GDPR Statement

Note: The European Union General Data Protection Regulation (EU GDPR) Privacy Notice will be updated periodically as EU GDPR is implemented, as member states finalize regulations, and as additional official guidance information becomes available.

Introduction

The University of Alabama (UA) is an institution of higher education involved in education, research, and community development. For UA to educate its students in person and online, engage in world-class research, and provide community services, it is essential and necessary that UA collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs.

The EU GDPR broadly applies to data about people who reside in the European Union or data about individuals when it is transferred from the EU. The EU GDPR limits when and how personal data can be collected, stored, processed, and used. It also provides these individuals with certain rights related to their personal data, including notice or consent, rights of access, and in some cases, requests for deletion. These same rights are codified in other international legislation, including the UK Data Protection Act.

UA may be a data “controller” or “processor” with regard to certain activities as defined under the EU GDPR. UA is committed to protecting the rights of individuals in compliance with the EU GDPR.

Definitions

Controller:
Controllers are responsible for decisions about the collection, use, and protection of personal data.

Personal data:
Under the EU GDPR, personal data is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is an actual person (not a corporation or other business entity) who can be identified, directly or indirectly, by reference to:

  • Any identifiers, such as name, ID numbers, location data, online identifier; or
  • Factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Processor:
Processors are responsible for processing, analyzing, storing, and deleting personal data on behalf of the controller.

Special Categories of Personal Data:
Any data that:

  • Reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
  • Are genetic data or biometric data sufficient to uniquely identify a natural person.
  • Concern a natural person’s sex life or sexual orientation.

Lawful Basis for Collecting and Processing of Personal Data

UA has a lawful basis to collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and public service programs. The lawful basis includes, without limitation: admission; registration; delivery of classroom, online, and study abroad education; grades; communications; employment; applied research; development; program analysis for improvements; and records retention.

Most of UA’s collection and processing of personal data will fall under the following categories:

  • Processing which is necessary for the purposes of the legitimate interests pursued by UA or third parties in providing education, employment, research and development, and public service.
  • Processing which is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
  • Processing which is necessary for compliance with a legal obligation to which UA is subject.
  • Processing for which the data subject has given consent for UA to use his or her personal data for one or more specific purposes.

There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases. This basis will be identified for each application.

Types of Personal Data Collected and How it Will be Used

UA collects a variety of personal data to meet one of its lawful bases, as referenced above. Most often the data is used for academic admissions, enrollment, educational programs, job hiring, provision of medical services, participation in research, development, and public service.

The information we hold about you may include the following:

  • Personal details such as name, title, address, telephone number, email address, marital status, nationality, date of birth, photograph, household income, parental status, details of dependents;
  • Emergency contact information;
  • National Insurance number (where you have voluntarily provided it);
  • Education and employment information (including the school(s), college(s), and other educational locations you have attended; places where you have worked; the courses you have completed; dates of study and examination results);
  • Other personal background information collected during the admissions process, e.g. your socioeconomic classification, and details of your parents’ occupation and education;
  • Examination records (including records relating to assessments of your work, details of examinations taken, and your predicted and actual examination grades);
  • Information captured in your student record, including progression, achievement of milestones and progression reports;
  • Visa, passport, and immigration information;
  • Fees and financial support record (including records relating to the fees paid, student loan information and financial support, scholarships, and sponsorship);
  • Supervision, teaching, and tutorial activities; and training needs analysis and skills acquisition records;
  • Placement and internship record or study at another institution as an established component of your course of studies, or career development opportunity;
  • Information about your engagement with University support services or University facilities;
  • Information about your use of library facilities, including borrowing and fines;
  • Information about disciplinary actions (including academic misconduct), dispensations from regulations, and about any appeals and complaints raised;
  • Attendance at University degree and award ceremonies and other on-campus events;
  • Information about your use of our information and communications systems, including CCTV and building access information;

We may also process the following "special categories" of more sensitive personal data:

  • Information about your sex and gender identity;
  • Information about your race or ethnicity and religious beliefs;
  • Information about your health, including any disability and/or medical condition;
  • Information about criminal convictions and offenses, including proceedings or allegations.

If you have specific questions regarding the collection and use of your personal data, please contact Compliance, Ethics and Regulatory Affairs (205-348-2334, cera@ua.edu).

Where UA Acquires Personal Data

UA receives personal data from multiple sources. Most often, UA acquires this data directly from the data subject or under the direction of the data subject who has provided it to a third party.

Rights of the Data Subject Under the EU GDPR

If you are an individual data subject under the EU GDPR, you may obtain the following information and exercise the following rights:

  • the identity and the contact details of the controller and, where applicable, the controller’s representative;
  • the contact details of UA’s GDPR Compliance Program;
  • an explanation of the purposes and legal basis/legitimate interests of the data collection/processing;
  • the identification of the recipients of the personal data;
  • notice if UA intends to transfer personal data to another country or international organization;
  • notice of the time period that the personal data will be stored;
  • the right to access personal data, rectify incorrect personal data, erase personal data, restrict or object to processing, and the right to data portability;
  • the right to withdraw consent at any time, if processing is based on consent;
  • the right to lodge a complaint with a supervisory authority (established in the EU);
  • an explanation of why the personal data are required, and possible consequences of the failure to provide the data;
  • notice of the existence of automated decision-making, including profiling; and
  • notice if the collected data are going to be further processed for a purpose other than that for which the information was collected.

Exercising these rights guarantees that you will be afforded a process; it does not guarantee an outcome.

Any data subject who wishes to exercise any of the above-mentioned rights may do so by submitting a Data Subject Access Request form or by contacting CERA at 205-348-2334 or privacy@ua.edu. Departments or individuals working at UA who receive a request from a data subject asking to exercise their rights via any other method of communication should complete an Internal Data Subject Access Request to allow for tracking and documentation of data subject requests.

Information We May Collect Automatically

  • IP Address and Other Identifiers: When you access and interact with our website or programs, UA and our third party providers may collect information about your visits in order to permit you to connect to and obtain the services and to understand the frequency with which specific visitors visit various parts of our site. For example, we may collect your Internet Protocol (“IP”) address, which identifies the computer or third party that you use to access our services, or information about your browser type, authentication identifiers, and other software and hardware information. If you access the UA website through a mobile or other device, we may collect your mobile device identifier, geolocation data (including your precise location), or other transactional information for that device. We may combine this information with other information that we have collected to make our services and our communications to you more targeted to your interests.
  • Social Media Information and Content: If you access or log in to our site through a social media service or connect a service to a social media service, the information we collect may also include your user ID and/or user name associated with that social media service, any information or content you have permitted the social media service to share with us, such as your profile picture, email address or friends lists, and any information you have made public in connection with that social media service. When you access our sites through social media services or when you connect a service to social media services, you are authorizing UA to collect, store, and use such information and content in accordance with this Privacy Statement and UA Privacy Policies.
  • Cookies and Other Tracking Technologies: Our services may also use cookies. Cookies are small text files that are stored on a user’s computer and allow websites to remember information about users. UA and our third parties use cookies for a variety of purposes in order to enhance the quality of our sites. We use transient (also called “session ID”) cookies to provide continuity from page to page. A session ID cookie expires when you close your browser. We also use persistent cookies. Persistent cookies allow your browser to be recognized when you return after your first visit to that part of our site. Cookies allow us to personalize your return visits to our site. You have the choice to set your browser to accept all cookies, reject all cookies, or notify you when a cookie is set. (Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences.) It is up to you whether to allow us to send you cookies. Please note that by blocking any or all cookies, you may not have access to certain features, content, or personalization available through our site.
  • Web beacons and other tracking technologies: The site may use other tracking tools, including so-called “pixel tags,” “web beacons,” “web bugs,” “clear GIFs,” etc. (collectively “Web Beacons”) to collect information about your activities on our site. These are small electronic images embedded in web content (including online ads) and email messages and are ordinarily not visible to users. Like cookies, web beacons enable us to track pages and content (including ads) accessed and viewed by users. Also, when we send HTML-formatted (as opposed to plain text) emails to you, web beacons may be embedded in such emails to allow us to monitor readership levels so that we can identify aggregate trends and individual usage to provide our audiences with more relevant content or offers. Web beacons in emails may recognize activities such as when an email was opened, how many times an email was forwarded, which links in the email were clicked on, etc. Web beacons cannot be declined when delivered via a regular web page. However, web beacons can be refused when delivered via email. If you do not wish to receive web beacons via email, you will need to disable HTML images or refuse HTML (select Text only) emails via your email software.
  • Third Party Tracking: Third parties that support UA by serving advertisements or providing services, such as allowing you to share content or tracking aggregate usage statistics of our site, may also use these technologies to collect similar information when you interact with our services (such as websites and emails). These third parties may also use these technologies, along with activity information they collect, to recognize you across the devices you use, such as a mobile device and a laptop or other computer. UA does not control these third-party technologies and their use is governed by the privacy policies of third parties using such technologies.

Information Contained in User Content

Some parts of our site may allow users to post or transmit messages, comments, screen names, computer files, and other materials. You should be careful about what personal information you choose to make public through these services.

Information from Other Sources

To the extent permitted by law, UA and our third party vendors may supplement the information we collect from and about you with information from other sources, such as publicly available information about your online and offline activity from social media services, commercially available sources, and information from other business partners.

Security of Personal Data Subject to the EU GDPR

UA is committed to ensuring the security of your information. We have put in place reasonable physical, technical, and administrative safeguards designed to prevent unauthorized access to or use of the information collected online. All personal data collected or processed by UA under the scope of the EU GDPR will comply with the security controls and systems and process requirements and standards as set forth by UA.

Sharing Your Information

UA will not share your information with third parties except as necessary to meet one of UA’s lawful purposes, including but not limited to:

  • legitimate interest;
  • contract compliance;
  • pursuant to consent provided by you;
  • as required by law;
  • as necessary to protect UA’s interests; or
  • with third parties acting on our behalf who have agreed to protect the confidentiality of the data.

Data Retention

Data collected by UA which falls under the purview of University Archives and Records Management is collected for the time periods specified by the current retention schedule, Public Universities of Alabama Functional Analysis & Records Disposition Authority Revision (RDA), 2017 edition.

Changes to this Privacy Notice

UA may, in its discretion, periodically update this EU GDPR Privacy Notice.

Additional Information

UA has an EU GDPR Compliance Program to support its requirements and to assist with questions or complaints. If you need assistance, would like to make a request, or file a complaint, contact Compliance, Ethics, and Regulatory Affairs at 205-348-2334, privacy@ua.edu.

For more information regarding the EU GDPR, please review the information available at UA General Data Protection Regulation Compliance. The most current versions of UA Privacy Policies are maintained in the UA Policy Library.