The GDPR requires that the University must inform data subjects when, why and how their personal data is used by the University.
Privacy notices should include the following information:
- name and contact details of the University, its representative (as applicable) and Data Protection Officer
- purpose of the processing of personal data
- lawful basis for processing personal data and the legitimate interests for processing (if applicable)
- the categories of personal data obtained (if the personal details not obtained from the individual)
- who the data subject's personal data is shared with, the recipients or categories of recipients of the personal data
- details of international personal data transfers to any third countries or international organisations (if applicable)
- how long the individual's personal data is held (retention periods)
- rights of the individual as a data subject
- right to withdraw consent (if applicable)
- right to lodge a complaint with the ICO
- the source of the personal data (if it is not obtained from the individual)
- the details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if it is collected from the individual)
- the details of the existence of automated decision-making, including profiling (if applicable)