Supplemental Privacy Notice 

This University of Illinois Supplemental Privacy Notice (“Supplemental Notice”) supplements the University of Illinois Web Privacy Notice for certain persons in the European Economic Area (“EEA”).

1. Commitment to protecting privacy and transparency

The Board of Trustees of the University of Illinois (the “University”), by and through its academic, research, and administrative units, is committed to respecting and protecting the privacy rights of persons in the EEA—comprised of the European Union (“EU”) and the countries of Iceland, Norway, and Liechtenstein—pursuant to the EU General Data Protection Regulation (“GDPR”). This Supplemental Notice describes the University’s commitment to the privacy of persons in the EEA.

2. Does this Supplemental Notice apply to me?

This Supplemental Notice applies to you if:

  • You are a “Person” or “Data Subject”—meaning a natural person, not a corporation, partnership, or other legal entity—who is physically present in the EEA;
  • It is with respect to your “Personal Information”—meaning any information relating to an identified or identifiable person—that is provided while you are physically present in the EEA;
  • Such Personal Information is not earlier or later provided to the University while you are outside the EEA; and
  • Such Personal Information is provided to the University:
    • During the course of the University offering you goods or services;
    • While the University is monitoring your behavior; or
    • While you are associated with any of the University’s establishments in the EEA.

Please note that information pertaining to current, former, or prospective employment with the University in the United States is not considered “Personal Information” and is excluded from this Supplemental Notice.

3. What Personal Information does the University process?

General categories

The University processes the following general categories of Personal Information: names; addresses; telephone numbers; email addresses; identification numbers including but not limited to social security numbers, driver’s license numbers, University identification numbers, and personal identification numbers (PINs); usernames; passwords; demographic information; education history and transcripts; entrance exam scores; background check information; personal references; financial information including but not limited to credit and debit card numbers, tax information, and financial aid information; transaction history; business information; passport and visa information; work history; medical history; donation history; insurance information; military service; IP addresses; location information; device information; metadata; education records including but not limited to coursework, correspondence, evaluations,  disciplinary complaints, and other records, and files maintained by the University as part of the educational process; any requests for accommodations or leave; and other information to support the purposes set forth in Table 1, below.

The University requires Personal Information only when necessary.  Table 1 identifies the purposes for which the University processes Personal Information and the legal basis for each purpose.

Special categories

In order to fulfill certain of the purposes identified in Table 1, the University may need to request special categories of Personal Information—information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.  

Before the University processes your special category Personal Information or your criminal conviction Personal Information, if any, the University will ask for your affirmative consent unless the University has another legal basis for the processing, in which case the University will inform you of that basis.

Purposes for which the University processes Personal Information

Table 1

| Purpose | Legal Basis |
| --- | --- |
| To respond to requests for information about admission to the University or about participating in online courses or other programs at the University | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To recruit, evaluate, and manage persons who apply to the University for admission, take courses at the University, participate in programs offered by the University, or attend the University, either in person or online, and to perform related activities needed to foster and maintain these relationships | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To operate and facilitate the registration and participation in online and in-person education programs, including those relating to professional licensing requirements | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To evaluate applications for and administer financial aid, including reporting to relevant federal and state government agencies | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To facilitate application for and sponsoring of visas to study, work and/or research at the University, including all functions necessary to comply with applicable immigration laws | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To assign housing and facilitate housing requests for individuals studying or participating in programs at or through the University | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To conduct study abroad programs offered by or coordinated through the University | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To provide on-campus and distance learning information technology and other services to students, including network, authentication and help desk services | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To respond to an individual’s request for records relating to an individual’s time at the University, such as transcripts, tax documents, employment documents, etc. | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To engage the services of an independent contractor and all uses incident to that engagement | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To employ persons to work for the University and all uses incident to that engagement including but not limited to evaluation and management of employees and administration of employee benefits | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To conduct transactions and business with individuals, such as processing payments made by credit card to the University and payments made by the University to you | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To host and allow individuals to attend and participate in University events, including educational, artistic, and sports camps and sporting events | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To facilitate review and evaluation of University programs, including academic, sports, and other programs, by accrediting organizations, government entities, third-party ranking organizations, and other appropriate bodies | Legitimate interests of the University - legitimate interest in providing and maintaining a world-class higher education experience at the University |
| To promote safety, integrity, and security of the University’s information technology systems | Legitimate interests of the University – legitimate interest in maintaining IT and network security |
| To protect the University community, including you, and to keep its members safe wherever they are located | Legitimate interests of the University – legitimate interest in physical security |
| To report salary data to social security or tax authorities and otherwise comply with applicable EU or Member State laws | Necessary for compliance with a legal obligation |
| To allow individuals to visit University facilities | Legitimate interests of the University - legitimate interest in physical security |
| To facilitate and administer the reservation and use by individuals of University facilities | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To facilitate the use of volunteers and to evaluate and manage individuals who volunteer to assist the University in any capacity, and to perform related activities required to foster and maintain these relationships | Legitimate interests of the University—legitimate interest in physical security |
| To respond to subpoenas, court orders, agency requests, and other legal requests for records relating to an individual’s time at the University, such as transcripts, tax documents, employment documents, etc. | Legitimate interest of the University – legitimate interest in complying with U.S. and state laws and not being held in contempt of court or having penalties imposed |
| To engage third parties to collect sums owing to the University or to otherwise take action to collect outstanding debt from an individual | Legitimate interests of the University—legitimate interest in recovering sums owed to it and enforcing its legal claims whether in or out of court |
| To respond to proper requests for information as required by the Illinois Freedom of Information Act and the U.S. federal Freedom of Information Act | Legitimate interests of third parties—legitimate interest in publication of data for purposes of transparency and accountability |
| To stay connected with University alumni | Legitimate interests of the University—legitimate interest in communicating unsolicited non-commercial messages |
| To allow and facilitate individuals to perform research at or with the University | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
| To utilize individuals as subjects of research performed at or through the University, and to perform related activities required to foster and maintain this relationship | Consent |
| To facilitate the provision of medical treatment and the filing of claims for payment from insurance companies and/or government agencies | Consent |
| To raise funds to support the University and its programs | Consent |

4. How does the University receive your Personal Information?


From you
The University may receive your Personal Information when you visit University websites, apply for or attend University classes or programs, apply for or take online courses with the University, work for the University at a location in the EEA, attend events sponsored by the University, or otherwise interact with the University.

From third parties
The University may also receive your Personal Information from third parties. Examples include college entrance exam scores received from testing agencies, college applications received from the Common Application, Inc., and online course registration information received from third parties that administer online courses (e.g., Coursera, Inc.).

5. Who receives/processes your Personal Information?

University personnel

Your Personal Information may be processed by University trustees and employees, including faculty, researchers, medical professionals, financial aid counselors, human resources professionals, law enforcement officers, and others, as may be necessary to carry out the purposes for processing the information and the activities of the University.

University Related Organizations

The University may share your Personal Information with University Related Organizations, such as the University of Illinois Foundation and the University of Illinois Alumni Alliance.

Third parties

The University may share your Personal Information with third parties, such as: educational platform providers and course partners to further the purposes for processing the information and the activities of the University; U.S. and foreign government entities to fulfill regulatory obligations (e.g., visa processing) and to facilitate access to funding sources (e.g., financial aid); partner institutions to facilitate study abroad activities; and vendors to provide services related to your affiliation with the University (e.g., print diplomas, arrange housing) and to improve University outreach efforts.   

Please note that the University may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this Supplemental Notice.

6. How long does the University keep your Personal Information?

The University retains Personal Information in accordance with applicable law. Records retention schedules for many types of University records can be found on the Records and Information Management records management webpage: https://www.uillinois.edu/cio/services/rims/retention_and_disposal/records_retention/.

7. What are your rights as a Data Subject?

As a Data Subject pursuant to the GDPR, you have certain rights.  This Supplemental Notice summarizes what these rights under the GDPR involve and how you can exercise these rights.  More detail about each right, including exceptions and limitations, can be found in Articles 15-21 and 77 of the GDPR.

Please note:   Nothing in this Supplemental Notice is intended by the University to waive sovereign immunity or any other defenses or immunities afforded by any or all U.S. federal law, Illinois state law, and EU law.

Right of access

You have the right to request that the University confirm whether it is processing your Personal Information.  If the University is processing your Personal Information, you have the right to access that Personal Information, and the University will provide you with a copy of that Personal Information unless prevented by applicable law.

Right to have inaccurate Personal Information corrected

You have the right to request that the University correct any inaccurate Personal Information that it maintains about you.  You also have the right to request that the University complete any incomplete Personal Information that it maintains about you, which could be accomplished by incorporating a supplementary statement that you submit.  If the University concurs that the Personal Information is incorrect or incomplete, the University will promptly correct or complete it. 

Right to erasure

You have the right to request the erasure of Personal Information that the University maintains about you in certain circumstances.  These circumstances are identified in Article 17 of the GDPR and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.

Subject to applicable U.S., state, and EU law and University policies, including but not limited to its Web Privacy Notice, and provided that there are no overriding legitimate grounds for the University to retain the Personal Information, the University will comply with the request and will take reasonable steps to inform any third parties with whom the Personal Information was shared.

Right to restriction of processing

You have the right to request that the University restrict the processing of your Personal Information where one of the reasons identified in Article 18 of the GDPR applies. These reasons include that the Personal Information is inaccurate, the processing is unlawful, or the University no longer needs the Personal Information.

If the University grants your request to restrict processing, the University will only process that Personal Information with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable U.S., state, or EU law.

Right to data portability

Where the basis for processing is either consent or performance of a contract between you and the University, and where the processing is carried out by automated means, you have the right to receive your Personal Information that you have provided to the University. The University will provide the Personal Information in a structured, commonly used, and machine-readable format.  Where technically feasible and upon your request, the University will transmit the Personal Information directly to another entity. 

Right to withdraw consent

If the basis for processing your Personal Information is consent, you may revoke your consent at any time.  Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, the University will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims.  Revoking consent does not affect the lawfulness of processing that occurred before the revocation.

Right to object to processing

In certain situations, you may have the right to object to processing of your Personal Information:

  • Public Interest or Legitimate Interests. If the basis for processing your Personal Information is public interest or legitimate interests, you have the right to object to processing the Personal Information. The University will cease processing unless the University demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.
  • Direct Marketing. If the University is using your Personal Information for direct marketing purposes such as fundraising, you have the right to object at any time, and the University will stop using your Personal Information for that purpose.

Right to file a complaint

You have the right to submit a complaint with an EU supervisory authority, in particular the one in the EU Member State of your habitual residence, place of work, or place of the alleged violation, if you believe that the University’s processing of your Personal Information violates the GDPR. 

For more information on the process for submitting a complaint, consult the relevant EU supervisory authority:  http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

8. How to exercise your rights

In order to exercise any of these rights, except the right to file a complaint with an EU supervisory authority, you should submit your request to University of Illinois System GDPR Compliance:

Email: GDPRrequest@uillinois.edu

Telephone: +1 866-758-2146

Address: University Ethics and Compliance Office
Human Resources Building, Room 20
One University Plaza, HRB 20
Springfield, IL 62703-5407
Attn: GDPR Compliance

At that time, you will be asked to: 1) identify yourself; 2) provide information to support that the GDPR applies to you (see Section 2, above); 3) identify the specific information or data that you are concerned about; and 4) state what right(s) you wish to exercise.

To expedite processing your request, please identify the data collection location (e.g., the website where your Personal Information was collected), if known.

9. How does the University respond to requests for Personal Information?

In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, or University policy.  When you submit a request to the University to exercise your rights, the University will respond in accordance with existing University policies and procedures that implement the relevant privacy law(s). These include, but are not limited to, policies pertaining to student education records and policies pertaining to certain health records maintained by the University. 

10. Existence of automated individual decision-making

The University, in conjunction with University Related Organizations such as the University of Illinois Foundation, uses automated decision-making, including profiling, to help identify prospective supporters of the University and its activities. The logic takes an all-factor approach to assessing a possible donor’s propensity to support the University and may result in a prospective donor being contacted to explore support opportunities.

You will not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performing a contract or unless you explicitly consent.

11. Transfer of Personal Information outside the EEA

The University is based in the U.S. and is subject to U.S. and Illinois law.  Personal Information that you provide to the University will generally be hosted on U.S. servers.  To the extent that the University needs to transfer your information either (a) from the EEA to the U.S. or another country or (b) from the U.S. to another country, the University will do so on the basis of either (i) an “adequacy decision” by the European Commission; (ii) EU-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting the University as set forth in Section 12; (iii) your explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with the University, in which case the University will inform you of the intent to transfer the Personal Information.  Please note that the U.S. is not currently considered a safe harbor country under the GDPR. 

12. How do I contact the data controller?

The University is the data controller.  If you have any questions about anything contained in this Supplemental Notice, please contact University of Illinois System GDPR Compliance:

Email: GDPRrequest@uillinois.edu

Telephone:     +1 866-758-2146

Address: University Ethics and Compliance Office
Human Resources Building, Room 20
One University Plaza, HRB 20
Springfield, IL 62703-5407
Attn: GDPR Compliance

13. GDPR

If you are interested in reviewing an English version of the GDPR, please see http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.

14. Updates to Supplemental Notice

The University may update this Supplemental Notice from time to time.  Any changes will become effective upon posting of the revised Supplemental Notice.

 

Issued: 05/17/2018

Effective:  05/25/2018

Last revised: 05/22/2018