Effective Date: 27 May 2025
These Terms and Conditions (“Terms”, “T&Cs”, “Agreement”) govern the use of the AI-based admission evaluation system (“Authentz”, “System”, “Services”) provided by [Insert Full University Name] (“University”, “We”, “Us”) for applicants (“Applicant”, “User”) applying for admission to specific courses. These Terms set legally binding rules for how the Applicant and the University interact when using Authentz. Reading these Terms carefully is essential. They clarify both parties' rights and responsibilities, especially regarding the collection and processing of personal data required for admission evaluation.
For the purposes of this Agreement:
University: [Insert Full Legal University Name], located at [Insert Full University Address]. The University manages the admission process and acts as the Data Controller for personal data processed through this System.
Applicant / User: The individual applying for admission and utilising Authentz to submit required materials. The Applicant is the Data Subject whose personal data is processed.
By accessing or using any part of Authentz—starting a recording session, uploading documents, answering questions, or submitting an application—the Applicant unconditionally agrees to be bound by these Terms. Acceptance is mandatory for using Authentz. Refusal will prevent use of the System, and the University will be unable to process the application. These Terms represent the entire agreement concerning Authentz and supersede any prior understandings, written or oral.
These Terms operate alongside the University's Privacy Policy and Data Protection Policy. Applicants should review those documents for broader data-handling practices. Where a conflict arises about Authentz, these Terms prevail.
2.1. Purpose
The terms listed below have specific meanings within this Agreement. Clear definitions are provided to prevent misunderstanding or ambiguity in the interpretation of these Terms. Where applicable, definitions align with those provided in the General Data Protection Regulation (EU) 2016/679.
2.2. Key Definitions
"Authentz" / "Services": Refers to the specific artificial intelligence-based platform, software, and related functionalities utilized by the University to facilitate the collection, processing, and initial evaluation of Applicant information and materials as part of the admission process for the designated course.
"Applicant" / "User" / "Data Subject": The natural person who is applying for admission to a course at the University and who provides Personal Data through the Authentz. This corresponds to the definition of 'data subject' under GDPR Article 4(1).
"University" / "Controller": [Insert Full University Name], the entity that, alone, determines the purposes (why) and means (how) of processing the Applicant's Personal Data submitted through the Authentz for the evaluation of their admission application. This aligns with the definition of 'controller' under GDPR Article 4(7).
"Processor": The third-party entity providing the Authentz and processing Personal Data strictly on behalf of and under the documented instructions of the University. This aligns with the definition of 'processor' under GDPR Article 4(8).
"Sub-processor": Any third-party entity engaged by the primary Processor, with the University's authorization, to carry out specific processing activities related to the Authentz services.
"Personal Data" (also referred to as Personally Identifiable Information or PII): Any information relating to the Applicant that allows them to be identified, directly or indirectly. This includes, but is not limited to, name, contact details, date of birth, nationality, identification numbers, academic records, employment history, financial details, answers to personal questions, photographs, video recordings, and any online identifiers. This definition aligns with GDPR Article 4(1).
"Special Category Personal Data" (also referred to as Sensitive Personal Information or SPI): Personal Data considered particularly sensitive under GDPR Article 9(1), requiring enhanced protection and specific processing conditions. This includes:
Biometric Data: Facial images and video recordings processed using technology that allows for the unique identification or authentication of the Applicant.
Data Concerning Health: Medical records, physical or mental health conditions, disabilities, or other health-related information provided by the Applicant.
Data Revealing Racial or Ethnic Origin: Information potentially inferred from photos, videos, or answers, if processed for this purpose.
Religious or Philosophical Beliefs / Political Opinions / Trade Union Membership: If revealed in answers to personal questions.
Genetic Data: If specifically requested and processed.
Sex Life or Sexual Orientation: If revealed in answers to personal questions.
"Biometric Data": As defined in GDPR Article 4(14), personal data resulting from specific technical processing relating to physical, physiological or behavioural characteristics of a person, such as facial images or fingerprints, allowing identification. This refers primarily to facial images and video recordings used for identification or evaluation.
"Data Concerning Health": As defined in GDPR Article 4(15), personal data related to the health of a person including records submitted by the Applicant or inferred from their submissions.
"Processing": As defined broadly in GDPR Article 4(2), any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Consent": As defined in GDPR Article 4(11), any freely given, specific, informed and unambiguous indication of the Applicant's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of Personal Data relating to them.
"Explicit Consent": A standard of consent required under GDPR Article 9(2)(a) for processing Special Category Personal Data. It must be affirmed via an express statement (e.g., a specific, unticked checkbox or signed declaration) clearly indicating agreement to the processing of the specified sensitive data for the specified purpose(s).
"GDPR":The General Data Protection Regulation (EU) 2016/679, as applicable in the European Union and European Economic Area, and including, where relevant, the UK General Data Protection Regulation as tailored by the Data Protection Act 2018 in the United Kingdom.
"Third Party": As defined in GDPR Article 4(10), a natural or legal person, public authority, agency or body other than the Applicant (Data Subject), the University (Controller), the Processor, and persons authorised to process data under the direct authority of the Controller or Processor.10 This includes, for example, verification services if used, but excludes the Processor and authorised Sub-processors when acting on behalf of the University.
2.3. Interpretation
In these Terms, unless the context otherwise requires: headings are for convenience only and do not affect interpretation; the singular includes the plural and vice versa; references to Articles or Recitals are references to Articles or Recitals of the GDPR; reference to a 'person' includes individuals, firms, companies, corporations, and unincorporated bodies of persons.
Importance of Precise Definitions for Compliance: The precise definition of terms, especially those related to data categories like "Personal Data," "Special Category Personal Data," and "Biometric Data," drawn directly from GDPR Articles 4 and 9, is foundational for compliance. This accuracy ensures that the correct legal requirements are applied throughout these Terms. For instance, identifying data as "Special Category Personal Data" mandates the application of stricter processing conditions under Article 9, primarily the requirement for "Explicit Consent" as outlined in Article 9(2)(a).29 Failure to correctly classify data and apply the corresponding GDPR rules (e.g., obtaining only standard consent for SPI) would constitute a significant compliance failure. These definitions directly inform the structure and content of subsequent clauses regarding lawful basis, consent mechanisms, security measures, and data subject rights, ensuring the entire framework aligns with GDPR obligations.
The University utilizes Authentz as part of its admission process. The System is designed to facilitate the efficient collection and preliminary assessment of application materials submitted by Applicants. It enables Applicants to provide required information, including documents, recorded video responses, and answers to specific questions, through a digital interface. The AI component of the System may perform functions such as data extraction, verification checks, analysis of responses, and initial evaluation based on criteria set by the University, ultimately providing input to the University's admissions committee for their final review and decision-making process.
To complete the application process using the Authentz, Applicants are required to actively engage with the platform. This involves recording photographic images and video responses to prompts or questions, uploading digital copies of identity documents (e.g., passport, national ID card), financial statements, medical records (if required for the specific course), academic transcripts and certificates, and providing written or verbal answers to personal questions concerning, for example, family background, financial situation, motivations, and suitability for the course. The specific data required is detailed further in Section 4.
The Applicant acknowledges that the System employs artificial intelligence (AI) and machine learning technologies to process the submitted information. These technologies are used for purposes such as analyzing video responses, verifying document authenticity, extracting relevant data points, and potentially generating an initial assessment score or summary based on predefined criteria established by the University. The University aims for transparency regarding the use of AI in this process, while noting that the specific algorithms and underlying technical details may be proprietary to the Authentz provider. Further details on automated decision-making, if applicable, are provided in Section 10.
Use of Authentz and the submission of all required data and materials does not, in any way, guarantee admission to the University or the specific course applied for. The Authentz serves as a tool to assist the University's evaluation process. The final decision regarding admission rests solely with the University's designated admissions committee or relevant academic department, based on a holistic review of the application.
The provision of the Personal Data and Special Category Personal Data requested through Authentz, as detailed below, is a mandatory requirement for the University to comprehensively evaluate the Applicant's application for admission to. Failure by the Applicant to provide any of the required data will render the application incomplete and will prevent the University from conducting the necessary evaluation, resulting in the application not being considered further through this System. The necessity of collecting this data stems from the specific requirements of the admission process for the designated course, which may include verifying identity, assessing academic eligibility, evaluating suitability, determining financial capacity (e.g., for visa purposes or fee status), and assessing health or fitness criteria essential for participation in the course.
The University, through Authentz, collects the following categories of data, which are necessary for the admission evaluation:
Personal Identifiable Information (PII)
Identification & Contact Data:Full name, date of birth, nationality, current residential address, email address, telephone number(s).
Identity Verification Data: Details from submitted identity documents such as passport number, national ID card number, driver's license number.
Academic Data: History of education (institutions attended, dates), academic transcripts, grades, qualifications obtained, standardized test scores (if applicable).
Employment Data: Relevant employment history, job titles, responsibilities (if required for the course application).
Financial Data: Financial statements, bank statements, income details, sponsorship information, or other evidence of financial capacity as required for assessing ability to fund studies or meet visa requirements.
Application Context Data: Answers provided to specific questions regarding motivations, personal background, family circumstances (where relevant and justified for the evaluation), and video/photo recordings made during the AI interview process.
Special Category Personal Data (SPI):
The collection and processing of the following SPI requires the Applicant's explicit consent (see Section 5):
Biometric Data: Facial images and video recordings collected via the Authentz, where these are subject to specific technical processing for the purpose of uniquely identifying or authenticating the Applicant.
Data Concerning Health:Submitted medical records, health declarations, or answers to health-related questions necessary to assess fitness for the specific course demands or required accommodations.
Data Revealing Racial or Ethnic Origin: Potentially derived from photographs or video recordings, processed only where necessary and explicitly consented to for legitimate monitoring purposes (e.g., equality monitoring, if applicable and lawful) or if unavoidably processed as part of biometric identification.
The University strictly adheres to the principle of purpose limitation. All Personal Data and Special Category Personal Data collected from the Applicant through the Authentz will be processed exclusively for the following specified, explicit, and legitimate purposes:
Evaluating the Applicant's eligibility and suitability for admission to the specific course () applied for.
Verifying the Applicant's identity and the authenticity of submitted documents.
Assessing academic performance and qualifications against course entry requirements.
Evaluating non-academic criteria relevant to the course (e.g., communication skills via video interview, motivation via personal statements/answers).
Assessing financial capacity where required for admission or visa purposes.
Assessing health or fitness criteria where directly relevant and necessary for the specific course requirements.
Communicating with the Applicant regarding their application status and related administrative matters.
Complying with legal or regulatory obligations related to the admissions process. The Applicant's data will not be processed for any purpose incompatible with these stated admission evaluation purposes. Specifically, data collected for admission will not be used for unrelated general marketing, fundraising, or sold to third parties without obtaining separate, specific, and explicit consent from the Applicant.
In accordance with the principle of data minimisation, the University collects only the Personal Data and Special Category Personal Data that is adequate, relevant, and strictly limited to what is necessary to achieve the purposes of admission evaluation as outlined above. The University has assessed the necessity of each data category requested in relation to the specific requirements of the course and the evaluation process. While the range of data requested is extensive due to the nature of a comprehensive university application (including identity, academic, financial, and potentially health or biometric data), each category is deemed necessary by the University to conduct a thorough and fair assessment of the Applicant's suitability and eligibility for the specific course. The mandatory collection of this data is predicated on this necessity for the performance of the evaluation task requested by the Applicant (i.e., consideration for admission). Applicants are assured that data not directly relevant to these purposes is not intentionally collected or processed via this System.
The University processes the Applicant's Personal Data based on one or more of the following lawful bases under GDPR Article 6, depending on the specific data and processing activity:
Article 6(1)(b) - Contractual Necessity:Full name, date of birth, nationality, current residential address, email address, telephone number(s).
Article 6(1)(a) - Consent: Where processing is not covered by other lawful bases, or where required by law, particularly for the processing of Special Category Personal Data (see Section 5.2) and potentially for specific optional activities communicated separately.
Article 6(1)(f) - Legitimate Interests:Processing may be necessary for the legitimate interests pursued by the University, such as ensuring the security and integrity of the Authentz and the application process, preventing fraud, or for administrative purposes related to the evaluation, provided these interests are not overridden by the Applicant's fundamental rights and freedoms. The University has balanced its interests against the Applicant's rights in determining the use of this basis.
Article 6(1)(c) - Legal Obligation:Processing is necessary for compliance with a legal obligation to which the University is subject (e.g., specific reporting requirements related to admissions or immigration regulations).
Article 6(1)(e) - Public Task: As a institution of higher education, processing related to admissions may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University.
The processing of Special Category Personal Data (SPI), as defined in Section 2.2 and listed in Section 4.2 (including biometric data from photos/videos, health data, financial data potentially revealing sensitive details, and any data revealing racial/ethnic origin, political opinions, religious beliefs etc., if collected), is generally prohibited under GDPR Article 9(1). The University relies on the exception under Article 9(2)(a), which permits processing only with the Applicant's explicit consent. Therefore, the Applicant will be presented with specific, separate requests for explicit consent before any SPI is processed via Authentz. These requests will be clearly distinguishable from these general Terms and Conditions and from each other. Each consent request will:
Be Freely Given: While providing the data and consenting to its processing is mandatory for the application evaluation via this System, the consent itself must be given voluntarily for the specified processing. Consent is not bundled with unrelated services or conditions. The mandatory nature is based on the necessity of the data for the evaluation task itself, as explained in Section 4.
Be Specific: Each consent request will clearly state the specific category of SPI being processed (e.g., "biometric data from video interview," "submitted medical records") and the specific, sole purpose of processing (e.g., "identity verification," "assessment of fitness for course requirements," "financial capacity assessment"). Granular consent will be sought for distinct categories and purposes where appropriate.
Be Informed: Each consent request will explain why the specific SPI is necessary for the admission evaluation for [Course Name], identify who will process the data (the University as Controller, the Authentz provider as Processor, and relevant Sub-processors), and remind the Applicant of their right to withdraw consent at any time (and how to do so, see Section 5.5). The information will be provided in clear and plain language, avoiding technical or legal jargon.
Be Unambiguous & Affirmative:Consent must be given through a clear affirmative action, such as ticking a dedicated, unticked checkbox or clicking a specific confirmation button for each explicit consent request. Pre-ticked boxes, inactivity, or silence will not constitute valid explicit consent.
Example Consent Statement Structure (to be presented separately within the Authentz interface):Consent for Processing Biometric Data: [ ] By ticking this box, I give my explicit consent for [University Name] and its authorized Processors to process my biometric data (specifically, facial images and video recordings collected during the AI-driven interview) for the sole purposes of verifying my identity and evaluating my communication skills and responses as part of my application for admission to [Course Name]. I understand this processing is necessary for my application evaluation via this System. I have read and understood the information provided in the Terms and Conditions regarding this processing and my rights, including the right to withdraw this consent.
Consent for Processing Health Data: [ ] By ticking this box, I give my explicit consent for [University Name] and its authorized Processors to process the medical records and health information I have submitted for the sole purpose of assessing my fitness and eligibility based on the specific health requirements for admission to [Course Name]. I understand this processing is necessary for my application evaluation via this System. I have read and understood the information provided in the Terms and Conditions regarding this processing and my rights, including the right to withdraw this consent.
Consent for Processing Financial Data (if revealing SPI): [ ] By ticking this box, I give my explicit consent for [University Name] and its authorized Processors to process the financial statements and related information I have submitted for the sole purpose of evaluating my financial capacity as required for admission to [Course Name] and/or associated visa application processes. I understand this processing is necessary for my application evaluation via this System. I have read and understood the information provided in the Terms and Conditions regarding this processing and my rights, including the right to withdraw this consent.
Consent for Sharing SPI with Processors: [ ] By ticking this box, I give my explicit consent for [University Name] to share all the Special Category Personal Data for which I have provided consent above with its authorized third-party Processor ([Name AI Provider, if possible]) and relevant Sub-processors, solely for the purpose of facilitating the Authentz's functions in evaluating my application for [Course Name] according to the University's instructions. I understand this sharing is necessary for the System to operate. I have read and understood the information provided in the Terms and Conditions regarding this sharing and my rights, including the right to withdraw this consent.
By providing the necessary consents as described above (particularly the explicit consents for SPI), the Applicant acknowledges and agrees that their Personal Data and SPI will be shared with the third parties identified as the Processor (the Authentz provider) and its authorized Sub-processors. This sharing is strictly limited to what is necessary for these parties to perform the admission evaluation services on behalf of the University and solely in accordance with the University's documented instructions, as governed by a Data Processing Agreement (see Section 6).
The University will maintain verifiable records of the Applicant's consent actions, including what was consented to, when, and how consent was obtained (e.g., timestamped log of checkbox ticks within the Authentz interface). This is necessary to demonstrate compliance with GDPR consent requirements.
The Applicant has the right to withdraw any consent they have given at any time.59 Withdrawal must be as easy as giving consent.59 To withdraw consent, the Applicant must contact the University's Data Protection Officer or designated admissions contact point using the details provided in Section 17. Withdrawal of consent does not affect the lawfulness of any processing activities carried out based on consent before the withdrawal took place.55 However, because the provision of the requested data and consent to its processing (particularly SPI) is mandatory for evaluation via this Authentz, withdrawal of consent for the processing of necessary data will mean that the University can no longer process the application using this System. Consequently, the application evaluation will cease upon withdrawal of consent for mandatory processing. This consequence is a direct result of removing the lawful basis for processing data deemed essential for the evaluation and is communicated here to ensure the Applicant's initial consent is fully informed.
[Insert Full University Name] is the Data Controller for all Personal Data and Special Category Personal Data submitted by the Applicant through Authentz. As Controller, the University determines the purposes for processing (admission evaluation for the specific course) and the essential means of processing, and holds primary responsibility for ensuring compliance with GDPR.
The entity providing the Authentz,, acts as a Data Processor. The Processor handles the Applicant's Personal Data solely on behalf of the University and strictly according to the University's documented instructions. The Processor is not permitted to use the Applicant's data for its own purposes. The relationship between the University (Controller) and the Authentz provider (Processor) is governed by a formal, legally binding Data Processing Agreement (DPA) that complies with the requirements of GDPR Article 28. This DPA contractually obligates the Processor to implement appropriate data protection measures, maintain confidentiality, ensure data security, assist the University in fulfilling data subject rights requests, and adhere to rules regarding the engagement of Sub-processors. The existence of this DPA provides assurance that the processing carried out by the third-party provider is subject to strict data protection controls mandated by the University and GDPR.
The primary Processor () may engage other third-party service providers (Sub-processors) to perform specific technical tasks necessary for the operation of the Authentz (e.g., cloud hosting, data storage, specific analytical functions). The engagement of any Sub-processor is subject to the prior specific or general written authorization of the University (Controller). In the case of general authorization, the Processor is obligated to inform the University of any intended changes concerning the addition or replacement of Sub-processors, giving the University the opportunity to object. Crucially, the primary Processor is required by the DPA (under GDPR Article 28(4)) to impose the same data protection obligations on any Sub-processor as those set out in the DPA between the University and the primary Processor.21 The primary Processor remains fully liable to the University for the performance and compliance of its Sub-processors.
The University shares the Applicant's Personal Data and SPI with the identified Processor and its authorized Sub-processors only to the extent necessary for them to provide and operate the Authentz and perform the associated admission evaluation support services as instructed by the University. All such sharing is governed by the DPA and subject to strict confidentiality and security obligations.
The University is committed to ensuring the security, confidentiality, and integrity of the Applicant's Personal Data and Special Category Personal Data processed through the Authentz. We recognize the sensitivity of the information provided and implement measures to protect it against unauthorized or unlawful processing and against accidental loss, destruction, or damage, in accordance with GDPR principles (Article 5(1)(f) and Article 32).
The University implements and maintains appropriate technical and organisational measures (TOMs) designed to ensure a level of security appropriate to the risks presented by the processing of Applicant data, particularly the sensitive nature of SPI involved.11 These measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the likelihood and severity of risks to the rights and freedoms of Applicants. Examples of such measures employed by the University and/or required of its Processor include, but are not limited to:
Encryption:Encrypting Personal Data both during transmission (e.g., using TLS/SSL) and when stored (at rest).
Access Controls: Implementing strict access controls (e.g., role-based access, multi-factor authentication) to ensure that only authorized personnel within the University and the Processor/Sub-processors who have a legitimate need-to-know can access Applicant data.
Pseudonymisation: Employing pseudonymisation techniques where feasible and appropriate to reduce the direct identifiability of data during certain processing stages.
System Resilience & Availability:Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, including the ability to restore access to data in a timely manner following an incident.
Secure Environments: Storing data in secure physical and digital environments with appropriate infrastructure protection (e.g., secure data centers, firewalls).
Regular Testing & Assessment: Implementing processes for regularly testing, assessing, and evaluating the effectiveness of the technical and organisational measures (e.g., vulnerability scanning, penetration testing).
Staff Training:Ensuring personnel involved in processing are trained on data protection and security obligations. The Data Processing Agreement between the University and the Authentz provider explicitly requires the Processor (and by extension, its Sub-processors) to implement and maintain appropriate technical and organisational security measures compliant with GDPR Article 32 to protect the Applicant's data. While comprehensive measures are in place, it is important to note that no system can be guaranteed to be 100% secure.
For more comprehensive details on the University's overarching data security framework and practices, Applicants may refer to the University's and/or [Link to Data Protection Policy].
All University personnel and personnel of the Processor and authorized Sub-processors who are granted access to the Applicant's Personal Data are bound by strict obligations of confidentiality, either through contractual agreements or statutory requirements. Access is restricted on a need-to-know basis, limited to those individuals whose roles require access to perform the admission evaluation services.
In compliance with the GDPR principle of storage limitation, the University will retain the Applicant's Personal Data and Special Category Personal Data collected through the Authentz only for as long as is necessary to fulfil the purposes for which it was collected. The primary purpose is the evaluation of the application for admission to and related administrative processes.
The specific duration for which Applicant data is retained is determined based on the following criteria:
Application Outcome:Different retention periods may apply depending on whether the application is successful or unsuccessful.
University Policy: Adherence to the University's official Records Retention Schedule, which defines standard retention periods for various categories of institutional records, including student and applicant data.
Legal and Regulatory Obligations: Compliance with applicable laws and regulations that may mandate minimum retention periods for certain types of data (e.g., financial records, records relevant to potential legal claims or audits, immigration requirements).
Archiving/Research: Data may be retained for longer periods solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of appropriate safeguards as required by GDPR Article 89 (e.g., anonymisation or pseudonymisation).
Successful Applicants: If the Applicant is admitted and enrolls at the University, their application data will become part of their permanent student record, which is retained in accordance with the University's student record retention policies..
Unsuccessful Applicants:Personal Data and Special Category Personal Data submitted by unsuccessful applicants will be retained for a period of following the completion of the admission cycle for which the application was submitted. This period allows the University to manage the admission process, address potential queries or appeals, comply with relevant legal obligations, and conduct statistical analysis of admission trends. After this period, the data will be securely disposed of unless a legal requirement mandates longer retention.
Reference to Official Schedule: For detailed retention periods applicable to specific data types, Applicants are referred to the University's official Records Retention Schedule, available at: The necessity for clear retention periods, especially for unsuccessful applicants whose data is extensive and sensitive, is paramount for compliance with storage limitation and transparency principles Providing a specific period or a direct link to the schedule is essential, as merely stating "as long as necessary" is insufficient under GDPR.
Upon the expiration of the applicable retention period, or when the data is no longer necessary for the stated purposes, the University will ensure that the Applicant's Personal Data is securely and permanently deleted or fully anonymized in a manner that prevents re-identification, in accordance with University policy and data protection best practices. The Processor is also contractually obligated to delete or return data upon instruction from the University at the end of the service provision.
Under the General Data Protection Regulation (GDPR), Applicants located within the European Economic Area (EEA) or otherwise protected by GDPR have specific rights concerning their Personal Data processed by the University. The University is committed to facilitating the exercise of these rights.
Applicants have the following rights regarding their Personal Data held by the University:
Table 9.A: Summary of Your Data Protection Rights
| Right | Description | GDPR Article |
|---|---|---|
| Right to be Informed | You have the right to receive clear, transparent, and easily understandable information about how we collect and use your personal data. This information is primarily provided in these Terms and Conditions and our Privacy Policy. | Art 13 & 14 |
| Right of Access | You have the right to request confirmation as to whether we process your personal data, and if so, to access a copy of that data along with supplementary information (e.g., purposes, recipients, retention periods). | Art 15 |
| Right to Rectification | You have the right to request the correction of inaccurate personal data we hold about you, or to have incomplete data completed. | Art 16 |
| Right to Erasure (“Right to be Forgotten”) | You have the right to request the deletion of your personal data under certain conditions (e.g., data no longer needed, consent withdrawn with no other legal basis). This right is not absolute and has limitations. | Art 17 |
| Right to Restrict Processing | You have the right to request that we temporarily limit the way we use your personal data in specific circumstances (e.g., while the accuracy of data is contested). | Art 18 |
| Right to Data Portability | You have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller, where processing is based on consent or contract and automated. | Art 20 |
| Right to Object | You have the right to object to the processing of your personal data when it is based on legitimate interests or public task, or for direct marketing purposes. | Art 21 |
| Rights related to Automated Decision-Making & Profiling | You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you, subject to certain exceptions (see Section 10). | Art 22 |
| Right to Withdraw Consent | Where processing is based on your consent (especially explicit consent for SPI), you have the right to withdraw that consent at any time (see Section 5.5). | Art 7(3) |
| Right to Lodge a Complaint | You have the right to lodge a complaint with a relevant data protection supervisory authority if you believe your GDPR rights have been infringed. | Art 77 |
To exercise any of these rights (except lodging a complaint directly with a supervisory authority), Applicants should submit a verifiable request in writing to the University's designated contact point.
Data Protection Officer / Designated Contact:
Email:
Postal Address: [Insert Postal Address]
Web Form (if available): The request should clearly state the right(s) the Applicant wishes to exercise and provide sufficient information to allow the University to identify the Applicant and locate their data. The University may need to request additional information to verify the Applicant's identity before processing the request, as a security measure to protect personal data. The University will respond to requests without undue delay and generally within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. The Applicant will be informed of any such extension within one month of receipt of the request, together with the reasons for the delay.148 Requests are typically handled free of charge. However, the University reserves the right to charge a reasonable fee based on administrative costs or refuse to act on requests that are manifestly unfounded or excessive, particularly if they are repetitive. The University has established internal procedures, including coordination with the Authentz Processor where necessary , to ensure Data Subject Requests are handled effectively and in compliance with GDPR timelines and requirements.
If an Applicant believes that the University's processing of their Personal Data infringes the GDPR, they have the right to lodge a complaint with a data protection supervisory authority. This is typically the authority in the EU/EEA Member State of their habitual residence, place of work, or place of the alleged infringement. Contact details for supervisory authorities can be found on the European Data Protection Board website.
[Option A – If NO solely automated decisions with significant effect:]
The University's admission process involves human oversight. While the Authentz
assists in processing and evaluating application materials, it does not make final
admission decisions based solely on automated processing that produce legal
effects concerning the Applicant or similarly significantly affect them. The outputs
and analyses generated by the Authentz serve as inputs for consideration by the
University's admissions committee or designated staff, who conduct a holistic
review and make the final determination regarding admission. Therefore, the
specific restrictions and rights under GDPR Article 22(1) related to solely
automated decisions are not directly applicable to the final admission outcome.
However, the University remains transparent about the use of AI tools in the
process (see Section 3.3) and Applicants retain all other data subject rights outlined
in Section 9.
[Option B – If YES solely automated decisions occur:]
The Applicant has the right under GDPR Article 22(1) not to be subject to a
decision based solely on automated processing, including profiling, which produces
legal effects concerning them (such as automatic rejection of the application) or
similarly significantly affects them. The Authentz used in this application process
may involve such solely automated decision-making at certain stages. The potential
for such automated decisions necessitates specific justifications and safeguards.
Where solely automated decisions with legal or similarly significant effects are made, the University relies on the following justification(s) under GDPR Article 22(2):
[Choose applicable justification(s):]
In cases where solely automated decisions with legal or similarly significant effects are made based on the justifications in Article 22(2)(a) or (c), the University implements suitable measures to safeguard the Applicant's rights, freedoms, and legitimate interests, as required by GDPR Article 22(3). These safeguards include, at a minimum, the right for the Applicant to:
[Choose applicable justification(s):]
Solely automated decisions producing legal or similarly significant effects will not be based on Special Category Personal Data, unless the Applicant has provided explicit consent for such processing for the specific purpose of the automated decision (under Article 9(2)(a)), or the processing is necessary for reasons of substantial public interest under applicable law (Article 9(2)(g)), and suitable measures to safeguard the Applicant's rights, freedoms, and legitimate interests are in place.
The Authentz utilizes complex algorithms and relies on the data provided by the Applicant. While the University and its Processor strive for accuracy and reliability, the Applicant acknowledges that AI-generated outputs, analyses, or evaluations may potentially contain errors, inaccuracies, or biases.7 The Authentz's evaluation is intended as an input to the University's overall admission review process and, unless explicitly stated otherwise in Section 10, does not constitute the sole basis for the final admission decision.9 THE AI SYSTEM AND RELATED SERVICES ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. TO THE FULLEST EXTENT PERMITTED BY LAW, THE UNIVERSITY AND ITS PROCESSOR DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. THE UNIVERSITY DOES NOT WARRANT THAT THE OPERATION OF THE AI SYSTEM WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE.7 Applicants are advised to review all submitted information carefully and may be required to verify information independently.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE GOVERNING LAW, IN NO EVENT SHALL THE UNIVERSITY, ITS OFFICERS, EMPLOYEES, AGENTS, OR ITS PROCESSORS BE LIABLE TO THE APPLICANT OR ANY THIRD PARTY FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR ENHANCED DAMAGES, INCLUDING BUT NOT LIMITED TO, LOST PROFITS, LOST OPPORTUNITIES, LOSS OF DATA, OR BUSINESS INTERRUPTION, ARISING OUT OF OR RELATING TO THE APPLICANT'S USE OF, OR INABILITY TO USE, THE AI SYSTEM OR THESE TERMS, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR WHETHER THE UNIVERSITY WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.163 THE UNIVERSITY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE USE OF THE AI SYSTEM SHALL NOT EXCEED, WHETHER ARISING UNDER CONTRACT, TORT, OR ANY OTHER LEGAL THEORY.163 THESE LIMITATIONS OF LIABILITY SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW, INCLUDING LIABILITY ARISING FROM THE UNIVERSITY'S GROSS NEGLIGENCE, WILLFUL MISCONDUCT, OR FRAUD. FURTHERMORE, THESE LIMITATIONS DO NOT AFFECT ANY LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW, INCLUDING ANY LIABILITY OF THE UNIVERSITY AS A DATA CONTROLLER TOWARDS THE APPLICANT (DATA SUBJECT) FOR DAMAGES RESULTING FROM A BREACH OF THE GDPR, AS PROVIDED UNDER ARTICLE 82 OF THE GDPR.163 The enforceability of limitations concerning data breaches under GDPR is complex, and this clause aims to limit liability only where legally permissible, acknowledging the data subject's right to compensation under Article 82 for GDPR infringements.58
The Applicant is solely responsible for the truthfulness, accuracy, and completeness of all information and data they submit through the Authentz. Providing false, misleading, or incomplete information may negatively impact the evaluation of the application and may be grounds for rejection or subsequent withdrawal of an offer of admission.
The Applicant retains all ownership rights, title, and interest in and to the Personal Data, documents, photographs, videos, and any other content they submit to the Authentz (“Applicant Content” or “Input”).
By submitting Applicant Content through Authentz, the Applicant grants the University and its authorized Processor and Sub‑processors a limited, non‑exclusive, worldwide, royalty‑free, non‑transferable license to access, use, process, reproduce, store, and display the Applicant Content solely for the purposes of:
All rights, title, and interest in and to Authentz itself (software, algorithms, evaluation methodologies, documentation, trademarks, logos, etc.) remain the exclusive property of the University and/or its licensors. These Terms grant the Applicant only the limited right to use Authentz for submitting their application.
The Applicant agrees not to (and not to attempt to):
The University may suspend or terminate an Applicant’s access to Authentz, without prior notice, if the Applicant has:
Applicants may discontinue using Authentz at any time before final submission. However, missing mandatory data or withdrawing consent will be treated as a withdrawal from the application process via this System.
Upon termination, Personal Data is handled under Section 8 retention rules and access credentials are deactivated. Termination does not automatically delete previously processed data, subject to retention periods and data‑subject rights.
The University may amend these Terms at any time to reflect updates in Authentz, legal requirements, or University policy.
Changes will be posted on the University’s website or within Authentz. Significant changes may also be emailed to Applicants currently in process.
Continued use of Authentz after the effective date of revised Terms constitutes acceptance. Applicants who disagree must cease using Authentz, which may impact processing of their application (see Section 13).
These Terms shall be governed by and construed in accordance with the laws of [USA / England & Wales / …], without regard to conflict‑of‑law principles.
Parties will first attempt good‑faith negotiation. If unresolved, disputes fall under the exclusive jurisdiction of the courts in [City, Country].
Optional arbitration clause: Any dispute not resolved by negotiation shall be finally settled by binding arbitration administered by [Arbitration Body] in accordance with its rules. The arbitration shall take place in [Location] and be conducted in English. The arbitrators’ decision will be final and binding.
This does not prejudice the Applicant’s right to lodge a complaint with a data‑protection supervisory authority (see Section 9.4).
If any provision of these Terms is found invalid, unenforceable, or illegal by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect. The invalid provision will be modified or, if necessary, deleted to ensure validity.