DPDP Act, 2023
Privacy notice
This notice is issued under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Rules framed thereunder. It sets out how Vikram Dev University (the "Data Fiduciary") processes your personal data.
1. Identity of the Data Fiduciary
Vikram Dev University, Po: Jeypore, Dist: Koraput, Odisha, 764 001. Communications to [email protected]. The University is a "Data Fiduciary" within the meaning of Section 2(i) of the DPDP Act.
2. What we collect
The University collects only such personal data as is necessary for the purposes set out below. The principal categories are:
- Identification data: name, date of birth, gender, photograph, signature.
- Contact data: postal address, email, telephone.
- Identity-document data: caste / community certificate, income certificate, disability certificate, Aadhaar (only where lawful and only for authentication and APAAR registration).
- Academic data: marks, grades, transcripts, attendance, examination scripts, project reports, theses.
- Financial data: fee payments, scholarship disbursements, payroll for staff.
- Health and disability data: collected only where reasonable accommodation is sought, and processed by the PwD Cell only.
- Browsing data: log files generated when you use this website, retained for 180 days as required by the CERT-In Directions, 2022.
3. Why we collect it
- Admission, registration, and academic record-keeping.
- Conduct of examinations and publication of results.
- Issue of degrees, transcripts, and other academic documents, including DigiLocker delivery.
- Disbursement of scholarships and financial assistance.
- Statutory reporting to the UGC, AICTE, NAAC, NIRF, AISHE, the State Government, and the Government of India.
- Recruitment, employment, and pay administration.
- Grievance redressal, anti-ragging investigations, and POSH inquiries.
- Cyber-security incident detection, response, and CERT-In reporting.
4. Lawful basis
The University processes personal data on one or more of the following bases under the DPDP Act:
- Consent (Section 6): for purposes notified at the point of collection.
- Certain legitimate uses (Section 7): for the performance of a function of the State and any service or benefit provided by the State, for compliance with a judgment or decree, in response to a medical emergency, or in connection with employment.
5. Consent and withdrawal
Where the University processes data on the basis of consent, you have the right to withdraw that consent at any time. Withdrawal is as straightforward as the giving of consent: write to the Data Protection Officer at the address below. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal, nor does it affect processing on a non-consent legitimate use under Section 7.
6. Retention
| Category | Retention |
|---|---|
| Admission applications, unsuccessful | One year from the close of the admission cycle |
| Student academic records | Permanent. Student transcripts and degree records are kept indefinitely as required for credential verification |
| Examination scripts | Three years from the date of declaration of result, unless under appeal |
| Financial records | Eight years (in accordance with audit norms) |
| Recruitment applications, unsuccessful | One year from the close of the recruitment cycle |
| HR records, current employees | Term of employment plus eight years |
| Server, application, and security logs | 180 days, in accordance with the CERT-In Directions of 28 April 2022 |
| Cookies, strictly necessary | Session, or up to one year for accessibility-preference cookies |
7. Sharing
The University shares personal data only with parties to whom such sharing is required by law, by the legitimate uses set out in the DPDP Act, or with your explicit consent. The principal recipients are:
- University Grants Commission, AICTE, NAAC, NIRF, AISHE.
- Department of Higher Education, Government of Odisha; SAMS Odisha; PG-SAMS Odisha; OASIS.
- Examination bodies and the central authentication services (DigiLocker, ABC, NAD, APAAR).
- Banks and the State payment gateway, for fee and scholarship transactions.
- Statutory authorities such as CERT-In and law-enforcement agencies, on lawful demand.
- External evaluators, examiners, and auditors under written engagement and confidentiality.
Personal data is not transferred outside India except where required by an express statutory provision or by the Central Government's notification under the DPDP Act.
8. Your rights as a data principal
- The right to access information about your personal data being processed (Section 11).
- The right to correction and erasure of personal data (Section 12).
- The right to grievance redressal (Section 13).
- The right to nominate another individual to exercise these rights in the event of your death or incapacity (Section 14).
Requests in exercise of these rights should be addressed to the Data Protection Officer at the address below. The University responds within the statutory timelines.
9. Data Protection Officer & Grievance Officer
- Data Protection Officer
- Designated under Section 10 of the DPDP Act, 2023. [email protected]
- Grievance Officer
- The Registrar, Vikram Dev University. [email protected]
- Statutory escalation
- The Data Protection Board of India, established under the DPDP Act, 2023.
10. Children
The University does not knowingly process the personal data of children under eighteen years for advertising or behavioural-tracking purposes. Where a child is an applicant or a student, parental consent is obtained at the point of admission, and processing is limited strictly to academic and welfare purposes.
11. Cookies and analytics
This site uses a small set of strictly-necessary cookies to remember your accessibility preferences (text size, contrast, language). The site does not set advertising or third-party analytics cookies, and does not load any third-party tracking script. Map tiles on the affiliated-colleges page are served by OpenStreetMap and may set their own technical cookies; see their privacy policy for details.
12. Breach notification
In the event of a personal-data breach, the University will notify the Data Protection Board of India and each affected data principal in the manner and within the timelines prescribed by the DPDP Rules, 2025. Cyber-security incidents will additionally be reported to CERT-In within six hours of awareness, in accordance with the CERT-In Directions of 28 April 2022. See the Cyber security policy.
Last updated: 26 April 2026 · Reviewed by: Data Protection Officer