2018 GDPR PRIVACY NOTICE FOR ALUMNI AND SUPPORTERS
THIS NOTICE DESCRIBES HOW YOUR PERSONAL DATA MAY BE PROCESSED BY ST. LAWRENCE UNIVERSITY (“SLU,” “WE,” “OUR,” AND “US”) AND WHAT YOUR RIGHTS ARE WITH RESPECT TO YOUR PERSONAL DATA. PLEASE REVIEW IT CAREFULLY.
This Notice is being provided to you in accordance with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679, or the “GDPR”).
If you engage with SLU for another purpose (e.g. as a prospective or current student, as a previous student, as a faculty member or employee, or as a visitor to our website or campus), there are other privacy notices that explain how we process your Personal Data – please consult the other applicable privacy notices on this webpage for more information.
What is “Personal Data” and “Processing”?
Under the GDPR, “Personal Data” means any information relating to an identified or identifiable Data Subject; specifically including, but not limited to, name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. A Data Subject is an identifiable natural person, i.e., one who can be identified, directly or indirectly, in particular, by reference to Personal Data. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “processed” have a corresponding meaning.
The GDPR prohibits the processing of “special categories” of Personal Data unless certain exceptions apply, because this type of data could create more significant risks to a Data Subject’s fundamental rights and freedoms. For example, an unauthorized disclosure of “special categories” of Personal Data may put Data Subjects at risk of unlawful discrimination. For this purpose, processing of “special categories” of Personal Data includes processing of: (i) Personal Data that reveals; (A) racial or ethnic origin, (B) political opinions, (C) religious or philosophical beliefs, or (D) trade union membership; or (ii) (A) genetic data, (B) biometric data for the purpose of uniquely identifying a natural person, (C) data concerning health; or (D) data concerning a natural personal’s sex life or sexual orientation.
How and When Do We Collect Your Personal Data?
We may lawfully collect your Personal Data in a number of ways for our legitimate purposes, for example: (i) from the information you provided to us while you were affiliated with us or any information you have since provided to us; (ii) your student records and transcripts; (iii) any communication with us by telephone, email or via our website; (iv) through social media accounts; (v) your recorded attendance at alumni events or any requests for alumni newsletters and publications; (vi) when you make donations to us; and (vii) information about you received from third parties, for example employers, colleagues, and former fellow students.
By providing us with your email address, home address, and/or telephone number(s), you are agreeing that we may (unless you notify us otherwise) use those channels to contact you for the purposes outlined in this Notice. If you are a new contact for us, we initially will ask you how you would like to receive news and communications from us. If you already are receiving such communications, you may change your preferences (or ask us to stop sending you communications completely) by contacting the Data Protection Officer listed below. You may request changes at any time. When you provide Personal Data to us, we will assume (unless you notify us otherwise) that we can use this information for other purposes outlined in this Notice. We may supplement information from other public sources that we consider to be reliable (e.g., your public social media profile(s), SLU publications, high profile news reports or articles) and may check the accuracy of such information with you from time to time.
The Types of Personal Data We Process
We process Personal Data (provided by you or created by us), including: (i) your current name and any previous name(s) you have had; (ii) unique personal identifiers (e.g., student number, date of birth, photograph); (iii) your current and previous contact information; (iv) your application details, our assessment of your application, and details of any offer(s) of study we have made; (v) your academic records; (vi) matriculation and graduation information; (vii) records of your academic qualifications (including those prior to becoming affiliated with us); (viii) other details concerning your academic progress or achievement (e.g., awards or prizes); and (ix) a record of your academic, career, or life achievements in order to promote and improve our reputation and to help you to network with SLU alumni effectively.
We also may retain Personal Data (provided by you or created by us), including: (i) details of your achievements since you completed your course(s) of study; (ii) membership in our alumni groups, and external clubs and societies; and (iii) your previous and current employment status and information, including job title, sector, income, work contact details, dates of employment, and retirement.
We retain Personal Data (provided by you or created by us), relating to our alumni events, including: (i) known relationships with other alumni; (ii) your previous attendance at such events; (iii) information about your areas of personal interest; (iv) Personal Data relating to your attendance at events and your personal preferences (e.g., dietary or accommodation requirements or requests); and (v) records of any communications (verbal or written) we have had with you, including the purpose and outcome of those communications.
We value all financial contributions from our alumni and other supporters, and, accordingly, retain Personal Data (provided by you or created by us), including: (i) the purpose for and amount of any donations; (ii) records of other support previously provided to us by you; (iii) the method(s) of payments used and related payment preferences; and (iv) certain of your bank details (for processing direct debit or other financial transactions). Some of this financial information needs to be retained for a number of years for statutory purposes (e.g., anti-fraud and accounting matters).
In addition, we may research your capacity to provide financial support resulting in the creation of Personal Data, including: (i) your estimated income or asset worth (where this information is not provided by you); (ii) your potential capacity to make a gift, including classifying you as a major gift prospect based on a combination of your giving history, your attendance at our events, and any other interactions you may have with us since you graduated, including any indications from you about your capacity or willingness to give to us; and (iii) gifts you have made to other charitable organizations. Our research may include incorporating information from public sources that we consider to be reliable (e.g., your public social media profile(s), high profile news reports or articles). In using these sources, we have considered the potential intrusion of your privacy. The assessment attempts to exclude you from unwelcome or inappropriate encounters in order to maintain your ongoing relationship with SLU.
How We Use Your Personal Data
We process your Personal Data, as specified below, for a number of purposes, including: (i) maintaining a record of your academic progress and achievements with us or elsewhere; (ii) retaining a record of your academic, career, or other achievements in order to promote and improve our reputation and to help you to network with other alumni effectively; (iii) to engage you in events we believe will be of interest to you, including alumni and open events, volunteering opportunities, and other ways you can contribute to the experiences of our students (including prospective students), faculty and staff, and alumni; (iv) providing you with information about our developments, including major initiatives and programs relating to either our academic endeavors or the provision of services and facilities to members and the wider public; (v) encouraging you to make a financial contribution to SLU and processing any such contributions; (vi) assessing the likelihood that you may make a financial contribution (gift) to SLU; and (vii) promoting third party services we believe will be of interest to you.
We also may keep additional Personal Data, as appropriate and where we have determined that it is necessary for the purposes of our legitimate interests. Where we have determined that the legal basis for processing your Personal Data is that such processing is necessary for the purposes of our legitimate interests, we have concluded that our interests do not inappropriately impact your fundamental rights and freedoms. You may ask us to explain our determination at any time by contacting us, as explained below.
If required by the GDPR, we will obtain your explicit consent to process special categories of Personal Data. Whenever we are processing data based on your consent, you have the right to withdraw that consent at any time.
How We Share Your Personal Data
We believe that most alumni understand in detail the complex interactions between SLU and alumni. It is our strong preference to remain in contact with you after you leave SLU. Where SLU and its partners are distinct legal entities, SLU will have a data sharing agreement to govern the sharing of Personal Data of alumni and other supporters. For clarity, we may share a database of alumni and supporter records within our institution.
Further, we share Personal Data on a confidential basis, where appropriate, with: (i) other educational institutions that partner with us; (ii) third party agencies who provide us with data in the public domain about alumni and supporters, as outlined above; (iii) selected companies who provide SLU-branded or SLU-endorsed products and services; (iv) volunteer partners closely related to us (e.g., SLU trustees, development board members, alumni group representatives); and (v) other third parties we contract with to provide services to you on our behalf, or services to us. We will also facilitate communication between individual alumni, but in doing so we do not release Personal Data without prior permission. We do not sell, trade, or otherwise transfer your Personal Data to outside parties, except as explained herein. This does not include trusted third parties who assist us, as noted above, with operating our website, conducting our business, or providing services to you, so long as those parties agree to keep this information confidential. We also may release your Personal Data when we believe the release is appropriate to comply with the law, enforce our website policies, or protect ours or others’ rights, property, or safety. However, non-personally identifiable website visitor information (i.e., information that has been “pseudonymised” as described in the GDPR) may be provided to other parties for marketing, advertising, or other uses.
Retention of Your Personal Data
Your Personal Data will be stored in accordance with our retention policy, which is governed in part by New York law and available at [HYPERLINK].
Your Rights with Respect to Your Personal Data
Under the GDPR, you have a number of rights with respect to your Personal Data. You have the right, in certain circumstances, to request: (i) access to your Personal Data; (ii) rectification of mistakes or errors and/or erasure of your Personal Data; (iii) that we restrict processing of your Personal Data; and (iv) Personal Data portability.
In certain circumstances, you also may have the right to object to processing of your Personal Data.
If SLU requested, and you provided, your explicit consent for the processing of your Personal Data, you have the right (in certain circumstances) to withdraw such consent at any time. However, withdrawal of consent will not affect the lawfulness of the processing before your consent was withdrawn. If you would like more information about your Personal Data, or if you would like to exercise any of the individual rights discussed herein or in the GDPR, please contact our Data Protection Officer (contact information is below).
If you have questions, concerns, or complaints about how we are processing your Personal Data, we request that you contact the Data Protection Officer (contact information is below) who may be able to resolve your issue or answer your questions. You also have the right to lodge a complaint with the applicable European Union Supervisory Authority if you believe that we have not complied with the requirements of the GDPR with regard to your Personal Data.
Relevant SLU Contacts
SLU may be a “controller” and also may be a “processor” (as those terms are used in the GDPR) of your Personal Data for the purposes of the GDPR. If you have any questions or concerns as to how your Personal Data is collected and/or processed by SLU you can contact: Vice President for Community and Employee Relations Lisa Cania, firstname.lastname@example.org