Terms and Conditions for Use of the University/EduCorePro Admission Evaluation System

Effective Date: 27 May 2025

PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE AI ADMISSION EVALUATION SYSTEM. YOUR ACCESS TO AND USE OF THIS SYSTEM IS CONDITIONED UPON YOUR ACCEPTANCE OF AND COMPLIANCE WITH THESE TERMS.

1. Introduction & Acceptance of Terms

1.1 Overview and Purpose

These Terms and Conditions (“Terms”, “T&Cs”, “Agreement”) govern the use of the AI-based admission evaluation system (“EduCorePro”, “System”, “Services”) provided by [Insert Full University Name] (“University”, “We”, “Us”) for applicants (“Applicant”, “User”) applying for admission to specific courses. These Terms set legally binding rules for how the Applicant and the University interact when using EduCorePro. Reading these Terms carefully is essential. They clarify both parties' rights and responsibilities, especially regarding the collection and processing of personal data required for admission evaluation.

1.2 Identification of Parties

University: [Insert Full Legal University Name], located at [Insert Full University Address]. The University manages the admission process and acts as the Data Controller for personal data processed through this System.

Applicant / User: The individual applying for admission and utilising EduCorePro to submit required materials. The Applicant is the Data Subject whose personal data is processed.

1.3 Binding Agreement

By accessing or using any part of EduCorePro—starting a recording session, uploading documents, answering questions, or submitting an application—the Applicant unconditionally agrees to be bound by these Terms. Acceptance is mandatory for using EduCorePro. Refusal will prevent use of the System, and the University will be unable to process the application. These Terms represent the entire agreement concerning EduCorePro and supersede any prior understandings, written or oral.

1.4 Relationship to Other Policies

These Terms operate alongside the University's Privacy Policy and Data Protection Policy. Applicants should review those documents for broader data-handling practices. Where a conflict arises about EduCorePro, these Terms prevail.

2. Definitions

2.1 Purpose

The terms listed below have specific meanings within this Agreement. Clear definitions are provided to prevent misunderstanding or ambiguity in the interpretation of these Terms. Where applicable, definitions align with those provided in the General Data Protection Regulation (EU) 2016/679.

2.2 Key Definitions

"EduCorePro" / "Services": Refers to the specific artificial intelligence-based platform, software, and related functionalities utilized by the University to facilitate the collection, processing, and initial evaluation of Applicant information and materials as part of the admission process for the designated course.

"Applicant" / "User" / "Data Subject": The natural person who is applying for admission to a course at the University and who provides Personal Data through the EduCorePro. This corresponds to the definition of 'data subject' under GDPR Article 4(1).

"University" / "Controller": [Insert Full University Name], the entity that, alone, determines the purposes (why) and means (how) of processing the Applicant's Personal Data submitted through the EduCorePro for the evaluation of their admission application. This aligns with the definition of 'controller' under GDPR Article 4(7).

"Processor": The third-party entity providing the EduCorePro and processing Personal Data strictly on behalf of and under the documented instructions of the University. This aligns with the definition of 'processor' under GDPR Article 4(8).

"Sub-processor": Any third-party entity engaged by the primary Processor, with the University's authorization, to carry out specific processing activities related to the EduCorePro services.

"Personal Data" (also referred to as Personally Identifiable Information or PII): Any information relating to the Applicant that allows them to be identified, directly or indirectly. This includes, but is not limited to, name, contact details, date of birth, nationality, identification numbers, academic records, employment history, financial details, answers to personal questions, photographs, video recordings, and any online identifiers. This definition aligns with GDPR Article 4(1).

"Special Category Personal Data" (also referred to as Sensitive Personal Information or SPI): Personal Data considered particularly sensitive under GDPR Article 9(1), requiring enhanced protection and specific processing conditions. This includes:

• Biometric Data: Facial images and video recordings processed using technology that allows for the unique identification or authentication of the Applicant.
• Data Concerning Health: Medical records, physical or mental health conditions, disabilities, or other health-related information provided by the Applicant.
• Data Revealing Racial or Ethnic Origin: Information potentially inferred from photos, videos, or answers, if processed for this purpose.
• Religious or Philosophical Beliefs / Political Opinions / Trade Union Membership: If revealed in answers to personal questions.
• Genetic Data: If specifically requested and processed.
• Sex Life or Sexual Orientation: If revealed in answers to personal questions.

"Biometric Data": As defined in GDPR Article 4(14), personal data resulting from specific technical processing relating to physical, physiological or behavioural characteristics of a person, such as facial images or fingerprints, allowing identification. This refers primarily to facial images and video recordings used for identification or evaluation.

"Data Concerning Health": As defined in GDPR Article 4(15), personal data related to the health of a person including records submitted by the Applicant or inferred from their submissions.

"Processing": As defined broadly in GDPR Article 4(2), any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Consent": As defined in GDPR Article 4(11), any freely given, specific, informed and unambiguous indication of the Applicant's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of Personal Data relating to them.

"Explicit Consent": A standard of consent required under GDPR Article 9(2)(a) for processing Special Category Personal Data. It must be affirmed via an express statement (e.g., a specific, unticked checkbox or signed declaration) clearly indicating agreement to the processing of the specified sensitive data for the specified purpose(s).

"GDPR": The General Data Protection Regulation (EU) 2016/679, as applicable in the European Union and European Economic Area, and including, where relevant, the UK General Data Protection Regulation as tailored by the Data Protection Act 2018 in the United Kingdom.

"Third Party": As defined in GDPR Article 4(10), a natural or legal person, public authority, agency or body other than the Applicant (Data Subject), the University (Controller), the Processor, and persons authorised to process data under the direct authority of the Controller or Processor. This includes, for example, verification services if used, but excludes the Processor and authorised Sub-processors when acting on behalf of the University.

2.3 Interpretation

In these Terms, unless the context otherwise requires: headings are for convenience only and do not affect interpretation; the singular includes the plural and vice versa; references to Articles or Recitals are references to Articles or Recitals of the GDPR; reference to a 'person' includes individuals, firms, companies, corporations, and unincorporated bodies of persons.

Importance of Precise Definitions for Compliance: The precise definition of terms, especially those related to data categories like "Personal Data," "Special Category Personal Data," and "Biometric Data," drawn directly from GDPR Articles 4 and 9, is foundational for compliance. This accuracy ensures that the correct legal requirements are applied throughout these Terms. For instance, identifying data as "Special Category Personal Data" mandates the application of stricter processing conditions under Article 9, primarily the requirement for "Explicit Consent" as outlined in Article 9(2)(a). Failure to correctly classify data and apply the corresponding GDPR rules (e.g., obtaining only standard consent for SPI) would constitute a significant compliance failure. These definitions directly inform the structure and content of subsequent clauses regarding lawful basis, consent mechanisms, security measures, and data subject rights, ensuring the entire framework aligns with GDPR obligations.

3. Description of the AI Admission System & Services

3.1 Service Description

The University utilizes EduCorePro as part of its admission process. The System is designed to facilitate the efficient collection and preliminary assessment of application materials submitted by Applicants. It enables Applicants to provide required information, including documents, recorded video responses, and answers to specific questions, through a digital interface. The AI component of the System may perform functions such as data extraction, verification checks, analysis of responses, and initial evaluation based on criteria set by the University, ultimately providing input to the University's admissions committee for their final review and decision-making process.

3.2 Applicant Interaction

To complete the application process using EduCorePro, Applicants are required to actively engage with the platform. This involves recording photographic images and video responses to prompts or questions, uploading digital copies of identity documents (e.g., passport, national ID card), financial statements, medical records (if required for the specific course), academic transcripts and certificates, and providing written or verbal answers to personal questions concerning, for example, family background, financial situation, motivations, and suitability for the course. The specific data required is detailed further in Section 4.

3.3 AI Functionality Disclosure

The Applicant acknowledges that the System employs artificial intelligence (AI) and machine learning technologies to process the submitted information. These technologies are used for purposes such as analyzing video responses, verifying document authenticity, extracting relevant data points, and potentially generating an initial assessment score or summary based on predefined criteria established by the University. The University aims for transparency regarding the use of AI in this process, while noting that the specific algorithms and underlying technical details may be proprietary to the EduCorePro provider. Further details on automated decision-making, if applicable, are provided in Section 10.

3.4 No Guarantee of Admission

Use of EduCorePro and the submission of all required data and materials does not, in any way, guarantee admission to the University or the specific course applied for. The EduCorePro serves as a tool to assist the University's evaluation process. The final decision regarding admission rests solely with the University's designated admissions committee or relevant academic department, based on a holistic review of the application.

4. Mandatory Data Collection & Purpose Limitation

4.1 Mandatory Nature

The provision of the Personal Data and Special Category Personal Data requested through EduCorePro, as detailed below, is a mandatory requirement for the University to comprehensively evaluate the Applicant's application for admission. Failure by the Applicant to provide any of the required data will render the application incomplete and will prevent the University from conducting the necessary evaluation, resulting in the application not being considered further through this System.

The necessity of collecting this data stems from the specific requirements of the admission process for the designated course, which may include verifying identity, assessing academic eligibility, evaluating suitability, determining financial capacity (e.g., for visa purposes or fee status), and assessing health or fitness criteria essential for participation in the course.

4.2 Categories of Data Collected

The University, through EduCorePro, collects the following categories of data, which are necessary for the admission evaluation:

Personal Identifiable Information (PII)

• Identification & Contact Data: Full name, date of birth, nationality, current residential address, email address, telephone number(s).
• Identity Verification Data: Details from submitted identity documents such as passport number, national ID card number, driver's license number.
• Academic Data: History of education (institutions attended, dates), academic transcripts, grades, qualifications obtained, standardized test scores (if applicable).
• Employment Data: Relevant employment history, job titles, responsibilities (if required for the course application).
• Financial Data: Financial statements, bank statements, income details, sponsorship information, or other evidence of financial capacity as required for assessing ability to fund studies or meet visa requirements.
• Application Context Data: Answers provided to specific questions regarding motivations, personal background, family circumstances (where relevant and justified for the evaluation), and video/photo recordings made during the AI interview process.

Special Category Personal Data (SPI)

The collection and processing of the following SPI requires the Applicant's explicit consent (see Section 5):

• Biometric Data: Facial images and video recordings collected via the EduCorePro, where these are subject to specific technical processing for the purpose of uniquely identifying or authenticating the Applicant.
• Data Concerning Health: Submitted medical records, health declarations, or answers to health-related questions necessary to assess fitness for the specific course demands or required accommodations.
• Data Revealing Racial or Ethnic Origin: Potentially derived from photographs or video recordings, processed only where necessary and explicitly consented to for legitimate monitoring purposes (e.g., equality monitoring, if applicable and lawful) or if unavoidably processed as part of biometric identification.

4.3 Purpose Limitation (GDPR Article 5(1)(b))

The University strictly adheres to the principle of purpose limitation. All Personal Data and Special Category Personal Data collected from the Applicant through EduCorePro will be processed exclusively for the following specified, explicit, and legitimate purposes:

• Evaluating the Applicant's eligibility and suitability for admission to the specific course applied for.
• Verifying the Applicant's identity and the authenticity of submitted documents.
• Assessing academic performance and qualifications against course entry requirements.
• Evaluating non-academic criteria relevant to the course (e.g., communication skills via video interview, motivation via personal statements/answers).
• Assessing financial capacity where required for admission or visa purposes.
• Assessing health or fitness criteria where directly relevant and necessary for the specific course requirements.
• Communicating with the Applicant regarding their application status and related administrative matters.
• Complying with legal or regulatory obligations related to the admissions process.

The Applicant's data will not be processed for any purpose incompatible with these stated admission evaluation purposes. Specifically, data collected for admission will not be used for unrelated general marketing, fundraising, or sold to third parties without obtaining separate, specific, and explicit consent from the Applicant.

4.4 Data Minimisation (GDPR Article 5(1)(c))

In accordance with the principle of data minimisation, the University collects only the Personal Data and Special Category Personal Data that is adequate, relevant, and strictly limited to what is necessary to achieve the purposes of admission evaluation as outlined above. The University has assessed the necessity of each data category requested in relation to the specific requirements of the course and the evaluation process.

While the range of data requested is extensive due to the nature of a comprehensive university application (including identity, academic, financial, and potentially health or biometric data), each category is deemed necessary by the University to conduct a thorough and fair assessment of the Applicant's suitability and eligibility for the specific course. The mandatory collection of this data is predicated on this necessity for the performance of the evaluation task requested by the Applicant (i.e., consideration for admission). Applicants are assured that data not directly relevant to these purposes is not intentionally collected or processed via this System.

5. Lawful Basis for Processing & Consent

5.1 Lawful Bases Identification (GDPR Article 6)

The University processes the Applicant's Personal Data based on one or more of the following lawful bases under GDPR Article 6, depending on the specific data and processing activity:

• Article 6(1)(b) - Contractual Necessity: Full name, date of birth, nationality, current residential address, email address, telephone number(s).
• Article 6(1)(a) - Consent: Where processing is not covered by other lawful bases, or where required by law, particularly for the processing of Special Category Personal Data (see Section 5.2) and potentially for specific optional activities communicated separately.
• Article 6(1)(f) - Legitimate Interests: Processing may be necessary for the legitimate interests pursued by the University, such as ensuring the security and integrity of the EduCorePro and the application process, preventing fraud, or for administrative purposes related to the evaluation, provided these interests are not overridden by the Applicant's fundamental rights and freedoms.
• Article 6(1)(c) - Legal Obligation: Processing is necessary for compliance with a legal obligation to which the University is subject.
• Article 6(1)(e) - Public Task: As an institution of higher education, processing related to admissions may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University.

5.2 Explicit Consent for Special Category Data (GDPR Article 9)

The processing of Special Category Personal Data (SPI), as defined in Section 2.2 and listed in Section 4.2 (including biometric data from photos/videos, health data, financial data potentially revealing sensitive details, and any data revealing racial/ethnic origin, political opinions, religious beliefs, etc., if collected), is generally prohibited under GDPR Article 9(1). The University relies on the exception under Article 9(2)(a), which permits processing only with the Applicant's explicit consent. Therefore, the Applicant will be presented with specific, separate requests for explicit consent before any SPI is processed via EduCorePro. These requests will be clearly distinguishable from these general Terms and Conditions and from each other. Each consent request will:

• Be Freely Given: While the provision of certain data and its processing is mandatory for the evaluation of the application via this System, the consent itself must be given voluntarily for the specified processing. Consent will not be bundled with unrelated services or conditions.
• Be Specific: Each request will clearly state the exact category of SPI being processed (e.g., "biometric data from video interview," "submitted medical records") and the sole purpose for which it is processed. Granular consent will be obtained where multiple categories are involved.
• Be Informed: Each request will explain why the specific SPI is necessary for the admission evaluation for [Course Name], identify who will process the data (the University as Controller, the EduCorePro provider as Processor, and relevant Sub-processors), and inform the Applicant of their right to withdraw consent at any time (see Section 5.5).
• Be Unambiguous & Affirmative: Consent will be given through a clear affirmative action, such as ticking an unticked checkbox or clicking a dedicated confirmation button. Pre-ticked boxes, inactivity, or silence will not constitute valid consent.

Example Consent Statements (to be presented separately within the EduCorePro interface):

• Consent for Processing Biometric Data: [ ] By ticking this box, I give my explicit consent for [University Name] and its authorized Processors to process my biometric data (specifically, facial images and video recordings collected during the AI-driven interview) for the sole purposes of verifying my identity and evaluating my communication skills and responses as part of my application for admission to [Course Name]. I have read and understood the relevant Terms and Conditions and my rights, including my right to withdraw this consent.
• Consent for Processing Health Data: [ ] By ticking this box, I give my explicit consent for [University Name] and its authorized Processors to process the medical records and health information I have submitted for the sole purpose of assessing my fitness and eligibility based on the health requirements for admission to [Course Name]. I have read and understood the relevant Terms and Conditions and my rights, including my right to withdraw this consent.
• Consent for Processing Financial Data (if revealing SPI): [ ] By ticking this box, I give my explicit consent for [University Name] and its authorized Processors to process the financial statements and related information I have submitted for the sole purpose of evaluating my financial capacity as required for admission to [Course Name] and/or associated visa application processes. I have read and understood the relevant Terms and Conditions and my rights, including my right to withdraw this consent.
• Consent for Sharing SPI with Processors: [ ] By ticking this box, I give my explicit consent for [University Name] to share all the Special Category Personal Data for which I have provided consent above with its authorized third-party Processor ([Name AI Provider, if possible]) and relevant Sub-processors, solely for the purpose of facilitating the EduCorePro's functions in evaluating my application according to the University's instructions. I have read and understood the relevant Terms and Conditions and my rights, including my right to withdraw this consent.

5.3 Consent for Third-Party Sharing

By providing the necessary consents as described above (particularly the explicit consents for SPI), the Applicant acknowledges and agrees that their Personal Data and SPI will be shared with the third parties identified as the Processor (the EduCorePro provider) and its authorized Sub-processors. This sharing will be strictly limited to what is necessary for these parties to perform the admissions evaluation services on behalf of the University and will be carried out solely in accordance with the University's documented instructions under a Data Processing Agreement (see Section 6).

5.4 Recording Consent (GDPR Article 7(1))

The University will maintain verifiable records of the Applicant's consent actions, including the specific consent granted, the time and date, and the method by which it was obtained (e.g., timestamped log of checkbox selections within the EduCorePro interface), to demonstrate compliance with GDPR requirements.

5.5 Right to Withdraw Consent (GDPR Article 7(3))

The Applicant has the right to withdraw any consent they have given at any time.59 Withdrawal must be as easy as giving consent.59 To withdraw consent, the Applicant must contact the University's Data Protection Officer or designated admissions contact point using the details provided in Section 17. Withdrawal of consent does not affect the lawfulness of any processing activities carried out based on consent before the withdrawal took place.55 However, because the provision of the requested data and consent to its processing (particularly SPI) is mandatory for evaluation via this EduCorePro, withdrawal of consent for the processing of necessary data will mean that the University can no longer process the application using this System. Consequently, the application evaluation will cease upon withdrawal of consent for mandatory processing. This consequence is a direct result of removing the lawful basis for processing data deemed essential for the evaluation and is communicated here to ensure the Applicant's initial consent is fully informed.

6. Data Processing Roles & Third-Party Sharing

6.1 University as Data Controller

[Insert Full University Name] is the Data Controller for all Personal Data and Special Category Personal Data submitted by the Applicant through EduCorePro. As Controller, the University determines the purposes for processing (admission evaluation for the specific course) and the essential means of processing, and holds primary responsibility for ensuring compliance with GDPR.

6.2 AI Provider as Data Processor

The entity providing the EduCorePro acts as a Data Processor. The Processor handles the Applicant's Personal Data solely on behalf of the University and strictly according to the University's documented instructions. The Processor is not permitted to use the Applicant's data for its own purposes.

The relationship between the University (Controller) and the EduCorePro provider (Processor) is governed by a formal, legally binding Data Processing Agreement (DPA) that complies with GDPR Article 28. This DPA contractually obligates the Processor to:

• Implement appropriate data protection measures
• Maintain confidentiality and ensure data security
• Assist the University in fulfilling data subject rights requests
• Follow rules for engaging Sub-processors

The DPA ensures that all processing by the third-party provider is subject to strict data protection controls mandated by the University and GDPR.

6.3 Use of Sub-processors

The primary Processor may engage other third-party service providers (Sub-processors) to perform specific technical tasks necessary for the operation of the EduCorePro (e.g., cloud hosting, data storage, analytics).

Any Sub-processor engagement is subject to the prior written authorization of the University. Under GDPR Article 28(4), the primary Processor must impose the same data protection obligations on Sub-processors as in the DPA, and remains fully liable for their performance and compliance.

6.4 Purpose of Sharing

The University shares the Applicant's Personal Data and Special Category Personal Data with the identified Processor and its authorized Sub-processors only as necessary for the operation of EduCorePro and for admission evaluation services as instructed by the University. All such sharing is governed by the DPA and subject to strict confidentiality and security obligations.

7. Data Security & Confidentiality

7.1 Security Commitment

The University is committed to ensuring the security, confidentiality, and integrity of the Applicant's Personal Data and Special Category Personal Data processed through the EduCorePro. We recognize the sensitivity of the information provided and implement measures to protect it against unauthorized or unlawful processing and against accidental loss, destruction, or damage, in accordance with GDPR principles (Article 5(1)(f) and Article 32).

7.2 Technical and Organisational Measures (TOMs - GDPR Article 32)

The University implements and maintains appropriate technical and organisational measures (TOMs) designed to ensure a level of security appropriate to the risks presented by the processing of Applicant data, particularly the sensitive nature of SPI involved. These measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the likelihood and severity of risks to the rights and freedoms of Applicants.

Examples of measures employed by the University and/or required of its Processor include:

• Encryption: Encrypting Personal Data during transmission (e.g., TLS/SSL) and at rest.
• Access Controls: Role-based access, multi-factor authentication, and other measures to ensure only authorized personnel can access data.
• Pseudonymisation: Using techniques to reduce direct identifiability during certain processing stages.
• System Resilience & Availability: Maintaining confidentiality, integrity, and availability, with recovery plans for incidents.
• Secure Environments: Hosting in secure physical and digital environments (e.g., data centers, firewalls).
• Regular Testing & Assessment: Vulnerability scanning, penetration testing, and effectiveness evaluation.
• Staff Training: Ensuring all relevant personnel are trained in data protection and security obligations.

The Data Processing Agreement between the University and the EduCorePro provider requires the Processor and any Sub-processors to maintain GDPR-compliant security measures. While robust protections are in place, no system can be guaranteed to be 100% secure.

7.3 Reference to University Policies

For more comprehensive details on the University's overarching data security framework and practices, Applicants may refer to the University's Data Protection Policy and other relevant security guidelines [Insert Link].

7.4 Confidentiality

All University personnel, as well as personnel of the Processor and authorized Sub-processors, who are granted access to the Applicant's Personal Data are bound by strict confidentiality obligations, either through contractual agreements or statutory requirements. Access is restricted on a need-to-know basis and limited to individuals whose roles require it for admission evaluation services.

8. Data Retention

8.1 Principle of Storage Limitation (GDPR Article 5(1)(e))

In compliance with the GDPR principle of storage limitation, the University will retain the Applicant's Personal Data and Special Category Personal Data collected through the EduCorePro only for as long as is necessary to fulfil the purposes for which it was collected. The primary purpose is the evaluation of the application for admission to and related administrative processes.

8.2 Retention Criteria

The specific duration for which Applicant data is retained is determined based on the following criteria:

• Application Outcome: Different retention periods may apply depending on whether the application is successful or unsuccessful.
• University Policy: Adherence to the University's official Records Retention Schedule, which defines standard retention periods for various categories of institutional records, including student and applicant data.
• Legal and Regulatory Obligations: Compliance with applicable laws and regulations that may mandate minimum retention periods for certain types of data (e.g., financial records, records relevant to potential legal claims or audits, immigration requirements).
• Archiving/Research: Data may be retained for longer periods solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of appropriate safeguards as required by GDPR Article 89 (e.g., anonymisation or pseudonymisation).

8.3 Specific Retention Period for Applicant Data

• Successful Applicants: If the Applicant is admitted and enrolls at the University, their application data will become part of their permanent student record, which is retained in accordance with the University's student record retention policies.
• Unsuccessful Applicants: Personal Data and Special Category Personal Data submitted by unsuccessful applicants will be retained for a period following the completion of the admission cycle for which the application was submitted. This period allows the University to manage the admission process, address potential queries or appeals, comply with relevant legal obligations, and conduct statistical analysis of admission trends. After this period, the data will be securely disposed of unless a legal requirement mandates longer retention.

Reference to Official Schedule: For detailed retention periods applicable to specific data types, Applicants are referred to the University's official Records Retention Schedule [Insert Link]. Providing a specific period or direct link to the schedule is essential for compliance with storage limitation and transparency principles.

8.4 Post-Retention Action

Upon the expiration of the applicable retention period, or when the data is no longer necessary for the stated purposes, the University will ensure that the Applicant's Personal Data is securely and permanently deleted or fully anonymized in a manner that prevents re-identification, in accordance with University policy and data protection best practices. The Processor is also contractually obligated to delete or return data upon instruction from the University at the end of the service provision.

9. Applicant's Data Subject Rights (GDPR Chapter 3)

9.1 Introduction to Rights

Under the General Data Protection Regulation (GDPR), Applicants located within the European Economic Area (EEA) or otherwise protected by GDPR have specific rights concerning their Personal Data processed by the University. The University is committed to facilitating the exercise of these rights.

9.2 Listing of Rights

Applicants have the following rights regarding their Personal Data held by the University:

9.3 How to Exercise Rights

To exercise any of these rights (except lodging a complaint directly with a supervisory authority), Applicants should submit a verifiable request in writing to the University's designated contact point.

Data Protection Officer / Designated Contact:

Email: [Insert Email Address]
Postal Address: [Insert Postal Address]
Web Form (if available): [Insert Link]

The request should clearly state the right(s) the Applicant wishes to exercise and provide sufficient information to allow the University to identify the Applicant and locate their data. The University may request additional information to verify the Applicant's identity before processing the request, as a security measure to protect personal data.

The University will respond to requests without undue delay and generally within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. The Applicant will be informed of any such extension within one month of receipt, along with reasons for the delay.

Requests are typically free of charge. However, the University reserves the right to charge a reasonable fee based on administrative costs or refuse to act on requests that are manifestly unfounded or excessive, particularly if they are repetitive.

The University has established internal procedures, including coordination with the EduCorePro Processor where necessary, to ensure Data Subject Requests are handled effectively and in compliance with GDPR timelines and requirements.

9.4 Right to Lodge a Complaint

If an Applicant believes that the University's processing of their Personal Data infringes the GDPR, they have the right to lodge a complaint with a data protection supervisory authority. This is typically the authority in the EU/EEA Member State of their habitual residence, place of work, or place of the alleged infringement.

Contact details for supervisory authorities can be found on the European Data Protection Board website.

10. Automated Decision-Making & Profiling (GDPR Article 22)

10.1. Disclosure of Automated Processing

[Option A – If NO solely automated decisions with significant effect:]
The University's admission process involves human oversight. While the EduCorePro assists in processing and evaluating application materials, it does not make final admission decisions based solely on automated processing that produce legal effects concerning the Applicant or similarly significantly affect them. The outputs and analyses generated by the EduCorePro serve as inputs for consideration by the University's admissions committee or designated staff, who conduct a holistic review and make the final determination regarding admission. Therefore, the specific restrictions and rights under GDPR Article 22(1) related to solely automated decisions are not directly applicable to the final admission outcome. However, the University remains transparent about the use of AI tools in the process (see Section 3.3) and Applicants retain all other data subject rights outlined in Section 9.

[Option B – If YES solely automated decisions occur:]
The Applicant has the right under GDPR Article 22(1) not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them (such as automatic rejection of the application) or similarly significantly affects them. The EduCorePro used in this application process may involve such solely automated decision-making at certain stages. The potential for such automated decisions necessitates specific justifications and safeguards.

10.2. Justification for Solely Automated Decisions

Where solely automated decisions with legal or similarly significant effects are made, the University relies on the following justification(s) under GDPR Article 22(2):

• Article 22(2)(a): The decision is necessary for entering into, or performance of, a contract between the Applicant and the University (i.e., processing the application efficiently to determine eligibility for potential enrollment).
• Article 22(2)(c): The decision is based on the Applicant's explicit consent. If relying on this, ensure a separate, explicit consent mechanism is implemented specifically for the solely automated decision-making itself, meeting all Article 7/9 requirements.
• Article 22(2)(b): Authorized by law. This is unlikely applicable unless specific legislation exists.

10.3. Safeguards for Solely Automated Decisions

In cases where solely automated decisions with legal or similarly significant effects are made based on the justifications in Article 22(2)(a) or (c), the University implements suitable measures to safeguard the Applicant's rights, freedoms, and legitimate interests, as required by GDPR Article 22(3). These safeguards include, at a minimum, the right for the Applicant to:

• Obtain human intervention (request that a University staff member reviews the automated decision).
• Express their point of view regarding the decision.
• Contest the automated decision. Applicants wishing to exercise these rights should contact the University using the details provided in Section 9.3.

10.4. Information about Logic and Consequences

Logic Involved: The EduCorePro analyzes the data submitted by the Applicant (including academic records, document contents, video responses, answers to questions) using algorithms designed to assess factors relevant to admission criteria for [Course Name]. These factors may include academic achievement patterns, consistency of information, communication skills demonstrated in video, relevance of experience, financial capacity verification, and health requirement checks. The system may generate scores, flags, or summaries based on this analysis. Providing highly detailed algorithmic logic is often impractical due to complexity and proprietary concerns, but this overview aims to meet the requirement for "meaningful information."

Significance and Envisaged Consequences: The processing performed by the EduCorePro is intended to assist the University in efficiently and consistently evaluating a large volume of applications. The output of the EduCorePro (e.g., scores, summaries, verification results) forms part of the information reviewed by the University's admissions staff [If Option A chosen] / may directly lead to a decision at certain stages. The envisaged consequence is that the EduCorePro's processing will contribute significantly to the overall assessment of the Applicant's suitability for admission.

10.5. Special Category Data Restriction (GDPR Article 22(4))

Solely automated decisions producing legal or similarly significant effects will not be based on Special Category Personal Data, unless the Applicant has provided explicit consent for such processing for the specific purpose of the automated decision (under Article 9(2)(a)), or the processing is necessary for reasons of substantial public interest under applicable law (Article 9(2)(g)), and suitable measures to safeguard the Applicant's rights, freedoms, and legitimate interests are in place.

11. Disclaimers & Limitation of Liability

11.1. EduCorePro Performance Disclaimer

The EduCorePro utilizes complex algorithms and relies on the data provided by the Applicant. While the University and its Processor strive for accuracy and reliability, the Applicant acknowledges that AI-generated outputs, analyses, or evaluations may potentially contain errors, inaccuracies, or biases. The EduCorePro's evaluation is intended as an input to the University's overall admission review process and, unless explicitly stated otherwise in Section 10, does not constitute the sole basis for the final admission decision.

THE AI SYSTEM AND RELATED SERVICES ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. TO THE FULLEST EXTENT PERMITTED BY LAW, THE UNIVERSITY AND ITS PROCESSOR DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. THE UNIVERSITY DOES NOT WARRANT THAT THE OPERATION OF THE AI SYSTEM WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE.

Applicants are advised to review all submitted information carefully and may be required to verify information independently.

11.2. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE GOVERNING LAW, IN NO EVENT SHALL THE UNIVERSITY, ITS OFFICERS, EMPLOYEES, AGENTS, OR ITS PROCESSORS BE LIABLE TO THE APPLICANT OR ANY THIRD PARTY FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR ENHANCED DAMAGES, INCLUDING BUT NOT LIMITED TO, LOST PROFITS, LOST OPPORTUNITIES, LOSS OF DATA, OR BUSINESS INTERRUPTION, ARISING OUT OF OR RELATING TO THE APPLICANT'S USE OF, OR INABILITY TO USE, THE AI SYSTEM OR THESE TERMS, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR WHETHER THE UNIVERSITY WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The University's total aggregate liability arising out of or related to this agreement or the use of the AI system shall not exceed, whether arising under contract, tort, or any other legal theory. These limitations of liability shall not apply to the extent prohibited by applicable law, including liability arising from the University's gross negligence, willful misconduct, or fraud. Furthermore, these limitations do not affect any liability which cannot be excluded or limited under applicable law, including any liability of the University as a data controller towards the Applicant (data subject) for damages resulting from a breach of the GDPR, as provided under Article 82 of the GDPR.

The enforceability of limitations concerning data breaches under GDPR is complex, and this clause aims to limit liability only where legally permissible, acknowledging the data subject's right to compensation under Article 82 for GDPR infringements.

11.3. Applicant Responsibility

The Applicant is solely responsible for the truthfulness, accuracy, and completeness of all information and data they submit through the EduCorePro. Providing false, misleading, or incomplete information may negatively impact the evaluation of the application and may be grounds for rejection or subsequent withdrawal of an offer of admission.

12. Intellectual Property

12.1. Applicant Data Ownership

The Applicant retains all ownership rights, title, and interest in and to the Personal Data, documents, photographs, videos, and any other content they submit to the EduCorePro (“Applicant Content” or “Input”).

12.2. License to University

By submitting Applicant Content through EduCorePro, the Applicant grants the University and its authorized Processor and Sub-processors a limited, non-exclusive, worldwide, royalty-free, non-transferable license to access, use, process, reproduce, store, and display the Applicant Content solely for the purposes of:

• Facilitating the operation of EduCorePro.
• Evaluating the Applicant’s application for admission to [Course Name].
• Verifying submitted information.
• Performing related administrative tasks essential to the admission process.
• Complying with legal obligations related to the admission process.

This license terminates upon the secure deletion or anonymization of the Applicant Content in accordance with the data-retention policies outlined in Section 8.

12.3. University / Processor IP Ownership

All rights, title, and interest in and to EduCorePro itself (software, algorithms, evaluation methodologies, documentation, trademarks, logos, etc.) remain the exclusive property of the University and/or its licensors. These Terms grant the Applicant only the limited right to use EduCorePro for submitting their application.

12.4. Restrictions on Use

The Applicant agrees not to (and not to attempt to):

• Copy, modify, translate, create derivative works of, or publicly display EduCorePro.
• Reverse-engineer, decompile, or disassemble any part of EduCorePro.
• Rent, lease, sell, sublicense, assign, or otherwise transfer rights in EduCorePro.
• Remove or obscure proprietary notices or labels on EduCorePro or its documentation.

13. Termination / Suspension

13.1. Grounds for Termination / Suspension by University

The University may suspend or terminate an Applicant’s access to EduCorePro, without prior notice, if the Applicant has:

• Violated these Terms or any other University policy.
• Provided false, inaccurate, incomplete, or misleading information.
• Engaged in fraudulent, unlawful, or abusive activity in connection with EduCorePro.
• Withdrawn consent necessary for mandatory data processing (Section 5.5).

13.2. Applicant Termination

Applicants may discontinue using EduCorePro at any time before final submission. However, missing mandatory data or withdrawing consent will be treated as a withdrawal from the application process via this System.

13.3. Effect of Termination

Upon termination, Personal Data is handled under Section 8 retention rules and access credentials are deactivated. Termination does not automatically delete previously processed data, subject to retention periods and data-subject rights.

14. Changes to Terms & Conditions

14.1. Right to Modify

The University may amend these Terms at any time to reflect updates in EduCorePro, legal requirements, or University policy.

14.2. Notification

Changes will be posted on the University’s website or within EduCorePro. Significant changes may also be emailed to Applicants currently in process.

14.3. Acceptance of Changes

Continued use of EduCorePro after the effective date of revised Terms constitutes acceptance. Applicants who disagree must cease using EduCorePro, which may impact processing of their application (see Section 13).

15. Governing Law & Dispute Resolution

15.1. Governing Law

These Terms shall be governed by and construed in accordance with the laws of [USA / England & Wales / …], without regard to conflict-of-law principles.

15.2. Dispute Resolution

Parties will first attempt good-faith negotiation. If unresolved, disputes fall under the exclusive jurisdiction of the courts in [City, Country].

Optional arbitration clause: Any dispute not resolved by negotiation shall be finally settled by binding arbitration administered by [Arbitration Body] in accordance with its rules. The arbitration shall take place in [Location] and be conducted in English. The arbitrators’ decision will be final and binding.

This does not prejudice the Applicant’s right to lodge a complaint with a data-protection supervisory authority (see Section 9.4).

16. Severability

If any provision of these Terms is found invalid, unenforceable, or illegal by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect. The invalid provision will be modified or, if necessary, deleted to ensure validity.

17. Contact Information