GDPR Privacy Notice
Weber State University (from now on referred to as “we,” “us”, and “our”) are committed to respecting and protecting the privacy rights of persons (from now on referred to as “you” and “your”) while you are physically present in the European Economic Area (from now on referred to as the “EEA”). This commitment is in compliance with the EEA General Protection Regulation (from now on referred to as (“the GDPR”).
2. Does This GDPR Privacy Notice Apply to Me?
This policy applies to you if all of the following applies:
- You are a “Person” or “Data Subject” as defined by the GDPR—meaning a natural person and not a corporation, partnership, or legal entity within the meaning of the GDPR—and you are physically present in the EEA.
- We process—meaning collect, record, organize, structure, store, adapt, alter, retrieve, consult, use, disclose by transmission, disseminate, make available, align, combine, restrict, erase, or destroy—your Personal Information—meaning any information relating to an identified or identifiable Person through direct or indirect ways;
- Your Personal Information is provided to us while you are in the EEA (not earlier or later when you are outside the EEA); and
- Your Personal Information is provided to us when:
- We are offering goods or services to you in the EEA; or
- We are monitoring your behavior in the EEA.
Please note that information pertaining to current, former, or prospective employment with the University in the United States is not considered “Personal Information” and is excluded from this GDPR Privacy Notice.
3. What Personal Information Do We Process?
A. General Categories
Depending on the specific purpose for processing Personal Information, we may process the following general categories of Personal Information:
- Telephone numbers
- Email addresses
- Drug test
- Identification numbers including but not limited to social security numbers and driver’s license numbers
- WSU identification numbers
- Personal identification numbers
- Demographic information
- Education history and transcripts
- Entrance exam scores
- Background check information
- Personal references
- Emergency contact information
- Financial information including but not limited to credit and debit card numbers, tax information, and financial aid information
- Transaction history
- Business information
- Passport and visa information
- Work history
- Medical history
- Donation history
- Insurance information
- Military service
- IP addresses
- Location information
- Device information
- Education records including but not limited to coursework, correspondence, evaluations, disciplinary complaints, and other records, and files maintained by us as part of the educational process
- Any requests for accommodations or leave
- Other information to support our mission and legitimate purposes as a Utah public University, some types of which are set forth in the table in Appendix A
B. Special Categories
In order to fulfill certain of the purposes identified herein, we may need to request special categories of Personal Information—information revealing racial or ethnic origin, or data concerning health.
Though not routinely required, there might also be instances where we process special category data such as political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; and data concerning a natural person’s sex life or sexual orientation. In limited instances, we may ask for information about your criminal history, generally as part of applications for specific limited enrollment programs or for employment purposes, but generally do so once you have arrived at the University.
4. Why We Processes Your Personal Information
We process your Personal Information for a variety of reasons depending on your role and the activities you engage in at the University. Because some roles overlap other roles, review the chart in Appendix A below to see what types of Personal Information we may process that relates to you.
5. What Are Our Legal Bases For Processing Your Information?
- We process your personal information as permitted by the GDPR, including under the following legal bases:
- To Perform a Contract: Our processing of your Personal Information is necessary for us to perform a contract or to take steps at your request prior to enter into a contract relating to your employment and our provision of educational services and related programs and activities;
- Legitimate Interest: Our processing of your Personal Information is necessary for our legitimate interest in providing you employment and facilitating your assistance in helping us provide educational services and related programs and activities as part of our core mission as a Utah public university;
- Vital Interest: Our processing of your personal data is to protect an interest that is essential to your life or the life of someone else; or
- Legal Obligations: the processing is necessary to comply with the law of the EEA or a member state of the EEA.
Special Categories of Data. In general, we process special categories of data in order to fulfill a substantial public interest in providing educational services and related programs and activities to students, staff, faculty and the public. At times, the processing might be to protect an interest that is essential to your life or the life of someone else.
If we do not have another legal basis for processing your special category Personal Information or criminal conviction Personal Information, we will ask for your consent.
Consent. In very limited circumstances, usually only in instances where we are collecting special categories of Personal Information, we may rely upon the legal basis of consent. If we require your consent for any specific use of your Personal Information, we will collect it at the appropriate time. Your consent (and right to withdraw consent) may be specifically limited to only the particular information for which consent is needed.
Please note that by providing us with special categories of Personal Information which are unsolicited by us (such as in essays, assignments, etc.), you have consented to give us that information and you understand that we will treat that information the same as we treat other information that we gather in a similar manner.
6. How Do We Receive Your Personal Information?
A. From You, the Data Subject:
We may receive your Personal Information when you visit our websites (see General Privacy Notice), apply for or attend our classes or programs, apply for or take online courses with the University, work for or apply for employment with the University from a location in the EEA, attend events sponsored by the University, or otherwise interact with the University from the EEA.
B. From Third Parties:
We may receive your Personal Information when other individuals or organizations provide it to us. Some examples are given below:
For employment applicants or staff and faculty: Some examples of how we may receive your Personal Information from other individuals or organizations include from previous employers, educational or vocational programs you have attended, references, or companies or individuals with whom we have contracted to perform services in relation to your employment or our provision of educational services and programs.
For students and student applicants: Some examples of how we may receive your Personal Information from other individuals or organizations include college entrance exam scores received from testing agencies, college applications received from the Common Application, Inc., online course registration information received from third parties that administer online courses (e.g., Coursera, Inc.), data collected from other schools or the Utah System of Higher Education, or companies or individuals with whom we have contracted to perform services in relation to our provision of educational services and programs.
7. Who Processes Your Personal Information?
A. Our Personnel:
We may share your Personal Information internally with staff, faculty, researchers, or other agents of the University who been authorized to receive your Personal Information.
B. Our Related Organizations:
We may share your Personal Information with our related organization such as corporations, which we own (e.g. Weber State University Development Foundation, etc.).
C. Third Parties:
We may share your Personal Information with third parties, such as: U.S. and foreign government entities to fulfill statutory or regulatory obligations (e.g., visa processing); other entities to facilitate access to grant funding sources; partner institutions or companies to facilitate training or educational activities; and other vendors to provide services related to your affiliation with us.
Please note that we may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this GDPR Privacy Notice.
8. Existence of Automated Individual Decision-Making
We do not typically use automated individual decision-making tools related to providing services and experiences related to the provision of educational services and related programs and activities.
In general, you will not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performing a contract or unless you explicitly consent.
9. See Appendix B for information about retention, rights, and contact information.
10. Updates to GDPR Notice
We may update this notice from time to time. Any changes will become effective upon posting of the revised notice.
Please note: Nothing in this Notice is intended by us to waive sovereign immunity or any other defenses or immunities afforded by any or all U.S. federal law, Utah state law, and EEA law.