European Union General Data Protection Regulation (GDPR)
What is the GDPR?
The EU GDPR provides broad privacy protections to individuals physically located in the European Economic Area ("data subject(s)"). Under certain circumstances, the EU GDPR may apply to The University of Akron’s (the “University”) activities in the European Economic Area, for example, when a student attends a semester-long study abroad program in the European Economic Area.
When subject to the EU GDPR, the University must comply with the regulation's core privacy principles, which provide that personal data shall be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and kept up to date;
- Retained only as long as necessary; and
Personal data is defined very broadly under the EU GDPR, and consists of any information relating to an identified or identifiable person, including a person's name, identification number, location data, online identifier, or one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person.
Lawful Basis for Processing Personal Data
When subject to the EU GDPR, the University must have a lawful basis to process a data subject's personal data. Although there will be some instances where the processing of personal data will be pursuant to other lawful bases (e.g. processing necessary to protect the vital interests or safety of a data subject; processing related to legal action involving the university; etc.), the University likely will process personal data relying on one or more of the following lawful bases:
- Processing for the purposes of the legitimate interests pursued by the University or a third party;
- Processing when necessary for administering employment or social security benefits in accordance with applicable law or any applicable collective bargaining agreement, subject to the implementation of appropriate safeguards to prevent further unauthorized disclosure;
- Processing for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing with third party service providers under contract with the University to support the administration of University operations and policies;
- Processing for compliance with a legal obligation to which The University of Akron is subject;
- Processing with parties affiliated with the University for the purpose of contacting the data subject about goods, services, charitable giving or experiences that may be of interest to the data subject;
- Processing pursuant to the consent of a data subject for one or more specific purposes; and
- Processing de-identified or aggregate form data without limitation.
Types of Personal Data Processed
In order for the University to achieve its core mission, it is essential and necessary for the University to process personal data of its students, employees, applicants, research subjects, alumni, and others involved in the University's educational, research, and community programs. The University of Akron processes personal information for various lawful reasons, including, without limitation, academic admissions and enrollment; student registration; residence life; delivery of classroom, on-line, and study abroad education programs; administration and oversight of recreation programs, student organizations, and other various student affairs activities; distribution of grades, materials, and other communications by and among students, faculty, and staff; employment; applied research; program development and analysis; job hiring and employment; provision of medical services or health insurance; engagement with the community at-large; compliance with its internal policies, procedures, and guidelines, as well as all applicable federal, state, and local laws; and records retention.
Personal data processed by the University typically includes name, address, email, phone number, transcripts, work history, financial information, information for payroll, research subject information, medical and health information (for admissions, student health services, travel, etc.), and donations.
University Rules that apply to specific personal data include:
- Policies and Procedures for Student Records
- Information Technology Security and System Integrity Policy
- Customer Information Security Policy
- Social Security Number Use Policy
- Identity Theft Detection, Prevention and Mitigation Policy
- Policies and Procedures for Release, Privacy and Security of Selected Health Information
If a data subject refuses to provide personal data that is required by The University of Akron in connection with one of the University's lawful bases to collect such personal data, such refusal may make it impossible for the University to provide education, employment, research, or other requested services.
Where the University of Akron gets Personal Data
The University of Akron receives personal data from multiple sources, most often directly from the data subject or under the direction of the data subject who has provided it to a third party (e.g., application for admission to The University of Akron through use of the Common App).
Individual Rights of the Data Subject under the EU GDPR
Subject to all other applicable laws and regulations, including all laws of the United States of America and the State of Ohio (USA), data subjects have the following rights under the EU GDPR:
- To access the personal data we maintain about you;
- To be provided with information about how we process your personal data;
- To correct or modify your personal data;
- To have your personal data deleted;
- To object to or restrict how we process your personal data;
- To request your personal data to be transferred to a third party; and
- To file a complaint.
To exercise the above rights, student data subjects should contact the University's Registrar firstname.lastname@example.org. Applicants for employment as faculty may exercise these rights by contacting the Office of the Academic Affairs Provost's Manager, Ms. Laurel Rooks email@example.com. Applicants for employment as staff may contact Human Resources at firstname.lastname@example.org.
The University of Akron will consider and process a data subject's request within a reasonable period of time. Please be aware that under certain circumstances, the EU GDPR or other applicable law may limit a data subject's exercise of the above rights.
Security of Personal Data subject to the EU GDPR
The University of Akron will comply with all of its published data protection policies in the processing of a data subject's personal data.
The University of Akron keeps the data it collects for the time periods specified in its record retention policies.
The University of Akron is a large organization with many people sharing responsibility for the content of our website. Please help us respond to your comments and inquiries by sending them to the appropriate University department. If you have questions about this Privacy Statement, please email us at email@example.com.