University of Illinois System

Supplemental Privacy Notice - PIPL


This University of Illinois Supplemental Privacy Notice - Personal Information Protection Law (“Supplemental Notice - PIPL”) supplements the University of Illinois System Privacy Statement for certain persons in the People's Republic of China ("PRC"). For the purposes of this Supplemental Notice - PIPL, "PRC" shall refer to the continental landmass under the direct control of the PRC, including the islands of Hainan Province and five major autonomous regions (e.g., Tibet, Inner Mongolia, Xinjiang, Ningxia and Guangxi), but excluding the Hong Kong Special Autonomous Region (SAR), Macao SAR and Taiwan.

1. Commitment to protecting privacy and transparency

The Board of Trustees of the University of Illinois (the “University”), by and through its academic, research, and administrative units, is committed to respecting and protecting the privacy rights of persons in the PRC consistent with the PRC’s Personal Information Protection Law (“PIPL”). 

This Supplemental Notice - PIPL describes the University’s commitment to the privacy of persons in the PRC. 

2. Does this Supplemental Notice - PIPL apply to you? 

This Supplemental Notice - PIPL applies to you if:

  • You are a Person or Data Subject, meaning a natural person, not a corporation, partnership, or other legal entity;

AND

  • The University handles your Personal Information inside the borders of the PRC.

OR

  • You are physically located in the PRC, and
  • The University handles your Personal Information outside the borders of the PRC in order to 1) provide you goods or services, 2) analyze or assess your activities, or 3) comply with other circumstances as provided by laws or administrative regulations.

"Personal Information" means any information relating to an identified or identifiable natural person, not including information after anonymization handling. For the purposes of PIPL, "anonymization" refers to the process of personal information undergoing handling to make it impossible to distinguish specific natural persons and impossible to restore.

If you are located outside the PRC and you provide your Personal Information to the University outside the PRC, this Supplemental Notice - PIPL does not apply to that information.

3. What Personal Information does the University process?

General categories

The University processes the following general categories of Personal Information: names; addresses; telephone numbers; email addresses; identification numbers including but not limited to social security numbers, Resident Identity Cards, driver’s license numbers, University identification numbers, and personal identification numbers (PINs); usernames; passwords; demographic information; education history and transcripts; entrance exam scores; background check information; personal references; financial information including but not limited to credit and debit card numbers, tax information, tax identification numbers (TINs), and financial aid information; transaction histories; business information; passport and visa information; work histories; medical histories; donation histories; insurance information; military service; IP addresses; location information; device information; metadata; education records including but not limited to coursework, correspondence, evaluations, disciplinary complaints, and other records, and files maintained by the University as part of the educational process; any requests for accommodations or leave; and other information to support the purposes set forth in Table 1, below.

The University requires Personal Information only when necessary. Table 1 identifies the purposes for which the University processes Personal Information and the legal basis for each purpose.

Sensitive Personal Information

In order to fulfill certain of the purposes identified in Table 1, the University may need to request Sensitive Personal Information. Sensitive Personal Information is a special type of Personal Information that, if leaked or used illegally, could cause harm to a person’s dignity or grave harm to personal or property security. Examples of Sensitive Personal Information include but are not limited to:

  • Biometric characteristics
  • Religious beliefs
  • Specially-designated status
  • Medical health-related information
  • Financial accounts
  • Individual location tracking
  • Personal Information concerning minors under the age of 14  

The University will only process Sensitive Personal Information when necessary for a specific purpose and will take strict protective measures to ensure the security of the information obtained. Before the University processes your Sensitive Personal Information, the University will ask for your separate consent.

Purposes for which the University processes Personal Information

 

4. How does the University receive your Personal Information?

From you

The University may receive your Personal Information when you visit University websites, apply for or attend University classes or programs, apply for or take online courses with the University, apply for financial aid or University housing, complete surveys or forms sponsored by the University, participate in University research studies, participate in work for the University at a location in the PRC, seek assistance from the University to further your education or your professional career, attend events sponsored by the University, or otherwise interact with the University.

From third parties

The University may receive your Personal Information from third parties. Examples include college entrance exam scores received from testing agencies; college applications received from organizations that provide university admissions applications (e.g., the Common Application, Inc.); online course registration information received from third parties that administer online courses (e.g., Coursera, Inc.); financial aid information from government agencies or commercial financial institutions; background information received from companies conducting export control screening or checks to support working with minors or employment with the University; and information received from the State of Illinois Representative Office in Shanghai, companies, and partner institutions abroad to facilitate study or work at the University by international students and scholars.

5. Who receives/processes your Personal Information?

University personnel

Your Personal Information may be processed by University trustees and employees, including faculty, researchers, medical professionals, financial aid counselors, human resources professionals, law enforcement officers, and others, as may be necessary to carry out the purposes for processing the information and the activities of the University.

University Related Organizations

The University may share your Personal Information with University Related Organizations, such as the University of Illinois Foundation and the University of Illinois Alumni Association. University Related Organizations are entities established for the purpose of assisting the University in the accomplishment of its educational objectives.

Third parties

The University may share your Personal Information with third parties, such as: educational platform providers and course partners to further the purposes for processing the information and the activities of the University; U.S. and foreign government entities to fulfill regulatory obligations (e.g., visa processing, tax and social security payments) and to facilitate access to funding sources (e.g., financial aid); partner institutions to facilitate study abroad and research activities; service providers to facilitate the full range of University functions (e.g., cloud storage, software); potential employers to assist with job placement; the State of Illinois Representative Office in Shanghai to facilitate study or work at the University by international students and scholars; and vendors to provide services related to your affiliation with the University (e.g., print diplomas, arrange housing) and to improve University outreach efforts.   

Please note that the University may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this Supplemental Notice - PIPL.

6. How long does the University keep your Personal Information?

The University retains Personal Information in accordance with applicable law. Records retention schedules for many types of University records can be found on the Records and Information Management records management webpage.

7. What are your rights as a Data Subject?

As a Data Subject pursuant to the PIPL, you have certain rights. This section of the Supplemental Notice - PIPL summarizes these rights and how you can exercise them. More detail about each right, including exceptions and limitations, can be found in Articles 15 and 44 through 50 of the PIPL.

Please note: Nothing in this Supplemental Notice - PIPL is intended by the University to waive sovereign immunity or any other defenses or immunities afforded by any or all U.S. federal laws, Illinois state laws, PRC law, or international law.

Right to know and make decisions

You have the right to know and make decisions about the processing of your Personal Information, and the right to limit or refuse the handling of your Personal Information by others, unless otherwise provided for by law.

If the purpose or method of processing your Personal Information or the type of Personal Information or who has access to your Personal Information changes, you will be notified and asked to re-consent to the change(s).

Right to consult or copy

You have the right to consult or copy your Personal Information, except when it is necessary for the University to maintain confidentiality or when otherwise provided for by applicable law. The University will respond to your requests to consult or copy your Personal Information in a timely manner.

Right to request transfer

You may request that the University transfer your Personal Information to another personal information handler. If the University is permitted to make the transfer under applicable law, the University will facilitate the transfer. 

Right to have inaccurate Personal Information corrected or supplemented

You have the right to request that the University correct any inaccurate Personal Information that it maintains about you. You also have the right to request that the University complete any incomplete Personal Information that it maintains about you, which could be accomplished by incorporating a supplementary statement that you submit. If the University concurs that the Personal Information is incorrect or incomplete, the University will correct or complete it in a timely manner. 

Right to request deletion

You have the right to request the deletion of Personal Information that the University maintains about you in certain circumstances. These circumstances are identified in Article 47 of the PIPL and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.

Subject to applicable U.S. federal and state law and University policies, including but not limited to the University of Illinois System Privacy Statement and University records retention schedules, and provided that there are no overriding legitimate grounds for the University to retain the Personal Information, the University will comply with deletion requests meeting the requirements of applicable law. For the avoidance of doubt, where deletion has been requested but is technically hard to realize, the University shall cease processing the Personal Information other than for storage and taking necessary security protective measures.

Right to have the rules of processing explained

You have the right to request that the University explain to you the Personal Information handling rules.

Right to withdraw consent

If the basis for processing your Personal Information is consent, you may revoke your consent at any time. Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, the University will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims or is otherwise permitted by applicable law. Revoking consent does not affect the lawfulness of processing that occurred before the revocation.

Your refusal to provide consent or your subsequent withdrawal of consent will not impact your ability to access University goods and/or services, to the extent such goods and/or services are applicable to you; provided however, it may prevent provision of University goods and services that are dependent on such a consent.

Right to file a lawsuit

If the University rejects your request to exercise your rights, you may file a lawsuit in a court of competent jurisdiction according to the law.

8. How to exercise your rights

In order to exercise any of your rights with the University, except the right to file a lawsuit in a court of competent jurisdiction, you should submit your request to the University of Illinois Ethics and Compliance Office:

Email: EthicsLine@uillinois.edu

Telephone: +1 866-758-2146

Address: University Ethics and Compliance Office
Human Resources Building, Room 20
One University Plaza, HRB 20
Springfield, IL 62703-5407
Attn: Privacy Compliance

At that time, you will be asked to: 1) identify yourself; 2) provide information to support that the PIPL applies to you (see Section 2, above); 3) identify the specific information or data that you are concerned about; and 4) state what right(s) you wish to exercise.

To expedite processing your request, please identify the data collection location (e.g., the website where your Personal Information was collected), if known.

In the event of a death, the next of kin of a deceased natural person may exercise the rights of an individual provided in this PIPL Supplement, such as the right of consulting, copying, correcting, and/or deleting Personal Information of the deceased as detailed above, except where the deceased natural person has arranged otherwise before his/her death.

If your request to exercise your rights under PIPL is rejected, the University will explain the reason.

9. How does the University respond to requests for Personal Information?

In addition to the rights provided by the PIPL, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, and University policy.  When you submit a request to the University to exercise your rights, the University will respond in accordance with existing University policies and procedures that implement the relevant privacy law(s). These include, but are not limited to, policies pertaining to student education records and policies pertaining to certain health records maintained by the University. 

10. Existence of automated individual decision-making

The University, in conjunction with University Related Organizations such as the University of Illinois Foundation, uses automated decision-making, including profiling, to help identify prospective supporters of the University and its activities. The logic takes an all-factor approach to assessing a possible donor’s propensity to support the University and may result in a prospective donor being contacted to explore support opportunities. For the purposes of the PIPL, “automated decision-making” refers to the activity of using computer programs to automatically analyze or assess personal behaviors, habits, interests, or hobbies, or financial, health, credit, or other status, and then to make decisions based on the analysis of such information.

You will not be subject to a decision having a major influence on your rights and interests based solely on automated processing, including profiling, unless you explicitly consent.

11. Transfer of Personal Information outside the PRC

Except for the University of Illinois Shanghai Office, the University is based in the U.S. and is subject to U.S. and Illinois law. Personal Information that you provide to the University will generally be hosted on U.S. servers. To the extent that the University needs to transfer your information either (a) from the PRC to the U.S. or another country or (b) from the U.S. to another country other than the PRC, the University will do so consistent with applicable law governing such transfers. To support such transfers, the University will generally enter into a contract containing certain standard terms to clearly establish the rights and responsibilities of the parties to the transfer.

In addition, to the extent the following information is not included in this Supplemental Notice - PIPL, the University will notify you of the name and contact information of the overseas recipient, the purpose of the transfer and method of processing, the type of Personal Information involved, and how you can exercise your rights. The University will also obtain your separate consent to the transfer unless such separate consent is not required by applicable law.

12. How do I contact the personal information handler?

The University is the personal information handler.  If you have any questions about anything contained in this Supplemental Notice - PIPL, please contact the University of Illinois Ethics and Compliance Office:

Email: EthicsLine@uillinois.edu

Telephone: +1 866-758-2146

Address: University Ethics and Compliance Office
Human Resources Building, Room 20
One University Plaza, HRB 20
Springfield, IL 62703-5407
Attn: Privacy Compliance

13. Updates to Supplemental Notice - PIPL

The University may update this Supplemental Notice - PIPL from time to time.  Any changes will become effective upon posting of the revised Supplemental Notice - PIPL.

Issued: 11/1/2021

Effective: 11/1/2021

Last revised: 2/23/2022
