GDPR Data Protection & Privacy Terms

1. Data Controller Information

Brussels College acts as the Data Controller for all personal data collected through our platforms, websites, and services. We are responsible for ensuring that your personal data is processed lawfully, fairly, and transparently.

Data Controller: Brussels College ASBL/VZW
Registered Address: Brussels, Belgium
Contact Email: [email protected]
Data Protection Officer (DPO): [email protected]

2. Scope and Applicability

This Data Protection and Privacy Policy applies to all individuals who interact with Brussels College platforms and services, including but not limited to:

• Prospective Students: Individuals submitting inquiries, applications, or registration forms
• Current Students: Enrolled students accessing student portals, learning management systems, and institutional services
• Alumni: Former students maintaining engagement with BC
• Education Agencies and Partners: Representatives submitting student applications or partnership proposals
• Staff and Faculty: Employees, contractors, and academic personnel
• Visitors and Website Users: Anyone accessing our websites or digital platforms
• Third-Party Service Providers: Vendors, consultants, and business partners

3. Types of Personal Data Collected

Depending on your interaction with BC, we may collect and process the following categories of personal data:

3.1 Identity and Contact Information

• Full name, date of birth, nationality, gender
• Email address, phone number, postal address
• Passport or national ID number (for student applications)
• Emergency contact details
• Profile photographs

3.2 Academic and Professional Information

• Educational qualifications and transcripts
• Previous institutions attended
• English language proficiency test scores (IELTS, TOEFL, etc.)
• Curriculum vitae (CV) and employment history
• Professional certifications and licenses
• Academic performance records and assessments

3.3 Financial Information

• Payment card details (processed securely through third-party payment processors)
• Bank account information (for refunds and scholarships)
• Tuition fee payment records
• Financial aid and scholarship applications
• Proof of solvency and financial support documents

3.4 Immigration and Visa Information

• Visa application documents and status
• Residence permits and immigration status
• Travel history and documentation
• Proof of health insurance coverage

3.5 Technical and Usage Data

• IP addresses and device identifiers
• Browser type, operating system, and language preferences
• Login credentials and authentication data (encrypted)
• Website navigation patterns and interaction data
• Cookies and tracking technologies (see Section 12)
• Learning management system (LMS) activity logs

3.6 Special Categories of Personal Data

In limited circumstances and with your explicit consent, we may process special categories of data including:

• Health information (for disability accommodations, medical emergencies)
• Dietary requirements (for religious or health reasons)
• Disability or accessibility needs
• Biometric data (if used for campus security or ID verification)

We only collect special category data where legally permitted and necessary for specific purposes, with appropriate safeguards in place.

4. Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds under GDPR Article 6 and Article 9:

4.1 Consent

You have given explicit consent for us to process your personal data for specific purposes (e.g., marketing communications, newsletter subscriptions, event participation).

4.2 Contract Performance

Processing is necessary to fulfill our contractual obligations with you, such as:

• Processing student applications and enrollment
• Providing educational services and academic support
• Managing tuition fees and payments
• Issuing certificates, diplomas, and transcripts

4.3 Legal Obligation

We are required to process your data to comply with legal and regulatory requirements, including:

• Belgian higher education regulations and reporting requirements
• Immigration and visa compliance (cooperation with Belgian Immigration Office)
• Tax and financial reporting obligations
• Health and safety legislation
• Anti-money laundering and fraud prevention

4.4 Legitimate Interests

Processing is necessary for our legitimate business interests, provided these do not override your fundamental rights:

• Institutional administration and operational efficiency
• Quality assurance and accreditation compliance
• Marketing and promotional activities (with opt-out options)
• Alumni relations and engagement
• Research and statistical analysis (anonymized data)
• Network and information security
• Fraud prevention and detection

4.5 Vital Interests

In rare cases, processing may be necessary to protect your vital interests or those of others (e.g., medical emergencies).

5. Purpose of Data Collection and Processing

We collect and process your personal data for the following specific purposes:

5.1 Student Admission and Enrollment

• Processing applications and assessing eligibility
• Verifying academic credentials and qualifications
• Conducting entrance assessments and interviews
• Issuing admission letters and enrollment confirmations
• Facilitating visa application processes

5.2 Educational Service Delivery

• Providing access to learning platforms and digital resources
• Recording academic progress and assessments
• Facilitating student-faculty communication
• Organizing examinations and issuing results
• Providing academic counseling and support services
• Managing internships and placement programs

5.3 Financial Administration

• Processing tuition fee payments and refunds
• Managing scholarship and financial aid programs
• Issuing invoices and payment receipts
• Debt collection (where necessary)

5.4 Communication and Engagement

• Responding to inquiries and providing customer support
• Sending important institutional notifications and updates
• Marketing communications (with consent and opt-out options)
• Event invitations and alumni relations
• Surveys and feedback collection

5.5 Compliance and Safety

• Meeting regulatory and accreditation requirements
• Campus security and access control
• Health and safety management
• Prevention and investigation of misconduct or fraud
• Legal claims and dispute resolution

5.6 Quality Improvement and Research

• Analyzing trends and improving educational programs
• Institutional research (using anonymized data)
• Accreditation and quality assurance reporting

6. Data Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes. Specific retention periods include:

After the retention period expires, we will securely delete or anonymize your personal data unless we are legally required to retain it longer.

7. Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data:

7.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge within one month of your request.

7.2 Right to Rectification (Article 16)

If your personal data is inaccurate or incomplete, you have the right to request correction or completion of your information.

7.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You may request deletion of your personal data in certain circumstances, such as:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Note: This right is not absolute. We may be legally required to retain certain data (e.g., academic records, financial transactions).

7.4 Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data in specific situations, such as when you contest the accuracy of the data or object to processing.

7.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller.

7.6 Right to Object (Article 21)

You have the right to object to:

• Processing based on legitimate interests
• Direct marketing communications (including profiling)
• Processing for research or statistical purposes

7.7 Right to Withdraw Consent (Article 7)

Where processing is based on your consent, you have the right to withdraw it at any time. This will not affect the lawfulness of processing conducted before withdrawal.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) if you believe your data protection rights have been violated.

Belgian DPA Contact:
Website: www.dataprotectionauthority.be
Email: [email protected]

7.9 How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer at:

Email: [email protected]
Subject Line: "Data Subject Rights Request"
Required Information: Full name, student/staff ID (if applicable), description of request, verification of identity

We will respond to your request within one month. In complex cases, this may be extended by two additional months with notification.

8. Data Security Measures

Brussels College implements comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

8.1 Technical Security Measures

• Encryption: All data transmission uses SSL/TLS encryption (HTTPS protocol)
• Data Storage: Personal data stored on secure servers with encryption at rest
• Access Controls: Role-based access controls ensuring only authorized personnel can access data
• Authentication: Multi-factor authentication (MFA) for sensitive systems
• Firewalls and Intrusion Detection: Advanced network security monitoring
• Regular Backups: Encrypted backup systems with disaster recovery procedures
• Security Updates: Regular patching and updating of systems

8.2 Organizational Security Measures

• Staff Training: Regular data protection and cybersecurity training for all staff
• Confidentiality Agreements: All staff sign confidentiality and data protection agreements
• Access Limitation: Personal data access on a need-to-know basis only
• Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing activities
• Incident Response Plan: Procedures for detecting, reporting, and responding to data breaches
• Vendor Management: Due diligence and contractual safeguards with third-party processors
• Physical Security: Secure facilities with controlled access to data storage areas

8.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Belgian Data Protection Authority within 72 hours of becoming aware
• Inform affected individuals without undue delay if the breach poses a high risk
• Provide details of the breach, likely consequences, and measures taken to mitigate harm

9. Data Sharing and Third-Party Disclosure

Brussels College does not sell your personal data to third parties. We may share your data with the following categories of recipients for legitimate purposes:

9.1 Internal Recipients

• Academic departments and faculty members (for educational services)
• Admissions and student services teams
• Finance and accounting departments
• IT and technical support personnel
• Senior management (for institutional administration)

9.2 External Third Parties

Service Providers and Processors:

• Cloud hosting and IT infrastructure providers
• Learning Management System (LMS) platforms
• Payment processing services (for tuition fees)
• Email and communication platforms
• Customer Relationship Management (CRM) systems
• Analytics and website optimization tools

All service providers are bound by data processing agreements (DPAs) compliant with GDPR Article 28, ensuring they process data only on our instructions and maintain appropriate security measures.

Educational and Accreditation Bodies:

• Belgian Ministry of Education (for regulatory compliance)
• Accreditation agencies and quality assurance organizations
• Partner universities and educational institutions (with consent)
• Professional certification bodies

Government and Regulatory Authorities:

• Belgian Immigration Office (for visa and residence permit processing)
• Tax authorities (for legal compliance)
• Law enforcement agencies (when legally required)
• Courts and dispute resolution bodies (when necessary)

Other Third Parties:

• Education agents and recruitment partners (with your consent)
• Scholarship and funding organizations
• Insurance providers (for student health insurance)
• Banks and financial institutions (for refunds and payments)
• Professional advisors (legal, audit, consulting)

9.3 International Data Transfers

Some of our service providers may be located outside the European Economic Area (EEA). When transferring your data internationally, we ensure adequate protection through:

• Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
• Standard Contractual Clauses (SCCs): EU-approved contract terms with recipients
• Binding Corporate Rules: For transfers within multinational organizations
• Explicit Consent: Obtained for specific transfers when required

We conduct Transfer Impact Assessments (TIAs) to ensure your data receives equivalent protection to that guaranteed within the EEA.