GDPR Data Policy

Revised: July 2022

LIM College, (also referred to as, “Laboratory Institute of Merchandising”), (“College”, “us”, “we”) recognizes the General Data Protection Regulation (GDPR) and the rights of European Union citizens whose information may reside in its data processing systems. The College’s data privacy policies, applicable to all persons whose data is collected, is contained in the College’s Privacy Policy. This Policy describes the College’s preparedness and efforts towards compliance with the GDPR where personal data is processed for EU Citizens. 

1. Data Subjects:

The College identifies “Data Subjects” as any natural person to whom personal data relates. Within the context of the College, the data subjects fall into the following categories:

  • Students (prospective, current, alumni)
  • Employees (applicants, current, past)
  • Other contacts (agents, partners, vendors, etc.)

2. Personal Data:

As defined within the context of GDPR, personal data is any data that can be directly or indirectly related to a natural person (data subject). Personal data includes any identifiable personal data that can connect personal data to a data subject (e.g. name, citizen ID, phone number, e-mail address, gender, nationality, address, interests, career details, etc.).

3. Sensitive Personal Data:

The College may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership, and criminal records and proceedings.

4. Processing Personal Data:

The College shall, so far as is reasonably practicable, make efforts to ensure that all personal data is:

  • Fairly and lawfully processed
  • Processed for a lawful purpose
  • Adequate, relevant, and not excessive
  • Accurate and up-to-date
  • Processed in accordance with the data subject's rights
  • Secure
  • Subject to adequate precautions and protections in all transfers of data to overseas programs

5. The Lawful Basis for Processing Data:

GDPR requires a lawful basis for processing personal data. The College houses personal data to recognize, process, and communicate with its data subjects of prospective students, current students, prospective employees, current employees, and alumni. The processing of this data is lawful and necessary and falls into one or more of the following categories:

  1. Consent: We use personal information while processing data for communicating with prospective students and prospective employees. The data subjects give us their implied consent to process their personal data by completing an application, which is an intent to come to the College (students, employees, etc.).
  2. Contract: We use personal information while processing data that is necessary as part of the relationship the College has with the individual, e.g.:
    1. academic processing for students.
    2. payroll and financial and tax processing for employees.
  3. Legal obligation: We will share personal information with companies, organizations, or individuals outside the College, if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:
    1. meet any applicable law, regulation, legal process, or enforceable governmental request; e.g., the processing is necessary for the College to comply with the US federal laws, as well as New York State and federal reporting requirements;
    2. enforce applicable Terms of Service, including investigation of potential violations;
    3. detect, prevent, or otherwise address fraud, security, or technical issues;
    4. protect against harm to the rights, property, or safety of the College, our users, or the public, as required or permitted by law.
  4. Public task: This processing is necessary for the College to perform a task in the public interest or for our official functions as a private college within the State of New York and the USA, and the task or function has a clear basis in law. Examples of these are:
    1. Providing student statistical information to the National Student Clearinghouse
    2. IPEDS reporting

6. Confidential Data:

Any information which falls under the definition of personal data and is not otherwise exempt will remain confidential and will only be disclosed to third parties with appropriate consent.

7. Cookies and Other Technology:

Unless you take steps to browse the Internet anonymously, LIM College, like most institutions and organizations on the Internet, tracks web browsing patterns to inform understanding of how our sites are being used. Generic information is collected through the use of “cookies,” which are text files placed on your computer, to evaluate usage patterns, so we can improve both content and distribution. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, doing so may prevent you from using the full functionality of all of our websites. The generic information we collect is based on IP address, which is the location of a computer or network.

Some sections of LIM College websites use Google Analytics, a web analytics service provided by Google, Inc. Google Analytics uses cookies to help us analyze how users use our sites. The information generated by the cookie about your use of the website includes your IP address. This information will be transmitted to and stored by Google on its servers. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity, and providing other services relating to Internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Please visit the following pages for more information on Google Analytics' terms of use and Google’s privacy practices.

Please visit the following site for more information on LIM College's Privacy Policy.

8. US Laws of FERPA, GLBA, and HIPAA:

The College is also required to protect personal data with respect to the laws of the United States as well as provide information to state and federal authorities with respect to these laws. The College complies with data requirements under the United States FERPA (The Family Educational Rights and Privacy Act), GLBA (The Gramm-Leach-Bliley Act), and HIPAA (Health Insurance Portability and Accountability Act of 1996). 

9. Data Controller, Data Processors, and External Data Processors:

The College acts as a data controller for all the personal data of its data subjects. The data is processed by two parties.

  • The College acts as its own data processor where systems are used to process the College’s data.
  • In certain cases, data is provided by the subject to or transferred by the College to external vendors who process the data on the College’s behalf. The College will make every reasonable effort to require its external data processors to comply with this policy.
  • The College will make reasonable efforts to address approved changes to personal data requests by its internal and external processors.

10. Rights of Access to Information:

Data subjects have the right of access to information held by the College. Any data subject wishing to access his or her personal data should submit a request using the colleges Preference Center.

  • Submitting a Verifiable Request: To submit a verifiable request, submit your request within the Preference Center.
    • Types of requests:
      • Right to be informed
      • Right to access / know
      • Right to rectification
      • Right to delete / forget
      • Right for data portability
      • Right to restrict processing
      • Right to withdraw consent
      • Right to object processing
      • Right to object to automated processing
  • The College will endeavor to respond to any such written requests within 30 days.
  • The College will need to verify the identity of the data subject making the request.
  • Once the identity of the data subject has been verified, the College will determine if the request can be carried out or if the College has to refuse the request based on current regulations or contract obligations between the data subject and the College.
  • If the request is approved, the request will be processed within the College’s internal and external data processing areas.
  • If the request is refused, the data subject will be notified as to why the request was denied.

11. Exemptions:

Certain data is exempted from the provisions of the Rights of Access to Information under GDPR. Below are examples of some of the exceptions:

  • National security and the prevention or detection of crime
  • The assessment of any tax or duty
  • Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the College
  • Data that may violate another person’s privacy

12. Accuracy:

The College will make reasonable efforts to ensure that all personal data held in relation to all data subjects is accurate.

13. Data from Minors:

The College is committed to protecting the privacy of children. Therefore, the College does not knowingly collect or process data from children under 16 years of age, except in compliance with children's online privacy protection law. Accordingly, children under the age of 16 may only use services and programs offered by the College with the permission and supervision of their parents. Additionally, teachers and departments of the College that provide programs and services in the classroom with children under 16 years of age are required to obtain the express consent of such children's parents in compliance with the applicable law, prior to permitting such children to access or use the services or programs.

14. Compliance and Cooperation with Regulatory Authorities:

If an individual believes that the College has not complied with this policy or acted otherwise than in accordance with the GDPR, the person should contact the College at the address above and file their complaint.

15. Data Security:

We implement appropriate technical and organizational security measures to protect your information when you transmit it to us and when we store it in our information technology systems. For more information, refer to the college's Data Security Policy.

16. Secure Destruction:

When data held in accordance with this policy is destroyed, it will be destroyed securely at the time of destruction.

17. Retention of Data:

The College may retain data for differing periods of time for different purposes, as required by statute or best practices. Individual departments incorporate these retention times into the processes and manuals. Other statutory obligations, legal processes, and inquiries may also require the retention of certain data. The College may store data such as registers, photographs, exam results, achievements, books, works, etc. indefinitely in its archive.

18. Updates to this Policy:

LIM College may update this Policy or revise it from time to time. You should contact us as described in the next section or check back at this Site periodically to obtain a current copy of this Policy.

19. Contact:

Any specific questions about your data or exercising your data privacy rights can be addressed to: compliance@limcollege.edu, or by submitting a request using the college “Request Center”.