GDPR Policy| FLAG International

General Data Protection Regulation Policy

Policy number	FLAG-13P
Categories	Information Technology and Data Security
Effective Date	May 2018 (Review Date: Feb.2022)
Enforcement Official	Terri Cunha, Chief Operating Officer
Approved by	Mazi Cunha, Founder/Executive Director

Statement of Policy

Foreign Links Around the Globe (FLAG Intl.) is committed to processing data in accordance with its responsibilities under the GDPR. This policy is to ensure compliance with the European Union (EU) regulations relating to the collection, storage, disclosure and use of personal data, as well as the rights of persons with regard to their data in accordance with GDPR.

FLAG is a is a U.S.-based nonprofit international exchange organization. In order for FLAG to work in partnership with International Partners and place students on exchange programs within the United States and aborad, FLAG has a lawful basis, to collect, process, use, and/or maintain the personal data of its partners, students, employees, applicants and others involved in exchange programs. These activities include, without limitation, admission, registration, communications, employment, development, exchange program analysis for improvements/expansion, and student record(s) retention.

FLAG takes seriously its duty to protect the personal data it collects or processes. FLAG will be evaluating this policy on a regular basis and it will continue to evolve and improve this policy as new guidelines and responsibilities emerge, along with FLAG's responsibilities to the U.S. Department of State.

Data Protection Principles

2.1 Lawful Basis for Collecting or Processing of Personal Data

FLAG has a lawful basis to collect and process personal data. FLAG's collection and processing of personal data will fall under the following categories:

Processing is necessary for the purposes of the legitimate interests pursued by FLAG, a FLAG International Partner or by a third party.
Processing is necessary for the performance of a student exchange program to which the data subject is party or in order to take steps at the request of the data subject prior to entering into an exchange program.
Processing is necessary for compliance with a legal obligation to which FLAG is subject.
The data subject has given consent to the processing of his or her special categories of sensitive personal data for one or more specific purposes of international student exchange.

There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases or policies set forth with FLAG's responsibilities to the U.S. Department of State.

2.2 Data Protection & Governance

FLAG will protect all personal data and sensitive personal data that it collects or processes for a lawful basis. Any personal data and sensitive personal data collected or processed by FLAG shall be:

Processed lawfully, fairly, and in a transparent manner.
Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
Limited to what is necessary in relation to the purposes of international student exchange and for which they are collected and processed.
Accurate and kept up-to-date (where applicable).
Retained only as long as necessary and or mandated by FLAG's responsibilities to the U.S. Department of State.
Secure.

2.3 Sensitive Personal Data & Consent

FLAG will obtain consent before it collects or processes special sensitive personal data.

2.4 Individual Rights

Individual data subjects covered by this FLAG policy will be afforded the following rights upon request:

Information about the controller collecting the data.
The FLAG data protection officer contact information.
The purposes and lawful basis of the data collection/processing.
Recipients of the personal data.
Transfership of personal data to another country, international organization or international partner.
The period the personal data will be stored.
The existence of the right to access, rectify incorrect data or request an erase of personal data, restrict or object to processing of personal data, and the right to data portability.
The existence of the right to withdraw consent at any time and not participate in a FLAG student exchange program.
The right to lodge a complaint with a supervisory authority (a FLAG International Parnter or a Third Party Established in the EU).
Why the personal data is required, and possible consequences of the failure to provide the data or participate in a student exchange program.
The existence of automated decision-making, including profiling (if applicable).
If the collected data is going to be further processed for a purpose other than that for which it was collected originally.

Note: These rights is a guarantee to be afforded a process and not the guarantee of an outcome.

Scope

This policy applies to the personal data and special categories of sensitive personal data protected by the EU GDPR and FLAG who collects or process personal data and special personal data protected by the EU GDPR.

Definitions:

Collect or Process Data	Collection, storage, recording, organizing, structuring, adaptation or alteration, consultation, use, retrieval, disclosure by transmission/dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction of personal data, whether or not by automated means.
Consent	Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Under the EU GDPR: Consent must be a demonstrable, clear affirmative action. Consent can be withdrawn by the data subject at any time and must be as easy to withdraw consent as it is to give consent. Consent cannot be silence, a pre-ticked box or inaction. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. Request for consent must be presented clearly and in plain language. Maintain a record regarding how and when consent was given.
Controller	The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
FLAG International	FLAG is a U.S.-based nonprofit international exchange organization/office.
Identified or Identifiable Person	An identified or identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person. Examples of identifiers include but are not limited to: name, photo, email address, identification number under the FLAG IP, FLAG associated student ID#, FLAG Account (User ID), myFLAG (User ID), physical address or other location data, IP address or other online identifier
Lawful Basis	Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: The data subject has given consent to the processing of his or her personal data for one or more specific purposes; Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Processing is necessary for compliance with a legal obligation to which the controller is subject; Processing is necessary in order to protect the vital interests of the data subject or of another natural person; Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Legitimate Interest	Processing of personal data is lawful if such processing is necessary for the legitimate business purposes of the data controller/processor, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Personal Data	Any information relating to an identified or identifiable person (the data subject).
Processor	A natural or legal person, public authority, agency or other body who processes personal data on behalf of the controller.
Special Categories of Sensitive Personal Data	Special categories of sensitive personal data that require consent by the data subject before collecting or processing are: Racial or ethnic origin Political opinions Religious or philosophical beliefs Trade union membership Genetic, biometric data for the purposes of uniquely identifying a natural person Health data Data concerning a person’s sex life or sexual orientation

Procedures

5.1 Data Governance
Document Lawful Basis for Collection or Processing	FLAG and FLAG's International Partners who collect or process personal data protected by the EU GDPR must document the lawful basis for the collection or processing of personal data and special categories of sensitive personal data they collect or process, why they collect it, and how long they keep it. All data at FLAG is kept in compliance with FLAG's Records Retention Schedule and in compliance with FLAG's responsibilities to the U.S. Department of State. *Typical policy retention requirements is no less than 3 years.

5.1 Data Governance

Document Lawful Basis for Collection or Processing

FLAG and FLAG's International Partners who collect or process personal data protected by the EU GDPR must document the lawful basis for the collection or processing of personal data and special categories of sensitive personal data they collect or process, why they collect it, and how long they keep it.

All data at FLAG is kept in compliance with FLAG's Records Retention Schedule and in compliance with FLAG's responsibilities to the U.S. Department of State. *Typical policy retention requirements is no less than 3 years.

5.2. Privacy Notice
FLAG's Privacy Notice	FLAG's Privacy Notice to data subjects must specify the lawful basis for FLAG to collect or process personal data and include: whether their personal data are being collected or processed and for what purpose categories of personal data concerned to whom personal data is disclosed storage period (records retention period) existence of individual rights to rectify incorrect data, erase, restrict or object to processing how to lodge a complaint the source of the personal data (if not collected from the data subject) the existence of automated decision-making, including profiling (if applicable) FLAG's privacy policy is available by emailing a request direct through https://flag-intl.org/contactus.html

5.2. Privacy Notice

FLAG's Privacy Notice

FLAG's Privacy Notice to data subjects must specify the lawful basis for FLAG to collect or process personal data and include:

whether their personal data are being collected or processed and for what purpose
categories of personal data concerned
to whom personal data is disclosed
storage period (records retention period)
existence of individual rights to rectify incorrect data, erase, restrict or object to processing
how to lodge a complaint
the source of the personal data (if not collected from the data subject)
the existence of automated decision-making, including profiling (if applicable)

FLAG's privacy policy is available by emailing a request direct through https://flag-intl.org/contactus.html

5.3 Consent
Documentation of Consent	FLAG and FLAG's International Partners collect affirmative consent before it collects or processes sensitive personal data.
Withdrawal of Consent	FLAG allows individuals a request to withdraw their consent. This consent form can be located at https://flag-intl.org/contactus.html.

5.4 Individual Rights
Exercise of Rights	Any individual wishing to exercise their rights under this policy should contact FLAG under https://flag-intl.org/contactus.html or by phone at +1 (800) 942-3524 (FLAG).

Breach Notification

FLAG and any FLAG International Partner that suspects that a breach or disclosure of personal data has occurred must immediately notify FLAG's Operation Director, Terri Cunha at +1 (800) 942-3524 (FLAG).

Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed shall be reported to the Supervisory Authority of the EU member state within 72 hours of notice of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Implementation

FLAG and FLAG International Partners that collect data should perform an analysis to determine whether and to what extent the office collects personal data that could originate from natural persons in EU member states. Offices that collect such information must document the processing and storage of the data. All FLAG personnel who deal with GDPR-covered data goes through appropriate training.

*No exceptions exist for this policy.

Enforcement

Violations of the policy may result in loss of partnership, system, network, and data access privileges, administrative sanctions (up to and including termination or expulsion) as outlined in FLAG's disciplinary procedures, as well as personal civil and/or criminal liability.

To report suspected instances of noncompliance with this policy, please contact FLAG's Operation Director, Terri Cunha at +1 (800) 942-3524 (FLAG).

Enforcement of the EU GDPR shall be carried out by the appropriate Data Protection Authority within the European Union.