
 

II. The Type of Data Collected and the School's Purposes and Legal Bases to Process the Data

 

The School processes your personal data for the purpose of furthering its charitable, educational, and scientific missions and in connection with your relationship with the School as a prospective, current, or former student (or such student's parent or guardian), a faculty or staff member, or an employee, contractor, donor, supporter, research subject, visitor to the School or its website, or attendee at a School event.

 

The categories of personal data we process about you may include the following:

 

  • Identity data – includes name, aliases, date of birth, title, gender, and identification numbers
  • Contact data – includes mailing and email addresses, phone and fax numbers, and emergency contact information
  • Background data – includes historical information related to past employment, education, references, and other records
  • Financial data – includes information related to personal and family finances
  • Technical data – includes technical information related to your use and access of School websites, online applications and tools, such as internet protocol (IP) address, login data, and browser and operating system type and version
  • Profile data – includes usernames and passwords, profile pictures, interests, application preferences, and feedback
  • Marketing and Communication data – includes your preference in receiving marketing from the School and your communication preferences
  • Sensitive data – includes data defined as "sensitive data" in Section I of this Notice, including data related to racial or ethnic origin, health, sex life and sexual orientation

 

The School processes your personal data only when we have a legal basis to do so.  Most commonly, it is necessary for the School to process your personal data for the following legal bases recognized by the GDPR:

 

  • To take steps to enter a contract with you, or to perform a contract to which you are a party.
  • Where the School or a third party has a legitimate interest, and your interests and fundamental rights do not override those interests.
  • To protect the vital interests of health and safety of you or a third party.
  • To comply with a legal or regulatory obligation.

 

When the School cannot rely on any of these legal bases, or if it is necessary for the School to process your sensitive personal data, it will seek your prior consent. The purposes for which the School collects your personal data, and the legal bases for processing such personal data, are summarized in the chart below.  Where the School relies on a legitimate interest, it identifies the legitimate interests.  The School may have more than one legal basis to process your personal data depending on the specific purpose for which your personal data is used.

 

Data Processing Purpose & Uses

Category of Data Collected

Lawful Basis(es) for Processing

Recruiting and Marketing.  Data is processed to identify you; track inquiries and website activity; identify and recruit prospective students, faculty, and staff; and market the School's courses, programs, and services.
Category of Data Collected:
  • Identity
  • Contact
  • Technical
  • Profile
  • Marketing and Communication
Lawful Basis(es) for Processing:
  • Necessary to enter a contract
  • Necessary to pursue the School's legitimate interest in recruiting qualified students, faculty and staff to the School.
  • Prior consent

Application by candidate located in the EU for School or program admission.  Data is processed to identify you, administratively process your application for admission to the School or to a particular program (such as study abroad, certificate, or degree programs), verify information provided, evaluate your qualification for admission, and communicate the outcome to you. The data is also used to manage student accounts (including invoicing, processing payments and refunds, pursuing collection efforts if necessary); administer financial aid, grant and scholarship programs; manage student affairs and provide student support services (such as services for disability accommodations, advising, safety, and wellness); provide clinical, internship or job placement services; manage academic affairs and provide academic support services; and provide IT and technology services (such as School email accounts, learning management systems and applications, network and communication gateways, intranet sites, and data warehousing). The data may also be used to prevent or detect fraud, for disciplinary or academic integrity proceedings, to meet legal or regulatory reporting and compliance requirements, to evaluate the School's diversity and equal opportunity performance, and for research and statistical purposes.
Category of Data Collected:
  • Identity
  • Contact
  • Background
  • Financial
  • Technical
  • Profile
  • Marketing and Communication
  • Sensitive
Lawful Basis(es) for Processing:
  • Necessary to enter and/or perform a contract
  • Necessary to pursue the School's legitimate interest in furthering its charitable, educational, and scientific missions, and providing excellent and competitive educational services
  • Necessary to comply with legal or regulatory obligations
  • Necessary to protect the vital interest of you or another
  • Prior consent where sensitive data is collected

Register, Enroll and Participate in Programs and Courses while in the EU.  Data is processed to identify you; facilitate your participation in programs and courses; track attendance, course and program progress and completion; assign coursework; evaluate academic performance; administer tests; facilitate instruction; prepare educational records (such as transcripts and diplomas); and provide related services while you are in the EU such as transportation, lodging, health and safety, and insurance. The data is also used to manage student accounts (including invoicing, processing payments and refunds, pursuing collection efforts if necessary); administer financial aid, grant and scholarship programs; manage student affairs and provide student support services (such as services for disability accommodations, advising, safety, and wellness); provide clinical, internship or job placement services; manage academic affairs and provide academic support services; and provide IT and technology services (such as School email accounts, learning management systems and applications, network and communication gateways, intranet sites, and data warehousing). The data may also be used to prevent or detect fraud, for disciplinary or academic integrity proceedings, to meet legal or regulatory reporting and compliance requirements, to evaluate the School's diversity and equal opportunity performance, and for research and statistical purposes.
Category of Data Collected:
  • Identity
  • Contact
  • Background
  • Financial
  • Technical
  • Profile
  • Marketing and Communication
  • Sensitive
Lawful Basis(es) for Processing:
  • Necessary to enter and/or perform a contract
  • Necessary to pursue the School's legitimate interest in furthering its charitable, educational, and scientific missions, and providing excellent and competitive educational services
  • Necessary to comply with legal or regulatory obligations
  • Necessary to protect the vital interest of you or another
  • Prior consent where sensitive data is collected

Applications for employment in the EU.  Data is processed to identify you, administratively process your application, verify information provided, evaluate your employment qualifications, conduct background checks, and communicate the outcome to you. The data is also used to maintain personnel files; prepare and process performance evaluations; manage payroll; provide and administer employment benefits; manage employee relations; provide IT and technology services (such as School email accounts, network and communication gateways, intranet sites, and data warehousing); manage complaint, grievance, and disciplinary proceedings; prevent or detect fraud; meet legal or regulatory reporting and compliance requirements; evaluate the School's diversity and equal opportunity performance; and for research and statistical purposes.
Category of Data Collected:
  • Identity
  • Contact
  • Background
  • Financial
  • Technical
  • Profile
  • Marketing and Communication
  • Sensitive
Lawful Basis(es) for Processing:
  • Necessary to enter and/or perform a contract
  • Necessary to comply with legal or regulatory obligations
  • Necessary to protect the vital interest of you or another
  • Prior consent where sensitive data is collected

Complaint, Grievance, and Disciplinary Procedures for incidents arising in the EU.  Data is processed to identify you; administratively process complaints or grievances, or engage in disciplinary procedures; verify information provided; evaluate and investigate incidents; protect health and safety; communicate with you; communicate the outcome to appropriate parties; and provide information required by third parties to meet legal or regulatory reporting and compliance requirements.
Category of Data Collected:
  • Identity
  • Contact
  • Background
  • Profile
  • Sensitive
Lawful Basis(es) for Processing:
  • Necessary to perform a contract
  • Necessary to comply with legal or regulatory obligations
  • Necessary to protect the vital interest of you or another
  • Prior consent where sensitive data is collected

Offering Access to School Information and Technology Services to Persons in EU.  Data is processed to identify you; provide a School email account; allow students, faculty, staff, and alumni, and other authorized persons the right to access and use School licensed software, tools and applications; and store data.
Category of Data Collected:
  • Identity
  • Contact
  • Financial
  • Technical
  • Profile
  • Marketing and Communication
Lawful Basis(es) for Processing:
  • Necessary to enter and/or perform a contract
  • Necessary to comply with legal or regulatory obligations

Research Involving Personal Data of Persons in the EU.  Data may be processed to conduct educational, scientific, and other research and related statistical analysis. Terms and conditions of research projects are negotiated before acceptance to ensure ability to comply with applicable research grants, agreements, laws, rules, regulations and policies.
Category of Data Collected:
  • Varies depending on research.
Lawful Basis(es) for Processing:
  • Necessary to enter and/or perform a contract
  • Necessary to pursue the School's legitimate interest in carrying out research activities to advance knowledge and create applications that benefit society
  • Prior consent where sensitive data is collected

Alumni and donors in the EU.  Data is processed to identify you; communicate with and provide services to alumni and donors; and to seek and accept gifts and donations. The data may also be used for research and statistical purposes.
Category of Data Collected:
  • Identity
  • Contact
  • Background
  • Financial
  • Technical
  • Profile
  • Marketing and Communication
  • Sensitive
Lawful Basis(es) for Processing:
  • Necessary to enter and/or perform a contract
  • Necessary to pursue the School's legitimate interest in furthering its charitable, educational, and scientific missions, and providing excellent and competitive educational services
  • Prior consent where sensitive data is collected

Comply with Legal and Regulatory Obligations. Data is processed to comply with applicable laws and regulations, including, without limitation, the Internal Revenue Code, Title IV and Title IX, U.S. Department of Education laws and regulations, the Immigration and Naturalization Service, the Department of Homeland Security, and regional and national accreditation requirements and standards.
Category of Data Collected:
  • Identity
  • Contact
  • Background
  • Financial
  • Sensitive
Lawful Basis(es) for Processing:
  • Necessary to enter and/or perform a contract
  • Necessary to pursue the School's legitimate interest in furthering its charitable, educational, and scientific missions, and providing excellent and competitive educational services
  • Necessary to comply with legal or regulatory obligations
  • Necessary to protect the vital interest of you or another

 

If you have additional questions regarding the type of personal data collected about you, or the School's purpose or legal basis for processing your personal data, please contact the School at the contact provided below.

 

III. Other Recipients of Your Personal Data

 

We may share your personal data with other recipients in connection with the purposes and lawful bases stated in Section II of this Notice.  Categories of recipients who may receive your personal data may include the following:

 

  • School faculty and staff responsible for or involved in the activities described in the above chart.
  • Public safety authorities, such as local, state, federal or international law enforcement.
  • Health care providers, such as hospitals and clinics.
  • Security providers, such as private campus safety personnel.
  • Regional and national accreditors and professional licensing bodies.
  • Third parties who underwrite, administer, or provide services related to the School's programs or to individuals associated with the School, such as independent contractors, marketing services, event hosting, international service providers, payment processors, insurance and benefits providers and administrators, lenders and service providers who assist in student loans, scholarship and other financial aid programs.
  • Third parties to whom personal data is required to be communicated in order for the School to comply with legal obligations established by any and all applicable laws and regulations, such as local, state, federal or international legal, governmental and regulatory entities.
  • Third-party data processors who host and/or process information on behalf of the School.
  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

 

We require third parties to respect the security of your personal data and to treat it in accordance with applicable law.

 

IV. International Data Transfers

 

Personal data that you provide while in GDPR Countries will be transferred internationally to the School, which is located in the United States, and may be transferred to third parties in other countries in connection with the purposes and lawful bases stated in Section II of this Notice.  In the international transfer of your personal data, the School will employ suitable safeguards to protect the privacy and security of your personal data so that it is only used in a manner consistent with this Notice.

 

V. Data Security

 

The School, by design, has put in place appropriate security measures to protect personal data from unauthorized access, alteration, disclosure or destruction.  In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know, and who process your personal data at our direction.  Where there is a personal data breach, we will notify you and any applicable regulatory authority where we are legally required to do so.

 

VI. Data Retention

 

The School retains your personal data for as long as necessary to fulfill the purposes for which we collected it.  To determine the appropriate retention period for personal data, we consider the nature of the personal data, the purpose for which personal data is processed and retained, and the legal, accounting, reporting and regulatory requirements applicable to such data. Details of retention periods for different aspects of your personal data are available in our retention policy, which you can request from us by contacting the School at the contact provided below. In some circumstances we may anonymize your personal data (so that it can no longer be associated with you), in which case we may use this information indefinitely without further notice to you.

 

VII. Your Rights Regarding Your Personal Data

 

Under the GDPR, you have a number of rights regarding your personal data, subject to exceptions stated in the GDPR or its implementing regulations.  Specifically, you have the right to:
  • Request access to your personal data and receive a copy of the personal data that we hold about you.
  • Request correction of your personal data that we hold which is inaccurate or incomplete.
  • Request erasure of your personal data from our records.  Where it is necessary for the School to maintain the data for legal, accounting, reporting, or regulatory reasons, we may not be able to comply with your request and will notify you if that is the case.
  • Object to processing of your personal data where we are relying on a legitimate interest for processing such data, unless the School can demonstrate compelling legitimate grounds for processing that override your interest in prohibiting such processing.
  • Request restriction of processing your personal data under certain circumstances.
  • Request the transfer (portability) of your personal data to a third party.
  • Withdraw consent at any time where the School relies solely on the legal basis of consent to process your personal data.  If you withdraw consent, the withdrawal will not change the fact that your data has been processed legally up to that point.  If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  • File a complaint concerning your personal data with the applicable EU supervisory authority.  Supervisory authority contact information is available .

 

Nearly all of your rights are qualified in various ways and there are numerous exemptions.  For additional information about your rights, the full text of the GDPR is available at .

 

If you wish to exercise any of these rights, please contact the School at the contact provided below. The School strives to respond to all legitimate requests within one month.  It may take us longer than a month if your request is particularly complex or you have made a number of requests.  In this case, we will notify you and keep you updated.

 

VIII. Are You Obligated to Provide Personal Data?

 

Through this Notice, the School informs you that it may process your personal data in accordance with this Notice, and as permitted or required by law.  If you do not agree with this Notice, please do not provide any personal data to the School.

 

If you choose not to provide personal data that is necessary for the School to provide you with specific products or services, the School may not be able to provide those products or services to you.  For example, if you do not provide personal data needed to perform a contract for educational services with you, such as information necessary to process admissions, financial aid, or employment applications, you will not be admitted to the School, awarded financial aid, or employed by the School.

 

IX. Contact Information and Rights Requests

 

If you would like to contact the School in its capacity as a controller, including to ask questions about this Notice, the GDPR, and the personal data being processed by the School, or if you wish to exercise any of your rights under the GDPR or lodge a complaint involving a violation of this Notice or the GDPR, please contact:

 

Saybrook University
475 14th Street, 9th Floor
Oakland, CA 94612
[email protected]

 

Please note that the School is not a public authority or body.  Also, its core activities do not include the regular and systematic monitoring of data subjects on a large scale, nor processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.  For these reasons, the GDPR does not obligate the School to designate a data protection officer within the meaning of the GDPR.

 

Updated: 9/4/2018