GDPR PRIVACY NOTICE FOR EMPLOYEES
THIS NOTICE DESCRIBES HOW YOUR PERSONAL DATA MAY BE PROCESSED BY THE FASHION INSTITUTE OF TECHNOLOGY (“FIT,” “WE,” “OUR,” AND “US”), AND WHAT YOUR RIGHTS ARE WITH RESPECT TO YOUR PERSONAL DATA. PLEASE REVIEW IT CAREFULLY. FOR THIS PURPOSE, THE TERM “EMPLOYEE” INCLUDES FACULTY, OTHER EMPLOYEES, GOVERNING BOARD MEMBERS, STUDENT EMPLOYEES, VOLUNTEERS, CERTAIN INDEPENDENT CONTRACTORS, AND CERTAIN OTHER INDIVIDUALS PROVIDING SERVICES TO FIT. THE TERM “EMPLOYMENT” INCLUDES, BUT IS NOT LIMITED TO, FULL OR PART-TIME EMPLOYMENT, AN APPOINTMENT, ACCEPTANCE AS A VOLUNTEER, SERVICE AS A CONSULTANT, ETC.
This Notice is being provided to you in accordance with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679, or the “GDPR”).
What is “Personal Data” and “Processing”?
Under the GDPR, “Personal Data” means any information relating to an identified or identifiable Data Subject; specifically including, but not limited to, name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. A Data Subject is a natural person who can be identified, directly or indirectly, by reference to Personal Data. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “processed” have a corresponding meaning.
The GDPR prohibits the processing of “special categories” of Personal Data unless certain exceptions apply, because the unauthorized use of this type of Personal Data could create more significant risks to a Data Subject’s fundamental rights and freedoms. For example, an unauthorized disclosure of “special categories” of Personal Data may put Data Subjects at risk of unlawful discrimination. For this purpose, processing of “special categories” of Personal Data includes processing of: (i) Personal Data that reveals; (A) racial or ethnic origin, (B) political opinions, (C) religious or philosophical beliefs, or (D) trade union membership; or (ii) (A) genetic data, (B) biometric data for the purpose of uniquely identifying a natural person, (C) data concerning health, or (D) data concerning a natural personal’s sex life or sexual orientation.
How and When Do We Collect Your Personal Data?
We may lawfully collect your Personal Data in a number of ways for legitimate purposes. For example, we may collect your Personal Data: (i) from the information you provide to us when you interact with us before applying (e.g., when you express your interest in working at FIT); (ii) when you apply for a position at FIT and complete employment forms or other documentation; (iii) when you communicate with us by telephone, email or via our website (e.g., in order to make inquiries or raise concerns); (iv) when you interact with us during your time as an employee at FIT, for one or more of the purposes set out below; and (v) from third parties (e.g., from recruitment organizations, government agencies in connection with visas, or from your previous college, university, or employers), who may provide records or a reference about you. In addition, we may, to the extent permitted by law, monitor your computer and telephone use. Failure to provide any Personal Data reasonably requested of you may result in an automatic disqualification from the recruitment and/or application for employment process.
Much of the Personal Data we process will have been provided by you, but some Personal Data may come from other sources (e.g., other employees, governing board members, or students, as applicable), previous employers, or in some cases, external sources.
We may access personal data about you from publicly available websites (e.g., Google, social media) where there is a legitimate interest for us to do so and it is done in a lawful manner (for example, if the role you have applied for has a significant public-facing element to it, or is involved with publicity and presenting us to the general public). While we do not screen applicants’ online presence, if aspects of your social media profile are brought to our attention and give rise to concerns about your suitability for the role in question, we may need to consider them.
The Types of Personal Data We Collect
We may process (i.e., collect and keep) the following types of Personal Data about you that are described in the Notice, to the extent we obtain it in connection with your employment or other interaction with us and to the extent permitted by law. Such Personal Data might include: (i) your name, and contact information (i.e., local and permanent address, email address and telephone number); (ii) your date of birth, gender and gender identity, Social Security number or taxpayer identification number; (iii) insurance information; (iv) your passport or national identity card details; (v) your country of domicile and your nationality; (vi) your unique employee identification number; and (vii) information relating to your education and employment history, including the school(s) and other colleges or universities you have attended, places where you have worked, the courses you have completed, dates of study and examination results. We also might collect and keep: (i) records relating to your work product, and other information in your employment record (including disciplinary records); (ii) information about both academic and extracurricular interests and activities; (iii) information about criminal convictions and offenses; (iv) information concerning your health and medical conditions (e.g., disability and dietary needs); (v) information about your racial or ethnic origin, religion or similar beliefs, and/or sexual orientation; and (vi) information about your personal or family circumstances.
We also might collect: your recruitment information (including your original employment application form and associated information submitted at that time); other data relating to your recruitment (including your offer of employment or appointment letter and related correspondence, references we collected in relation to your appointment, and any pre-employment assessment of you); and evidence of your right to work in the United States (or, if applicable, another country).
We generally collect your Personal Data, which could include, but is not limited to, your photograph; your current and any previous job descriptions; your current and any previous contracts of employment and related correspondence; your training and development qualifications, requests and requirements; records of your performance appraisals; records, where they exist, of any investigation or review into your conduct or performance; records of absences from work (including, but not limited to, annual vacation, sick, and personal entitlement, leaves of absence for any reason, etc.); correspondence between you and FIT, and between other FIT employees, regarding any matters relating to your employment and any related issues (including, but not limited to, changes to duties, responsibilities and benefits, your retirement, resignation or exit from FIT, and personal and professional references provided by FIT to you or a third party at your request).
We also may collect: certain banking information from you; details related to your employee benefits, including your pension and beneficiary information; your current and previous salary and other earnings, and the amounts you have paid in payroll taxes; and correspondence between you and FIT, and between other FIT employees, relating to your pay, benefits and other remuneration. For example, we maintain records of your use or enrollment in any employee benefits provided by us, which we may collect in the aggregate and monitor to review the effectiveness and desirability of our employee benefit offerings. The legal basis for this processing is that it is in our legitimate interest to ensure that any employee benefits offered by FIT represent good value for money to both you and us. Finally, we might collect the details of your preferred emergency contact, including his or her name, relationship to you, and his or her contact details.
How Your Personal Data Will Be Used
As your employer, FIT needs to keep and process information about you (including your Personal Data) for normal employment purposes. The Personal Data we hold and process will be used lawfully for our management and administrative use. We will keep and use it to enable us to run our business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, while you are working for us, and throughout the period you provide services to us, up until the termination of our employment relationship with you. This includes using Personal Data to enable us to comply with any employment contracts, collective bargaining agreements, severance agreements, and similar contracts, to comply with any legal requirements, pursue our legitimate interests as an employer, and protect our legal position in the event of legal proceedings. The legal basis for processing your Personal Data is that it is necessary for you to be employed by us as an employee, where you will be subject to our governing documents. If you do not provide the Personal Data we request, we may be unable, in some circumstances, to comply with our obligations, and we will tell you about the implications of that decision.
We also may process your Personal Data for our compliance with our legal obligations. In this respect, we may use your Personal Data for the following: (i) to meet our compliance and regulatory obligations, such as compliance with anti-money laundering laws, Title IX and other non-discrimination laws, and certain other legal requirements; (ii) in order to assist with investigations (including criminal investigations) carried out by the police and other legal authorities; and (iii) to maintain or acquire accreditation status with regulatory bodies. Finally, we also may process your Personal Data where: (i) it is necessary for medical purposes (i.e., medical diagnosis, provision of health or social care or treatment, or a contract with a health professional); (ii) it is necessary to protect your or another person’s vital interests; or (iii) we have your explicit consent to do so.
How We Share Your Personal Data
For the purposes referred to in this Notice and relying on the lawful bases for processing as set out above, we may share your Personal Data with certain third parties in accordance with applicable law. We may disclose limited Personal Data to a variety of recipients if we determine it to be appropriate and lawful, including: (i) the U.S. Department of Education, the U.S. Department of Labor, the Internal Revenue Service, other federal agencies and relevant state agencies and/or offices; and (ii) our Board of Trustees, other FIT employees (i.e. Human Resources staff), or other individuals where there is a legitimate reason for their receiving the information, including disclosures to: (a) third parties who work with us to provide employment services; (b) third parties who work with us to provide employee benefits (e.g., health, dental, retirement, and fringe benefits); (c) third parties who are contracted to provide IT services for us; (d) organizations operating anti-plagiarism software on our behalf; (e) internal and external auditors, attorneys, and other professional service providers; and (f) certain third parties interested in tracking employee progress, including: (1) current or potential education providers; (2) current or potential employers (e.g., to provide references); (3) professional and regulatory bodies in relation to the confirmation of qualifications, professional registration, conduct, and the accreditation of courses; (4) government departments and agencies where we have a statutory obligation to provide information; (5) police or law enforcement agencies; (6) next-of-kin (where there is a legitimate reason for disclosure); (7) third parties conducting surveys (e.g., a compensation survey); and (8) third parties engaged in fundraising and alumni relations efforts on our behalf.
Retention of Your Personal Data
Your Personal Data will be stored in accordance with our records retention policy, which is governed in part by New York and/or Federal law, and is available at FIT Records Retention.
Your Rights with Respect to Your Personal Data
Under the GDPR, you have a number of rights with respect to your Personal Data. You have the right, in certain circumstances, to request: (i) access to your Personal Data, (ii) rectification of mistakes or errors and/or erasure of your Personal Data, (iii) that we restrict processing, and (iv) that we provide your Personal Data to you in a portable format. If you wish to make a request under the GDPR, you should submit your request in writing via the appropriate FIT GDPR form and submit it to FIT’s Data Protection Officer (contact information is below). If you would like more information about, or if you would like to exercise any of these individual rights, please contact the Data Protection Officer (contact information is below).
Note that you are only entitled to make requests with respect to your own Personal Data and not information relating to any other person. Any request is generally limited to Personal Data held at the time of the request, with the exception of routine uses or changes while a request is under review. FIT will review all requests to determine whether the Personal Data at issue is subject to the GDPR, because the rights under the GDPR apply only to such data. Note that FIT collects and processes most data in the United States outside of the scope of the GDPR. FIT will complete its review of the request and notify you of the determination within one calendar month from FIT’s receipt of the request. The time to review and notify may be extended for two months if the request is complex, or if FIT has received several requests from you. If FIT needs to extend the time for review, FIT will notify you and explain the extension. Once a determination is made, FIT will inform you in writing. If FIT determines that the request is manifestly unfounded or excessive, taking into account the repetitiveness of the request, FIT may request a reasonable fee to address the request and will inform you of this requirement. Please further note that the rights provided by the GDPR are not absolute and are subject to the legal requirements under the GDPR, and FIT has legal and accreditation obligations in addition to the GDPR.
For Requests for Access
Upon a request for access, FIT will review the request. If the request is denied, FIT will notify you of the reasons for denial and advise you of your right to file an internal complaint with FIT or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, FIT will provide access to the Personal Data in a concise, transparent, and understandable form and may, depending on the nature and volume of the records implicated, require you to review them in person, although you may request a copy so long as it does not infringe on the rights of others.
For Requests to Rectify
Upon a request to rectify a mistake or error in Personal Data, FIT will endeavor, where possible, to restrict processing of such data until its accuracy is verified. FIT will make a determination as to whether the Personal Data is inaccurate or incomplete and should be amended. Personal Data that refers to a mistake that has already been resolved may, in itself, be considered accurate, as long as the correct information is also included in your record. If the request is denied, FIT will notify you of the reasons for denial and advise you of your right to file an internal complaint with FIT or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, FIT will rectify the mistake or error by identifying the Personal Data affected by the change, explain how the inaccuracy has been rectified, and attach a record of the rectification. If FIT has previously disclosed this Personal Data to others, FIT will endeavor to contact each recipient and inform them of the rectification, unless doing so would be a disproportionate effort or impossible.
For Requests to Erase
Upon a request to erase Personal Data, FIT will make a determination as to whether the Personal Data may be erased. If the request is denied, FIT will notify you of the reasons for denial and advise you of your right to file an internal complaint with FIT or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, FIT will implement the erasure by identifying the Personal Data at issue, explaining how the Personal Data has been erased, and attaching a record of the erasure. FIT will delete Personal data subject to an approved request were administratively practicable, and FIT will outline the general methodology for erasure for the data subject. If FIT has previously disclosed this Personal Data to others, FIT will endeavor to contact each recipient and inform them of the erasure, unless doing so would be a disproportionate effort or impossible. If FIT has previously disclosed the Personal Data to the public, such as in an online environment, FIT will take steps to inform others who are processing the data to take steps to erase links to, copies of, or other forms of replication. FIT may take into account available technology and the cost of implementation in any erasure request.
For Requests to Restrict
Upon a request to restrict processing of Personal Data, FIT will make a determination as to whether the data subject has the right to such restriction; whether FIT should comply with the request and to what extent; and, if restriction is necessary, whether recipients of Personal Data must be notified of the restriction. If the request is denied, FIT will notify you of the reasons for denial and advise you of your right to file an internal complaint with FIT or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, FIT will immediately restrict processing of the Personal Data. FIT will notify any recipient of the Personal Data of the restriction, unless doing so would be a disproportionate effort or impossible. In cases of temporary restrictions of processing, if the basis for the restriction no longer exists, FIT will notify the data subject before the restriction is lifted.
For Data Portability Requests
Upon receipt of a data portability request, FIT will make a determination as to whether the right of data portability applies to the specifically requested personal data and whether the request should be approved or denied. If the request is denied, FIT will notify you of the reasons for denial and advise you of your right to file an internal complaint with FIT or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, FIT will notify the data subject of the data being transmitted and allow determination of where such data is transmitted; will transfer all approved personal data to the best of FIT’s ability and outline the process to do so; and, if FIT has previously transmitted the Personal Data at issue to a processor, FIT may need to contact the processor for compliance with the request, unless doing so would be a disproportionate effort or impossible. Where FIT receives Personal Data from another controller in response to a data subject’s request for data portability, FIT is not obligated to accept and process such Personal Data and will do so only where it is necessary, relevant, and not excessive. If FIT accepts the Personal Data, FIT will process the data in line with all of its data protection procedures, including ensuring a legal basis exists for processing and ensuring third party rights and freedoms are not affected.
For Requests to Object
Upon receipt of a request to object, FIT will make a determination as to whether the right applies to the specifically requested personal data and whether the request should be approved or denied, taking into consideration the importance of the processing to FIT’s particular needs, the impact the processing will have on the data subject’s interest, rights, and freedoms, and a balancing between the needs of FIT and the data subject. If the request is denied, FIT will notify you of the reasons for denial, including the reasons FIT is not taking action on the request and the specific reasoning as to why FIT’s compelling legitimate grounds outweigh the data subject’s interest, rights, and freedoms, and advise you of your right to file an internal complaint with FIT or with the applicable Supervisory Authority (see information on complaints, below). If the request is approved, FIT will notify the data subject of the personal data being suppressed or erased. FIT will attempt to notify persons to whom or entities to which the Personal Data has been sent for processing, unless doing so would be a disproportionate effort or impossible.
For Requests to Challenge Automated Decision-Making
To the extent you believe FIT has engaged in automated decision-making so and wish to request to challenge such actions, you may file such a request. Upon receipt of a request, FIT will make a determination as to whether human intervention is required for the automatic decision-making determination and whether the automated decision-making should be reversed or affirmed. FIT will notify you whether human intervention is required. If so, FIT will employ human intervention in the automatic decision making process, meaning FIT will have an individual with authority to make a determination regarding the subject matter of the automated decision review the personal data and make a logic-based determination. FIT will then either affirm or reverse the automated decision-making outcome, and advise you of the reasons for affirming or reversing the outcome. If FIT determines human intervention is not required or that the automated decision should be affirmed, FIT will advise you of your right to file an internal complaint with FIT or with the applicable Supervisory Authority (see information on complaints, below).
If FIT requested, and you provided your explicit consent for the processing of your Personal Data, you have the right (in certain circumstances) to withdraw that consent at any time. However, withdrawal of consent will not affect the lawfulness of the processing before your consent was withdrawn.
Questions, Concerns, and Complaints
If you have questions, concerns or complaints about how we are using your Personal Data, we may be able to resolve your complaints, and we request that you contact the Data Protection Officer (contact information is below). Complaints should be made in writing via FIT’s GDPR Complaint Form. Complaints may be made anonymously, including by employees who have a concern regarding policies and procedures or compliance with policies and procedures, but anonymous complaints should provide sufficient information to appropriately address the complaint. Send the completed complaint form to FIT’s Data Protection Officer (contact information is below). FIT will review your complaint, investigate the allegations as necessary, document its findings, and will endeavor to complete its review of your complaint within one calendar month from its receipt of the complaint. If corrective action is necessary as a result of the complaint, FIT will document and implement corrective measures. When appropriate in FIT’s discretion, you will be informed of any action(s) taken in response to the complaint. FIT is not required to take any action in response to complaints if it determines that no action is necessary.
You also have the right to lodge a complaint with the applicable Supervisory Authority if you believe that we have not complied with the requirements of the GDPR with regard to your Personal Data, or if you are not happy with the response you receive from us regarding your complaint.
All members of the FIT community are prohibited from engaging in retaliation against an individual who, in good faith, reports or complains of a GDPR violation or participates in any way in the investigation or other process related to a GDPR complaint, whether made to FIT or to a Supervisory Authority. Reports or complaints of retaliation will be investigated and any individuals found to have engaged in retaliation may be subject to disciplinary action in accordance with the processes and procedures set forth under FIT’s Code of Student Conduct or other applicable policy (for students) or as determined by the Vice President for Human Resources and Labor Relations or their designee (for employees).
Relevant FIT Contacts
FIT may be a “controller” and also may be a “processor” of your Personal Data for the purposes of the GDPR. If you have any questions or concerns as to how your Personal Data is collected and/or processed, as an employee you are encouraged to initially contact the Office of Human Resources, (212) 217-3650, [email protected]. You can also contact FIT’s Data Protection Officer, the Chief Information Security Officer, (212) 217-3415, [email protected]. FIT has also appointed as its EU Representatives its Italian Resident Directors, Madeleine Kaplan, [email protected], and Davide Volonte, [email protected].