data. If a data subject wishes to receive a copy of these safeguards, he/ she may contact Hellenic American University using the contact information mentioned in the term 6 below.
Finally, Hellenic American University may transmit personal data to third parties where so required by law, or for the purposes of, or in connection with legal proceedings in which it participates, or otherwise for the purposes of supporting, exercising or defending its rights, or to third parties that are law enforcement authorities and have submitted a lawful transmission request, or where it considers that transmission is necessary in connection with any investigation into the suspicion or existence of any illegal activity.
5. Data retention time: Hellenic American University will retain the above data for as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory, accounting, reporting or internal policy requirements. To determine the appropriate retention period, Hellenic American University considers the applicable legal requirements, as well as the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which its processes the data and whether it can achieve those purposes through other means. Further information on the retention periods can be requested from Hellenic American University using the contact information mentioned in the term 6 below.