Data Protection Code of Conduct

IAESTE Exchange Platform Code of Conduct for the Processing of Personal Data, in accordance with European Union Regulation 2016/679 dated 27 April 2016 (GDPR)


1. Introduction

The International Association for exchange of Students for Technical Experience (IAESTE A.s.b.l.) is a not-for-profit organisation incorporated in Luxembourg (RCSL number F1180) whose aims are: (a) to provide students in higher education with technical experience relevant to their studies; (b) to offer employers well-qualified and motivated trainees; (c) to be a source of cultural enrichment for trainees and their host communities (Art. 2 of the statutes).

The Members of the Association are legal bodies constituted by National Committees or national organisations advised by National Committees, and registered, according to their national laws (Art.7 of the statutes). Accepted Cooperating Institutions are also allowed to participate in the exchange of students (Art.3 of the bylaws).

To make these exchanges possible, the Members and Cooperating Institutions that send students have to be able to pass the required personal information (passport, curriculum vitae, marks, etc.) to the receiving Members and Cooperating Institutions, which will pass this information to the organisations concerned, such as employers, visa authorities, work permit authorities, etc. This exchange of information is done through an exchange platform administered by IAESTE A.s.b.l.

As IAESTE A.s.b.l. is committed to achieving and maintaining the trust of members, cooperating institutions, students and employers, providing a robust security and privacy program that carefully considers data protection matters is an integral part of this mission.

In accordance with the EU Data Protection Directive (European Union Directive 2016/679 dated 27 April 2016) and implementing Luxembourg national legislation, the IAESTE Exchange Platform Data protection code of conduct is intended to provide an adequate level of protection for Personal Data during international transfers within IAESTE, made on behalf of the Members and Cooperating Institutions (hereafter “Customers”) and under their instructions.

For clarity, a Customer (as defined in Section 2) may be a Controller or a Processor of Personal Data. Where a Customer is a Processor of Personal Data, the IAESTE A.s.b.l. Exchange Platform shall process Personal Data as a sub-processor on behalf of the Controller. In these cases, the instructions from the Controller regarding the processing of Personal Data shall be given through the Processor.

2. Definitions

  • Controller means controller, as defined in the EU Data Protection Directive. The term “controller” is defined in the EU Data Protection Directive as “the natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.” In our case it is clearly the National Secretary of the Members or the Person in charge of the Cooperating Institutions to whom the personal data will be sent.
  • Customer means (i) a legal entity with which IAESTE A.s.b.l. is executing an agreement to provide the service of the Exchange Platform and such agreement incorporates by reference the IAESTE Exchange Platform Data Protection Code of conduct.
  • Data Subject means an individual to whom Personal Data relates.
  • EU Data Protection Directive means European Union Directive 2016/679 dated 27 April 2016.
  • Personal Data means personal data, as defined in the EU Data Protection Directive, when such data is submitted. The term “personal data” is defined in the EU Data Protection Directive as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.”
  • Processor means processor, as defined in the EU Data Protection Directive. The term “processor” is defined in the EU Data Protection Directive as “a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.”
  • Services means the online services provided to Customers by IAESTE A.s.b.l., as listed in Appendix A.

3. Scope and Application

The purpose of the IAESTE Exchange Platform Data Protection Code of conduct is to govern cross-border transfers of Personal Data to and between members of IAESTE A.s.b.l., and to third-party sub-processors such as Employers and Authorities (in accordance with agreements with any such third-party sub-processors) when acting as Processors and/or sub-processors on behalf and under the instructions of Customers.

The IAESTE Exchange Platform Data Protection Code of conduct applies to Personal Data submitted to the Services by: (a) Customers established in EEA member states whose processing activities for the relevant data are governed by the EU Data Protection Directive and implementing national legislation; and (b) Customers established in non-EEA member states for which the customer has contractually specified that the EU Data Protection Directive and implementing national legislation shall apply.

IAESTE A.s.b.l. may update the IAESTE Exchange Platform Data Protection Code of conduct. All changes to the IAESTE Exchange Platform Data Protection Code of conduct shall be communicated to members of IAESTE A.s.b.l.

The Board of IAESTE A.s.b.l. shall be responsible for keeping a fully updated list of the members and cooperating Institutions of IAESTE A.s.b.l. and making appropriate notifications to Customers and the “Commission Nationale pour la protection des données” of Luxembourg (C.N.P.D.) in its capacity as lead authority for the IAESTE Exchange Platform Data Protection Code of conduct. IAESTE A.s.b.l. shall not transfer Personal Data to a new member or Cooperating Institution of IAESTE A.s.b.l. until it is appropriately bound by and complies with the IAESTE Exchange Platform Processor Data Protection Code of conduct.

IAESTE A.s.b.l. shall make the most current version of the IAESTE Exchange Platform Data Protection Code of conduct, available at and the members and Cooperating Institutions of IAESTE A.s.b.l. at Significant changes to the IAESTE Exchange Platform Data Protection Code of conduct and/or the list of members and Cooperating Institutions of IAESTE A.s.b.l. will be reported (a) in a timely fashion to Customers and (b) once per year to the relevant data protection authorities accompanied by a brief explanation of the changes.


4. Data Protection Principles

  a. Purpose Limitation

IAESTE A.s.b.l. shall process Personal Data only for the following purposes: (i) processing in accordance with a Customer’s instructions set forth in the Customer’s agreement with IAESTE A.s.b.l.; and (ii) processing initiated by the Customer in its use of the Services. If IAESTE A.s.b.l. cannot comply with such purpose limitation, a member of IAESTE A.s.b.l. shall promptly notify the relevant Customer, and such Customer shall be entitled to suspend the transfer of Personal Data and/or terminate the applicable order form(s) in respect only to those Services which cannot be provided by IAESTE A.s.b.l. in accordance with such Customer’s instructions. On the termination of the provision of such Services, IAESTE A.s.b.l. and third-party sub-processors shall, at the choice of the Customer, return the Personal Data to the Customer and/or delete the Personal Data as set forth in the applicable customer agreement.

  b. Data Minimization

In accordance with the Customers, the personal data on the platform will be limited to the data strictly necessary for a smooth exchange.

  c. Limited Storage Periods

The storage of the data concerned will be limited in the following way:

    i. Personal data related to the traineeship exchange, and enclosures such as the passport copy, grades, curriculum vitae, etc., will be kept for two years following their introduction into the platform. After two years they will be deleted.
    ii. The personal data that links a person to a completed traineeship exchange will be stored so that IAESTE A.s.b.l. can issue a certificate at any moment at the request of the trainee. This is sometimes required when the person is completing the formalities to obtain retirement.
    iii. Anonymised data, such as general information about the trainee (nationality, age, studies, together with the student and employer report), will be stored indefinitely for statistical and historical processing.

  d. Data Quality

Customers have access to, and control of, Personal Data in their use of the Services. To the extent a Customer, in its use of the Services, does not have the ability to anonymize, correct, amend or delete Personal Data as required by applicable laws, IAESTE A.s.b.l. shall comply with any request by a Customer to facilitate such actions by executing any measures necessary to comply with the law, in a reasonable period of time, to the extent reasonably possible and to the extent IAESTE A.s.b.l. is legally permitted to do so. IAESTE A.s.b.l. will, to the extent reasonably required for this purpose, inform each member of IAESTE A.s.b.l. with whom the Personal Data may be stored of any anonymization, rectification, amendment or deletion of such data. If any such anonymization, correction, amendment or deletion request is applicable to a third-party sub-processor’s processing of Personal Data, IAESTE A.s.b.l. shall communicate such request to the applicable third-party sub-processor(s).

  e. Data Protection by Design and by Default

The platform is designed to automatically anonymize the data after two years’ presence on the platform, taking into account the exception indicated in point 4.c.ii.

5. Data Subject Rights

IAESTE A.s.b.l. acts as Processor on behalf of Customers. Customers have primary responsibility for interacting with Data Subjects, and the role of IAESTE A.s.b.l. is generally limited to assisting Customers as needed.

  a. Purpose of the data processing

The personal data collected is used exclusively to permit the student to obtain a traineeship and to communicate with the student.

  b. Recipient to whom the personal data have been or will be disclosed

The personal data will be sent only to the member countries where it is needed and with the student’s consent. The data will be supervised by the National Secretary of the student’s country, by the National Secretary of the country to which the student is applying, by the employer at the entity to which the student is applying and by the administrative authorities of the country, such as visa authorities, work permit authorities, etc.

  c. The envisaged period for which the personal data will be stored

The personal data will be stored for two years, as the process of obtaining and completing a traineeship can cover two years. After that, all data that relate a particular student to a traineeship will be removed, with the exception of the name, surname and birthdate connected with a traineeship that has been completed. This will permit the Association to issue a traineeship certificate many years later at the request of the person. The anonymized data will be stored to permit historical and statistical analysis later on.

  d. Right to request rectification or erasure of personal data

The Exchange Platform is designed in such a way that every natural person who enters personal data on the exchange platform can at any moment access, correct, amend or delete this data. In case this is not possible for whatever reason, that person should address a request to the Board of IAESTE A.s.b.l. IAESTE A.s.b.l. shall provide Customers and Data Subjects with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any request regarding Personal Data, to the extent Customers and Data Subjects do not have access to such Personal Data through their respective uses of the Services.

  e. The right to lodge a complaint with a supervisory authority

The IAESTE A.s.b.l. Board shall be responsible for handling complaints related to compliance with the IAESTE Exchange Platform Data Protection Code of conduct. Data Subjects may lodge a complaint about processing of their respective Personal Data that is incompatible with the IAESTE Exchange Platform Data Protection Code of conduct by contacting the IAESTE A.s.b.l. Board at the email address: IAESTE A.s.b.l. shall promptly communicate the complaint to the Customer to whom the Personal Data relates.

Customers shall be responsible for responding to all Data Subject complaints forwarded by IAESTE A.s.b.l. except in cases where a Customer has factually disappeared, has ceased to exist in law or has become insolvent. Where IAESTE A.s.b.l. is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply (such as lodging a complaint before the relevant data protection authority, which, in the case of IAESTE A.s.b.l., will be the CNPD of Luxembourg).

  f. Regulatory Inquiries and Complaints

IAESTE A.s.b.l. shall, to the extent legally permitted, promptly notify a Customer if IAESTE A.s.b.l. receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, IAESTE A.s.b.l. shall provide the Customer with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any regulatory inquiry or complaint involving IAESTE A.s.b.l.’s processing of Personal Data.

6. Sub-processing by Third Parties

As set forth in applicable contracts with Customers, members of IAESTE A.s.b.l. may retain third-party sub-processors, and depending on the location of the third-party sub-processor, processing of Personal Data by such sub-processors may involve transfers of Personal Data. Such third-party sub-processors shall process Personal Data only (i) in accordance with the Customer’s instructions set forth in the contract with IAESTE A.s.b.l.; or (ii) if processing is initiated by the Customer in its use of the Services. The third-party sub-processor engaged in processing Personal Data, including a description of its processing activities, is available on request. Such third-party sub-processors have entered into written agreements with IAESTE A.s.b.l. in accordance with the applicable requirements of Articles 29 and 32 of the EU Data Protection Directive and Sections 3 – 10 of the IAESTE Exchange Platform Data Protection Code of conduct as applicable to the third-party sub-processor’s processing activities.

Notification of New Sub-processors and Objection Rights

As set forth in applicable contracts with Customers, IAESTE A.s.b.l. shall provide Customers with prior notification before a new sub-processor begins processing Personal Data. Within thirty (30) days of receiving such notice, a Customer may object to IAESTE A.s.b.l.’s use of a new sub-processor subject to the following:

It would be unreasonable for a Customer to object to a new sub-processor if (a) the sub-processor is subject to the IAESTE Exchange Platform Data Protection Code of conduct; and (b) has achieved a third-party, internationally-recognized security certification (e.g., ISO 27001) unless the Customer demonstrates reasonable suspicion that the new sub-processor will not be able to comply with its obligations under the IAESTE Exchange Platform Data Protection Code of conduct.

Unless a Customer demonstrates reasonable suspicion that a new third-party sub-processor introduces unreasonable risk to the protection of Personal Data (e.g., a history of security breaches), it would be unreasonable for a Customer to object to a new third-party sub-processor if (a) the new third-party sub-processor is located in a country that provides an adequate level of protection per the European Commission or has entered into a contract with IAESTE A.s.b.l. containing the applicable requirements of the European Commission’s controller-to-processor standard contractual clauses; and (b) the new third-party sub-processor has passed IAESTE A.s.b.l.’s vendor security evaluation based on a third-party, internationally-recognized security framework.

In the event a Customer objects to a new sub-processor, and that objection is not unreasonable under the standards described above, IAESTE A.s.b.l. will use reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new sub-processor without unreasonably burdening the Customer. If IAESTE A.s.b.l. is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, the Customer may terminate the applicable order form(s) in respect only to those Services which cannot be provided by IAESTE A.s.b.l. without the use of the objected-to new sub-processor by providing written notice to IAESTE A.s.b.l. with whom the customer has contracted. Such Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.

7. Confidentiality and Security Measures

  a. Confidentiality and Training

IAESTE A.s.b.l. shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have executed written confidentiality agreements and have received appropriate training on their responsibilities. Additionally, IAESTE A.s.b.l. shall ensure that its personnel responsible for the development of tools used to process Personal Data have received appropriate training on their responsibilities. IAESTE A.s.b.l. shall also ensure that its personnel engaged in the processing of Personal Data are limited to those personnel who require such access to perform IAESTE A.s.b.l.’s obligations under applicable contracts with Customers.

  b. Data Security

IAESTE A.s.b.l. shall maintain appropriate administrative, technical and physical safeguards for protection of the security, confidentiality and integrity of Personal Data, as set forth in applicable contracts with Customers. IAESTE A.s.b.l. regularly monitors compliance with these safeguards. IAESTE A.s.b.l. will not materially decrease the overall security of the Services during a Customer’s applicable subscription term.

  c. Security Breach Notification

In the event IAESTE A.s.b.l. becomes aware of any unauthorized access to or disclosure of Personal Data, IAESTE A.s.b.l. will promptly notify affected Customers to the extent such notification is permitted by applicable law.

  d. Third-Party Audits and Certifications

Smart Simple, which acts as a subcontractor, has its own Code of conduct that can be shown on request.

8. Liability and Enforcement

IAESTE A.s.b.l.’s agreements with Customers shall include a reference to the IAESTE Exchange Platform Data Protection Code of conduct. In accordance with such agreements, Customers shall have the right to enforce the IAESTE Exchange Platform Data Protection Code of conduct against IAESTE A.s.b.l., including judicial remedies and the right to receive compensation.

To the extent a Customer (or a Data Subject, if Section 7 of the IAESTE Exchange Platform Data Protection Code of conduct applies) demonstrates that a Data Subject has suffered damages and establishes facts showing that it is likely that such damages have occurred because of IAESTE A.s.b.l.’s breach of Sections 4-10 of the IAESTE Exchange Platform Data Protection Code of conduct or a third-party sub-processor’s breach of a contract with IAESTE A.s.b.l., IAESTE A.s.b.l. shall be responsible for proving that it – or its third-party sub-processor – was not responsible for the breach giving rise to the damages or that no such breach took place. If IAESTE A.s.b.l. can prove that IAESTE A.s.b.l. and its third-party sub-processors are not responsible for the act leading to the damages suffered by the Data Subject, IAESTE A.s.b.l. may discharge itself from any responsibility.


9. Cooperation with Data Protection Authorities

IAESTE A.s.b.l. shall cooperate with member state data protection authorities with jurisdiction over IAESTE A.s.b.l. or competent for Customers, reply to any requests they make within a reasonable time frame and abide by the advice and recommendations of the relevant member state data protection authorities regarding the interpretation and application of the IAESTE Exchange Platform Data Protection Code of conduct.

Upon request and subject to duties of confidentiality, IAESTE A.s.b.l. shall provide relevant member state data protection authorities with jurisdiction over IAESTE A.s.b.l. or competent for Customers (i) a copy of IAESTE A.s.b.l.’s annual assessment of compliance with the IAESTE Exchange Platform Data Protection Code of conduct and/or other documentation reasonably requested; and (ii) the ability to conduct an onsite audit of IAESTE A.s.b.l.’s architecture, systems and procedures relevant to the protection of Personal Data.


Appendix A – Services to which the IAESTE Exchange Platform Data Protection Code of conduct Applies

The IAESTE Exchange Platform Data Protection Code of conduct applies to the services branded as the following:

  • The Training placement Offer, where the training offer is proposed
  • The Student part, which contains the student’s data (which the student can fill in himself/herself) that will be shared with the country to which he/she will apply for the traineeship.
  • The Employer part, that contains the data of the employer, who offers the traineeship.
  • The Nomination part, which generates the acceptance documents that the student needs to travel and carry out his/her traineeship.
  • The Employer and Student report part, where the student and the employer can report about the process and the traineeship.
  • The Library part, which contains all the documents relevant to the IAESTE activities in the past and in the present.