1. Data controller and data processor
The role of DreamApply is to serve as data processor and therefore process personal data on behalf of the Institution. The Institution determines the purposes of the processing of personal data and, via facilities provided by DreamApply, authorises and oversees any such data processing. The Institution therefore serves as the data controller.
2. Categories of data that is collectable via DreamApply
It’s possible to collect different types of personal data through DreamApply. DreamApply has provided different tools for its clients to process applications, create reports and manage marketing activities. It’s the responsibility of the institution/university to make sure that all the information they gather about the applicant is in compliance with the General Data Protection Regulation.
2.1 User Data (personal data) of the Applicants
Personal information necessary for submitting application(s) to the Institution: contact information, information about prior education and experience in the field, identification information, information about language skills and other relevant information necessary for applying. The Institution decides which information is necessary for applying based on national law, Institution practice and the specific programme to which the Applicant is applying.
2.2 User Data (sensitive data) of the Applicants
Sensitive data may not be collected by the Institution, except data about health. Health information may be collected by the Institution only on occasions where it is absolutely necessary for fulfilling the contract with the Applicant or required by law. If the Institution collects sensitive data via the DreamApply portal, it has the obligation to notify the Provider.
2.3 Data about the administrators registered on DreamApply by Institution
Name, e-mail, position in the Institution, access rights, and actions on DreamApply.
3. How the collected data is processed
The information collected through DreamApply can be used in various ways in order to process applications, provide service, support universities, make improvements, maintain the system and improve security.
3.1 Application filing and processing within the Institution
3.2 Statistical reports gathering
3.3 Automatic requirements analysis
3.4 Offer and document generation
3.5 Collection of contacts, study interests and data about information channels during marketing activities
3.6 Non-personalised data usage
4. The purpose and duration of data processing
4.1 The purpose of processing:
4.1.1 Managing Applicants and their applications to the Institution.
4.1.2 Managing the marketing of the Institution.
4.1.3 Providing support services to the Institution in relation to points 4.1.1 and 4.1.2.
4.2 The duration of data processing
The Institution decides the duration of the processing based on national laws as well as the study term. The Institution decides the duration of storing the data. The Institution has the technical means to delete personal data and shall do so, according to its regulations, when the data is no longer necessary for the purposes for which it was collected and its processing is not required by law.
5. Data Security
DreamApply uses best practices and customs in the information technology field to ensure the highest level of security at the network edge and on our servers (automatic security tests, logging, monitoring, intrusion prevention, behavioral monitoring to block unauthorized attempts, etc.).
DreamApply IT Infrastructure is PCI DSS Level 1 Service Provider compliant. This means that DreamApply has been scanned and audited by an approved third party and found to have the same level of protection/data security as the top big banks.
Data never leaves DreamApply servers and is located in the EU at all times. All servers and data are currently located in France:
- Paris, France
- Helsinki, Finland
6. How can you make DreamApply GDPR compliant?
Follow these simple steps to make sure your DreamApply system is GDPR compliant:
Step 1 Consents
Set up consents for applicants so they know their rights.
Step 2 Accessing and sharing data
Make sure all admins have proper rights and that data processing and sharing follow GDPR and your local guidelines.
Data needs to be deleted upon the request of the data owner or when the specific data is no longer needed (after a term ends).