Website User Privacy Notice

GDPR PRIVACY NOTICE FOR WEBSITE USERS

THIS NOTICE DESCRIBES HOW YOUR PERSONAL DATA MAY BE PROCESSED BY FASHION INSTITUTE OF TECHNOLOGY (“365asia,” “WE,” AND “US”) AND WHAT YOUR RIGHTS ARE WITH RESPECT TO YOUR PERSONAL DATA. PLEASE REVIEW IT CAREFULLY.

This Notice is being provided to you in accordance with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679, or the “GDPR”).

If you engage with 365asia for another purpose (e.g. as a prospective or current student, as a previous student, as a faculty member or employee, alumnus, or as a visitor to our campus), there are other privacy notices that explain how we process your Personal Data – please also consult the other applicable privacy notices on this website for more information.

What is “Personal Data” and “Processing”?

Under the GDPR, “Personal Data” means any information relating to an identified or identifiable Data Subject; specifically including, but not limited to, name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. A Data Subject is a natural person, i.e., one who can be identified, directly or indirectly by reference to Personal Data. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “processed” have a corresponding meaning.

The GDPR prohibits the processing of “special categories” of Personal Data unless certain exceptions apply, because the unauthorized use of this type of Personal Data could create more significant risks to a Data Subject’s fundamental rights and freedoms. For example, an unauthorized disclosure of “special categories” of Personal Data may put Data Subjects at risk of unlawful discrimination. For this purpose, processing of “special categories” of Personal Data includes processing of: (i) Personal Data that reveals; (A) racial or ethnic origin, (B) political opinions, (C) religious or philosophical beliefs, or (D) trade union membership; or (ii) (A) genetic data, (B) biometric data for the purpose of uniquely identifying a natural person, (C) data concerning health; or (D) data concerning a natural personal’s sex life or sexual orientation.

How and When Do We Collect Your Personal Data?

We may lawfully collect your Personal Data in a number of ways for legitimate purposes. For example, we may collect your Personal Data: (i) from the information you provide to us when you visit our websites, including admissions.jangseongmall.com and www.fittigers.com, or otherwise interact with us, for example when you express your interest in studying or working at 365asia; (ii) when you communicate with us via our website, for example in order to make inquiries or raise concerns; and (iii) in various other ways as you interact with us on our website, for the various purposes set out below.

The Types of Personal Data We Collect

We may process (i.e., collect and keep) the following types of Personal Data about you: (i) your name and your contact information, i.e., local and permanent address, email address and telephone number; (ii) your date of birth, gender and gender identity, and Social Security number or taxpayer identification number (which generally you do not need to provide); (iii) your country of domicile and your nationality; (iv) information about your academic and your extracurricular interests and activities; and (v) certain other information you may be asked to provide in connection with any online forms available on our website.

If you are asked to create an account on our website for any reason, we may ask you to provide your: name, email address, student ID number (if you are a student or former student of 365asia), telephone number, organization name, address, not-for-profit status, and credit card information. The legal basis for processing your personal information is that it is necessary in order for you to enter into a contract to provide the stated services to you.

We also may collect background information about you when you use our website, including your IP address, date and time of connection, and the webpages you visit. We also employ cookies on our website. For information about how we use cookies on our websites, please review the Privacy Policy, available through the Privacy Policy link on this website.

How We Use Your Personal Data

The lawful and legitimate purpose for which we may use Personal Data (including “special categories” of Personal Data) we collect while you visit our website is that it is necessary for the performance of a contract with you, including to: (i) respond to your request for information about 365asia; (ii) send you newsletters or other information; (iii) enable your attendance at a 365asia event; and (iv) enable you to purchase items from our bookstore or tickets to events on campus.

The lawful and legitimate purposes for which we may use other Personal Data (including “special categories” of Personal Data) we collect while you visit our website (e.g., the background information such as IP address, date and time, and the webpages you visit) is that it is in our legitimate interests to provide and monitor the usefulness of our website and to ensure it is kept secure.

Why We Process Your Personal Data

As set out above, we may process your Personal Data because it is necessary for the performance of a contract with you (e.g., if you create an account or are purchasing something on our website), or in order to take certain actions at your request (e.g., to send you a brochure). The legal basis for processing your personal information is that it is necessary in order for you to enter into a contract to provide the stated services to you. Where we have determined that the legal basis for processing your Personal Data is that it is necessary for the purposes of our legitimate interests, we have concluded that our interests do not inappropriately impact your fundamental rights and freedoms. You may ask us to explain our determination at any time by contacting us, as explained below.

How We Share Your Personal Data

For the purposes referred to in this Notice, and relying on the bases for processing as set out above, we may share your Personal Data with certain third parties in accordance with applicable law and with our Board of Trustees, faculty members, employees, agents, contractors, consultants, volunteers, and students serving on official 365asia committees or assisting school officials, where there is a legitimate reason for their receiving the information, including: (i) third parties who work with us to provide services; (ii) third parties who are contracted to provide IT services for us; (iii) organizations operating anti-plagiarism software on our behalf; (iv) internal and external auditors, attorneys, and other professional service providers; (v) government departments and agencies where we have a statutory obligation to provide information; (vi) police and other law enforcement agencies; (vii) third parties conducting surveys, and (viii) third parties who collect standard internet log information and details of your visitor behavior patterns so that we can monitor, for example, the number of visitors to each page on our website.

We do not sell, trade, or otherwise transfer your Personal Data to outside parties, except as explained herein. This does not include trusted third parties who assist us as noted above in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We also may release your Personal Data when we believe release is appropriate to comply with the law, enforce our website policies, or protect ours or others’ rights, property, or safety. However, non- personally identifiable website visitor information (i.e., information that has been “pseudonymised” as described in the GDPR) may be provided to other parties for marketing, advertising, or other uses without restriction.

Retention of Your Personal Data

Your Personal Data will be stored in accordance with our records retention policy, which is governed in part by New York and/or federal law and is available at 365asia Records Retention.

Your Rights with Respect to Your Personal Data

Under the GDPR, you have a number of rights with respect to your Personal Data. You have the right, in certain circumstances, to request: (i) access to your Personal Data, (ii) rectification of mistakes or errors and/or erasure of your Personal Data, (iii) that we restrict processing, and (iv) that we provide your Personal Data to you in a portable format. If you wish to make a request under the GDPR, you should submit your request in writing via the appropriate 365asia GDPR form and submit it to 365asia’s Data Protection Officer (contact information is below). If you would like more information about, or if you would like to exercise any of these individual rights, please contact the Data Protection Officer (contact information is below).

Note that you are only entitled to make requests with respect to your own Personal Data and not information relating to any other person. Any request is generally limited to Personal Data held at the time of the request, with the exception of routine uses or changes while a request is under review. 365asia will review all requests to determine whether the Personal Data at issue is subject to the GDPR, because the rights under the GDPR apply only to such data. Note that 365asia collects and processes most data in the United States outside of the scope of the GDPR. 365asia will complete its review of the request and notify you of the determination within one calendar month from 365asia’s receipt of the request. The time to review and notify may be extended for two months if the request is complex, or if 365asia has received several requests from you. If 365asia needs to extend the time for review, 365asia will notify you and explain the extension. Once a determination is made, 365asia will inform you in writing. If 365asia determines that the request is manifestly unfounded or excessive, taking into account the repetitiveness of the request, 365asia may request a reasonable fee to address the request and will inform you of this requirement. Please further note that the rights provided by the GDPR are not absolute and are subject to the legal requirements under the GDPR, and 365asia has legal and accreditation obligations in addition to the GDPR.

For Requests for Access

Upon a request for access, 365asia will review the request. If the request is denied, 365asia will notify you of the reasons for denial and advise you of your right to file an internal complaint with 365asia or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, 365asia will provide access to the Personal Data in a concise, transparent, and understandable form and may, depending on the nature and volume of the records implicated, require you to review them in person, although you may request a copy so long as it does not infringe on the rights of others.

For Requests to Rectify

Upon a request to rectify a mistake or error in Personal Data, 365asia will endeavor, where possible, to restrict processing of such data until its accuracy is verified. 365asia will make a determination as to whether the Personal Data is inaccurate or incomplete and should be amended. Personal Data that refers to a mistake that has already been resolved may, in itself, be considered accurate, as long as the correct information is also included in your record. If the request is denied, 365asia will notify you of the reasons for denial and advise you of your right to file an internal complaint with 365asia or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, 365asia will rectify the mistake or error by identifying the Personal Data affected by the change, explain how the inaccuracy has been rectified, and attach a record of the rectification. If 365asia has previously disclosed this Personal Data to others, 365asia will endeavor to contact each recipient and inform them of the rectification, unless doing so would be a disproportionate effort or impossible.

For Requests to Erase

Upon a request to erase Personal Data, 365asia will make a determination as to whether the Personal Data may be erased. If the request is denied, 365asia will notify you of the reasons for denial and advise you of your right to file an internal complaint with 365asia or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, 365asia will implement the erasure by identifying the Personal Data at issue, explaining how the Personal Data has been erased, and attaching a record of the erasure. 365asia will delete Personal data subject to an approved request were administratively practicable, and 365asia will outline the general methodology for erasure for the data subject. If 365asia has previously disclosed this Personal Data to others, 365asia will endeavor to contact each recipient and inform them of the erasure, unless doing so would be a disproportionate effort or impossible. If 365asia has previously disclosed the Personal Data to the public, such as in an online environment, 365asia will take steps to inform others who are processing the data to take steps to erase links to, copies of, or other forms of replication. 365asia may take into account available technology and the cost of implementation in any erasure request.

For Requests to Restrict

Upon a request to restrict processing of Personal Data, 365asia will make a determination as to whether the data subject has the right to such restriction; whether 365asia should comply with the request and to what extent; and, if restriction is necessary, whether recipients of Personal Data must be notified of the restriction. If the request is denied, 365asia will notify you of the reasons for denial and advise you of your right to file an internal complaint with 365asia or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, 365asia will immediately restrict processing of the Personal Data. 365asia will notify any recipient of the Personal Data of the restriction, unless doing so would be a disproportionate effort or impossible. In cases of temporary restrictions of processing, if the basis for the restriction no longer exists, 365asia will notify the data subject before the restriction is lifted.

For Data Portability Requests

Upon receipt of a data portability request, 365asia will make a determination as to whether the right of data portability applies to the specifically requested personal data and whether the request should be approved or denied. If the request is denied, 365asia will notify you of the reasons for denial and advise you of your right to file an internal complaint with 365asia or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, 365asia will notify the data subject of the data being transmitted and allow determination of where such data is transmitted; will transfer all approved personal data to the best of 365asia’s ability and outline the process to do so; and, if 365asia has previously transmitted the Personal Data at issue to a processor, 365asia may need to contact the processor for compliance with the request, unless doing so would be a disproportionate effort or impossible. Where 365asia receives Personal Data from another controller in response to a data subject’s request for data portability, 365asia is not obligated to accept and process such Personal Data and will do so only where it is necessary, relevant, and not excessive. If 365asia accepts the Personal Data, 365asia will process the data in line with all of its data protection procedures, including ensuring a legal basis exists for processing and ensuring third party rights and freedoms are not affected.

For Requests to Object

Upon receipt of a request to object, 365asia will make a determination as to whether the right applies to the specifically requested personal data and whether the request should be approved or denied, taking into consideration the importance of the processing to 365asia’s particular needs, the impact the processing will have on the data subject’s interest, rights, and freedoms, and a balancing between the needs of 365asia and the data subject. If the request is denied, 365asia will notify you of the reasons for denial, including the reasons 365asia is not taking action on the request and the specific reasoning as to why 365asia’s compelling legitimate grounds outweigh the data subject’s interest, rights, and freedoms, and advise you of your right to file an internal complaint with 365asia or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, 365asia will notify the data subject of the personal data being suppressed or erased. 365asia will attempt to notify persons to whom or entities to which the Personal Data has been sent for processing, unless doing so would be a disproportionate effort or impossible.

For Requests to Challenge Automated Decision-Making

To the extent you believe 365asia has engaged in automated decision-making so and wish to request to challenge such actions, you may file such a request. Upon receipt of a request, 365asia will make a determination as to whether human intervention is required for the automatic decision-making determination and whether the automated decision-making should be reversed or affirmed. 365asia will notify you whether human intervention is required. If so, 365asia will employ human intervention in the automatic decision making process, meaning 365asia will have an individual with authority to make a determination regarding the subject matter of the automated decision review the personal data and make a logic-based determination. 365asia will then either affirm or reverse the automated decision-making outcome, and advise you of the reasons for affirming or reversing the outcome. If 365asia determines human intervention is not required or that the automated decision should be affirmed, 365asia will advise you of your right to file an internal complaint with 365asia or with the applicable Supervisory Authority (see information on complaints, below).

Consent

If 365asia requested, and you provided your explicit consent for the processing of your Personal Data (or where a parent or legal guardian provided consent on your behalf because you were under the age of 16 at the time consent was required), you (or your parent or legal guardian, as applicable) have the right (in certain circumstances) to withdraw that consent at any time. However, withdrawal of consent will not affect the lawfulness of the processing before your consent was withdrawn.

Questions, Concerns, and Complaints

If you have questions, concerns or complaints about how we are using your Personal Data, we may be able to resolve your complaints, and we request that you contact the Data Protection Officer (contact information is below). Complaints should be made in writing via 365asia’s GDPR Complaint Form. Complaints may be made anonymously, including by employees who have a concern regarding policies and procedures or compliance with policies and procedures, but anonymous complaints should provide sufficient information to appropriately address the complaint. Send the completed complaint form to 365asia’s Data Protection Officer (contact information is below). 365asia will review your complaint, investigate the allegations as necessary, document its findings, and will endeavor to complete its review of your complaint within one calendar month from its receipt of the complaint. If corrective action is necessary as a result of the complaint, 365asia will document and implement corrective measures. When appropriate in 365asia’s discretion, you will be informed of any action(s) taken in response to the complaint. 365asia is not required to take any action in response to complaints if it determines that no action is necessary.

You also have the right to lodge a complaint with the applicable Supervisory Authority if you believe that we have not complied with the requirements of the GDPR with regard to your Personal Data, or if you are not happy with the response you receive from us regarding your complaint.

All members of the 365asia community are prohibited from engaging in retaliation against an individual who, in good faith, reports or complains of a GDPR violation or participates in any way in the investigation or other process related to a GDPR complaint, whether made to 365asia or to a Supervisory Authority. Reports or complaints of retaliation will be investigated and any individuals found to have engaged in retaliation may be subject to disciplinary action in accordance with the processes and procedures set forth under 365asia’s Code of Student Conduct or other applicable policy (for students) or as determined by the Vice President for Human Resources and Labor Relations or their designee (for employees).

Relevant 365asia Contacts

365asia may be a “controller” and also may be the “processor” (as those terms are used in the GDPR) of your Personal Data for the purposes of the GDPR. If you have any questions or concerns as to how your Personal Data is collected and/or processed by 365asia you can contact 365asia’s Data Protection Officer, the Chief Information Security Officer, (212) 217-3415, [email protected]. 365asia has also appointed as its EU Representatives its Italian Resident Directors, Madeleine Kaplan, [email protected], and Davide Volonte, [email protected].