Home > V. Administrative, Financial, and Facilities Policies > Ch.46 - European Union General Data Protection Regulation

46.2 What the University Does with Data Regulated by the General Data Protection Regulation

  1. Personal data. The University may obtain, hold, and process the personal data of EU residents, including personal details, family and social circumstances, education and training records, technological identifiers, and information regarding employment, finances, and research. 
  2. Special category data.
    1. The University may obtain, hold, and process special category data from EU residents, which is data revealing:
      1. racial or ethnic origin;
      2. political opinions;
      3. religious or philosophical beliefs;
      4. trade union membership; 
      5. physical or mental health;
      6. data concerning a natural person’s sex life or sexual orientation; or 
      7. genetic data or biometric data processed for the purpose of uniquely identifying a natural person. The University may obtain special category data from the EU resident directly, or in some cases from a third party involved in the services provided by a third party.
    2. In those cases where the University processes EU residents’ special category data, and where the EU resident has not made the information public, the University will seek and obtain explicit consent of the EU resident unless it requires the data for:
      1. protection of the vital interests of the student or another person;
      2. exercise or defense of a legal claim;
      3. substantial public interest; or
      4. purposes of medical or health care.
    3. Any University processing of special category data will be consistent with this policy and will relate to the University’s provision of services. Where possible, the University will anonymize the special category data used for monitoring and reporting purposes.  
  3. Personal data of students/applicants. The University holds the personal data and special category data of EU residents who are applicants or enrolled students in order to implement and manage all services and processes relating to students, including student recruitment, admission, registration, teaching and learning, examination, graduation, extracurricular programs and activities, and other services such as accommodation, student support, counseling, health care, career guidance, and other services. Information facilitating these purposes is maintained and processed, and, without it, the University might not be able to provide its services to these individuals or to others. Information is transmitted between and among various University units for operational reasons as is necessary and appropriate for intended purposes.  

    Personal data of EU residents who are applicants or enrolled students at the University is collected and processed by the University as it is necessary for the performance of the contract under which the University provides services to students. Some processing activities also may be performed under a legal obligation, where necessary to protect the vital interests of the student or another party (for example, disclosures to external parties to ensure safety and well-being); where it is necessary for performing a task in the public interest or in the exercise of official authority (for example, disclosing information for the benefit of public health concerns); or where it is necessary for legitimate interests pursued by the University or a third party (in such case, the legitimate interests will relate to the efficient, lawful, and appropriate delivery of services, and will not operate to the detriment of the interests or rights of individuals). In the event any of these lawful bases do not apply to University processing of student data, the University will seek the consent of the EU resident whose personal data is at issue. 

    The University may disclose students’ personal data and special category data to external agencies to which it has obligations. It may also disclose EU residents’ personal data to examining bodies, legal representatives, police or law enforcement agencies, suppliers or service providers, research institutions, sponsoring organizations, or regulatory authorities. The University may disclose information regarding students’ University debt to collection agencies in order to pursue the debt. 
  4. Personal data of employees/applicants. The University holds the personal data and special category data of EU residents who are job applicants and employees in order to implement and manage all services and processes relating to employees, including recruitment, hiring and/or appointment, training and professional development, testing, certification, programs and activities, and other services such as accommodation, employee support, counseling, health care, career guidance, and other services. Information facilitating these purposes is obtained and processed, and, without it, the University might not be able to provide its services to these individuals or to others. Information is transmitted between and among various University units for operational reasons as is necessary and appropriate for intended purposes.  

    Personal data of EU residents who are University employees or job applicants is collected and processed by the University as it is necessary for the performance of the contractual relationship under which the University provides services to employees. Some processing activities also may be performed under a legal obligation, where necessary to protect the vital interests of the employee or another party (for example, disclosures to external parties to ensure safety and well-being); where it is necessary for performing a task in the public interest or in the exercise of official authority (for example, disclosing information for the benefit of public health concerns); or where it is necessary for legitimate interests pursued by the University or a third party (in such case, the legitimate interests will relate to the efficient, lawful, and appropriate delivery of services, and will not operate to the detriment of the interests or rights of individuals). In the event any of these lawful bases do not apply to University processing of employee data, the University will seek the consent of the EU resident whose data is at issue. 

    The University may disclose personal data and special category data of EU residents who are employees or job applicants to external agencies to which it has obligations. It may also disclose such EU residents’ personal data to examining, licensing or certification bodies, legal representatives, police or law enforcement agencies, suppliers or service providers, research institutions, sponsoring organizations, or regulatory authorities. 
  5. Personal data of research subjects. The University holds the personal data and special category data of EU residents who are subjects of human research in order to implement and manage all services and processes relating to research, including research subject enrollment, intervention or interaction with research subjects, publishing of research data, and other services. Information facilitating these purposes is obtained and processed, and, without it, the University might not be able to provide its services to these individuals or to others.  

    All personal data and special category data of EU residents who are human research subjects that is processed by the University is governed by this policy and by II-27.4 General Policy and Procedures for Review of Research Projects Involving Use of Human Subjects, and the University will process it with the consent of the EU resident whose personal data or special category data is at issue. Some processing activities also may be performed under a legal obligation, where necessary to protect the vital interests of the research subject (for example, disclosures to external parties to ensure safety and well-being); where it is necessary for performing a task in the public interest or in the exercise of official authority (for example, disclosing information for the benefit of public health concerns); or where it is necessary for legitimate interests pursued by the University or a third party (in such case, the legitimate interests will relate to the efficient, lawful, and appropriate delivery of services, and will not operate to the detriment of the interests or rights of individuals). 

    Personal data of EU residents who are subjects of human research is collected and processed by the University as it is necessary for the performance of the contract under which the University receives research funding. 

    The University may disclose personal data and special category data of EU residents who are research subjects to external agencies to which the University has obligations. It may also disclose such EU residents’ personal data or special category data to examining bodies, legal representatives, police or law enforcement agencies, suppliers or service providers, research institutions, sponsoring organizations, or regulatory authorities. 
  6. Personal data of health care patients. The University holds the personal data and special category data of EU residents who are patients of the University’s health care enterprise. Information facilitating diagnosis, evaluation and treatment, billing for services, and services related to the provision of health care to these patients is obtained and processed, and, without it, the University might not be able to provide its services to these individuals or to others. All personal data and special category data of EU residents who are University patients is processed by the University on the basis of the consent of the EU resident whose personal data or special category data is at issue unless another lawful basis applies. 

    Some processing activities may be performed under a legal obligation, where necessary to protect the vital interests of the health care patient (for example, disclosures to external parties to ensure safety and well-being); where it is necessary for performing a task in the public interest or in the exercise of official authority (for example, disclosing information for the benefit of public health concerns); or where it is necessary for legitimate interests pursued by the University or a third party (in such case, the legitimate interests will relate to the efficient, lawful and appropriate delivery of services, and will not operate to the detriment of the interests or rights of individuals). 

    Personal data of some EU residents who are patients is collected and processed by the University as it is necessary for the performance of a contract under which the University provides care to these patients. 

    The University may disclose personal data and special category data of EU residents who are University patients to external agencies to which the University has obligations. It may also disclose such EU residents’ personal data to examining bodies, legal representatives, police or law enforcement agencies, suppliers or service providers, research institutions, sponsoring organizations, or regulatory authorities.