DreamApply Privacy Policy guidelines

This guideline describes the information that the DreamApply system gathers about the applicant, how this personal information is used, processed and disclosed, and the steps taken to protect it. This guideline can be incorporated into your institution’s Privacy Policy. The management of the Applicant Data is subject to your Institution’s own Privacy Policy, and any request for access, correction or deletion should be handled by the university/institution representative following your internal Privacy Policy using the tools made available by DreamApply.

1. Data controller and data processor

The role of DreamApply is to serve as data processor and therefore process personal data on behalf of the Institution. The Institution determines the purposes of the processing of personal data and, via facilities provided by DreamApply, authorises and oversees any such data processing. The Institution therefore serves as the data controller.

2. Categories of data that are collectable via DreamApply

It’s possible to collect different types of personal data through DreamApply. DreamApply has provided different tools for its clients to process applications, create reports and manage marketing activities. It’s the responsibility of the institution/university to make sure that all the information they gather about the applicant is in compliance with the General Data Protection Regulation.

2.1 User Data (personal data) of the Applicants

Personal information necessary for submitting application(s) to the Institution: contact information, information about prior education and experience in the field, identification information, information about language skills and other relevant information necessary for applying. The Institution decides what information is necessary for applying based on national law, Institution practice and the specific programme to which the Applicant is applying.

2.2 User Data (sensitive data) of the Applicants

Sensitive data may not be collected by the Institution, except data about health. Health information may be collected by the Institution only on occasions where it is absolutely necessary for fulfilling the contract with the Applicant or required by law. If the Institution collects sensitive data via the DreamApply portal, it has the obligation to notify the Provider.

2.3 Data about the administrators registered on DreamApply by Institution

Name, e-mail, position in the Institution, access rights, and actions on DreamApply.

3. How the collected data is processed

The information collected through DreamApply can be used in various ways in order to process applications, provide service, support universities, make improvements, maintain the system and improve security.

3.1 Application filing and processing within the Institution

3.2 Statistical reports gathering

3.3 Automatic requirements analysis

3.4 Offer and document generation

3.5 Collection of contacts, study interests and data about information channels during marketing activities

3.6 Non-personalised data usage

4. The purpose and duration of data processing

4.1 The purpose of processing:

4.1.1 Managing Applicants and their applications to the Institution.

4.1.2 Managing the marketing of the Institution.

4.1.3 Providing support services to the Institution in relation to points 4.1.1 and 4.1.2.

4.2 The duration of data processing

The Institution decides the duration of the processing based on national laws as well as the study term. The Institution decides the duration of storing the data. The Institution has the technical means to delete personal data and shall do so according to its regulations when the data is no longer necessary for the purposes for which it was collected and its processing is not required by law.

5. Data Security

DreamApply uses best practices and customs in the information technology field to protect and ensure the utmost level of security at the network edge and on our servers (automatic security tests, logging, monitoring, intrusion prevention, behavioral monitoring to block unauthorized attempts, etc.).

The DreamApply IT infrastructure is PCI DSS Level 1 Service Provider compliant. That means that DreamApply has been scanned and audited by an approved third party to have the same level of protection and data security as top big banks.

Data never leaves DreamApply servers and is located in the EU at all times. All servers and data are currently located in France:

  • Paris, France
  • Helsinki, Finland

6. How can you make DreamApply GDPR compliant?

Follow these simple steps to make sure your DreamApply system is GDPR compliant:

Step 1 Consents

Set up consents for applicants so they know their rights.

Step 2 Accessing and sharing data

Make sure all admins have proper rights and that data processing and sharing follow GDPR and your local guidelines.

Step 3 Deleting applicant data and purging applications

Data needs to be deleted upon the request of the data owner or when the specific data is no longer needed (after a term ends).
