Prospective Students’ Privacy Notice

Who are we (Introduction)?

Emeritus (together with its relevant subsidiaries, associates, and affiliated companies as listed in Annexure-1 of this Notice, collectively referred to as “Emeritus”, “us”, “we”, or “the Company”) is committed to protecting and securing the confidentiality of, and to lawfully handling and effectively
managing the personal data we collect from our prospective students.

Our Vision and Mission Statement

(Global Data Protection Office at) Emeritus is committed to maintaining trust, meeting expectations, and upholding the rights of the individuals whose personal data we collect by efficiently protecting their personal data, diligently complying with the applicable privacy laws, persistently adhering to the
privacy principles, and conscientiously following the privacy best practices. We understand the value of personal data and the significance of its processing in running our business, and we reinforce our pledge to remain bound to our obligations of fairness and transparency while handling personal data
and related operations.

What is the purpose of this notice?

This Prospective Students’ Privacy Notice (“Notice”) outlines and describes how personal data or information of prospective students is collected, managed, and processed by Emeritus. Emeritus is committed to handling the personal data of its prospective students with fairness and transparency, and in a lawful manner. This Notice covers the minimum controls and obligations that Emeritus is committed towards for ensuring that the personal data of our prospective students is collected, used, retained, and disclosed in a secure, lawful, transparent, and compliant manner.

Whom is this notice directed to (Scope)?

This Notice applies to prospective students of the educational programs and course(s) offered by Emeritus (collectively “you”, “your”) and is designed to inform you of the personal data that we collect, our purposes of processing that data and your rights in connection with it.

This Notice applies to all our courses and educational services, including whenever we collect and process your personal data in that context for the purposes identified below. Please note however that there may be cases from time to time where we need to update this Notice, for example to reflect changing legal requirements or processing activities, and in the event we make any material changes to this Notice then we will let you know.

This Notice does not apply to personal data belonging to other categories of individuals like our students, program applicants, vendors, employees, contractors, job applicants, consultants, or clients engaged with or by Emeritus. See our Students’ and Program Applicants’ Privacy Notice; Employees’, Consultants’, and Employment Candidates’ Privacy Notice; and Emeritus Privacy Notice for more information. However, as more than one of the above notices may apply to you depending upon the context in which your personal data is collected and processed (e.g., an employee may also be a student), be sure to carefully read each applicable notice that we provide to you so that you are fully informed.

What other rules or notices apply?

In some cases, local laws and regulations that apply to the processing of your personal data may be more restrictive than this Notice. Those more restrictive requirements will apply in that case. Emeritus will provide you with additional privacy notices or information where applicable law(s) so require. Residents of the United States (U.S.) should see our U.S. Privacy Notice which supplements this and our other privacy notices for them. In addition, this Notice may be supplemented from time to time with more specific privacy information or notices, for example when you use a particular Emeritus app or portal.

What are the categories/types of personal data we collect about you?

The personal data that we collect, and process may vary depending upon the course/program you select, the requirements of the university partner offering that course, and obligations arising under applicable laws. The personal data that we collect from you is stored within the electronic records/database stored on servers (including cloud servers) located in Singapore, Japan, Canada, U.S.,
India or in another country (including third countries that are not covered by an adequacy decision of the European Commission), as well as within physical records/database.

Emeritus collects the personal data only to the extent it requires it for a particular purpose(s), and it may collect the following types of personal data from you:

Categories of personal data Examples of personal data attributes within each category
Identification/Identity data Full name, gender, title, country of residence, nationality, citizenship, location, online identifier, IP address, date of birth, age
Contact details Personal and/or official phone number(s), personal and/or official email address(es)
Educational and employment
data
Educational qualification, number of years of work experience, job function, industry, job title, name of the employer
Electronic identification data Login ID, password, IP data, website visit logs, browser details
User generated data Content of your communication with us, responses to surveys,
focus groups and quizzes, feedback and suggestions
Other personal details General/random information (not necessary for the program
delivery or management) like mother’s maiden name or pet’s name for verifying your identity for resetting your login credentials in case of lost/forgotten particulars including your username and password

Sensitive personal data

Sensitive personal data or special categories of personal data (“SPD”) are personal data which are particularly sensitive in nature and merit specific protection as the context of their processing could create greater risks to the fundamental rights and freedoms of the individuals. SPD, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. The examples of SPD may vary depending upon the context and the laws of the respective countries from where the SPD originates and may include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, sex life or sexual orientation, or data concerning health.

Emeritus does not require collecting or processing any sensitive personal data or special categories of personal data from our prospective students.

Should we require SPD for any purpose(s), we will obtain your explicit consent towards such collection and processing in terms of this Notice at the point where the SPD will be disclosed by you.

Where the applicable law(s) provide other legal bases for processing SPD (as an exception to obtaining explicit consent), we may rely upon such legal basis as may be available to us in a particular situation. In the event you voluntarily disclose/share/upload/post/make public your SPD on our website, or any other public forum owned or controlled by us, you understand that the said SPD may be processed by us in accordance with the applicable law(s) and this Notice.

Personal data of others provided by you

In certain situations, you may provide to us the personal data of others (for example, your friends, colleagues, family members, etc.) such as in the form of a referral towards our programs and courses, etc.

How do we collect your personal data (Source)?

Personal data collected directly from you through our website

Emeritus collects your personal data that you voluntarily provide to us for receiving the relevant details and information about the course offerings, programs, topics, subjects, specialities, and universities you may be interested in, from us through various modes and communication channels. We may collect your personal data through different mediums like a webform that you fill and submit on our program landing pages(s) for details about that particular program as well as other related programs, or a general form on our website for receiving generic or non-specific information about the courses/programs we offer.

It is your responsibility and obligation to ensure that all personal data submitted to us is accurate, correct, complete, and up to date at the time of submission. You are required to check and verify before submission that the personal data submitted to us belongs to you and not to any other individual (unless you are legally authorized to submit such other individual’s personal data in terms of this Notice), and follow the standard process defined and established by us for referrals. Please keep us informed of any changes to the personal data you have submitted with us.

Personal data collected directly from you, on our behalf and under our instructions, through our third-party affiliates’/partners’ websites

Emeritus partners with vendors, service providers, and institutions in the field of education and/or related activities for marketing its courses and programs. We publish the course/program information along with our webform on the affiliates’/partners’ website. We collect your personal data that you voluntarily provide to us (through the webform) for receiving more details and information about a particular program as well as other related programs and courses, through various modes and communication channels.

Your personal data collected through such third-party websites is transferred securely to Emeritus. It is your responsibility and obligation to ensure that all personal data submitted is accurate, correct, complete, and up to date at the time of submission. You are required to check and verify before submission that the personal data submitted belongs to you and not to any other individual (unless you are legally authorized to submit such other individual’s personal data in terms of this Notice) and follow the standard process defined and established by us for referrals. Please keep us informed of any changes to the personal data you have submitted with us.

Personal data collected independently by others and shared with us

Emeritus may indirectly collect your personal data from third parties for marketing its courses and programs to you in the following ways:

  1. Emeritus’s third-party affiliates/partners (describes in section B above) independently host the course/program information along with the webform for collection of personal data on their website. These affiliates/partners collect, as data controllers, your personal data that you voluntarily provide to them (through the webform) for receiving more details and information about a particular program as well as other related programs and courses, through various modes and communication channels. Your personal data so collected is shared with Emeritus in accordance with the applicable privacy laws.
  2. Various third-party data brokers may independently collect and/or compile your personal data through several mediums and sources. Such data brokers are the data controllers towards such personal data and are under an obligation to collect and process (including sharing and transfer) such data in strict compliance with the applicable privacy laws. Emeritus may collect your personal data from these third-party data brokers via direct access to their database and/or by obtaining such data in the form of marketing lists. Emeritus collects and processes your personal data shared with it by the third-party data brokers in strict compliance with the applicable privacy laws.

Personal data shared with us by others as referral

Various individuals like, our present or past students, prospective students, your friends, colleagues, or family members, etc. may refer you to us as a potential student for enrolment to different courses and programs. In order to identify and associate you with your referrer, send details about our courses and programs that you may be interested in through various modes of communication (in compliance with the applicable privacy laws), and in some cases to register and onboard you to the desired courses and programs, we may receive some personal data from the following categories from your referrer:

  • Identification/Identity data
  • Contact details
  • Educational and employment data

Even if you have been referred to us, you may still be required to register yourself through our course application page for completing the enrolment and onboarding process. You may be asked to again provide the personal data initially provided to us by your referrer, along with the additional information (personal data) required for the course registration.

Personal data of others provided by you

In certain situations, you may provide to us the personal data of others (for example, your friends, colleagues, family members, etc.) such as in the form of a referral towards our programs and courses, etc. In such a situation, it becomes your responsibility to inform the individual concerned about the processing of their personal data for the relevant purposes. You must confirm to us that you have been authorized to submit such details with us and allow us send details and information about a particular program as well as other related programs and courses, through various modes and communication channels to such individuals referred by you.

Our referral and group enrolment process has been designed to meet the complex requirements of the global privacy laws especially the General Data Protection Regulation (“GDPR”). We monitor, review, and revise this process proactively to remain in strict compliance with such laws while processing your personal data for the given purpose. Referrals and group enrolments are accepted only in accordance with the established process.

Personal data collected via tracking technologies

When you visit our website or use our service, we and third parties may use cookies and other tracking technologies to collect personal data from you. This may include tracking your activities across time and third-party sites or services. For more information about this processing and your choices regarding it, see our Cookie Notice.

Why do we collect your personal data?

Purpose(s) of processing

Emeritus uses your personal data for sharing with you the relevant details and information about its course offerings, programs, topics, subjects, specialities, and universities that you may be interested in, through multiple channels of communication. We may process your personal data for sending you the details about a particular program of your interest as well as other related programs, or generic or non-specific information about the courses/programs we offer.

Lawful (legal) basis for processing

Privacy law of certain jurisdictions require that one of the available lawful bases of processing, as prescribed by such privacy law, must be relied upon (satisfied) by Emeritus before processing your- personal data for each of the purposes listed earlier. The lawful basis that Emeritus relies upon for a particular processing activity may differ from the lawful basis relied upon for another processing activity i.e., different lawful bases may be relied upon to lawfully conduct different processing activities. All or some of the following lawful bases of processing may be available under the privacy law of a particular jurisdiction (country):
  1. Consent: You have given consent (explicit/express or deemed/implied, depending upon theprivacy law applicable) to the processing of your personal data for one or more specific purposes.
  2. Performance of a contract: Processing of your personal data is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
  3. Compliance with legal obligation: Processing is necessary for compliance with a legal obligation to which Emeritus is subject.
  4. Protection of vital interests: Processing is necessary in order to protect your vital interests or of another natural person.
  5. Public interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. Legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by Emeritus or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms under applicable privacy laws.
Processing of sensitive personal data or special categories of personal data (‘SPD’) has been covered earlier under the section ‘What are the categories/types of personal data we collect about you?’. The most common processing activities that we use (process) your personal data for, along with the respective legal basis, are listed below:
Processing activities Lawful (legal) basis for processing
Sending details and information about our course offerings, programs, topics, subjects, specialities, and universities you are interested in (you will have an option to unsubscribe to such communication anytime). Consent
Sending information about other courses/programs related to the program, topic, or subject of your interest (you will have an option to unsubscribe to such communication anytime). Consent
Sending generic or non-specific information about the courses/programs we offer (you will have an option to unsubscribe to such communication anytime). Consent
Responding to your questions and queries, and clarifying your doubts (if any), on our course offerings, programs, topics, subjects, specialities, and universities through our program advisors (PAs). Legitimate interest
Recording of your calls with our PAs. Consent
Verifying your contact information like phone number and email ID using OTP or other mechanism. Legitimate interest
Creating your account and generating login details including username and password. Legitimate interest
Verifying your identity for resetting your login credentials in case of lost/forgotten particulars including your username and password Legitimate interest
Assessing/evaluating your eligibility for a course/program you are interested in basis the parameters defined by the concerned university partner. Legitimate interest
Inviting you for focus groups, surveys, and other similar initiatives for receiving feedback and suggestion for enhancing overall quality of our services and course offerings. Legitimate interest
Inviting you to seminars, webinars, and other events that may or may not be related to the course(s) and program(s) you are interested in (separate registration may be required for attending these events). Legitimate interest
Responding to your general questions and queries. Legitimate interest
Investigating and addressing your complaints and issues. Legitimate interest
Sharing your personal data with the university partner(s) concerned with the courses/programs you have expressed interest in.Please see ‘Disclosure to other third parties’ section of this Notice for more information. Legitimate interest
Complying with applicable laws, rules, regulations, codes of practice or guidelines and associated administrative activities:
Responding to requests by government or law enforcement authorities conducting any investigation. Compliance with legal obligation
Using personal data in connection with legal claims or litigation. Legitimate interest
Complying with directions, orders including subpoenas or other legal process(es) of competent courts, legal or regulatory bodies (including but not limited to disclosures to such regulatory bodies). Compliance with legal obligation
Investigating, preventing, or taking suitable action regarding illegal activities, suspected fraud, security issues, enforcing our terms and conditions, or this Notice, or to protect our rights, property, or safety, and those of others. Legitimate interest
Processing personal data for audit checks and other regulatory purposes. Legitimate interest
Sanction checks/screening in compliance with applicable sanction laws across geographies, and similar programs of the university partners (for example, sanctions list of the Office of Foreign Assets Control). Compliance with legal obligation
Implementing whistleblower program (or other complaint mechanism) and setting-up of hotline and web-portal for collecting whistleblower reports (anonymous or identified). Compliance with legal obligation
Monitoring and ensuring network and information security, including preventing unauthorized access to our systems and preventing attacks through virus, malicious software etc., and ensuring business continuity. Legitimate interest
Ensuring compliance with applicable terms and conditions and/or applicable policies and procedures. Legitimate interest
Internal reporting and/or accounting purposes. Legitimate interest
Successors in the event of a merger, acquisition, or reorganization. Legitimate interest
Reaching out to you for corporate and individual referrals. Legitimate interest
Training our workforce/employees on different processes that may involve processing of your personal data. Legitimate interest
Social media marketing (for example, Facebook lookalike): We may be targeting advertising on social media to groups of individuals identified by such social media as having similar interests or characteristics than our existing contacts. This processing activity is based on our legitimate interest to increase the audience of person likely to be interested in our services. In such case, we will be acting as joint controller with the social media (which contact details can be found on the social media’s platform). Such targeted audience will be provided with the possibility to object to the display of targeted advertising by the social media. We will not have any personal data on this audience, except to the extent it decides to click on the advertisement and/or access our website.. Legitimate interest
Conducting business analytics, marketing research, and data analysis. Legitimate interest
For business planning purposes, marketing, advertising, and sales efforts. Legitimate interest
For any other purpose as disclosed to you at the point of collection or pursuant to your consent. Consent
Where Emeritus wishes to use your personal data for a new purpose that has not been included in the table above, Emeritus will process your personal data, for such new purpose, as per the provisions of the applicable privacy law(s). Where required, Emeritus will notify you of the new purpose in accordance with the applicable law(s) and obtain your consent (or rely on any another lawful basis available with us) before processing your personal data for the new purpose.

Legitimate interest as the lawful (legal) basis for processing – additional information

You have the right to object at any time, on grounds relating to your situation, to processing of your personal data carried out for our legitimate interests or of a third party.

Please refer to the section ‘What are your rights with respect to your personal data?’ for more details.

Performance of a contract as the lawful (legal) basis for processing – additional information

Where the collection and use of your personal data is based on your consent, you are entitled to withdraw that consent at any time by contacting us (please refer to the ‘Contact Us’ section of this Notice), or by clicking the ‘unsubscribe’ link in our marketing emails. Please note that your withdrawal of consent could have an adverse impact on our ability to engage with you and would not affect the lawfulness of processing that has already occurred based on your consent.

With whom do we share your personal data (Disclosure)?

Disclosure within the Emeritus group of companies (affiliates)

Emeritus is a global company, and we may share your personal data or provide such access to other companies within the Emeritus group (that exclusively manage the programs/courses of relevance to you under an agreement with the concerned university partners) for providing you with details and information about our course offerings, programs, topics, subjects, specialities, and universities you are interested in and also other courses/programs related to the program, topic, or subject of your interest. This Notice also applies to the processing activities of our affiliates on your personal data in such contexts and is provided for and on behalf of those affiliates where they also act as controllers of your personal data, including those listed under Annexure-1 of this Notice.

Disclosure to third party service providers

Emeritus may share your personal data with the following third-party service providers. These thirdparty service providers will require access to your personal data to perform certain limited functions for Emeritus however, they may not generally use, for their own purposes, your personal data that they process:

  • Technology service providers like network and IT security, internet services, video communications, customer support and communication, telecom services for running the business operation and protecting it from external and internal threats.
  • Service providers for business continuity management and contingency planning in the event of business disruptions.
  • Platforms (service providers) for hosting interactive webinars that can be attended live or later (on-demand).
  • Service providers and platforms supporting our outreach initiatives and assisting us in establishing communication (with you) through various channels like email, text (SMS), WhatsApp, voice call, etc.
  • Service providers providing the following services:
    • Business analytics
    • Marketing research
    • Focus groups, surveys, and data analysis
    • Cloud services and data storage
    • Couriers
    • Verification services towards your contact information like email ID and phone number
    • Social media platforms (for example, Facebook, LinkedIn) for assisting us with our social media marketing initiatives.
    • Service providers conducting sanction checks and screening.
    • Third-party service providers for establishing and implementing whistleblower program by setting-up and independently managing hotline and web-portal for collecting whistleblower reports (anonymous or identified).

We take reasonable steps, such as obtaining contractual commitments from our third-party service providers, to limit and protect the use of your personal data by our service providers.

Disclosure to other third parties

Emeritus my share your personal data with the following (non-agent) third parties (list not exhaustive):

  • Professional advisors and consultants including law firms, tax consultants,
    business/management consultants, auditors etc. for running the operations efficiently and in a compliant manner.
  • Regulators, government bodies, supervisory authorities, and law enforcement agencies in order to comply with applicable laws, rules and regulations including those related to audit and assessment of educational programs, licensing and approvals, and revenue andtaxation.
  • Prospective (and actual) sellers or buyers, legal entities, and their advisers in connection with any financing, merger, acquisition, or sale of any of our business or assets.
  • Third-party business partners (including our university partners) that offer courses, programs, or services similar to those you have expressed interest in or that may otherwise be of interest to you. We shall rely upon your consent (separately obtained as and when required), or any other lawful basis available at the time, before sharing your personal data for the stated purpose.

In addition to the above, Emeritus also shares your personal data, more specifically as stated, with the following third parties:

Recipients Categories of personal data Why we share (Purpose)
University partners
Universities that offer the course(s)/program(s) that you have expressed interest in.

Please note that UniversityPartner’s privacy policy shall apply in their processing of your personal data.

  • Identification/Identity data
  • Contact details
  • Educational and employment data
  • Sharing with you details and informa ion about its course offerings, programs, subjects, and specialities, and also about other courses/programs
    related to the program, topic, or subject of your interest after obtaining
    your consent in accordance with the applicable law(s)
  • Audit

We share your personal data with the (non-agent) third parties primarily for our legitimate interests but may also rely upon one of the other lawful bases, listed under the section ‘Lawful (legal) basis for processing’, that may be legally available to us. Where required by the applicable privacy law(s), we
will seek your consent before sharing your personal data with the third parties.

Third parties with whom your personal data has been shared may, in some cases, independently determine the purposes and uses of your personal data; in such cases, that third party recipient’s own privacy policy (notice) will govern their use of your personal data.

Disclosure without notification

In some cases, or circumstances, we may disclose your personal information to third parties without notifying you. These circumstances could include:

  • Where Emeritus is required to do so as per applicable laws/rules/regulations, or by order of a
    court, tribunal, or any other regulatory authority, or other legal process or compulsion.
  • Where Emeritus, in good faith, believes that such disclosure is reasonably necessary to comply with a legal obligation, process, order, or request.
  • Where Emeritus is legally required to or believes in good faith that such disclosure is reasonably necessary to safeguard the rights, property or other interests of Emeritus, its employees, vendors, clients, customers of clients, third parties or the public as required and permitted by the applicable
    law(s).
  • Where provision of the information would be disproportionate or would result in the impossibility or serious impairment of achieving the objectives of processing.

International (cross-border) transfer of personal data

Due to the global nature of our business which comprises of partnership with various universities across the globe with international student enrolments to the courses and programs offered, presence of several Emeritus group companies (affiliates) worldwide, vendors/service providers (processors) that are present in and operating out of different countries and facilitate and support our services, and other third parties (esp. those listed in the earlier section) established in an overseas location, your personal data may be shared, disclosed, or transferred to these parties in other countries where the privacy and data protection law(s) may differ from those in your country. The cross-border transfer may include transfer to third countries (including onward transfers) that are not covered by the adequacy decision of the European Commission (Secretary of State in case of UK).

The cross-border transfer of your personal data shall be done in compliance with the concerned provisions and requirements of the privacy law(s) applicable on your personal data that may inter-alia include:

  • In the case of personal data within scope of the privacy law(s) of the European Economic Area (EEA) or United Kingdom (UK), your personal data may be transferred cross-border on one of the following bases:
    • When such transfer is being done to a country or a territory that is covered by an adequacy decision issued by the European Commission (Secretary of State in case of UK).
    • When we have provided for appropriate safeguards in the form of Standard
      Contractual Clauses (SCCs), adopted by the European Commission (Information
      Commissioner in case of UK), signed with the recipient of your personal data in the non-adequate third country.
    • When we have obtained explicit consent from you after informing you of any possible risks of such transfer to a third country for you as an individual due to the absence of an adequacy decision and appropriate safeguards.
  • In the case of personal data within scope of the privacy law(s) of ountries other than the European Economic Area and United Kingdom, your personal data may be transferred cross-border on one of the following bases:
    • Emeritus has signed appropriate data transfer and/or processing agreement with the recipient of your personal data in the other country.
    • Under any other provisions and/or conditions enabling such transfer as provided by the privacy law(s) applicable on your personal data.

How long do we retain your personal data?

Emeritus will retain your personal data for as long as necessary for the purpose(s) for which it has been collected, in accordance with the applicable law(s), and as set out in our retention policy and/or schedule. The duration for which we retain your personal data may differ depending upon the purpose(s) it’s being processed for.

We will retain and use your personal data to the extent necessary to comply with our legal obligations, for example, to comply with statutory audits, resolve disputes, comply with orders or requests issued by competent court(s), and enforce our legal agreements and policies.

In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

How do we protect your personal data (Data Security)?

Emeritus implements appropriate technical and organizational measures to ensure security of your personal data and to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. These measures are designed to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted,
stored, or otherwise processed by us.

We make every reasonable effort to ensure safety and security of your personal data in accordance with the applicable law(s) and industry standards while considering the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Despite all our efforts, risk of personal data breach persists as no method of internet transmission or storage guarantees complete security. In an unlikely event of a personal data breach, we will assess and investigate the event and take necessary actions, including those related to notification to the relevant supervisory authority and to the individuals impacted, in compliance with the applicable law(s) within the timelines prescribed.

What are your rights with respect to your personal data?

You may check and update certain personal data within our systems either by logging to your password-protected account (only in certain cases) or by contacting us at privacy@emeritus.org. It is your responsibility to ensure that your personal data, that you have shared with us, is accurate, correct, complete, and up to date in our records.

Privacy laws in some jurisdictions, especially those in the European Economic Area (EEA) and the United Kingdom (UK), and in some U.S. states, provide individuals with certain rights in relation to the processing of their personal data (subject to conditions and exceptions provided in such laws). These
rights are jurisdiction-specific and may not be available to all. For example, in case you are located in the European Union (EU) (or UK) or our affiliate that you interact with (that collects and processes your personal data) is located in the EU (or UK), all of the rights listed below may be available to you. Some or all these rights (and even some additional rights) may be available to you under the privacy law(s) of other jurisdictions as well but that depends upon the scope of privacy law(s) applicable on your personal data. U.S. data subjects should see our U.S. Privacy Notice for more details related to their rights.

  • Right of access: to obtain from us a confirmation as to whether or not personal data concerning you are being processed.
  • Right to rectification: to get your inaccurate personal data corrected or rectified, and incomplete personal data completed.
  • Right to erasure: to have your data deleted (this is not an absolute right and is subject to exemptions available under the applicable privacy law).
  • Right to restriction of processing: to obtain restriction of processing.
  • Right to data portability: to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have it transmitted to another controller.
  • Right to object : on grounds relating to your particular situation especially where we are relying
    on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Right to object to automated decision making and profiling: to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects
    concerning you.

We will process your request to exercise the above rights in accordance with the law(s) applicable in relation to the rights exercised by you. As permitted by applicable law, we may refuse requests that are unreasonably repetitive, require disproportionate technical effort, risk the privacy of others, may
compromise an ongoing investigation, or are impractical. We do not discriminate against you for exercising any of your rights in a manner that would violate applicable law.

As a policy, Emeritus allows you to access your personal data, verify and challenge the accuracy and completeness of your personal data, and have it corrected, amended, or deleted if inaccurate and, in limited circumstances, object to processing of your personal data even if the law in your jurisdiction
does not accord you those rights, but we will apply our discretion in how we process such requests except as otherwise required by applicable law. We may require you to establish your identity and provide evidence to justify the amendment of your personal data held by us. You can exercise these rights by contacting us per the Contact Us section below, or in the case of U.S. data subjects as set forth in our U.S. Privacy Notice.

In addition, we enable you to exercise certain choices regarding cookies and certain other tracking technologies, as explained in our Cookie Notice.

To exercise a data subject right or make an inquiry about your personal data, please write to us at privacy@emeritus.org. We may need to verify and confirm your identity before we process and fulfil your request. This is another appropriate security measure to protect your personal data.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights) unless, and subject to applicable law, your request for access is clearly unfounded, excessive, or repetitive. Alternatively, we may refuse to comply with the request in such circumstances in accordance with the applicable laws.

Right to complain: You may have the right to lodge a complaint with your local data protection authority about our processing of your personal data. For more information, please contact your local data protection authority. We would, however, welcome the opportunity to discuss, address, and resolve your concerns before you reach out to your local data protection authority. So, please contact us in the first instance at privacy@emeritus.org.

Contact us.

Any questions, concerns, or complaints about the operation of this Notice can be addressed to the Data Protection Officer at privacy@emeritus.org. In addition, you may submit your concerns or complaints about our privacy practices to our Data Protection Officer at privacy@emeritus.org or at the following address:

Emeritus Institute of Management
78 Shenton Way,
#20-02 Singapore-079120

Whenever we receive a formal complaint, we attempt to contact the complainant individually and resolve his/her grievances and/or concerns truthfully and with utmost transparency.

In addition to contacting us, in certain countries you have the right to lodge a complaint with your local data protection authority if you so choose.

In case you are located in the European Union (EU) or United Kingdom (UK), you may contact our representative in the EU or UK:

Global Alumni (for the EU)

  • Global Alumni (for the EU)
  • by writing to Global Alumni at Calle Acanto, 11, 28045, Madrid, Spain

EIM Learning UK Ltd. (for UK)

  • by emailing: UKRep@Emeritus.org
  • by writing to EIM Learning UK Ltd. at WeWork, 10 York Road, London, England, SE1 7ND

Definitions.

Personal data means any data related to an identified or identifiable living natural person, provided, however, that if an applicable law has a different definition of personal data (or a similar term referring
to information relating to an individual), such definition shall be applied to the extent applicable.

Sensitive personal data (SPD) means Personal Data which is more significantly related to the notion of a reasonable expectation of privacy. However, data may be considered more or less sensitive depending on context or jurisdiction.

Process and Processing means (1) any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, accessing, consultation, interpretation, assessment, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; and (2) any other action that may be taken with respect to Personal Data.

(Data) Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

(Data) Processor means a natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller.

Adequacy decision means a formal decision made by the European Union (EU) which recognises that another country, territory, sector or international rganisation provides an equivalent level of protection for personal data as the EU does.

Onward transfer means a transfer of personal data to a fourth party or beyond. For instance, the first party is the data subject (you), the second party is the controller (Emeritus), the third party is the processor, and the fourth party is a sub-contractor of the processor.

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

University partners mean the universities on whose behalf we deliver and manage the respective educational courses.

Annexure-1

List of Affiliates

Name Jurisdiction Organizational ID
Eruditus Learning Solutions Pte Ltd Singapore 201230726W
Eruditus Executive Education FZ-LLC UAE 91917
EIM Learning S.C. Mexico ELE2103084DA
Emeritus Institute of Management, Inc. USA 6959273
Emeritus Institute of Management Pte.Ltd. Singapore 201510637C
Erulearning Solutions Pvt. Ltd. India U80904MH2016PTC288248
Emeritus Enterprise, Inc. USA 6595607
Emeritus Institute of Management DO Brasil Ltda Brazil 46.284.205/0001-47
EIM Learning UK Ltd. UK 11617490