|Office of Administration|
|Assistant Vice President of Information Technology|
|Information Security and Technology|
|First Draft 8/13/2019|
|GDPR, European Union, Information Security, Personal Identification Information, International Studies, Study Abroad|
The General Data Protection Regulations ("GDPR") were adopted by the European Commission in order to strengthen and unify data protection for all individuals within the European Union ("EU").
GDPR became effective on May 25, 2018 and applies in the European Economic Area ("EEA"), which includes the EU members and the countries of Iceland, Liechtenstein and Norway.
This policy is pending a 30-day public comment period.
The State University of New York ("SUNY Empire") is committed to respecting and protecting the privacy rights of persons in the European Economic Area ("EEA"), comprised of the European Union ("EU") and the countries of Iceland, Norway, and Liechtenstein, pursuant to the EU General Data Protection Regulation ("GDPR"). This privacy notice outlines how SUNY Empire collects, processes, discloses and uses information that you share with SUNY Empire through our websites, other electronic systems, paper forms, and otherwise.
Personal Information: information relating to a personally identifiable individual.
Personal Information collected by SUNY Empire typically includes an individual's name, email address, phone number, transcript, academic record, student organization membership, work history, work performance, letters of recommendation, demographic information, documentation provided to support financial aid applications, donor information, IP addresses, browser and computer information, how users interact with the SUNY Empire websites and electronic communications, and in some cases medical and health information and information observed as part of a research study.
Sensitive Information: information about an individual that is classed as "sensitive" or "special category" personal data which requires additional protections. This includes information concerning ethnicity, sexual orientation, religious beliefs or health/disability that is used for planning and monitoring purposes, or in order to provide care, help or suitable adjustments. For certain courses of study, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and fitness to practice in certain regulated professions.
Personal Information SUNY Empire Collects
SUNY Empire State University (SUNY Empire) collects Personal Information in order to fulfill its mission as a public institution of higher education. SUNY Empire requires Personal Information only when necessary.
In addition to this, SUNY Empire may process some information about an individual that is classed as "sensitive" or "special category" personal data, which requires additional protections. This includes information concerning ethnicity, sexual orientation, religious beliefs or health/disability that we use for planning and monitoring purposes, or in order to provide care, help, or suitable adjustments. For certain courses of study, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practice in certain regulated professions.
Access to, and the sharing of, your "sensitive" personal data are carefully controlled. You will normally be given further details about our use of any such data when we collect it from you.
Applicability of this GDPR Privacy Notice
This GDPR Privacy Notice applies to you if all of the following factors are met:
- You are a natural person (not a corporation, partnership, or other legal entity) who is physically present in the EEA;
- "Personal Information" (any information that relates to or identifies you as an individual as is further described below) is provided while you are physically present in the EEA;
- Such Personal Information is not earlier or later provided to SUNY Empire while you are physically outside the EEA; and,
- Such Personal Information is provided to SUNY Empire:
  - During the course of SUNY Empire offering you goods or services;
  - While SUNY Empire is monitoring your behavior or health;
  - While you are associated with any of SUNY Empire's programs;
  - While you are participating in clinical research programs; or
  - While you are receiving health treatment.
Please note that information pertaining to current, former, or prospective employment with SUNY Empire within the United States is not considered "Personal Information" and is excluded from this GDPR Privacy Notice.
Legal Basis for Processing Your Personal Information
SUNY Empire's processing activities of your Personal Information may rely on different lawful grounds depending on the circumstances. Generally speaking, we typically rely upon one or more of the following lawful bases to process your Personal Information under the GDPR:
- Necessity to enter into or for the performance of a contract (e.g., online applications, information provided when enrolling, or for payment information to pay tuition)
- Necessity of SUNY Empire's legitimate interests or those of third parties (e.g., evaluation of candidates for admissions, financial aid, and/or maintaining a community for alumni)
- Necessity of SUNY Empire's compliance with legal requirements imposed by state or federal law
- Consent (e.g., for the research projects you may participate in; for processing of special categories of personal data)
We consider the processing of your Personal Information to be either necessary for the performance of our contractual obligations with you (e.g., to manage your education, student experience and welfare while studying at SUNY Empire), necessary for compliance with a legal obligation (e.g., visa monitoring), necessary for the performance of tasks we carry out in the public interest (e.g., teaching and research), or necessary for the pursuit of the legitimate interests of SUNY Empire or an external organization (e.g., to enable your access to external services). SUNY Empire requires you to provide us with any information we reasonably ask for to enable us to administer our relationship with you. If we require your consent for any specific use of your personal information, we will collect it at the appropriate time, and you can withdraw this at any time. Where we ask for any "sensitive" information, such as that concerning your ethnicity, sexual orientation, religious beliefs or health/disability, you will normally have the option to refuse your consent by not supplying it.
How SUNY Empire Obtains Personal Information
SUNY Empire obtains your Personal Information:
- From You, the Data Subject: SUNY Empire may receive your Personal Information when you visit SUNY ESC's websites, apply for or attend classes or programs, apply for or take online courses, travel with SUNY Empire to a location in the EEA, attend events sponsored by SUNY Empire in the EEA, participate in clinical research, voluntarily or involuntarily receive medical treatment or services, or otherwise interact with SUNY Empire in the EEA.
- From Third Parties: SUNY Empire may also receive your Personal Information from third parties. Examples include, without limitation, exam scores received from testing agencies, and registration information received from third parties that administer online courses. SUNY Empire also may receive information from other individuals or institutions who provide treatment and services, from public health services, from law enforcement, and from other clinical researchers, as well as from those who process the information provided on behalf of these entities.
Certain Personal Information collected by SUNY Empire is required for SUNY Empire to be able to provide you with educational services, employment, or treatment as a patient. In the event you do not provide such information, SUNY Empire may be unable to provide you with the requested services.
Use of Personal Information
How SUNY Empire uses your Personal Information depends upon the context in which it was provided:
- Prospective Students - SUNY Empire uses your Personal Information in order to consider you for admission to a campus or a particular program, to award financial aid and merit-based scholarships, and to track the effectiveness of our communications and programs.
- Students - SUNY Empire uses your Personal Information to provide you higher education services, comply with our legal obligations, enforce SUNY Empire policies and procedures, and to improve the overall student experience on our campuses and effectiveness of our programs. Some examples of these include registering you for classes, tracking attendance, evaluating your academic performance, submitting required reports to federal and state regulatory authorities and our accrediting bodies, providing you with academic and career advising, providing housing and food services, evaluating student organizations, evaluating academic programs, and providing letters of recommendation and transcripts to prospective employers or other institutions.
- Alumni and Friends - SUNY Empire uses your Personal Information to track, maintain, and evaluate our relationship with you, provide you with communications and invitations to campus events, assist you with obtaining employment or admission to another educational institution or program, and to evaluate academic and employment outcomes.
- Prospective Employees - SUNY Empire uses your Personal Information to consider you for employment, evaluate the effectiveness of our recruitment programs, establish minimum requirements for positions, and to improve the attractiveness of SUNY Empire as an employer.
- Current Employees - SUNY Empire uses your Personal Information to perform necessary tasks related to your status as an employee, to contact the appropriate person in the event of an emergency, to investigate violations of SUNY Empire policy, and to improve the overall employment experience at SUNY Empire.
- Research Participants - SUNY Empire uses your Personal Information to fulfill the objectives of a particular research project, and to provide any promised compensation or other incentives.
SUNY Empire may use your Personal Information for other purposes and will provide you with specific information at the time such alternate use arises.
Sharing of Your Personal Information
SUNY Empire does not sell your Personal Information and only shares your Personal Information with third parties if there is a legitimate institutional need to do so. SUNY Empire may share your Personal Information with the following recipients:
- With SUNY System Administration and other campuses within the SUNY System in order to govern, administer, and improve the SUNY system.
- With SUNY Empire's affiliated entities including the Research Foundation for the State University of New York, individual campus foundations, campus faculty student associations, and other affiliated entities in order to provide ancillary services.
- With SUNY Empire's service providers that need access to your Personal Information in order to provide SUNY Empire with services necessary to fulfill SUNY Empire's mission or improve the SUNY Empire student or employee experience.
- With accrediting agencies in order to obtain or maintain accreditations for SUNY Empire's and its affiliates' various programs.
- With the Federal, State, and local governments or regulatory authorities as required by law or as necessary to fulfill the mission of SUNY Empire.
Please note that the University may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this GDPR Privacy Notice.
Your Rights Regarding your Personal Information
SUNY Empire is committed to facilitating the exercise of the rights granted to you by the GDPR in a timely manner. In the context of our processing activities that are subject to the GDPR, you have the following rights regarding your personal information:
- Access, correction and other requests - You have the right to obtain confirmation of whether we process your personal data, as well as the right to obtain information about the personal data we process about you. You also have a right to obtain a copy of this data. Additionally, and under certain circumstances, you may have the right to obtain erasure, correction, restriction and portability of your personal data.
- Right to object - You have the right to object to receiving marketing materials from us by following the opt-out instructions in our marketing emails, as well as the right to object to any processing of your personal data based on your specific situation. In the latter case, we will assess your request and provide a reply in a timely manner, according to our legal obligations.
- Right to withdraw consent - For all the processing operations that are based on your consent, you have the right to withdraw your consent at any time, and we will stop those processing operations as allowable by law.
In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, and/or SUNY Empire policy. These include, without limitation, policies pertaining to student education records and policies pertaining to certain health records that SUNY Empire maintains.
In order to exercise any of these rights, except the right to file a complaint with an EU supervisory authority, you should submit your request to the identified GDPR SUNY Empire contact listed at the bottom of this Notice.
Please note that when you make requests based on these rights, if we are not certain of your identity, we may need to ask you for further personal information to be used only for the purposes of replying to your request.
Security of your Personal Information
SUNY Empire implements appropriate physical, technical, and organizational security measures to protect your Personal Information consistent with the requirements of law and the policies of the SUNY Empire Board of Trustees.
Retention and Destruction of Your Personal Information
SUNY Empire will retain your Personal Information for as long as there is a legitimate need to do so and in accordance with the SUNY Empire Records Retention and Disposition Policy, and applicable federal and state law. Retention periods vary and are established considering our legitimate interests and all applicable legal requirements.
Data Transfer Outside of the EEA
SUNY Empire is based in the United States and is subject to U.S. and New York State law. Personal Information that you provide to SUNY Empire will generally be hosted on U.S.-based servers. To the extent that SUNY Empire needs to transfer your information either (a) from the EEA to the U.S. or another country or (b) from the U.S. to another country, SUNY Empire will do so on the basis of either (i) an "adequacy decision" by the European Commission; (ii) EU-sanctioned "appropriate safeguards" for transfer such as model clauses, a copy of which you may request, if applicable, by contacting SUNY Empire as set forth below; (iii) your explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with SUNY Empire generally taken at your request (e.g., for the transfer of personal data necessary for your application for admission). Please note that the U.S. is not currently considered a safe harbor country under the GDPR.
Applicable Legislation and Regulations
General Data Protection Regulations
Family Educational Rights and Privacy Act
Related References, Policies, Procedures, Forms and Appendices
If you have any concerns or questions regarding this notice or how your Personal Information is used, please contact the university’s Director of Compliance at 518-587-2100 ext 2945 or the student information center at 1-800-847-3000, firstname.lastname@example.org. SUNY Empire will attempt to promptly address any concern you may have about our data collection and use policies. However, if you believe we have not been able to deal with your concern appropriately, you have a right to complain to your local data protection authority, as granted by Article 77 of the GDPR. You also have the right to submit a complaint in the Member State of your residence, place of work, or of an alleged infringement of the GDPR.
In the event sensitive information is passively collected during a transaction that has occurred for the performance of our contractual obligations with you (e.g., to manage your education, student experience and welfare while studying at SUNY Empire), that is necessary for compliance with a legal obligation (e.g., visa monitoring), necessary for the performance of tasks we carry out in the public interest (e.g., teaching and research), or necessary for the pursuit of the legitimate interests of SUNY Empire or an external organization (e.g., to enable your access to external services), the sensitive information will be redacted before the documents are processed.