top of page

Data Protection

All staff members, students and visitors must comply with European City Campus Data Protection Policy.



European City Campus is committed to data protection by default and by design and supports the data protection rights of all those with whom it works, including, but not limited to, staff, students, visitors, alumni and research participants. This policy sets out the accountability and responsibilities of European City Campus, the staff and students to comply fully with the provisions of the Personal Data Protection Act, No. 9 of 2022 ('PDPA') and recognises that handling personal data appropriately and in compliance with data protection legislation enhances trust, is the right thing to do and protects European City Campus relationship with all its stakeholders.

European City Campus holds and processes personal data about individuals such as employees, students, graduates and others, defined as ‘data subjects’ by the law. Such data must only be processed in accordance with the PDPA.

This policy covers the following areas:

  • Purpose of the policy

  • Scope of the policy

  • Responsibilities under the policy

  • Data protection by design and default

  • Responsibilities of management and data users

  • Handling of personal data by students

  • Data subject rights

  • Internal data sharing

  • Direct marketing

  • Data protection breaches

Purpose of policy

This policy sets out the responsibilities of European City Campus, the staff and students to comply fully with the provisions of the PDPA. This policy has the framework that everybody processing personal data should follow to ensure compliance with data protection legislation.


This policy applies to all staff and students in all cases where European City Campus or its students are the data controller or a data processor of personal data. The policy applies in these cases regardless of who created the data, where it is held, or the ownership of the equipment used.

Responsibilities under the policy

European City Campus as data controller has a corporate responsibility to implement and comply with data protection legislation. This corporate responsibility is delegated to Data Stewards in each area.  Thus, in determining the purposes for which, and the manner in which, personal data is processed.

Data security

All users of personal data within European City Campus must ensure that personal data is always held securely and not disclosed to any unauthorised third party either accidentally, negligently or intentionally. The Information Security Policy, the Policy on Taking Sensitive Information and Personal Data outside the Secure Computing Environment and the Computing Regulations must be read in conjunction with this Data Protection Policy.

Privacy notices

When European City Campus collects personal data from individuals, the requirement for "fairness and transparency" must be adhered to. This means that European City Campus must provide data subjects with a ‘privacy notice’ to let them know that how and for what purpose their personal data are processed. Any data processing must be consistent or compatible with that purpose. 

Conditions of processing/lawfulness

In order to meet the ‘lawfulness’ requirement, processing personal data must meet at least one of the following conditions:

  1. The data subject has given consent.

  2. The processing is required due to an Admission.

  3. It is necessary due to a legal obligation.

  4. It is necessary to protect someone’s vital interests.

  5. It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  6. It is necessary for the legitimate interests of the controller or a third party.

For special categories of personal data, at least one of the following conditions must be met:

  1. The data subject has given explicit consent.

  2. The processing is necessary for the purposes of employment, social security and social protection law.

  3. The processing is necessary to protect someone’s vital interests.

  4. The processing is carried out by a not-for-profit body.

  5. The processing is manifestly made public by the data subject

  6. The processing is necessary for legal claims

  7. The processing is necessary for reasons of substantial public interest.

  8. The processing is necessary for the purposes of medicine, the provision of health or social care or treatment or the management of health or social care systems and services.

  9. The processing is necessary for public health

  10. The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to certain safeguards.

Data retention

Personal data must not be kept longer than necessary for the purposes for which it was originally collected. This applies to all personal data, whether held on core systems, local PCs, laptops or mobile devices or held on paper. If the data is no longer required, it must be securely destroyed or deleted. European City Campus’s Privacy Notices give an indication as to how long personal data must be kept  and are based on both legal and business requirements:

Data protection by design and default

European City Campus has an obligation to consider the impact on data privacy during all processing activities. This includes implementing appropriate technical and organisational measures to minimise the potential negative impact processing can have on the data subjects’ privacy.

Data protection impact assessment

When considering new processing activities or setting up new procedures or systems that involve personal data, privacy issues must always be considered at the earliest stage and a Data Protection Impact Assessment (DPIA) must be conducted. The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimise or reduce privacy risks during the design stages of a process and throughout the lifecycle of the initiative. This will ensure that privacy and data protection control requirements are not an after-thought.

Anonymisation and pseudonymisation

Further mechanisms of reducing risks associated with handling personal data are to apply anonymisation or pseudonymisation. Wherever possible, personal data must be anonymised or, where that is not possible, pseudonymised. 

Responsibilities of management and data users

Heads of European City Campus and Managers of Administrative and Support Services in European City Campus have a responsibility to ensure compliance with the PDPA and this policy, and to develop and encourage good information handling practices within their areas of responsibility. All users of personal data within European City Campus have a responsibility to ensure that they process the data in accordance with the Principles and the other conditions set down in the legislation. 

Handling research data

Before commencing any research which will involve obtaining or using personal data and special categories of personal data, the researcher must give proper consideration to this policy and the guidance and how these will be properly complied with. The researcher must ensure that the fairness, transparency and lawfulness principle is complied with and that privacy by design and default is applied. This means that wherever feasible, research data must be anonymised or pseudonymised at the earliest possible time.

Handling of research data by students

The use of personal data by students is governed by the following:

  • Where a student collects and processes personal data in order to pursue a course of study with European City Campus, and this course of study is not part of a European City Campus-led project, the student rather than European City Campus is the data controller for the personal data used in the research.

  • However, the domestic use exemption applies – if the data is extracted from a database already held by European City Campus, and remains the data controller for the database, but the student will be the data controller for the extracted data.

  • Once a thesis containing personal data is submitted for assessment, European City Campus becomes the data controller for that personal data.

  • Where a research student processes personal data whilst working on a project led by a European City Campus research group, European City Campus is the data controller.

Academic and academic-related staff must ensure that students they supervise are aware of the following:

  • A student should only use personal data for European City Campus related purposes with the knowledge and express consent of an appropriate member of academic staff.

  • The use of European City Campus related personal data by students should be limited to the minimum consistent with the achievement of academic objectives. Wherever possible data should be anonymised so that students are not able to identify the subject.

Data subject rights

European City Campus must comply with the rights to information, to subject access, to rectification, to object, to erasure, to portability, to restrict processing and in relation to automated decision-making and profiling. These rights can be restricted for personal data used in research.


Subject access requests and the right to data portability

Individuals have the right to request to see or receive copies of any information that European City Campus holds about them, and in certain circumstances to have that data provided in a structured, commonly used and machine-readable format so it can be forwarded to another data controller. European City Campus must respond to these requests within four weeks. It is a personal criminal offence to delete relevant personal data after a subject access request has been received.

Right to erasure, to restrict processing, to rectification and to object

In certain circumstances data subjects have the right to have their data erased. This only applies

  • where the data is no longer required for the purpose for which it was originally collected, or

  • where the data subject withdraws consent, or

  • where the data is being processed unlawfully.

In some circumstances, data subjects may not wish to have their data erased but rather have any further processing restricted.

If personal data is inaccurate, data subjects have the right to require European City Campus to rectify inaccuracies. In some circumstances, if personal data are incomplete, the data subject can also require the controller to complete the data, or to record a supplementary statement.

Data subjects have the right to object to specific types of processing such as processing for direct marketing, research or statistical purposes. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing where it is an absolute right. Individuals receiving any of these requests should not act to respond but instead should contact European City Campus immediately.

Rights in relation to automated decision making and profiling

In the case of automated decision making and profiling that may have significant effects on data subjects, they have the right to either have the decision reviewed by a human being or to not be subject to this type of decision making at all. These requests must be forwarded to European City Campus immediately.

Data sharing

When personal data is transferred internally, the recipient must only process the data in a manner consistent with the original purpose for which the data was collected. If personal data is shared internally for a new and different purpose, a new privacy notice will need to be provided to the data subjects.

When personal data is transferred externally, a legal basis must be determined and a data sharing agreement between European City Campus and the third party must be signed, unless disclosure is required by law, such as certain requests from the Department for Work and Pensions or Inland Revenue, or the third party requires the data for law enforcement purposes.

Direct marketing

Direct marketing does not only cover the communication of material about the sale of products and services to individuals, but also the promotion of aims and ideals. For European City Campus, this will include notifications about events, fundraising, and selling goods or services. Marketing covers all forms of communications, such as contact by post, fax, telephone and electronic messages, whereby the use of electronic means such as emails and text messaging is governed by the Privacy and Electronic Communications Regulations 2003 (PECR). European City Campus must ensure that it always complies with relevant legislation every time it undertakes direct marketing and must cease all direct marketing activities if individual requests it to stop.

Data protection breaches

European City Campus is responsible for ensuring appropriate and proportionate security for the personal data that it holds. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage of the data. European City Campus makes every effort to avoid data protection incidents, however, it is possible that mistakes will occur on occasions. Examples of personal data incidents might occur through:

  • Loss or theft of data or equipment

  • Ineffective access controls allowing unauthorised use

  • Equipment failure

  • Unauthorised disclosure (e.g. email sent to the incorrect recipient)

  • Human error

  • Hacking attack

Any data protection incident must be brought to the attention of the Management Department of European City Campus, which will investigate and decide if the incident constitutes a data protection breach. If a reportable data protection breach occurs, then European City Campus will try to fix the data protection breach as soon as possible. If European City Campus is unable to fix the data protection breach, European City Campus will hand it over to the Cyber Security of Sri Lanka to fix the data protection breach.

bottom of page