Data Protection Policy
ATU is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
ATU Data Protection Policy
Click here for the ATU Data Protection Policy
Data Protection Principles
- Personal data shall only be processed fairly, lawfully and in a transparent manner (Principle of Lawfulness, Fairness and Transparency);
- Personal data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes (Principle of Purpose Limitation);
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Principle of Data Minimisation);
- Personal data shall be accurate, and where necessary, kept up-to-date (Principle of Accuracy);
- Personal data shall not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which the personal data is processed (Principle of Data Storage Limitation);
- Personal data shall be processed in a secure manner, which includes having appropriate technical and organisational measures in place to prevent and / or identify unauthorised or unlawful access to, or processing of, personal data; and prevent accidental loss or destruction of, or damage to, personal data (Principles of Integrity and Confidentiality);
Organisations are responsible for, and must be able to demonstrate compliance with, these principles (Principle of Accountability).
Data Subject Rights
Data subjects have a number of rights under the GDPR:
- The right to information. Data subjects have the right to be provided with certain information about the data processing done within the University. ATU provides this information in its Privacy Notices.
- The right to obtain access to personal data. Data subjects have the right to be provided with a copy of their personal data along with certain details in relation to the processing of their personal data.
- The right to rectification. Data subjects have the right to have inaccurate personal data that the University holds in relation to them rectified. In some circumstances, if the personal data is incomplete, an individual can require the controller to complete the data, or to record a supplementary statement.
- The right to be forgotten (erasure). Individuals have the right to have their data erased in certain situations such as where the data is no longer required for the purpose for which it was collected, the individual withdraws consent or the information is being processed unlawfully. There is an exemption to this for scientific or historical research purposes or statistical purposes if the erasure would render impossible or seriously impair the achievement of the objectives of the research. Individuals can ask the controller to ‘restrict’ processing of the data whilst complaints (for example, about accuracy) are resolved or the processing is unlawful.
- The right to object and restrict processing. Data subjects have the right to object to specific types of processing which includes processing for direct marketing. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing where it is an absolute right.
- Rights in relation to automated decision making, including profiling. Data subjects have the right not to be subjected to processing which is wholly automated unless one of a number of limited exceptions applies.
- Right to data portability. Data subjects have the right to request information in a structured, commonly used and machine-readable form so that it can be sent to another data controller. This only applies to personal data that is processed by automated means (not paper records); to personal data which the data subject has provided to the controller, and only when it is being processed on the basis of consent or a contract.
These are not absolute rights and do not always apply. There continues to be a number of exemptions to these rights to ensure, for example, legal requirements can be met.
To exercise your rights, contact the Data Protection Officer directly.
If you wish to obtain a copy of your academic transcript, please contact the relevant School/Campus directly.
Data Protection Officer