You are here:

GDPR Privacy Notice

1. Purpose

The University of Utah (the “University”) is committed to respecting and protecting the privacy rights of persons in the EEA, comprised of the European Union (“EU”) and the countries of Iceland, Norway, and Lichtenstein, pursuant to the EU General Data Protection Regulation (“GDPR”). This GDPR Privacy Notice describes the University’s commitment to the privacy of persons in the EEA, and supplements the University’s Privacy Statement for certain persons in the European Economic Area (“EEA”).

2. Does This GDPR Privacy Notice Apply to Me?

This GDPR Privacy Notice applies to you if:

  • You are a “Person” or “Data Subject”—meaning a natural person, not a corporation, partnership, or other legal entity—who is physically present in the EEA;
  • It is with respect to your “Personal Information”—meaning any information relating to an identified or identifiable person—that is provided while you are physically present in the EEA;
  • Such Personal Information is not earlier or later provided to the University while you are outside the EEA; and
  • Such Personal Information is provided to the University:
    • During the course of the University offering you goods or services;
    • While the University is monitoring your behavior or health;
    • While you are associated with any of the University’s programs;
    • While you are participating in clinical research programs; or
    • While you are receiving health treatment.

Please note that information pertaining to current, former, or prospective employment with the University in the United States is not considered “Personal Information” and is excluded from this GDPR Privacy Notice.

3. What Personal Information Does the University Process?

A. General Categories

Depending on the specific purpose for processing Personal Information, the University may process the following general categories of Personal Information:

  • Names
  • Addresses
  • Telephone numbers
  • Email addresses
  • Identification numbers including but not limited to social security numbers and driver’s license numbers
  • University identification numbers
  • Personal identification numbers
  • Usernames
  • Passwords
  • Demographic information, including residential information
  • Education history
  • Entrance exam scores
  • Background check information, including criminal records
  • Personal references
  • Emergency contact information
  • Financial information and family financial information including credit and debit-card numbers, tax information, financial aid information, and insurance and benefits information
  • Transaction history
  • Business information
  • Passport and visa information
  • Work history
  • Donation history
  • Insurance information
  • Military service
  • IP addresses
  • Location information
  • Device information
  • Metadata
  • Education records including but not limited to coursework, correspondence, evaluations, disciplinary complaints, and other records, and files maintained by the University as part of the educational process
  • Any requests for accommodations or leave
  • Medical history and treatment information
  • Family medical history information
  • Disability information
  • Biometric and genetic information
  • Photographs

B. Special Categories

In order to fulfill certain of the purposes identified in the table below, the University may need to request special categories of Personal Information—information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health or treatment; or data concerning a natural person’s sex life or sexual orientation.  

Before the University processes your special-category Personal Information or your criminal-conviction Personal Information, if any, the University will ask for your affirmative consent unless the University has another legal basis for the processing, in which case the University will inform you of that basis.

 4. Why the University Processes Your Personal Information

The University requires Personal Information only when necessary. The table below describes the purposes for which the University processes your personal data and the legal basis for the processing.

Purpose of Processing

Legal Basis

As part of the admissions process, we collect applicant Personal Information to evaluate applications. We also may obtain Personal Information from third parties, such as other schools, references, family members, and education as part of an application package.

Legitimate Interest: Personal Information collected through the application is necessary to evaluate candidates for admissions and for our internal statistical and analytics purposes.

Contract: Personal Information collected through the University application is necessary for the performance of a contract to provide you education services or to take steps at your request prior to entering into a contract to provide you education services.

 

To support course registration

Legitimate Interest: Personal Information collected for matriculated students, staff, faculty and members of the public, as appropriate for the course, to register in courses or classes

Contract: Personal Information collected through course-registration sites is necessary for the performance of a contract to provide you education services.

To evaluate and determine whether financial aid opportunities are available to an applicant

Legitimate Interest: Personal Information collected through the financial aid application is necessary to evaluate whether the applicant is eligible to receive financial aid and for our internal statistical and analytics purposes.

Contract: Personal Information collected through the financial aid application is necessary for the performance of a contract to provide you financial aid or to take steps at your request prior to entering into a contract to provide you financial aid.

To facilitate housing for individuals studying or participating in programs at or through the University

Legitimate Interest: Personal Information will be collected to facilitate housing.

Contract: Personal Information will be collected to perform on a contract or to take steps at your request.

To provide training and educational programs

Legitimate Interest: To facilitate provision of on-line education courses to matriculated students, staff, faculty and members of the public, as appropriate for the course

Contract: Personal Information collected through the application is necessary for the performance of a contract to provide you education services or to take steps at your request prior to entering into a contract to provide you education services.

To facilitate application for and sponsoring of visas to study, work, and/or research at the University, including all functions necessary to comply with applicable immigration laws

Legitimate Interest: To facilitate employment, research, and study opportunities and comply with relevant laws

Contract: Personal Information will be collected to perform on a contract or to take steps at your request.

To process employment applications and independent-contractor information

Legitimate Interest: For individuals interested in employment opportunities, processing applications

To receive donations

Legitimate Interest: To collect and process donations/gifts and donor information

To purchase tickets to events

Contract: To process ticket payment for a variety of events

For event registration

Legitimate Interest: To process registration for sports, cultural, educational and other events

To purchase parking passes and permits

Contract: To facilitate payments for parking passes and permits

To submit requests for services (e.g., IT, help desk, help line, etc.)

Legitimate Interest: To process service requests from students, staff and faculty

 

Contract: If there is a contract that governs your use of such services, Personal Information is processed pursuant to that contract.

Travel arrangements

Legitimate Interest: To facilitate travel arrangements and coordination for students and affiliated travelers through University programs

 

Contract: If there is a contract that governs your use of travel sites, Personal Information is processed pursuant to that contract.

Emergency situations

Vital Interest: Our processing of your Personal Information to protect an interest that is essential to your life or the life of someone else

To stay connected with University alumni

Legitimate interest: To maintain strong relationships with University alumni and for communicating unsolicited non-commercial messages.

To provide treatment and health services

Legitimate interest: Our processing of your Personal Information for the purposes of preventative or occupational medicine, for assessing the working capacity of an employee, for medical diagnosis, for providing health or social care or treatment, or for managing health or social care systems and services on the basis of United States and state laws

Contract: If there is a contract that governs the terms of treatment, Personal Information is processed pursuant to that contract.

To protect vital interests when the subject is incapable of providing consent

Legitimate interest: Our processing Personal Information, such as health related personal information, when necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent 

Information made public by you

Legitimate interest: Our processing of data made public by you for purposes of processing admissions, sponsoring of visas, processing applications for employment, responding to emergency situations, providing treatment and health services, protecting vital interests when the subject is incapable of consent, as necessary for judicial proceedings, as necessary for public health, or for other reasons that are described when you are asked to provide the data.

Judicial proceeding

Legitimate interest: Our processing that is necessary for the establishment, exercise, or defense of legal claims or where courts are acting in their judicial capacity

Public interest and as required by law

Legitimate interest: Our processing Personal Information necessary for reasons of substantial public interest on the basis of United States or state laws that is proportionate to the aim pursued and which contains appropriate safeguarding measures

Public health

Legitimate interest: Our processing Personal Information that is necessary for public interest reasons in the area of public health, including protection against threats to health or ensuring high standard of quality and safety of health care, medicinal products, or medical devices

Research

Legitimate interest: Our processing Personal Information for scientific and historical research purposes or statistical purposes

 

5. How Does the University Receive Your Personal Information? 

  1. From Third Parties:
    The University may also receive your Personal Information from third parties. Examples include college entrance exam scores received from testing agencies, and online course registration information received from third parties that administer online courses. The University also may receive information from other individuals or institutions who provide treatment and services, from public health services, from law enforcement, and from other clinical researchers, as well as from those who process the information provided on behalf of these entities.
  2. From You, the Data Subject:
    The University may receive your Personal Information when you visit the University’s websites, apply for or attend classes or programs, apply for or take online courses, travel with the University to a location in the EEA, attend events sponsored by the University in the EEA, participate in clinical research, voluntarily or involuntarily receive medical treatment or services, or otherwise interact with the University in the EEA.

6. Who Processes Your Personal Information?

  1. University Personnel:
    Your Personal Information may be processed by University trustees and employees, including faculty, researchers, medical professionals, financial-aid counselors, human-resources professionals, law-enforcement officers, and others, as may be necessary to carry out the purposes for processing the information and University activities.
  2. University Related Organizations:
    The University may share your Personal Information with the University’s related organizations.
  3. Third Parties:
    The University may share your Personal Information with third parties, such as: educational-platform providers and course partners to further the purposes for processing the information and University activities; U.S. and foreign government entities to fulfill regulatory obligations (e.g., visa processing or public health or legal processing) and to facilitate access to funding sources (e.g., financial aid); partner institutions to facilitate study abroad activities; and vendors to provide services related to your affiliation with the University (e.g., print diplomas, arrange housing) and to improve the University’s outreach efforts.   

    The University may disclose your Personal Information to legal or governmental regulatory authorities as required by applicable law. We may also disclose your Personal Information to third parties as required by applicable law in connection with claims, disputes, or litigation, when otherwise required by applicable law, if we determine disclosure is necessary to protect the health and safety of you or us, to enforce our legal rights, or to enforce contractual commitments that you have made.

The University may share your Personal Information with third parties who complete transactions or perform services on our behalf or for your benefit, including functions related to payment and operation, legal processes, benefits assistance, and for quality control purposes. The University also may share your information with other entities or individuals as described in the University of Utah Health’s Notice of Privacy Practices: http://uofuhealth.utah.edu/privacy-office/docs/notice-of-privacy-practices-english.pdf.  

Please note that the University may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this GDPR Privacy Notice.

7. How Long Does the University Keep Your Personal Information?

The University keeps your Personal Information as required by law or our policies to perform our legitimate interests, contracts, and substantial public interests. Many of our record retention schedules can be found at the Utah Division of Archives and Record Services’ website.

Here is a direct link to the retention schedules for the State of Utah which apply if we do not have a retention schedule for the type of records in our retention schedules https://axaemarchives.utah.gov/solr/axaem/EntityGRSItem

8. What Are Your Rights as a Data Subject?

As a Data Subject pursuant to the GDPR, you have certain rights.  This GDPR Privacy Notice summarizes what these rights under the GDPR involve and how you can exercise these rights.  More detail about each right, including exceptions and limitations, can be found in Articles 15-21 and 77 of the GDPR.

Please note:   Nothing in this GDPR Privacy Notice is intended by the University to waive sovereign immunity or any other defenses or immunities afforded by any or all U.S. federal law, Utah state law, other applicable state law in the United States, and EU law.

The Right of Access

You have the right to request that the University confirm whether it is processing your Personal Information.  If the University is processing your Personal Information, you have the right to access that Personal Information, and the University will provide you with a copy of that Personal Information unless prevented by applicable law.

The Right of Correction

You have the right to request that the University correct any inaccurate Personal Information that it maintains about you.  You also have the right to request that the University complete any incomplete Personal Information that it maintains about you, which could be accomplished by incorporating a supplementary statement that you submit.  If the University concurs that the Personal Information is incorrect or incomplete, the University will promptly correct or complete it.  

The Right to Erasure

You have the right to request the erasure of Personal Information that the University maintains about you in certain circumstances.  These circumstances are identified in Article 17 of the GDPR and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.

Subject to applicable U.S., state, and EU law, and University policies, including but not limited to its Privacy Statement, and provided that there are no overriding legitimate grounds for the University to retain the Personal Information, the University will comply with the request and will take reasonable steps to inform any third parties with whom the Personal Information was shared.

The Right to Restrict Processing of Personal Information

You have the right to request that the University restrict the processing of your Personal Information where one of the reasons identified in Article 18 of the GDPR apply.  These reasons include that the Personal Information is inaccurate, the processing is unlawful, or the University no longer needs the Personal Information.

If the University grants your request to restrict processing, the University will only process that Personal Information with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable U.S., state, or EU law.

The Right to Data Portability

Where the basis for processing is either consent or performance of a contract between you and the University, and where the processing is carried out by automated means, you have the right to receive your Personal Information that you have provided to the University. The University will provide the Personal Information in a structured, commonly used, and machine-readable format.  Where technically feasible and upon your request, the University will transmit the Personal Information directly to another entity. 

The Right to Withdraw Consent

If the basis for processing your Personal Information is consent, you may revoke your consent at any time.  Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, the University will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims.  Revoking consent does not affect the lawfulness of processing that occurred before the revocation.

The Right to Object to Processing

In certain situations, you may have the right to object to processing of your Personal Information

  • Public Interest or Legitimate InterestsIf the basis for processing your Personal Information is public interest or legitimate interests, you have the right to object to processing the Personal Information. The University will cease processing unless it demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.
  • Direct MarketingIf the University is using your Personal Information for direct marketing purposes such as fundraising, you have the right to object at any time, and the University will stop using your Personal Information for that purpose.

The Right to File a Complaint

You have the right to submit a complaint with an EU supervisory authority, in particular the one in the EU Member State of your habitual residence, place of work, or place of the alleged violation, if you believe that the University’s processing of your Personal Information violates the GDPR. 

For more information on the process for submitting a complaint, consult the relevant EU supervisory authority: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/ index_en.htm.

9. How to Exercise Your Rights

In order to exercise any of these rights, except the right to file a complaint with an EU supervisory authority, you should submit your request to the University’s Information Security Office:

Email: iso-grc@utah.edu

Telephone: 801-587-1925

Address: 

UIT Information Security Office

The University of Utah

102 S 200 E, Suite 110

Salt Lake City, UT 84111

At that time, you will be asked to:

  • Identify yourself
  • Provide information to support that the GDPR applies to you (see Section 2, above)
  • Identify the specific information or data that you are concerned about
  • State what right(s) you wish to exercise

To expedite processing your request, please identify the data-collection location (e.g., the website where your Personal Information was collected), if known.

10. How Does the University Respond to Requests for Personal Information?

In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, or University policy.  When you submit a request to the University to exercise your rights, it will respond in accordance with existing University policies and procedures that implement the relevant privacy law(s). These include, but are not limited to, policies pertaining to student education records and policies pertaining to certain health records that the University maintains. 

11. Existence of Automated Individual Decision-Making

The University may use automated decision-making, including profiling, to help identify prospective University supporters and its activities. The logic would take an all-factor approach to assessing a possible donor’s propensity to support the University and may result in a prospective donor being contacted to explore support opportunities.

You will not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performing a contract or unless you explicitly consent.

12. Transfer of Personal Information outside the EEA

The University is based in the U.S. and is subject to U.S. and Utah law.  Personal Information that you provide to the University will generally be hosted on U.S. servers.  To the extent that the University needs to transfer your information either (a) from the EEA to the U.S. or another country or (b) from the U.S. to another country, the University will do so on the basis of either (i) an “adequacy decision” by the European Commission; (ii) EU-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting the University as set forth in Section 9; (iii) your explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with the University, in which case the University will inform you of the intent to transfer the Personal Information.  Please note that the U.S. is not currently considered a safe harbor country under the GDPR. 

13. How Do I Contact the University, the Data Controller?

The University is the data controller.  If you have any questions about anything contained in this GDPR Privacy Notice, please contact the University’s Information Security Office:

Email: iso-grc@utah.edu

Telephone: 801-587-1925

Address: UIT Information Security Office

The University of Utah

102 S 200 E, Suite 110

Salt Lake City, UT 84111

14. GDPR

If you are interested in reviewing an English version of the GDPR, please see http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.

15. Updates to GDPR Privacy Notice

The University may update this GDPR Privacy Notice from time to time.  Any changes will become effective upon posting of the revised GDPR Privacy Notice.

 

Last Updated: 12/14/18