Information Technology Services

General Data Protection Regulation (GDPR) Privacy Notice

GDPR Privacy Notice [1]

(General Data Protection Regulation)

This notice provides certain required information to persons located in the European Union (“EU”), a European Economic Area (“EAA”) member state, or Switzerland. Before Union College collects any “personal data” from you, you are entitled under Regulation (EU) 2016/679 (commonly known as the EU General Data Protection Regulation, or the “GDPR”), to the information in this notice. The GDPR does not apply to the processing of personal data from data subjects prior to May 25, 2018.

The GDPR defines:

  1. personal data” as information that identifies you, or may be used to identify you, such as your name, an identification number, location data, an online identifier, or factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity;
  2. controller” as the entity that determines the purposes and means of the processing of personal data;
  3. processor” as the entity that processes personal data on behalf of the controller; and
  4. data subject” as a natural person who is identified, or can be identified, by reference to his or her personal data.

If you would like to review the GDPR Articles cited in this notice, please click here, https://www.eugdpr.org/.

Controller

The Identity and Contact Details of the Controller

Under the GDPR, Union College will be deemed the “controller” of your personal data.  If you would like to contact Union College in its capacity as controller, please contact:

Ellen Yu
Chief Information Officer
Information Technology Services | Union College
807 Union Street
Schenectady, New York 12308
yue@union.edu

Controller’s Representative

The Identity and Contact Details of the Controller’s Representative

The GDPR requires Union College to designate a representative located in the EU. Union College’s representative is: TBD.

Data Protection Officer (DPO)

Union College is not a public authority or body. At present, the College’s core activities do not include the regular and systematic monitoring of data subjects on a large scale, nor does it process on a large scale either special categories of data (as described in GDPR Article 9) or personal data relating to criminal convictions and offenses (as described in GDPR Article 10). For these reasons, the GDPR does not obligate Union College to designate a data protection officer (“DPO”). If, in the future, Union College voluntarily designates a DPO, this notice shall be updated to identify and include contact information for the DPO.

Union College’s Purposes and Legal Basis for Processing Personal Data

Union College will only process your personal data for lawful purposes under the GDPR related to the College’s charitable, educational, and scientific purposes and arising from your relationship with the College as a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or an employee, contractor, donor, supporter, research subject, visitor to the College or its website, or attendee at a College event.

Union College will ordinarily collect and process your personal data because it is necessary for the performance of a contract to which you are a party or because the College has another legitimate interest in doing so. When Union College cannot rely on either of such legal grounds, it will seek your prior consent. For example, GDPR Article 9 generally requires Union College to obtain your prior consent if it collects special categories of personal data protected under the GDPR (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic or biometric data to uniquely identify a natural person, health data, or data related to one’s sexual activities or orientation).

The purposes for which Union College collects personal data, and the legal bases for processing such personal data, are summarized in the chart that appears below.

In the chart: each reference to (a) “necessary for the performance of a contract” shall be deemed to mean, “Necessary for the performance of a contract or agreement to which you are a party, or preliminary steps leading up to such a contract or agreement;” (b) Union College’s “legitimate interest” shall require a prior “balancing test” determination by the College that its legitimate interest in processing your personal data is not overridden by your interests or fundamental rights and freedoms in protecting such personal data; and (c) your “prior consent” shall mean your voluntarily consent, given prior to the processing of your personal data. If you would like additional information as to Union College’s legitimate interest “balancing test” determination under clause (b), please contact the Controller at yue@union.edu.

Purpose for Processing

Legal Basis for Processing

Student Admissions Applications and Other Student Data: Obtaining admissions applications, transcripts, test scores, and related documents from applicants to determine their qualification for admission, and preparing related correspondence, including acceptance and rejection letters; obtaining job applications, resumes, background checks, motor vehicle records, and other background materials from students applying for jobs

  • Such processing is necessary for the performance of a contract.
  • Union College has a legitimate interest in collecting information needed to evaluate an applicant’s personal, educational, and work background in order to make admissions and employment decisions and otherwise process such applications, and in compiling statistical information to evaluate the College’s diversity, affirmative action, and equal opportunity performance
  • Your prior consent

Staff and Faculty Job Applications: Preparing acceptance and rejection letters; obtaining job applications, resumes, background checks, motor vehicle records, and other background materials from job applicants

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in collecting information needed to evaluate an applicant’s personal, educational, and work background in order to make an employment decision and otherwise process such applications, and in compiling statistical information to evaluate the College’s diversity, affirmative action, and equal opportunity performance
  • Your prior consent

Managing Student Accounts: Establishing and administering student accounts, issuing invoices, processing payments and refunds, preparing related correspondence, and, if necessary, pursuing collection efforts

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in charging tuition, fees, and other charges and collecting amounts due related to a student’s education in order to maintain the College’s fiscal stability

Managing Payroll Accounts: Collecting forms needed to satisfy regulatory requirements (such as IRS W-4 and W-9 forms), and other documents necessary to prepare payroll checks, bank account information, make withholdings, issue IRS W-2 forms, process pension and retirement contributions and payments, and related employee payroll matters

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in collecting necessary information so that the College can, in a timely and accurate manner, and in compliance with applicable laws, pay its employees their salaries, make appropriate withholdings, and make required reports to and file required documents with the IRS
  • Your prior consent

Managing Benefits Accounts: Collecting and processing benefit election and claim forms in order to manage employee benefits including medical, vision, dental, and other insurance coverages, pension and retirement accounts, charity contributions, transit benefits, FSA and HSA accounts, beneficiary designations, and related employee benefit matters.

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in collecting necessary information so that the College can, in a timely and accurate manner, and in compliance with applicable laws, provide employees, their dependents, and retirees with employee benefits, and make required reports to and file required documents with the IRS and other government bodies and third-party benefit administrators
  • Your prior consent

Managing Expenses, Purchasing, and Reimbursements: Collecting, issuing, and processing expense requests, purchasing invoices, receipts, approvals, payment records, bank accounts, checks, and electronic payments

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in collecting necessary information so that the College can account for expenses, pay bills on time, recover amounts owed to the College, and otherwise administer the College’s day-to-day financial affairs

Administering Grant, Scholarship, and Financial Aid Programs: Accepting, reviewing, and making decisions related to financial assistance programs, including preparing, executing, monitoring, and enforcing grant, scholarship, and loan agreements and notes documenting such financial assistance

  • Such processing is necessary for the performance of a contract
  •  Union College has a legitimate interest in helping students find financial resources to pay for their education, in complying with third-party lender and federal and state requirements, and documenting and administering such financial assistance programs
  • Your prior consent

Class Registration, Enrollment, and Education Records: Registering students for courses, confirming completion of required course work, accepting, reviewing, and evaluating student course work, operating education software to support teaching, conducting institutional statistical research to measure effectiveness, and for accreditation and collaborative purposes

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in establishing that students are enrolled and completing classes necessary to satisfy enrollment requirements (which may also be a condition to eligibility for certain benefits) and degree requirements, and scheduling and staffing courses, in assigning and evaluating homework, administering tests, and facilitating group instruction and learning

International Programs Office: Collecting, processing, and using personal data to review and process study abroad and study away applications and administer study abroad and study away programs on behalf of Union College

  • Such processing is necessary for the performance of a contract
  •  Union College has a legitimate interest in providing study abroad and study away programs alone or in conjunction with third parties, processing personal data for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, processing personal data necessary to protect the vital interests of the data subject or of another person
  • Your prior consent

Evaluating Academic Performance and Granting Degrees: Assigning grades and other performance measures (such as with respect to clinical programs); confirming satisfaction of required classwork and out-of-class requirements applicable to the awarding of degrees; preparing transcripts and diplomas; maintaining long-term graduation and performance records and providing these to employers

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in evaluating student performance, awarding degrees, recognizing outstanding achievements, holding graduation ceremonies, and providing its graduates and prospective employers with information confirming such performance, degrees, and achievements

Evaluating Faculty and Staff Performance: Preparing and processing evaluations (including self-evaluations), maintaining personnel and disciplinary files, compiling other performance measure data

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in evaluating the performance of faculty and staff members for purposes of promotions, tenure decisions, disciplinary action, setting salaries, and improving productivity

Issuing and Use of College Identification, Payment: Issuing (a) identification cards bearing faculty, staff or student photos and embedded with personal information for use in accessing College facilities, events, and resources; (b) making payments; and (c) other College purposes, and monitoring all such usages

  • Such process is necessary for the performance of a contract
  • Union College has a legitimate interest in identifying whether an individual is a student, faculty, or staff member, or who is otherwise authorized to be on College property and to access College programs and services, in classifying persons as either College community members or trespassers, in establishing the authority of individuals to take certain actions, and in facilitating the flow of persons, information, and payments throughout the College

Operating Dining Halls and Other Food Service Facilities: Running cafeterias, restaurants, snack bars, and on-campus convenience stores, and administering credit, debit, and payment programs related to such services

  • Such processing is necessary to the performance of a contract
  • Union College has a legitimate interest in confirming that only authorized persons use food service facilities, in verifying that such use conforms to meal plan and payment requirements, and in identifying personal dietary constraints and preferences in order to offer appropriate food options

Providing Student Housing: Providing and operating dormitories and other student housing and residence life programs

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in controlling access to student housing so that housing facilities are occupied only by eligible persons and accessed only by permitted persons at permitted times in order to safely and securely operate such facilities, and in collecting and maintaining personal information for use in cases of emergencies
  • Your prior consent

Providing Student Support Services: Providing accommodations under disabilities laws, offering tutoring services and supplemental instruction, student conduct, providing physical and mental health and wellness care and counseling

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in promoting, assisting, and monitoring student accessibility, educational progress, physical and mental health and well-being, and evaluating the use and outcomes of such services
  • Your prior consent

Campus Security Measures: Taking measures to protect persons and property (both physical, personal, and digital) through encryption, firewalls, password, reset questions, surveillance cameras, login systems, card-swiping and similar entrance/exit tracking devices, and other security efforts.

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in insuring the physical and digital security of its campus and the members of the Union College community, and in preventing, detecting, and taking enforcement action with respect to criminal and other unlawful and/or unauthorized activity; such legitimate interest includes sharing security information with federal, state, and local law enforcement authorities, as required or permitted by law

Complaint and Grievance Procedures: Enabling students, staff and faculty to file and process complaints and grievances by such means as Campus Safety, sexual harassment complaints, Human Resources complaints, and Honor Code grievance appeals process

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in providing procedures for College members to report dishonest behavior, wrongful actions, injurious conduct, and conflicts of interest, and to contest College decisions that are perceived to be unfair or otherwise inappropriate

Offering Access to College Information Services: Providing a user identity account including Union College email account, storing information on College servers (and servers of third party processors), allowing students, faculty, staff, and alumni, and other authorized persons the right to use College-licensed software, providing access to educational platforms, assessment tools, social media, library applications, archives, and digital collections

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in providing access to College information services for learning and communication purposes, in assuring the College’s compliance with applicable licenses and contracts relating to the use of such services, in securing data on such systems, in monitoring the system, and in performing system maintenance, analytics, and upgrades

Assisting With Clinical, Out-of-Class, Internship and Job Placement: Identifying hospitals, clinics, schools and employers who will offer clinical practice opportunities, classroom teaching experience, and similar internships; helping place students and graduates in jobs

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in setting up off-campus learning opportunities for students that will supplement their on-campus instruction, and enhance their job readiness and future employment prospects, including obtaining personal information necessary to  process background checks for such positions and in helping graduates find employment
  • Your prior consent

Ticketing: Processing information related to selling or otherwise issuing tickets for athletic, musical, theatrical, and other College events and conferences

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in holding events open both to the College community and to the general public and in charging and collecting admission fees for such events

Recruitment and College Marketing: Tracking inquiries and website activity (including through the use of “cookies” and similar tracking files) to identify and recruit prospective students, faculty, and staff

  • Union College has a legitimate interest in identifying both qualified students to attend the College and qualified faculty and staff to work at the College

Research: Conducting educational, scientific, and other research and related statistical analysis

  • Union College has a legitimate interest in carrying out experiments, interviews, clinical evaluations, longitudinal studies and other research activities to advance knowledge and translate such research into activities and applications that benefit society
  • Your prior consent

Alumni and Advancement Communications: Maintaining contact information for alumni and donors in order to send correspondence, magazines, newsletters, online communications, invitations, and to seek and accept gifts and donations

  • Union College has a legitimate interest in maintaining an ongoing relationship with alumni for informational, networking, job placement, continuing education, and fund-raising purposes, and in communicating the College’s programs and successes to the general public

Insurance Claim Processing: Obtaining and evaluating personal information pertaining to claims of bodily injury, property damage, and other liability claims, including collecting medical reports and health insurance information, personal financial data, police reports, or other relevant information, including information required by Union College’s insurers

  • Such processing is necessary for the performance of a contract
  • Union College has a legitimate interest in obtaining the factual information needed to evaluate the merits of a claim so in order to decide on the appropriate resolution of incidents involving loss or injury
  • Your prior consent

Complying with Legal Obligations: Compiling and providing information required under applicable laws, including, without limitation, the Internal Revenue Code, Title IV and Title IX, U.S. Department of Education laws and regulations, the Immigration and Naturalization Service, and the Department of Homeland Security

  • Union College has a legitimate interest in complying with legal obligations imposed under European, federal, state, and local laws

Categories of Personal Data Collected

In certain instances, Union College, in its capacity as a controller, may acquire your personal data from a third party, and not directly from you. If this occurs, then within a reasonable period of time, but not later than the earlier to occur of (a) the first time Union College communicates with you, and (b) one month after Union College acquires such personal data, Union College will advise you of the categories of personal data collected, the source from which Union College acquired such personal data, and certain additional information required under GDPR Article 14.

Recipients/Categories of Recipients Who May Receive Your Personal Data

The specific categories of recipients who will receive your information depend on whether you are a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or a contractor, donor, supporter, or research subject, or have some other status, and the types of personal data that you provide.  The categories of recipients are likely to include one or more of the following:

  • As to the Union College data collection activities described in the preceding chart, responsible faculty and staff involved in such activities may receive your personal data (for example, personnel in the Registrar’s office will have access to personal data related to student admissions, class registration, enrollment, grades and transcript); such persons will generally be located in Schenectady, New York;
  • As to personal data required by federal departments and agencies, employees of the federal government, including personnel in the United States Department of Education, the Department of Justice (Office for Civil Rights), the Department of Treasury (Internal Revenue Service), the Department of Homeland Security, and their respective divisions, and agencies may receive your personal data; such persons will generally be located in Washington D.C.;
  • As to personal data required by State of New York departments and agencies, employees of the State of New York, including personnel in the New York State Board of Education, the New York State Department of Taxation and Finance, and the New York State Attorney General’s Office, and their respective divisions, agencies, and offices, may receive your personal data; such persons will generally be located in Albany, New York or New York City, New York;
  • Third parties who underwrite, administer, or provide services related to the College’s health insurance, benefits, and pension and retirement programs may receive your personal data;
  • Lenders and other third parties who assist in originating, monitoring, and collecting student loans, scholarships, and other financial aid programs, may receive your personal data; and
  • Third party processors who host and process information in the “cloud” on servers located in the United States may receive your personal data.

If you would like more detailed information as to the specific identify of recipients receiving particular personal data, please contact the Controller at yue@union.edu.

Transfer of Personal Data to the United States

Personal data that you provide while in the EU, an EAA member state, or Switzerland will be transferred to the United States. The GDPR permits such transfer when necessary for the performance of a contract between you and Union College, or if Union College obtains your explicit consent to such transfer. In transferring your personal data to a processor, Union College will employ suitable safeguards, including those described in the Information Security section below, to protect the privacy and security of your personal data so that it is only used in a manner consistent with your relationship with the College and this privacy notice.

How Long Will Your Personal Data Be Stored?

The GDPR requires that your personal data be kept no longer than necessary. The applicable time period will depend on the nature of such personal data and will also be determined by legal requirements imposed under applicable laws and regulations. For a link to a table setting forth current College record and data retention policies, click here Non-Financial Records Retention Policy.  If you have specific questions concerning how long a certain type of personal data will be retained, please contact the Controller at yue@union.edu.

You Have Certain Rights to Control Your Personal Data

Articles 15-21 of the GDPR give you the right to control your personal data by directing Union College, as controller, to do one or more of the following, subject to certain conditions and limitations:

  1. allow you to access your personal data to see what information the College has collected concerning you;
  2. correct (rectify) any inaccuracy in your personal data;
  3. delete (erase) your personal data, unless Union College can demonstrate that retention is necessary or that Union College has other overriding legitimate grounds for retention;
  4. restrict the processing of your personal data;
  5. transfer your personal data to a third party (portability); and
  6. upon your objection, stop processing personal data when Union College is relying on a legitimate interest basis for processing such data unless Union College can demonstrate compelling legitimate grounds for processing that override your interests in prohibiting such processing.

If You Consent to the Processing of Your Data, You Can Withdraw Such Consent

If Union College obtains your written consent to collect and process your personal data, you can subsequently withdraw such consent as to any further processing of such data by contacting the Controller at yue@union.edu.

GDPR Remedies Include the Right to File A Complaint With The Supervisory Authority

If you believe your privacy rights under the GDPR have been violated, the GDPR gives you the rights and remedies set forth in GDPR Articles 77-82.  These include the right to file a complaint with the Italian data protection supervisory authority:

Garante Per La Protezione Dei Dati Personali
Piazza di Monte Citorio, 121
00186 Roma
Tel. + 39 06 69677 1
Fax. + 39 06 69677 785
Email: garante@garanteprivacy.it
Website:  http://www.garanteprivacy.

Are You Obligated to Provide Personal Data?

As discussed above, Union College will sometimes ask you to provide information necessary to perform contracts to which you are a party, or to satisfy certain legal requirements binding upon the College. If you do not provide such information, Union College will not be able to process such contracts or comply with such legal requirements, and you will not be eligible to receive the benefits that may result from the processing of such contracts, or compliance with such requirements. For example, if you do not provide personal data needed to process an admission, financial aid, student housing application or agreement, you will not be admitted to the College, awarded financial aid, or allowed to live in student housing. Similarly, if you do not provide legally required information needed to process a visa, or as part of a legally required background check process related to a job or internship position, your visa will not be approved and you will not be eligible for such job or internship.

You Have The Right to Know If Union College Uses Your Personal Data In Automated Decision-Making, Including Profiling

The GDPR limits Union College’s right to use your personal data for predictive purposes as part of an automated decision-making process, including profiling. Such a process uses your personal data, such as preferences, interests, behavior, locations, and personal movement, to make an analytically-determined decision, instead of a personalized, individual decision. The GDPR limitation does not apply when such automated decision-making is necessary for the performance of a contract to which you are, or will be, a party. Union College does not intend to use personal data in an automated decision-making process, except in the context of such a contract. However, if it does, it will seek your consent for such use.

Information Security

All personal data and special categories of sensitive personal data collected or processed by Union College under the scope of this Policy must comply with the security controls and systems and process requirements and standards as set forth in the Union College Data Classification and Handling Policy found at:

https://www.union.edu/information-technology-services/policies/data-classification-policy

[1] We would like to acknowledge and thank Loyola University for being able to base parts of our GDPR Privacy Policy on its policy on GDPR Privacy.