Purposes and Legal Bases for Processing Personal Data.
- SPU collects and processes personal data from individuals as necessary in the exercise of SPU’s legitimate interests, functions, and responsibilities as a private, non-profit institution of higher education. SPU will only process your personal data for lawful purposes under the GDPR related to the university’s charitable, educational, and scientific purposes and arising from your relationship with the university as a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or an employee, contractor, donor, supporter, research subject, visitor to the university or its website, or attendee at a university event.
- SPU will ordinarily collect and process your personal data because it is necessary for the performance of a contract to which you are a party or because the university has another legitimate interest in doing so. SPU may also process data as necessary for compliance with a legal obligation to which SPU, as controller of the data, is subject. SPU may also seek your prior consent for processing your personal data (if, for example, SPU cannot rely on any legal grounds listed previously).
- The purposes for which SPU collects personal data are summarized below:
- Student Admissions
- Staff and Faculty Employment
- Student Employment
- Managing Student Accounts, Payroll Accounts, and Benefits Accounts
- Managing Expenses, Purchasing, and Reimbursements
- Administering Grant, Scholarship, and Financial Aid Programs
- Class Registration, Enrollment, and Education Records (Including Study Abroad)
- Evaluating Academic Performance and Granting Degrees
- Evaluating Faculty and Staff Performance
- Issuing and Use of University Identification Cards and Payment Cards
- Operating Dining Halls and Other Food Service Facilities
- Providing Student Housing and Employee Housing
- Providing Student Support Services
- Providing Academic Advising
- Campus Security Measures
- Complaint and Grievance Procedures
- Offering Access to University Information Services
- Assisting with Clinical, Internship, and Job Placement
- Athletics, Musical, Theatrical, and Other Tickets
- Recruitment and University Marketing
- Alumni and Advancement Communications
- Insurance Claim Processing
- Complying with Legal Obligations
- Maintenance of Accreditation
- Analyzing and Improving Education Programs
- Financial Auditing
Data Collected from Third Parties
In certain instances, SPU (in its capacity as a controller) may acquire your personal data from a third party, and not directly from you. If this occurs, then within a reasonable period of time, but not later than the earlier to occur of (i) the first time SPU communicates with you, and (ii) one month after SPU acquires such personal data, SPU will advise you of the categories of personal data collected, the source from which SPU acquired such personal data, and certain additional information required under GDPR Article 14.
Categories of Recipients Who May Receive Your Personal Data
- The specific categories of recipients who will receive your information depend on whether you are a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or a contractor, donor, supporter, or research subject, or have some other status, and the types of personal data that you provide.
- The categories of recipients are likely to include one or more of the following:
- As to the data collection activities described in section 4, responsible faculty and staff involved in such activities may receive your personal data. Such persons will generally be located in Seattle, Washington.
- Personal data required by federal departments and agencies may be shared with employees of the federal government and their agencies, which may include personnel in the United States Department of Education, the Department of Justice (Office of Civil Rights), the Department of Treasury (Internal Revenue Service), the Department of Homeland Security, and their respective divisions. Such persons will generally be located in Washington, D.C., or Seattle, Washington.
- Personal data required by State of Washington departments and agencies may be shared with employees of the State of Washington, which may include personnel in the Washington Student Achievement Council, the Washington Office of Financial Management, the Washington Department of Revenue, the Washington Attorney General’s Office, and their respective divisions, agencies, and offices. Such persons will generally be located in Seattle, Washington, or Olympia, Washington.
- Third parties who underwrite, administer, or provide services related to the university’s health insurance, benefits, and pension and retirement programs may receive your personal data.
- Lenders and other third parties who assist in originating, monitoring, and collecting student loans, scholarships, and other financial aid programs, may receive your personal data.
- Third party processors who host and process information in the “cloud” on servers located in the United States may receive your personal data.
- SPU may share information with third parties who have entered into contracts with SPU to perform functions on behalf of SPU.
- In an emergency situation, SPU may share information with emergency service providers or others as needed to address the emergency.
Transfer of Personal Data to the United States
Information created in the EU or in an EAA member state will be transferred to SPU in the United States.
The GDPR requires that your personal data be kept no longer than necessary. The applicable time period will depend on the nature of such personal data and will also be determined by legal requirements imposed under applicable laws and regulations
Rights under GDPR
Articles 15-21 of the GDPR give you the right to control your personal data by directing SPU, as controller, to do one or more of the following, subject to certain conditions and limitations:
- allow you to access your personal data to see what information the university has collected concerning you;
- correct (rectify) any inaccuracy in your personal data;
- delete (erase) your personal data, unless SPU can demonstrate that retention is necessary or that SPU has other overriding legitimate grounds for retention;
- restrict the processing of your personal data;
- transfer your personal data to a third party (portability); and
- upon your objection, stop processing personal data when SPU is relying on a legitimate interest basis for processing such data unless SPU can demonstrate compelling legitimate grounds for processing that override your interests in prohibiting such processing.
If SPU obtains your written consent to collect and process your personal data, you can subsequently withdraw such consent as to any further processing of such data by contacting GDPR@spu.edu.
Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
Data Provision Voluntary
SPU will sometimes ask you to provide information necessary to perform contracts to which you are a party, or to satisfy certain legal requirements binding upon the university. If you do not provide such information, SPU will not be able to process such contracts or comply with such legal requirements, and you will not be eligible to receive the benefits that may result from the processing of such contracts, or compliance with such requirements.
The GDPR limits SPU’s right to use your personal data for predictive purposes as part of an automated decision-making process, including profiling. Such a process uses your personal data, such as preferences, interests, behavior, locations, and personal movement, to make an analytically-determined decision, instead of a personalized, individual decision. The GDPR limitation does not apply when such automated decision-making is necessary for the performance of a contract to which you are, or will be, a party. If SPU plans to use your personal data in an automated decision-making process, it will seek your consent for such use.
We implement appropriate technical and organizational security measures to protect your information when you transmit it to us and when we store it on our information technology systems.
If you believe your privacy rights under the GDPR have been violated, the GDPR gives you the rights and remedies set forth in GDPR Articles 77-82. These include the right to file a complaint with a supervisory authority.
SPU may update or change this policy at any time in its discretion.
Related Policies and Procedures