Appendix B to the Weber State University GDPR Notice

Retention, Rights, and Contact Information

 

1. How Long Do We Keep Your Personal Information?

We keep your Personal Information as required by law or our policies to perform our legitimate interests, contracts, and substantial public interests. Many of our record retention schedules can be found at the Utah Division of Archives and Record Services’ website. Here is a direct link to our retention schedules: https://axaemarchives.utah.gov/cgi-bin/appxretcget.cgi?WEBINPUT_RUNWHAT=HTML_SERIES_LIST_OPEN&WEBINPUT_AGENCY_KEY=1334&A=B

Here is a direct link to the retention schedules for the State of Utah, which apply if our own retention schedules do not cover the type of record: https://axaemarchives.utah.gov/solr/axaem/EntityGRSItem.

2. What Are Your Rights Under the GDPR?

As a Data Subject pursuant to the GDPR, you have certain rights.  This GDPR Privacy Notice summarizes what these rights under the GDPR involve and how you can exercise these rights.  More detail about each right, including exceptions and limitations, can be found in Articles 15-21 and 77 of the GDPR.

Please note:   Nothing in this GDPR Privacy Notice is intended by WSU to waive sovereign immunity or any other defenses or immunities afforded by any or all U.S. federal law, Utah state law, and EU law.

The Right of Access

You have the right to request that we confirm whether we are processing your Personal Information.  If we are processing your Personal Information, you have the right to access that Personal Information. Upon request, we will provide you with a copy of that Personal Information unless prevented by applicable law.

The Right of Correction 

You have the right to request that we correct any inaccurate Personal Information that we maintain about you.  You also have the right to request that we complete any incomplete Personal Information that we maintain about you, which could be accomplished by incorporating a supplementary statement that you submit to us.  If we agree that the Personal Information is incorrect or incomplete, we will timely correct or complete it. 

The Right to Erasure

You have the right to request the erasure of Personal Information that we maintain about you in certain circumstances.  These circumstances are identified in Article 17 of the GDPR and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.

We will consider applicable U.S., state, and EU law and our policies to determine whether the Personal Information is necessary for purposes for which it was collected. If our retention of your Personal Information is no longer necessary, we will comply with your request and will take reasonable steps to inform any other individuals and organizations with whom the Personal Information was shared.

The Right to Restrict Processing of Personal Information

You have the right to request that we restrict the processing of your Personal Information where one of the reasons identified in Article 18 of the GDPR applies. These reasons include that the Personal Information is inaccurate, the processing is unlawful, or we no longer need the Personal Information.

If we grant your request to restrict processing, we will only process that Personal Information with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable U.S., state, or EU law.

The Right to Data Portability

Where the basis for processing is either consent or performance of a contract between you and us, and where the processing is carried out by automated means, you have the right to receive your Personal Information that you have provided to us. We will provide the Personal Information in a structured, commonly used, and machine-readable format.  Where technically feasible and upon your request, we will transmit the Personal Information directly to another entity. 

The Right to Withdraw Consent

If the basis for processing your Personal Information is consent, you may revoke your consent at any time.  Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, we will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims.  Revoking consent does not affect the lawfulness of processing that occurred before the revocation.

The Right to Object to Processing

In certain situations, you may have the right to object to processing of your Personal Information:

  • Public Interest or Legitimate Interests. If the basis for processing your Personal Information is public interest or legitimate interests, you have the right to object to processing the Personal Information. We will cease processing unless we demonstrate overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.
  • Direct Marketing. If we are using your Personal Information for direct marketing purposes such as fundraising, you have the right to object at any time, and we will stop using your Personal Information for that purpose.

The Right to File a Complaint

You have the right to submit a complaint with an EU supervisory authority, in particular the one in the EU Member State of your habitual residence, place of work, or place of the alleged violation, if you believe that our processing of your Personal Information violates the GDPR. For more information on the process for submitting a complaint, consult the relevant EU supervisory authority: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

3. How to Exercise Your Rights

In order to exercise any of these rights, except the right to file a complaint with an EU supervisory authority, you should submit your request to us by:

  • Email: security@weber.edu
  • Telephone: 801-626-6982
  • Address:
    Weber State University
    Information Security Office
    1465 Edvalson Dept. 2405
    Ogden, UT 84408-2405

At that time, you will be asked to:

  • Identify yourself
  • Provide information to support that the GDPR applies to you (see Section 2, above)
  • Identify the specific information or data that you are concerned about 
  • State what right(s) you wish to exercise

To expedite processing your request, please identify the data collection location (e.g., the website where your Personal Information was collected), if known.

4. How Do We Respond to Requests for Personal Information?

In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, or University policy. When you submit a request to us to exercise your rights, we will respond in accordance with our existing policies and procedures that implement the relevant privacy law(s). These include, but are not limited to, policies pertaining to student education records and policies pertaining to certain health records that we maintain.

5. Transfer of Personal Information outside the EU

We are based in the U.S. and are subject to U.S. and Utah law.  The Personal Information that you provide to us will generally be hosted on U.S. servers.  If we transfer your information either (a) from the EU to the U.S. or another country or (b) from the U.S. to another country, we will do so on the basis of one of the following: 

  • An “adequacy decision” by the European Commission; 
  • EU-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting us as set forth in Section 12; 
  • Your explicit and informed consent, understanding that though the appropriate safeguards under EU standards have not technically been met, reasonable measures have been taken to decrease the risk of unauthorized access;
  • It is necessary for the performance of a contract or the implementation of pre-contractual measures with us, in which case we will inform you of the intent to transfer the Personal Information;
  • It is necessary for the performance of a contract that is in your interest between us and another individual or organization;
  • It is necessary for us to carry out our public interest mission;
  • It is necessary for the establishment, exercise, or defense of a legal claim; or
  • It is necessary to protect your vital interests or the vital interests of another individual where you or the other person are incapable of giving legal consent.  

Please note that the U.S. is not currently considered a safe harbor country under the GDPR. 

6. How Do I Contact the Data Controller?

We are the data controller. If you have any questions about anything contained in this GDPR Privacy Notice, please contact us in one of the following ways:

  • Email: security@weber.edu
  • Telephone: 801-626-6982
  • Address:
    Weber State University
    Information Security Office
    1465 Edvalson Dept. 2405
    Ogden, UT 84408-2405

7. GDPR

If you are interested in reviewing an English version of the GDPR, please see http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.

Updated 5/24/18