46.3 Asserted Rights and Obligations of EU Residents with Respect to the University's Processing of Personal Data

  1. Individual rights. Subject to the university’s immunities and defenses as an instrumentality of the State of Iowa, EU residents whose personal data or special category data the University processes, have the following rights with respect to this data:
    1. The right to request access to their personal data held by the University.
    2. The right to have inaccurate or incomplete personal data rectified.
    3. The right to erasure of personal data, provided, however, that this may occur only in those very rare circumstances where the University has no legitimate reason to continue to hold/process that data, including legitimate reasons such as defense of legal claims. The University generally must maintain basic student records and some employment records indefinitely.
    4. The right to restrict processing of their personal data in certain situations.
    5. The right to data portability: EU residents may request in digital form those portions of the University’s personal data regarding them that pertain to their role at the University. For example, students may request data regarding their academic progress in order to provide it to other institutions or potential employers; and employees may request their respective personnel files.  
    6. The right to object to:
      1. the University’s processing of their personal data in certain circumstances such as the sending and receipt of direct marketing material; or 
      2. automated decision making without human intervention in certain circumstances.
    7. The right to withdraw consent in those circumstances where the University’s processing of personal data or special category data is based on the consent of the person whose data is at issue. To withdraw consent, the EU resident must contact the unit that obtained the consent or the University’s Data Protection Officer and follow the instructions provided.
    8. The right to report a concern regarding the University’s processing of the EU resident’s personal data or special category data by contacting the Data Protection Officer with information describing the concern. 
  2. Individual responsibilities. Individuals have responsibilities with respect to personal data held/processed by the University, as described in the University’s policies on the various types of personal data it processes, listed below. All members of the University community must familiarize themselves with these policies and are responsible for complying with them. 
    1. Information technology resources are subject to the University’s security and privacy protections in II-19.3 of the Policy on Acceptable Use of Information Technology Resources;
    2. Research subject data is subject to II-27.4 General Policy and Procedures for Review of Research Projects Involving Use of Human Subjects;
    3. Data from surveys and questionnaires is subject to II-27.5 Policy on Administrative Surveys and Questionnaires;
    4. Use of social security numbers in University records is subject to II-36 Social Security Numbers;
    5. Student records are subject to IV-6 Treatment of Student Education Records;
    6. Data regarding employees is subject to V-18 Personnel Records; and 
    7. Personal data and special category data regarding EU residents is subject to this policy, V-46 Compliance with EU General Data Protection Regulation (GDPR).
  3. Individuals who fail to comply with the University’s policies may be subject to University discipline and/or other legal recourse, including, without limitation, personal liability under the European Union General Data Protection Regulation, subject to the immunities and defenses available to the individual resulting from a relationship with the University of Iowa as an instrumentality of the State of Iowa.