CV-HGS GDPR POLICY AND CONSENT NOTICE 6.1.22 1

Catholic Virtual™, a division of Hudson Global Scholars, LLC European Union
General Data Protection Regulation (GDPR) Policy
For Individuals Located in the European Economic Area

This Policy is being provided in accordance with the provisions of the European Union General Data Protection Regulation [Regulation (EU) 2016/679 “on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data”] (“GDPR”), describes how Personal Data of students/parents/legal guardians will be processed, secured and stored by Catholic Virtual (“CV”), a division of Hudson Global Scholars, LLC (“HGS”), in its capacity as Data Controller, pursuant to Article 12 of the GDPR, and explains students’/parents’/legal guardians’ rights with regard to such Personal Data. What is “Personal Data” and “Processing”?

Under the GDPR, “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The GDPR prohibits processing of “special categories” of Personal Data unless certain exceptions apply, because this type of data could create a more significant risk to a Data Subject’s fundamental rights and freedoms and put a Data Subject at risk of unlawful discrimination. The following data is included in “special categories” of Personal Data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (hereafter “Sensitive Personal Data”).

HGS may collect and keep the following types of Personal Data and other information from students/parents/legal guardians:

1. Student Information: Name, address, date of birth, sex, passport/visa information (non-US students applying for college/university admission/credit), citizenship information (for students applying for CV-HGS GDPR POLICY AND CONSENT NOTICE 6.1.22 2 college/university admission/credit), local student identification number (if applicable) and social security number (if applicable).
2. Parent/Legal Guardian Information: Name, address, phone number, e-mail address and credit card information (if applicable).
3. Student Educational Record/Data Based Tracking: HGS Programs/Courses and Services selected by the student, course enrollments, course withdrawals, participation, attendance, grades and other academic information in the student’s record.
4. Student-Teacher Communications: Calendar information and phone logs regarding courses and teacher communications, and e-mails between students and teachers.
5. Education History: Information relating to a student’s education history, including the school(s) and other colleges or universities a student has attended, the courses a student has completed, dates of study and examination results.
6. Classes Attended by Students: Classes attended by students are recorded for use solely by the students in the class during the period in which a student is actively enrolled in the class.
7. Website Usage Data and Credentials: IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when HGS products and services are used and other technical information.
8. Credentials: Passwords, password hints and similar security information used for authentication and account access.
9. User Profile: Any combination of Personal Data that allows HGS to provide Educational Services to a Student.

HGS will only use such Personal Data for educational purposes, including the facilitation of the use of HGS programs, products and services, including courses (“Educational Services”).

HGS only uses Personal Data in a lawful, transparent, and fair manner. Depending on the specific Personal Data concerned and the factual context, when HGS processes Personal Data as a controller for individuals in regions such as the European Economic Area, Switzerland, and the UK, it relies on the following legal bases as applicable in the individual’s jurisdiction:

1. Educational Contract: When HGS enters into a contract directly with a student (or his/her parent/legal guardian if the student is under the age of 16) or with a student’s local school to provide Educational Services to a student (“Educational Contract”), HGS processes the student’s/parent’s/legal guardian’s Personal Data on the basis of this Educational Contract in order to (i) prepare, enter into and perform the Educational Contract in order to provide the student with the HGS Educational Services (which includes billing, compliance with contractual obligations, and related administration and support); (ii) develop, test, and improve the HGS Educational Services and troubleshoot Educational Services and features; and (iii) ensure authentication, integrity, security, and safety of accounts, activity, and HGS Educational Services, including detecting and preventing malicious conduct and violations of HGS’s terms and policies or the terms and policies of its third-party service providers, prevent or investigate bad or unsafe experiences, and address security threats. If HGS does not collect and process such Personal Data for these purposes, HGS may not be able to provide the student with its Educational Services;
2. Consent: HGS relies on the explicit consent of students, and/or their parents/legal guardians (on their own behalf and/or on behalf of any students under the age of 16) in order to provide the Educational Services to students.
3. Legal Obligations: HGS processes Personal Data to comply with all applicable United States Federal and State Laws and Regulations and applicable European Union Laws and Regulations (hereafter collectively referred to as “Laws and Regulations”) for the provision of Educational Services to students, through HGS and its Divisions, HGS’s affiliates, and HGS’s Partner Schools, including but not limited to HGS accreditation authorities and applicable US State Departments of Education; to respond to valid legal requests from, and other communications with, competent public, governmental, judicial, or other regulatory authorities; to investigate or participate in civil discovery, litigation or other adversarial legal proceeding; to comply with Laws and Regulations related to the safety and security of students, and to comply with the legal obligations to which it is subject as a legal entity in the State of Delaware, US with offices in the state of Maryland, US. This includes detecting, investigating, preventing, and stopping fraudulent, harmful, unauthorized, or illegal activity (“fraud and abuse detection”) and compliance with privacy Laws and Regulations; and
4. HGS’s (or others') Legitimate Educational Interests: HGS processes Personal Data of students/parents/legal guardians based on such legitimate educational interests to; (i) ensure authentication, integrity, security, and safety of accounts, activity, and HGS Educational Services, including detecting and preventing malicious conduct and violations of HGS’s terms and policies or the terms and policies of its third-party providers, prevent or investigate bad or unsafe experiences, and address security threats (iv) comply with Laws and Regulations, codes of practice, guidelines, or rules applicable to HGS and respond to requests from, and other communications with, competent public, governmental, judicial, or other regulatory authorities, as well as to meet HGS’s corporate and social responsibility commitments, protect HGS’s rights and property and the rights of HGS’s customers, resolve disputes, and enforce agreements.

Consent of the student or, if the student is under the age of 16, the student’s parent/legal guardian is a legal basis upon which HGS relies to comply with GDPR. Consent is required before HGS collects, processes or discloses Personal Data of the student and/or of the student’s parent/legal guardian in order for the student to receive Educational Services through HGS. In accordance with GDPR, such consent must be freely given, specific, informed and an unambiguous indication of the student’s/parent’s/legal guardian’s agreement to the processing of the student’s/parent’s/legal guardian’s Personal Data. The refusal to allow HGS to collect and process such Personal Data may make it impossible to provide Educational Services and comply with applicable Laws and Regulations governing HGS. Such Personal Data is processed and used by HGS, its employees, consultants, third-party agents and third-party service providers solely for educational purposes. HGS does not sell Personal Data or sell advertising based on anonymized Personal Data.

HGS processes the Personal Data collected from students/parents/legal guardians during their association with HGS to conduct the following lawful and legal purposes:

1. Provision of Educational Services: HGS processes the Personal Data of students/parents/legal guardians to provide Educational Services to students, through HGS and its Divisions, HGS affiliates, and HGS Partner School, including but not limited to (i) recruitment and admissions; (ii) academic matters (i.e., registration, grading, attendance, managing progress, academic misconduct investigations, certification(s), and graduation); (iii) maintaining student records; and (iv) for non-academic reasons including: (A) safeguarding and promoting the welfare of students; (B) ensuring students' safety and security; (C) financial matters (i.e., administering fees and tuition payments), and (D) matriculation, graduation, degree, and transcript information.
2. Legal Reasons: HGS processes the Personal Data of students/parents/legal guardians to comply with all applicable Laws and Regulations for the provision of Educational Services to students, through HGS and its Divisions, HGS’s affiliates, and HGS’s Partner Schools, including but not limited to HGS accreditation authorities and applicable US State Departments of Education; to respond to valid legal requests from, and other communications with, competent public, governmental, judicial, or other regulatory authorities; to investigate or participate in civil discovery, litigation or other adversarial legal proceeding; to comply with Laws and Regulations related to the safety and security of students, and to comply with the legal obligations to which it is subject as a legal entity in the State of Delaware, US with offices in the state of Maryland, US. This includes detecting, investigating, preventing, and stopping fraudulent, harmful, unauthorized, or illegal activity (“fraud and abuse detection”) and compliance with privacy Laws and Regulations.

Personal Data of students/parents/legal guardians will be protected in accordance with all applicable Laws and Regulations, including the GDPR, FERPA, and other applicable European Union and US State and Federal laws regarding the privacy of such Personal Data. HGS will only disclose Personal Data or provide access to such Personal Data in compliance with GDPR, FERPA, and other applicable US State and Federal laws, and HGS will require third parties that contract with it and have access to such information to do the same. HGS will not use Personal Data to target a student/parent/legal guardian for advertising, or sell or use such Personal Data to create profiles about a student (other than for purposes of the student’s education in an HGS course or program). All HGS students are provided a unique password to access online courses. It is the student’s responsibility to keep his/her password in confidence.

To reduce the risk of unauthorized access to student data, maintain data accuracy, and ensure the correct use of information, HGS has put in place commercially reasonable physical, electronic, and managerial procedures to safeguard and secure Personal Data and other information it collects. HGS also uses Secure Sockets Layer (“SSL”) protocol on student account information and registration pages to protect Sensitive Personal Data. Student Personal Data and other information is contained behind secured networks and is only accessible by a limited number of HGS employees, contractors, third-party agents and third-party service providers who have special access rights to such systems, and are required to keep the information confidential. All transactions are processed through a gateway provider and are not stored or processed on HGS servers. HGS’s website is scanned on a regular basis for security holes and known vulnerabilities in order to make the use of the HGS site as safe as possible.

Personal Data of students/parents/legal guardians may be provided to third parties as required by US State or Federal law. To the extent that third party service providers assist HGS in the provision of online Educational Services, those service providers are provided the minimum amount of data required to perform the tasks for which they have been engaged, consistent with applicable Laws and Regulations, including GDPR and FERPA. The third-party service providers have no independent rights to such data and have agreed to maintain the confidentiality of the data, to use it solely for the purpose of performing the school-based tasks for which they have been engaged and to safeguard the data as required by law and by contract. As permitted by the applicable Laws and Regulations, HGS may share Personal Data with other companies in order to improve the academic performance of HGS courses or programs or so that HGS may offer its Educational Services to students. Additionally, Personal Data is shared with the following entities/persons with a legitimate educational purpose and need to know:

• HGS’s CEO, administrative team, and professional staff;
• Other professionals who have a legitimate educational or legal interest in student data as designated by the CEO;
• School officials, administrators, teachers and teaching facilitators with legitimate educational interest;
• Educational institutions, organizations or home-based education programs which already have access to the student’s educational records;
• Other schools to which a student is transferring;
• Specified officials for audit or evaluation purposes;
• Accrediting organizations;
• Specified attorneys/officials/courts to comply with a judicial order or lawfully issued subpoena;
• Appropriate officials in cases of health and safety emergencies; and
• An agent representative of the student or family.

Recorded classes are available to all students in the class, as well as to teachers, facilitators and administrators of partner schools during the period in which a student is actively enrolled in the class.

Under the GDPR, students/parents/legal guardians have a number of rights with respect to their Personal Data, including the right to information which is the purpose of this Policy and Consent Notice. Students/parents/legal guardians have the right, in certain circumstances, to request: (i) access to their Personal Data, (ii) rectification of mistakes or errors and/or erasure of their Personal Data, (iii) that HGS restrict processing, and (iv) that HGS provide their Personal Data to them in a portable format. In certain circumstances, students/parents/legal guardians also may have the right to object to HGS’s processing of their Personal Data.

If HGS requested, and a student/parent/legal guardian, as applicable, provided explicit consent for the processing of a student’s/parent’s/legal guardian’s Personal Data (or where a parent or legal guardian provided consent on a student’s behalf because he/she is under the age of 16) and HGS is processing the student’s Personal Data for “information society services” (as defined in the GDPR [generally, online services that a student/parent/legal guardian pays for]), the student (or his/her parent or legal guardian, as applicable) has the right (in certain circumstances) to withdraw that consent at any time. However, withdrawal of consent will not affect the lawfulness of the processing before such consent was withdrawn. If a student/parent/legal guardian would like more information about, or would like to exercise any of these individual rights, he/she may contact HGS’s Data Protection Officer (contact information below).

HGS may be “controller” and also may be a “processor” (as those terms are used in the GDPR) of Personal Data of students/parents/legal guardians for the purposes of the GDPR.

The Data Controller, under the GDPR is HGS. The Data Protection Officer, under the GDPR responsible for the safety obligations related to the automatic processing of Personal Data of students/parents/legal guardians, is HGS’s Chief Information Officer. The form to contact the Data Protection Officer can be accessed using the following link DATA-PROTECTION-OFFICER.

Other inquiries may be addressed to:
Hudson Global Scholars, LLC
Attn: Chief Information Officer/Chief Academic Officer
7151 Columbia Gateway Drive, Suite C
Columbia, Maryland 21046

Catholic Virtual™, a division of Hudson Global Scholars, LLC European Union General Data Protection Regulation (GDPR) Consent Notice For Individuals Located in the European Economic Area This Consent Notice (“Notice”) is being provided in accordance with the provisions of the European Union General Data Protection Regulation [Regulation (EU) 2016/679 “on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data”], describes how Personal Data of students/parents/legal guardians will be processed by Catholic Virtual (“CV”), a division of Hudson Global Scholars, LLC in its capacity as Data Controller, pursuant to Article 12 of the GDPR, and explains Your rights with regard to such Personal Data.

Consent under the GDPR - any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

Data Controller - the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Educational Services – includes educational programs, products, and services, including courses, supplied by HGS.

GDPR – the European Union General Data Protection Regulation [Regulation (EU) 2016/679 “on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data”].

HGS – includes Hudson Global Scholars, LLC, its Divisions and its K-12 educational affiliates.

Personal Data - any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing - any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Sensitive Personal Data – Personal Data that may put a Data Subject at risk of unlawful discrimination, including but not limited to racial or ethnic origin, political opinions, and religious or philosophical beliefs. You - as used in this Notice, “You” means the student on his/her own behalf, the student’s parents/legal guardians on behalf of the student (for students under the age of 16); and the parent/legal guardians on their own behalf.