For the purposes of this section, the term ‘process’ has the meaning given to it under the GDPR and may include any operation or a series of operations performed on EU personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

EU personal data that is collected by us may have been sourced directly from you, a third party (e.g. our European associates) or implied from your use of our services.

We process EU personal data in accordance with this section and our Privacy Obligations. To the extent of any inconsistencies between other sections of our Privacy Obligations and this section in relation to the processing of EU personal data, this section will prevail.

GDPR Principles

Any EU personal data will be:

  • processed lawfully, transparently and in a fair manner;
  • collected only for the purposes identified in our Privacy Obligations or any other agreed specified purposes and not further processed in a manner incompatible with those purposes;
  • collected in an adequate and relevant manner and limited to what is necessary in relation to the purposes for which the EU personal data is processed;
  • kept current and up-to-date in accordance with our Privacy Obligations;
  • stored in a form which permits us to identify you, but only for the period necessary in relation to the relevant purposes identified in our Privacy Obligations;
  • stored and processed securely to protect EU personal data against unlawful or unauthorized access and accidental loss, damage or disclosure in accordance with our Privacy Obligations.

Lawful bases for processing

We will collect and process EU personal data only where:

  • you have given consent;
  • the processing of EU personal data is necessary for the performance of a contract with you (such as to deliver the services you have requested or that have been requested on your behalf); and
  • the processing of EU personal data is necessary for the purposes of Unitec’s ‘legitimate interests’, provided that such processing does not outweigh your rights or freedoms. Some ‘legitimate interests’ are listed in the ‘Use of Personal Information’ section of this Policy.

Where we rely on your consent to process personal data, you have the right to withdraw, restrict or decline your consent at any time and where we rely on legitimate interests, you have the right to object.

We do not use automatic decision making, such as profiling, to make a decision that may produce a legal effect concerning a data subject of EU personal data.

Rights of EU Personal data subjects

In addition to other rights you may have as set out in our Privacy Obligations, you may exercise the data protection rights set out below in relation to your EU personal data:

  • Access and Portability: a request can be made by you for a copy of your EU personal data (and any other information relating to your EU personal data permitted under Article 15 of the GDPR) held by us. In addition, you may request to be provided with such EU personal data in a structured, commonly used and machine readable format (including for the purposes of transferring to another party).
  • Restrictions and Objections: You may request that we limit our use of your EU personal data or processing by requesting that we no longer use your EU personal data or limit how we use your data; this may include where you believe it is not lawful for us to hold your EU personal data or instances where your EU personal data was provided for direct marketing purposes and now you no longer want us to contact you.

Our responsibilities as a ‘Data Controller’ and ‘Data Processor’

We may act as the ‘data controller’, the ‘data processor’ or, in some instances, both the data collector and data processor simultaneously in relation to EU personal data.

We will be a data controller where we determine the purposes and means of the processing of EU personal data alone or jointly with others. To the extent we are a data controller with respect to EU personal data, we:

  • set out in this statement how we collect personal information (including EU personal data), how it is stored, to whom such personal information is disclosed and how the EU personal data is otherwise processed;
  • appoint processors only under agreements that the processor will comply with the GDPR;
  • will maintain a record of processing activities which are under our responsibility (where required by GDPR);
  • co-operate with relevant authorities which enforce the GDPR;
  • implement appropriate technical and organisation security measures to protect EU personal data and report any data breaches to authorities and affected individuals as required by the GDPR.

If a third party discloses EU personal data to us for a specific purpose, we will be acting as a data processor in processing the EU personal data for that purpose. Where we act as a data processor, we will:

  • act only on the controller’s documented instructions;
  • impose confidentiality obligations on all personnel who process the EU personal data;
  • not appoint sub-processors without the prior written consent of the controller;
  • at the instruction of the controller, return or destroy the EU personal data; and
  • where applicable, assist the controller in complying with the rights of the data subjects of the EU personal data;
  • maintain and keep accurate records of processing activities (where required by GDPR); and
  • implement appropriate technical and organisation security measures to protect EU personal data and report any data breaches to controller without undue delay.

Disclosure to third parties

If we are required to disclose your EU personal data to third parties, including data processors or sub-processors, we will notify the third party that it has an obligation to handle any EU personal data in accordance with the GDPR.

In the event we are responsible for a transfer of EU personal data outside of the EU, such transfer will be for the necessary and lawful performance of our services, including the establishment, exercise or defence of an IP or legal right.

Express consent to transfer:

Further to the section above, by providing us with your EU personal data, you are consenting to the disclosure of your EU personal data to third parties outside of the EU. You also acknowledge that we are not required to ensure that those third parties comply with its obligation under the GDPR.

Return to the Unitec Privacy Policy page.

If you have any questions, comments or complaints about our handling of your EU personal data, or wish to contact us regarding your EU personal data, please email marketing@unitec.ac.nz.