Privacy
This privacy notice (Privacy Notice) sets out how American University of Beirut – Mediterraneo / AUB Limited (University) collects, uses and protects your personal data through the use of this website or from other sources, for the purpose of carrying out its operations as an educational institution. The University shall also collect and process personal data in relation to prospective students, parents/guardians of prospective students, prospective staff members (either for academic or non-academic positions), alumni, visitors, third parties (including but not limited to service providers, external examination boards, public authorities, agencies, institutions and organisations) and any other data subject who may be involved in or connected to any process, transaction, interaction, or activity carried out by the University, as well as personal data of the University’s website visitors.
The University is the controller and responsible for your personal data (collectively referred to as the University, “we”, “us” or “our”) in this Privacy Notice.
We have appointed a data protection officer (DPO), who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact the DPO using the information set out in the contact details in section 10.
The Types of Personal Data We Collect About You
Personal data means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
• Identification Data includes name and surname, first name, last name;
• Contact Information includes email address, mobile phone number, personal email;
• Parent/Guardian Information includes parents’ names and surnames, email of the parent, parents’ phone number;
• Demographic Data includes country of residency, birth country, nationality;
• Personal Characteristics includes gender, date of birth, student’s date of birth;
• Educational Information includes school name (city, country), school website, academic qualifications;
• Communication Preferences includes preferred method of communication, information prospective students would like to receive;
• Professional Information includes role, job position, previous work experience;
• Application Documents includes CV/resume, personal statement, documents related to achievements;
• Academic Records includes grades of students, performance of students, standardized exams;
• Program Details includes students’ degree programme, students’ programme year, confirmed major and official exams;
• Identification Documents includes ID/passport, student ID;
• Financial Information includes bank account details, bank account details of benefactor, account name;
• Authentication Data includes signature, students’ signature, top management signature;
• Profile Data includes profile picture;
• Accommodation Preferences includes students’ choice of accommodation, students’ roommate preferences;
• Enrollment and Payment Data includes students’ enrollment deposit payment confirmation;
• Emergency Contact Information includes students’ emergency contacts, students’ emergency contacts’ phone number;
• Health Information includes students’ health issues, conditions, disabilities;
• Travel and Visit Information includes reason of visit, date and time of check-in, date and time of check-out;
• Scholarship and Assistance Data includes financial assistance and scholarships; and
• Visual Data includes CCTV video footage.
How is Your Personal Data Collected
We use different methods to collect data from and about you including through:
Your interactions with us: You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
• apply for enrolment;
• apply for job opportunities;
• visit our premises;
• engage us in the context of procurement of supplies, works or services; and/or
• communicate with us.
Third parties or publicly available sources: We will receive personal data about you from various third parties and public sources as set out below:
• Previous Universities or educational institutions;
• Previous supervisors;
• Public authorities or organisations; and/or
• Service providers.
How We Use Your Personal Data
Legal Basis
The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:
• Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you.
• Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to maintain safety and security within the University’s premises, and to host events. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
• Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
Purposes for Which We Will Use Your Personal Data
The processing configurations by user type are outlined below:
Table A: Prospective Students and Parents/ Guardians of Students and of Prospective Students
| Purpose | Categories of Data | Legal Basis |
|---|
| Student recruitment | Identification Data, Contact Information, Demographic Data, Communication Preferences, Educational Information | Contract with data subject or pre-contractual steps at their request |
| Student enrolment | Identification Data, Contact Data, Personal Characteristics, Identification Documents, Academic Records, Professional Information | Contract with data subject or pre-contractual steps at their request |
| Future enrolment opportunities or admission decisions audits | Identification Data, Contact Data, Personal Characteristics, Identification Documents, Academic Records, Professional Information | Contract with data subject or pre-contractual steps at their request |
| Communication | Identification Data, Contact Data, Academic data, Demographic Data, Personal Characteristics | Contract with data subject or pre-contractual steps at their request |
| Engagement and marketing | Identification Data, Contact Data | Legitimate interests (safety and security) |
| Email communication | Identification Data, Contact Data | Legitimate interests (safety and security) |
| Safety and security | Video footage | Legitimate interests (safety and security) |
| Financial Dashboard Reporting and creating new students records in the university students information systems | Identification Data, Contact Information, Parent/Guardian Information, Financial Information, Demographic Data, Personal Characteristics | Contract with data subject or pre-contractual steps at their request |
Table B: Prospective Academic and Non-Academic Staff
| Purpose | Categories of Data | Legal Basis |
|---|
| Receival, review of applications and following the hiring process | Identification Data, Contact Data, Educational Information, Professional Information, Application Documents, Identification Documents | Contract with data subject or pre-contractual steps at their request |
| Recruitment administration | Identification Data, Contact Data, Educational Information, Professional Information, Application Documents, Identification Documents | Contract with data subject or pre-contractual steps at their request |
| Records for hiring new Academic Staff | Identification Data, Contact Data, Educational Information, Professional Information, Application Documents | Contract with data subject or pre-contractual steps at their request |
Table C: Visitors of the University, external users of the University’s services
| Purpose | Categories of Data | Legal Basis |
|---|
| Visitor Log | Identification data, Authentication data | Legitimate Interests |
| Safety and security (CCTV) | Video footage | Legitimate Interests |
| Library Digital Platforms | Identification Data, Contact Information | Contract with data subject or pre-contractual steps at their request |
Table D: Benefactors, external service providers, third parties and any other data subject who may be involved in or connected to any process, transaction, interaction, or activity carried out by the University
| Purpose | Categories of Data | Legal Basis |
|---|
| Provision of services and/or goods by External Service Providers - Procurement | Identification Data, Contact Data, Authentication Data, Identification Documents | Contract with data subject or pre-contractual steps at their request |
| Billing and payment management | Identification Data, Contact Data, Financial Data | Contract with data subject or pre-contractual steps at their request |
| Donations | Identification Data, Contact Data, Financial Data, Employment Data | Legitimate Interests |
Table E: Website visitors
| Purpose | Categories of Data | Legal Basis |
|---|
| Website and Social media management | Identification data, Visual data, Contact data, Demographic data, Academic data | Legitimate Interests |
| Marketing and engagement | Identification Data, Contact Data | Legitimate Interests |
Cookies and Log Information
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer, if you agree. Cookies contain information that is stored on your device.
Types of cookies
• First party cookies: these are cookies that are set directly by the website to your browser and are often used to recognise your device when it revisits that site and to remember your preferences as you browse the website. Basically, these are our cookies.
• Third party cookies: these are installed by parties other than the owner of the website a user visits. We use third party cookies for aggregating and analysing traffic, in order to better optimise and continuously improve this website and help provide users with the best possible experience.
In addition, cookies may be either “session cookies” or “persistent cookies”. Your computer automatically removes session cookies once you close your browser. Persistent cookies will survive on your computer until the expiry date, specified in the cookie itself, is reached. We use both session and persistent cookies. Wherever it is practical to do so, we use anonymous cookies. These are cookies that allow us to understand your use of our website but without capturing any information that could be used to identify you as an individual. Where a cookie does capture information (such as IP address) that can identify you, and where the cookie is not strictly necessary for you to be able to use the website, you can opt-out of website tracking.
We use the following categories of cookies:
• Strictly necessary cookies: These are cookies that are required for the operation of our website. These essential cookies are always enabled because our website won’t work properly without them. You can switch off these cookies in your browser settings but you may then not be able to access all or parts of our website.
• Functionality cookies: These are used to recognise you when you return to our website. This enables us to remember your preferences (for example, your choice of language or region).
• Analytics: These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
• Targeting cookies: These cookies record your visit to our website, the pages you have visited and the links you have followed. We may also share this information with third parties for this purpose so that they can serve you with relevant advertising on their websites.
| Name | Type of Cookies | First or Third-Party Cookies | Duration (days) | Domain |
|---|
| _stidv | Targeting | Third-party cookies | 273 | sharethis.com |
| ar_debug | Targeting | Third-party cookies | Session | doubleclick.net |
| DSID | Targeting | Third-party cookies | Session | doubleclick.net |
| _gat_<id> | Analytical | First-party cookies | Session | aubmed.ac.cy |
| WSS_FullScreenMode | Functional | First-party cookies | Session | aubmed.ac.cy |
| pubconsent-v2 | Functional | Third-party cookies | 390 | sharethis.com |
| _stid | Targeting | Third-party cookies | 273 | sharethis.com |
| _ga | Analytical | First-party cookies | 390 | aubmed.ac.cy |
| _gid | Analytical | First-party cookies | 390 | aubmed.ac.cy |
| _ga_<id> | Analytical | First-party cookies | 390 | aubmed.ac.cy |
| osano_consentmanager | Functional | Third-party cookies | 365 | sharethis.com |
| _gl_au | Targeting | First-party cookies | 390 | aubmed.ac.cy |
| euconsent-v2 | Functional | Third-party cookies | 390 | sharethis.com |
| IDE | Targeting | Third-party cookies | 390 | doubleclick.net |
| _gpas | Analytical | First-party cookies | 390 | aubmed.ac.cy |
| g_state | Functional | First-party cookies | 390 | aubmed.ac.cy |
| SOCS | Functional | Third-party cookies | 212 | google.com |
| NID | Targeting | Third-party cookies | 212 | google.com |
As indicated in the table, please note that Google may also use cookies, over which we have no control. These third parties may include, for example, advertising networks and providers of external services like web traffic analysis services. These third party cookies are likely to be functionality, analytics or targeting cookies. To deactivate the use of third party targeting cookies, you may visit the relevant website to manage the use of these types of cookies.
You can choose which analytical, functionality and targeting cookies we can set by accessing the cookie banner. However, if you use your browser settings to block all cookies (including strictly necessary cookies) you may not be able to access all or parts of our website. All cookies will expire as indicated in the table above.
Disclosures of Your Personal Data
We may share your personal data where necessary with the parties set out below for the purposes set out above:
• Cloud service providers / technology platforms;
• Learning & education systems;
• Professional services / consulting firms;
• Security & infrastructure service providers;
• Parties to legal proceedings;
• Partners; and/or
•Public authorities/ institutions/ organisations/ agencies.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions, where applicable.
Data Transfers Outside the EU/EEA
We may transfer your personal data outside the EU/EEA area, including to Lebanon. We may transfer your personal data to third countries that the European Commission has deemed to provide an adequate level of protection.
Whenever we transfer your personal data to third parties situated in countries which have laws that do not provide the same level of data protection as the EU/EEA area, we always ensure that a similar degree of protection is afforded to it by ensuring that the following safeguards are implemented:
We generally rely on the European Commission’s approved Standard Contractual Clauses (SCCs) as appropriate safeguards for data transfers to third countries, which ensure that the transferred personal data is afforded the same level of protection as it enjoys within the EU/EEA. You may obtain a copy of these safeguards or information on where they have been made available by contacting us using the details set out below.
In the absence of the above appropriate safeguards, the transfer of personal data to other third countries is carried out only if we have your explicit consent, or the transfer is necessary for the performance of a contract between you and us or the implementation of pre-contractual measures taken at your request, or the transfer is necessary for important reasons of public interest, or the transfer is necessary for the establishment, exercise or support of legal claims, or the transfer is necessary for the purposes of overriding legitimate interests pursued by us.
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Data Retention
How long will you use my personal data for?
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Your Legal Rights
You have a number of rights under data protection laws in relation to your personal data. You have the right to:
• Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
• Request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.
• Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in scenarios such as establishing accuracy, unlawful usage where you oppose erasure, or when defending legal claims.
If you wish to exercise any of the rights set out above, please contact our DPO at
[email protected].
NO FEE USUALLY REQUIRED: You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
WHAT WE MAY NEED FROM YOU: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights).
TIME LIMIT TO RESPOND: We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Contact Details
If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact our DPO through email at:
[email protected]
American University of Beirut – Mediterraneo / AUB Limited
Complaints
You have the right to make a complaint to the Cyprus Office of the Commissioner for Personal Data Protection by:
o Phone: +357 22818456
o Postal address: P.O.Box 23378, 1682 Nicosia, Cyprus.
Changes to the Privacy Notice and Your Duty to Inform Us of Changes
We keep our privacy policy under regular review. This version was last updated on November 2025.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.
Third-Party Links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
