2018 GDPR PRIVACY NOTICE
FOR WEBSITE USERS
THIS NOTICE DESCRIBES HOW YOUR PERSONAL DATA MAY BE PROCESSED BY ST LAWRENCE UNIVERSITY (“SLU,” “WE,” AND “US”) AND WHAT YOUR RIGHTS ARE WITH RESPECT TO YOUR PERSONAL DATA. PLEASE REVIEW IT CAREFULLY.
This Notice is being provided to you in accordance with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679, or the “GDPR”).
If you engage with SLU for another purpose (e.g. as a prospective or current student, as a previous student, as a faculty member or employee, alumnus, or as a visitor to our campus), there are other privacy notices that explain how we process your Personal Data – please consult the other applicable privacy notices on this webpage for more information.
What is “Personal Data” and “Processing”?
Under the GDPR, “Personal Data” means any information relating to an identified or identifiable Data Subject; specifically including, but not limited to, name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. A Data Subject is an identifiable natural person, i.e., one who can be identified, directly or indirectly, in particular, by reference to Personal Data. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “processed” have a corresponding meaning.
The GDPR prohibits the processing of “special categories” of Personal Data unless certain exceptions apply, because this type of data could create more significant risks to a Data Subject’s fundamental rights and freedoms. For example, an unauthorized disclosure of “special categories” of Personal Data may put Data Subjects at risk of unlawful discrimination. For this purpose, processing of “special categories” of Personal Data includes processing of: (i) Personal Data that reveals; (A) racial or ethnic origin, (B) political opinions, (C) religious or philosophical beliefs, or (D) trade union membership; or (ii) (A) genetic data, (B) biometric data for the purpose of uniquely identifying a natural person, (C) data concerning health; or (D) data concerning a natural personal’s sex life or sexual orientation.
How and When Do We Collect Your Personal Data?
We may lawfully collect your Personal Data in a number of ways for legitimate purposes, for example: (i) from the information you provide to us when you visit our website(s) or otherwise interact with us before enrolling, for example when you express your interest in studying at SLU; (ii) when you communicate with us via our website, for example in order to make inquiries or raise concerns; and (iii) in various other ways as you interact with us on our website, for the various purposes set out below.
The Types of Personal Data We Process
We may process (i.e., collect and keep) the following types of Personal Data about you: (i) your name and your contact information, i.e., local and permanent address, email address and telephone number; (ii) your date of birth, gender and gender identity, and Social Security number or taxpayer identification number [which generally you do not need to provide]; (iii) your country of domicile and your nationality; (iv) information about your academic and your extracurricular interests and activities; and (v) certain other information you may be asked to provide in connection with any online forms available on our website.
If you are asked to create an account on our website for any reason, we may ask you to provide your: name, e-mail address, student ID number (if you are a student or former student of SLU), telephone number, organization name, address, not-for-profit status, and credit card information. The legal basis for processing your personal information is that it is necessary in order for you to enter into a contract to provide the stated services to you.
How We Use Your Personal Data
The lawful and legitimate purpose for which we may use Personal Data (including “special categories” of Personal Data) we collect while you visit our website is that it is necessary for the performance of a contract with you, including to: (i) respond to your request for information about SLU; (ii) send you newsletters or other information; (iii) enable your attendance at a SLU event; and (iv) enable you to purchase items from our bookstore or tickets to sporting events or other events on campus.
The lawful and legitimate purposes for which we may use other Personal Data (including “special categories” of Personal Data) we collect while you visit our website (e.g., the background information such as IP address, date and time, and the webpages you visit) is that it is in our legitimate interests to provide and monitor the usefulness of our website and to ensure it is kept secure.
Why We Process Your Personal Data
As set out above, we may process your Personal Data because it is necessary for the performance of a contract with you (e.g., if you create an account or are purchasing something on our website), or in order to take certain actions at your request (e.g., to send you a brochure). The legal basis for processing your personal information is that it is necessary in order for you to enter into a contract to provide the stated services to you.
Where we have determined that the legal basis for processing your Personal Data is that it is necessary for the purposes of our legitimate interests, we have concluded that our interests do not inappropriately impact your fundamental rights and freedoms. You may ask us to explain our determination at any time by contacting us, as explained below.
How We Share Your Personal Data
For the purposes referred to in this Notice, and relying on the bases for processing as set out above, we may share your Personal Data with certain third parties in accordance with applicable law and with our Board of Trustees, faculty members, employees, agents, contractors, consultants, volunteers, and students serving on official SLU committees or assisting school officials, where there is a legitimate reason for their receiving the information, including: (i) third parties who work with us to provide services; (ii) third parties who are contracted to provide IT services for us; (iii) organizations operating anti-plagiarism software on our behalf; (iv) internal and external auditors, attorneys, and other professional service providers; (v) government departments and agencies where we have a statutory obligation to provide information; (vi) police and other law enforcement agencies; (vii) third parties conducting surveys, and (viii) third parties who collect standard internet log information and details of your visitor behavior patterns so that we can monitor, for example, the number of visitors to each page on our website.
We do not sell, trade, or otherwise transfer your Personal Data to outside parties, except as explained herein. This does not include trusted third parties who assist us as noted above in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We also may release your Personal Data when we believe release is appropriate to comply with the law, enforce our website policies, or protect ours or others’ rights, property, or safety. However, non-personally identifiable website visitor information (i.e., information that has been “pseudonymised” as described in the GDPR) may be provided to other parties for marketing, advertising, or other uses without restriction.
Retention of Your Personal Data
Your Personal Data will be stored in accordance with our retention policy, which is governed in part by New York law and available at [HYPERLINK].
Your Rights with Respect to Your Personal Data
Under the GDPR, you have a number of rights with respect to your Personal Data. You have the right, in certain circumstances, to request: (i) access to your Personal Data, (ii) rectification of mistakes or errors and/or erasure of your Personal Data, (iii) that we restrict processing, and, (iv) data portability.
In certain circumstances, you also may have the right to object to processing of your Personal Data.
If SLU requested, and you provided your explicit consent for the processing of your Personal Data (or where a parent or legal guardian provided consent on your behalf because you were under the age of 16 at the time consent was required), you (or your parent or legal guardian, as applicable) have the right (in certain circumstances) to withdraw that consent at any time. However, withdrawal of consent will not affect the lawfulness of the processing before your consent was withdrawn.
If you would like more information about, or if you would like to exercise any of these individual rights, please contact our Data Protection Officer (contact information is below).
If you have questions, concerns or complaints about how we are using your Personal Data, we may be able to resolve your complaints, and we request that you contact the Data Protection Officer (contact information is below). You also have the right to lodge a complaint with the applicable Supervisory Authority if you believe that we have not complied with the requirements of the GDPR with regard to your Personal Data, or if you are not happy with the response you receive from us regarding your complaint.
Relevant SLU Contacts
SLU may be a “controller” and also may be a “processor” (as those terms are used in the GDPR) of your Personal Data for the purposes of the GDPR. If you have any questions or concerns as to how your Personal Data is collected and/or processed by SLU you can contact: Vice President for Community and Employee Relations Lisa Cania, firstname.lastname@example.org