
John Cabot University’s Terms & Conditions: 4 Critical Legal Risks and How to Fix Them

Our expert review of John Cabot University’s T&Cs reveals 4 major legal risks, including GDPR compliance gaps and cross-border data transfer issues. See actionable redlines and solutions.

When Legal Loopholes Cost Millions: A Deep Dive into John Cabot University’s Terms & Conditions

When we examined John Cabot University’s Terms & Conditions, our analysis revealed four critical legal and logical errors that could expose the institution to significant regulatory fines, litigation, and reputational damage. With GDPR fines reaching up to €20 million or 4% of annual turnover, and transatlantic data transfers under intense regulatory scrutiny, these issues are not just theoretical—they represent real financial and operational risks.

1. Ambiguity in Data Processor Disclosure and Oversight

John Cabot University lists specific data processors but also reserves the right to appoint others without clear disclosure or oversight mechanisms. This ambiguity can lead to GDPR Article 28 violations, risking fines and loss of trust if a processor mishandles data.

Legal Analysis
Risk: High

Original clause:
However, it is possible that JCU identifies other subjects designated as data processors but not included in the table above. In any case these subjects will be functional to the data processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.

Revised clause:
However, JCU may appoint additional Data Processors not listed above. In such cases, JCU will update this list within 30 days, ensure written data processing agreements are in place per Article 28 GDPR, and provide notice to data subjects regarding any material changes.

Legal Explanation

The original clause is ambiguous and lacks a mechanism for timely disclosure or oversight of new data processors, risking non-compliance with GDPR Article 28. The revision ensures transparency, contractual safeguards, and timely updates.

2. Unclear Basis and Mechanism for International Data Transfers

The T&Cs reference the EU-U.S. Privacy Shield, which was invalidated by the Court of Justice of the European Union in 2020 (Schrems II). Relying on outdated or ambiguous mechanisms for cross-border data transfers exposes JCU to immediate regulatory action and potential data transfer bans.

Legal Analysis
Risk: Critical

Original clause:
The personal data of the data subjects may be transferred to (i) Canada, for which the European Commission has expressed its Adequacy Decision on December 20, 2001, in compliance with the European Parliament and Council Directive 95/46/EC and regarding adequacy of the protection provided by the Canadian Personal Information Protection and Electronic Documents Act, to (ii) the United States of America through a certified data controller pursuant to the Privacy Shield Agreement[1], as well as (iii) to California (USA), in this case adopting the clauses "EU controller to non-EU or EEA processor" referred to in decision 2010/87/EU with the controller.

Revised clause:
Personal data of the data subjects may be transferred outside the EEA only where an adequate level of protection is ensured, in compliance with current EU law. For transfers to the United States of America, JCU relies on Standard Contractual Clauses (SCCs) and supplementary measures as required by the Schrems II decision (CJEU, July 2020).

Legal Explanation

The original clause relies on the Privacy Shield, which was invalidated in 2020. The revision aligns with current EU law and CJEU requirements, reducing risk of unlawful data transfers and regulatory penalties.

3. Incomplete Data Subject Rights Communication

While JCU outlines data subject rights, it does not specify timeframes for responding to requests or provide clear procedures for exercising these rights. This omission can lead to non-compliance with GDPR Articles 12-23, risking complaints and fines up to €20 million.

Legal Analysis
Risk: High

Original clause:
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (Articles 15 to 22 of GDPR). Data subjects have the right to lodge a complaint with the Supervisory Authority. The data subject can provide his/her requests to JCU by writing to the Referent for the protection of the data subject rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].

Revised clause:
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing. Data subjects may exercise their rights under Articles 15-22 of GDPR. Data subjects have the right to lodge a complaint with the Supervisory Authority. The data subject can provide his/her requests to JCU by contacting JCU’s DPO (Data Protection Officer) at the address above. JCU will respond to such requests within one month, extendable by two months for complex cases, and provide clear procedures for submitting and tracking requests.

Legal Explanation

The original clause omits statutory response timeframes and procedures, risking non-compliance with GDPR Article 12. The revision provides clarity, accountability, and regulatory alignment.

4. Overbroad Data Retention Clauses

The T&Cs allow for retention of personal data for up to 10 years after first contact, regardless of the nature of the interaction. Without a clear, necessity-based justification, this exceeds GDPR’s data minimization and storage limitation principles, increasing exposure to regulatory scrutiny and potential class actions.

Legal Analysis
Risk: High

Original clause:
- if the data subject obtains the status of "student", the personal data are retained for the entire duration of the course of study and not exceeding 10 years after the student has left John Cabot University;
- if the data subject does not obtain the status of "student", personal data is retained for 10 years after the first contact.

Revised clause:
- If the data subject becomes a student, personal data are retained for the entire duration of the course of study and only as long as necessary for legal or contractual obligations, not exceeding 10 years after leaving JCU.
- If the data subject does not become a student, personal data are retained only as long as necessary for the purposes collected, and in any case no longer than 2 years after the last contact, unless a longer period is required by law.

Legal Explanation

The original clause allows for excessive retention without necessity-based justification, violating GDPR’s storage limitation principle. The revision limits retention to what is strictly necessary and aligns with regulatory expectations.

---

Conclusion: Proactive Legal Safeguards Are Essential

Our analysis shows that even well-intentioned privacy policies can contain critical gaps that expose organizations to multimillion-euro fines, operational disruptions, and reputational harm. Proactive redlining and regular legal review are essential for robust compliance and risk management.

  • How confident are you in your organization’s cross-border data transfer mechanisms?
  • Are your data retention and subject rights policies airtight against regulatory scrutiny?
  • What would a €20 million GDPR fine mean for your institution?

**This analysis is for educational purposes only and does not constitute legal advice. For actual legal guidance, consult with a licensed attorney. This assessment is based on publicly available information and professional legal analysis. See erayaha.ai’s terms of service for liability limitations.**