Personal Data Protection Policy for Eyad International University (EIU)

1. Introduction
Eyad International University is committed to protecting the privacy and personal data of all individuals, including students, staff, faculty, visitors, and other members of the university community. This policy outlines how personal data is collected, processed, and protected in compliance with applicable laws, regulations, and best practices.

2. Purpose and Scope
This policy applies to all personal data that is collected and processed by the university. It governs the use of personal data related to students, staff, faculty, applicants, alumni, and any other individuals whose data is handled by the university. The primary purpose of this policy is to ensure that personal data is collected and used in a lawful, transparent, and secure manner.

3. Data Collection and Use
EIU collects personal data for academic, administrative, and operational purposes, including but not limited to:

  • Enrollment and registration for academic programs
  • Course management and assessment
  • Student services (e.g., housing, health services, career counseling)
  • Staff and faculty recruitment, payroll, and performance management
  • Communication and outreach to students, alumni, and other stakeholders

Personal data collected may include, but is not limited to:

  • Contact information (name, email, address, phone number)
  • Educational background and academic records
  • Employment history (for staff and faculty)
  • Financial information (e.g., tuition payments, scholarships)
  • Health and medical information (where applicable)
  • ID numbers, biometric data (if relevant), and other identifiers

Personal data will only be collected for specific, legitimate purposes and will not be used in ways incompatible with these purposes.

4. Consent and Transparency
EIU will ensure that individuals are informed about the collection and processing of their personal data and that their consent is obtained where required. In some cases, personal data processing may be based on contractual necessity (e.g., enrollment), legal obligation, or legitimate interests.

  • Clear Information: EIU will provide clear and accessible information to individuals about the purposes of data collection, how it will be used, and how long it will be retained.
  • Explicit Consent: Where necessary, individuals will be asked to provide explicit consent for the collection and processing of their personal data, particularly in cases involving sensitive information (e.g., health data).

5. Data Minimization
EIU will collect only the minimum amount of personal data necessary for the specified purpose. This principle will be applied to avoid the collection of excessive or irrelevant data.

6. Data Security
EIU is committed to ensuring the confidentiality, integrity, and availability of personal data through appropriate technical and organizational measures. These measures include:

  • Secure storage of personal data (both physical and digital)
  • Encryption and secure transmission protocols for online data
  • Regular audits and assessments of data security practices
  • Access control mechanisms to ensure that only authorized personnel can access personal data

7. Data Subject Rights
EIU recognizes the rights of individuals over their personal data, which include:

  • Right to Access: Individuals have the right to request access to their personal data held by the university.
  • Right to Rectification: Individuals can request corrections to inaccurate or incomplete personal data.
  • Right to Erasure: In certain circumstances, individuals can request that their personal data be deleted (the "right to be forgotten").
  • Right to Object: Individuals can object to the processing of their personal data, particularly in cases of direct marketing.
  • Right to Data Portability: Individuals can request their personal data in a structured, commonly used, and machine-readable format.

Requests for access or corrections to personal data should be made to the university’s designated Data Protection Officer (DPO) or equivalent.

8. Data Retention
Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected, in accordance with university policies and applicable laws. After this period, personal data will be securely deleted or anonymized.

9. Third-Party Sharing
EIU may share personal data with third parties, such as service providers, government authorities, or academic collaborators, where necessary and with proper safeguards in place. All third parties receiving personal data will be required to handle it in compliance with this policy and applicable laws.

10. International Data Transfers
In cases where personal data is transferred across borders, EIU will ensure that such transfers are conducted in compliance with applicable laws, including taking appropriate measures to ensure the security and protection of the data in accordance with international standards.

11. Breach Notification
In the event of a personal data breach, EIU will follow a strict breach notification procedure. This includes:

  • Informing relevant authorities within the timeframe required by law (e.g., 72 hours under GDPR)
  • Notifying affected individuals when necessary, particularly when the breach could pose a significant risk to their rights and freedoms

12. Data Protection Officer (DPO)
The university will appoint a Data Protection Officer (DPO) or an equivalent role responsible for overseeing compliance with this policy and ensuring that personal data is handled in accordance with applicable laws. The DPO will be the primary contact point for students, staff, and others seeking information about data protection practices or wishing to exercise their data protection rights.

13. Staff Training and Awareness
To ensure the effective implementation of this policy, all staff, faculty, and university personnel who handle personal data will receive appropriate training on data protection principles and practices.

14. Policy Review and Updates
This Personal Data Protection Policy will be reviewed regularly and updated as necessary to ensure ongoing compliance with applicable laws and regulations. Any changes to the policy will be communicated to all stakeholders.