This Personal Data Protection Statement has been prepared to help you understand how Nanyang Technological University (NTU) collects, uses and discloses your personal data.
NTU will collect, use and disclose your personal data in accordance with the Personal Data Protection Act 2012 ("Act"). In general, before we collect any personal data from you, we will notify you of the purposes for which your personal data may be collected, used and disclosed, as well as obtain consent for the intended purposes.
If you have any questions on this policy or in relation to how NTU manages, protects and/or processes your personal data, please contact our Data Protection Officer (the "DPO") via email: firstname.lastname@example.org.
B. Purposes for the Collection, Use & Disclosure of Personal Data
Depending on your relationship with NTU (whether as a student, employee, alumnus, donor or service provider, etc), the personal data which we collect from you may be used and/or disclosed for the following purposes:
- Evaluating your application to be a student with us;
- Administering and managing your relationship as our student, including candidature matters, exchange programmes, scholarships, awards, fees, your achievements, your degree or certification, placements, secondments or internships with external organisations, programmes or courses run by other organisations;
Dealing with Student Experience activities. “Student Experience” refers to activities, (e.g. festival celebrations, graduation ceremonies, orientation and student group camps, conferences, programmes, student benefit activities) which may be provided by NTU to enhance or enrich your life as a student with us, create networking opportunities for you, foster community spirit within the community, encourage holistic development of students both inside and outside the classroom and to assist you in planning and preparing for your life after graduation;
- Carrying out your instructions or responding to any enquiry given by you or on your behalf;
- Contacting you or communicating with you via various modes of communication such as voice call, text message or fax message, email or postal mail for the purposes of administering and managing your relationship with us;
- Dealing with, administering and or managing your use of NTU facilities including your accommodation needs, provision of IT services and recreation facilities;
- Complying with or as required by any request or direction of any governmental authority; or responding to requests for information from hospitals, embassies, public agencies, ministries, statutory boards or other similar authorities;
- Any other purposes which NTU may inform you in writing from time to time, but for which NTU will seek your separate consent.
C. Disclosure of Personal Data to Third Parties, Disclosure Permitted By Statutory Exemption under the Act
In order to conduct our operations more smoothly, NTU may disclose your personal data to our third party service providers, and affiliates or related corporations. This is because such third parties would be processing your personal data on NTU's behalf for the purposes mentioned above.
NTU will not disclose your personal data to any third parties without first obtaining your consent permitting us to do so or unless any such disclosure is permitted under any of the statutory exemptions under the Act, e.g.
- the disclosure is required by law; or is necessary for any investigation or proceedings;
- the purpose of such disclosure is clearly in your interests and consent cannot be obtained in a timely way;
- the disclosure is necessary to respond to an emergency that threatens the life, health or safety of yourself or another individual.
For the full list of exemptions, please refer to the Act which is publicly available at https://sso.agc.gov.sg/Act/PDPA2012.
D. Request for Access, Correction and/or Withdrawal of Personal Data
Subject to certain exceptions in the Act, you may request to review and update the personal data currently in our possession or withdraw your consent for the collection, use and disclosure of your personal data in our possession. Please submit your request to email@example.com.
If you request to access your personal information, we will ask you to verify your identity and specify what information you wish to access. NTU will provide you with the relevant personal data within a reasonable time after the request has been made. A fee may be charged for handling the request and you will be notified in advance of this.
For a request to correct your personal data, NTU will correct your personal data as soon as practicable after verifying your identity. We will send the corrected personal data to every other organisation to which the personal data was disclosed by NTU within a year before the date the correction was made, unless that other organisation does not need the corrected personal data, or if you so consent, only to specific organisations to which the personal data was disclosed by us.
NTU will similarly process your request within a reasonable time after a request to withdraw consent has been made. In some cases, the request to withdraw consent may adversely impact your relationship with NTU. We will notify you in advance of any such impact.
E. Administration and Management of Personal Data
NTU will take appropriate measures to keep your personal data accurate, complete and updated.
We will also take reasonable efforts to take appropriate preventive measures to ensure that your personal data is adequately protected and secured. Appropriate security arrangements will be put in place to prevent any unauthorised access or misuse of your personal data.
We will similarly take reasonable efforts to ensure that the personal data in our possession is destroyed or anonymised as soon as (i) the purpose for which that personal data was collected is no longer being served by the retention of such data; and (ii) retention is no longer necessary for any other legal or business purposes.
F. Additional information to deal with the European Union General Data Protection Regulation (EU) 2016/679 ("GDPR")
This section F applies only if a particular circumstance or activity applicable to NTU requires the application of the GDPR to NTU. Subject to the aforesaid, in such cases, this section F would apply to residents of the European Union only.
Generally, we process personal data on the basis of consent. Apart from consent, under the GDPR, we may also lawfully process your personal data on one or more of the following bases:
Lawful basis for processing
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Process your personal data on the basis of a balance of interests to pursue our or a third party's legitimate interests. This is carried out for one or more of the purposes set out at section B of this document.
Further, we may process your personal data for the legitimate interests of promoting the good of NTU and/or alumni community, and maintaining NTU's relationship with its former students (i.e. alumni) to grow the NTU spirit in its students and former students. The latter would apply to an alumnus.
- Necessary for compliance with a legal obligation to which NTU is subject.
- Necessary in order to protect the vital interests of the data subject or of another natural person.
We practise data minimisation and strive to collect only what is necessary in relation to the purposes for which such personal data is processed and to maintain the relevant relationship between us such as the student relationship in the case where you are a student. The consequence of not providing such requested personal data may result in our inability to start that relationship with you, to maintain that relationship with you or to provide you with our products or services.
Where your personal data is transferred to a country for which the European Commission has not made an adequacy decision, we will take appropriate steps to ensure that the foreign recipient organisation of the personal data is bound by legally enforceable obligations to protect the transferred personal data. This may include us entering into an appropriate contract with the foreign recipient organisation dealing with the personal data transfer.
Where the GDPR is applicable, you have the following rights (subject to any exceptions under the GDPR):
Access. You have the right to request confirmation of whether we process your personal data, a copy of the personal data we are processing about you, and other information relating to your personal data as provided for in the GDPR.
Rectification. You have the right to have incomplete or inaccurate personal data that we process about you rectified.
Erasure. You have the right to request that we delete personal data that we process about you if one of the grounds for erasure under the GDPR applies.
Restriction of processing. You have the right to restrict our processing of your personal data if one of the grounds for such restriction under the GDPR applies, such as where you believe such data to be inaccurate; our processing is unlawful; or that we no longer need to process such data for a particular purpose, pursuant to the full terms of the grounds as provided in the GDPR.
Data portability. You have the right to obtain personal data we hold about you, in a structured, commonly used, electronic format, and to transmit such data to another data controller, if certain conditions under the GDPR are satisfied.
Objection to processing. You have the right to object to our processing of your personal data where such personal data is being processed by us for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us, or for the purposes of the legitimate interests pursued by us. Additionally, you have the right at any time to object to our processing of your personal data for direct marketing.
Further, you have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes, subject to condition(s) in the GDPR.
- Withdrawing Consent. If you have consented to our processing of your personal data, you have the right to withdraw your consent at any time, free of charge.
You also have the right to lodge a complaint with the local data protection authority or the European data protection authority applicable to you if you believe that we have not complied with applicable data protection laws.
You may contact NTU's Data Protection Office at firstname.lastname@example.org to address any of your concerns.
In general, we do not use automated individual decision-making for the formation and management of your relationship with us. If we should rely on such processing in a particular situation, we will do so in accordance with the GDPR.
G. Updates on the NTU Personal Data Protection Statement
As part of our effort to ensure that we properly manage, protect and process your personal data, we will be continually reviewing our policies, procedures and processes.
We may amend the terms of this NTU Personal Data Protection Statement at our absolute discretion. The amended NTU Personal Data Protection Statement will be posted on our website and can be viewed at ntu.edu.sg/Pages/Privacy.aspx.
We recommend that you check our website from time to time to remain updated as to any changes in our personal data policy or any other policies.