European Economic Area Privacy Provisions
Privacy Provisions for Persons Located Within the European Economic Area
In addition to Bridgewater State University’s Website Privacy Statement, the following provisions regarding the collection, use, processing and sharing of data apply to those located in the European Economic Area (“EEA”) pursuant to the European Union’s General Data Protection Regulation (“GDPR”).
I. Applicability and Definitions
EEA The European Economic Area includes Iceland, Liechtenstein and Norway and the countries of the European Union (“EU”):
- Austria
- Belgium
- Bulgaria
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
Personal Data The GDPR defines personal data to include any information related to an identified or identifiable person, such as name, identification number, location data, online identifier (e.g., IP address), email address, or information related to an individual’s physical, psychological, genetic, mental, economic, cultural, or social identity.
EEA Personal Data Personal Data you submit or disclose to the University (or to a third party that transfer it to the University for processing) while you are located in the EEA.
EEA Sensitive Personal Data In addition to EEA Personal Data, the University may process some information about you that is classed as “sensitive” personal data, which requires additional protections. This includes information concerning your ethnicity, sexual orientation, religious beliefs or health/disability that we may use for planning and monitoring purposes, or in order to provide care, help or suitable adjustments. For certain courses of study, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practice in certain regulated professions. Access to, and the sharing of, your EEA Sensitive Personal Data are carefully controlled. You will normally be given further details about our use of any such data when we collect it from you.
EEA Processing Any action or operation the University might take, including but not limited to collection, use, recording, organizing, storing, transferring, sharing, disclosing, erasing or destroying of EEA Personal Data, by any means, including hardcopy (such as paper applications or forms) and electronic (such as websites and mobile applications or “apps”).
The University may Process your EEA Personal Data in accordance with these EEA Privacy Provisions, the University’s Website Privacy Statement and other applicable policies, and as permitted or required by law. If you do not agree with these EEA Privacy Provisions, please do not provide any EEA Personal Data to the University. If you choose not to provide any EEA Personal Data that is necessary for the University to provide you with specific products or services, the University may not be able to provide those products or services to you.
II. How the University Collects and Uses Your EEA Personal Data
How the University Collects EEA Personal Data
The University collects your EEA Personal Data when you engage in the following from inside the EEA: visit the University’s websites; use the University’s mobile apps; apply for or attend classes or programs, online or in person; register for, update or change an online account with the University; send emails or other communications to the University; complete a survey or request information from the University; inquire about or apply for employment with the University; work for the University; use University equipment or resources; or otherwise interact with the University.
The University may also receive your EEA Personal Data from third parties. Examples include, but are not limited to, exam scores received from testing agencies, and registration information received from third parties that administer online courses. The University may also receive information from other individuals or institutions who provide treatment and services, from public health services, and from law enforcement, and from other clinical researchers, as well as from those who process the information provided on behalf of these entities.
How the University Uses and Processes EEA Personal Data
The University uses the EEA Personal Data that we collect to carry on various institutional and educational activities. The ways in which we collect and use your EEA Personal Data vary depending on the relationship between you and the University. As described in detail below, the University relies on a number of legal bases to lawfully process your EEA Personal Data.
What EEA Personal Data Will Be Processed? We will keep a record of information you provide on your application form, any supporting documents requested as part of your admission/employment process and/or details provided by any references or recorded during an interview process. We will maintain records about your studies and work at the University, and your usage of academic and non-academic goods and services we offer. Additional information may be recorded such as:
- University identification numbers
- usernames and passwords
- emergency contact information
- financial information including donation information
- transaction history including payments
- passport and visa information
- location information
- device information
- disciplinary information and complaints
- disability and accommodation history
- photographs and video
- personal health information
Why Do We Process Your EEA Personal Data? We will process your EEA Personal Data for a range of contractual, statutory or public interest purposes, including to:
- respond to your questions and communicate with you;
- deliver and administer your education and determine your academic progress and achievements;
- administer the financial aspects of your relationship with us and any lenders;
- deliver facilities and services to you;
- confirm immigration status;
- affirmative action and equal opportunity monitoring;
- detect or prevent fraud or other criminal activity;
- confirm your previous educational record(s);
- assist in providing reasonable accommodations for a disability;
- research and statistical purposes but only in a non-identifiable aggregate format;
- compile statistics and conduct surveys for internal and statutory reporting purposes;
- fulfill and monitor the University’s legal obligations;
- establish, exercise, and defend legal claims;
- enable us to contact you or others in case of an emergency;
- support alumni relations and fundraising;
- reasons of substantial public interest, including archiving purposes;
- satisfy any other contractual obligation we have to you; and
- use it for the legitimate interests of the University or any third party to whom we disclose your EEA Personal Data, if your fundamental rights and freedoms do not override those interests.
The Lawful Basis for the University to Process your EEA Personal Data The University typically relies on one or more of the following lawful bases under the GDPR when we process your EEA Personal Data:
- in accordance with your consent;
- to fulfill a contractual obligation with you (e.g., online applications, paying tuition) or in order to take steps at your request prior to entering into a contract;
- to pursue any legitimate interest of the University (e.g., evaluate candidates for admission, financial aid, housing and/or alumni communications);
- to protect your vital interests or those of another natural person;
- to perform or carry out a task in the public interest (e.g., teaching and research);
- to exercise the University’s official authorities as granted to it and to its board of trustees by the Commonwealth of Massachusetts; and/or
- to comply with our obligations under the law.
The University requires you to provide us with any information we reasonably ask for to enable us to administer our relationship with you. If we require your consent for any specific use of your EEA Personal Data, we will collect it at the appropriate time, and you can withdraw this at any time. Where we ask for any EEA Sensitive Personal Data, such as that concerning your ethnicity, sexual orientation, religious beliefs or health/disability, you will normally have the option to refuse your consent by not supplying it.
Purposes for University Processing of EEA Personal Data
The following subsections of these EEA Privacy Provisions are intended to describe in more detail our collection and use practices for a number of the different ways in which you might interact with us.
Website and Mobile Apps
The University collects EEA Personal Data you provide, for example, when you enter the information into form fields on our Services. We also gather certain information automatically when you use our Services. For example, we and our vendors may collect:
Category of Personal Data | Purposes of Processing | Legal Bases for Processing |
---|---|---|
Contact Information, including your name, home address, email address, phone number, and birth date |
|
|
Log Files, including IP addresses, browser type, device type, internet service provider, referring/exit pages, operating system, date/time stamp and/or clickstream data |
|
|
Location Information, including using your IP address to identify the general geographic area from which you are accessing our website. |
|
|
Admissions and Financial Aid
The information collected by us, or on our behalf, during the admissions process and throughout any subsequent enrollment as a student at the University is collected for the primary purpose of considering your application for admission to the University, evaluating your eligibility for financial aid and, if you are admitted, facilitating your education. For example, we may collect:
Category of Personal Data | Purposes of Processing | Legal Bases for Processing |
---|---|---|
Contact Information, including your name, home address, email address, and phone number |
|
|
Demographic Information, including race, ethnicity, gender, age, and marital status |
|
|
Education History, including your prior schools, transcripts, school activities, and disciplinary records |
|
|
Testing History, including standardized testing |
|
|
Personal History, including interests, extracurricular activities, and recommendations |
|
|
Employment History, including job title, location, and work experience |
|
|
Criminal Record, including your self-reported and public record |
|
|
Personal Financial Information, including tax identification number, wages, scholarships and grants, and family support |
|
|
Family Financial Information, including family member names, ages, occupations, wages, and savings |
|
|
Alumni
The main way the University collects and maintains personal information about alumni is when you provide it to us, for example, when you update your alumni profile, connect with us on social media, or register to attend alumni events. We may also collect personal information from publicly available sources or third-party sources that support the University. The main purpose for the University’s collection of alumni personal information is to connect you with the University and other alumni. For example, we may collect:
Category of Personal Data | Purposes of Processing | Legal Bases for Processing |
---|---|---|
Contact Information, including your name, home address, email address, and phone number |
|
|
Employment History, including job title, location, and work experience |
|
|
Personal Information, including personal interests, religious affiliation, and political affiliation. |
|
|
Family Information, including family member names, ages, occupations, and relevant medical information |
|
|
Human Resources
The University collects your personal information when you apply for employment. Further personal information collection occurs at the commencement and throughout your employment at the University. The personal information collected by the University, or on our behalf, is collected for the primary purpose of providing employment or enabling authorized persons to utilize the University’s services and facilities. For example, we may collect:
Category of Personal Data | Purposes of Processing | Legal Bases for Processing |
---|---|---|
Contact Information, including your name, home address, email address, and phone number |
|
|
Payment Information, including your bank account number and routing number |
|
|
Tax Information, including your tax identification number, wages, and filing status |
|
|
Employment History, including prior employers, titles, wages, work experience, and disciplinary record |
|
|
Education History, including prior schools, transcripts, awards, honors, and disciplinary records |
|
|
Students
The information collected by us, or on our behalf, throughout your enrollment as a student at the University is collected for the primary purpose of facilitating your education at the University and providing the programs for which you are enrolled. For example, we may collect:
Category of Personal Data | Purposes of Processing | Legal Bases for Processing |
---|---|---|
Contact Information, including your name, home address, email address, and phone number |
|
|
Education History, including your prior schools, transcripts, school activities, and disciplinary records |
|
|
Assignment and Testing History, including course grades and standardized testing |
|
|
Health Records, including doctor’s records, surgical records, immunization records, vaccinations and medications |
|
|
Disability Information |
|
|
Personal History, including interests and extracurricular activities/td> |
|
|
Employment History, including job title, location, and work experience |
|
|
Personal Financial Information, including tax identification number, wages, scholarships and grants, and family support |
|
|
EEA Personal Data Obtained from Third Parties
We may obtain certain Personal Information about you from third party sources, which we may use to serve our legitimate interests, comply with legal obligations, perform a contract, or in some cases, in accordance with your consent.
Partners and Service Providers. We use partners and service providers, such as payment processors and analytics providers, to perform services on our behalf. Some of these partners have access to Personal Information about you that we may not otherwise have (for example, if you sign up directly with that provider) and may share some or all this information with us. We use this information to administer the Services and conduct marketing and advertising campaigns, as well as to process transactions that you request.
Single Sign-On. Some of our Services allow you to register and login to our Services through a third-party platform. When you choose to login to our service through a third-party platform, you allow us to access and collect any information from your third-party platform account permitted under the settings and privacy policy of that platform. We use this information to deliver this functionality and the Services to you.
Supplemental Information. We may receive additional Personal Information from third-party sources, such as credit reference agencies and public databases, which we may append to existing personal information, such as email address verification. We may use this supplemental information to process transactions that you request and to prevent fraud, deliver relevant offers and advertising to you, and to improve our operations, services, and our advertising and marketing campaigns.
Additional Uses of EEA Personal Data
In addition to the uses described above, we may use your Personal Information for the following purposes, which uses may under certain circumstances be based on your consent, may be necessary to fulfill our contractual commitments to you, and are necessary to serve our legitimate interest in the following operations:
- Conducting our operations, administering the Services, and managing your accounts;
- Contacting you to respond to your requests or inquiries;
- Processing and completing your transactions including, as applicable, course registration, order confirmation, enrollment in academic groups or other programs, processing payments for online purchases and course registration, and delivering products or services;
- Providing you with newsletters, articles, service alerts or announcements, event invitations, and other information that that we believe may be of interest to you;
- Providing you with promotional information, offers, and other information that are personally tailored to your interests;
- Conducting market research, surveys, and similar inquiries to help us understand trends and needs of our users;
- Alerting you about a safety announcement;
- Preventing, investigating, or providing notice of fraud, unlawful or criminal activity, or unauthorized access to our use of Personal Information, our website or data systems; or to meet legal obligations;
- Enforcing our Terms of Use and other agreements;
- Sending you text messages or push notifications when you sign up for one of our messaging programs. These messages may be sent by automated means. You may opt out of a text message program by following the instructions in the Managing Communication Preferences section.
Legitimate Interests
We rely on several legitimate interests in using and sharing your Personal Information. These interests include:
- Providing, improving and customizing our educational offerings;
- Administration of our operations;
- Promoting the success of our current and former students;
- Furthering research and understanding in fields of academic study;
- Maintaining an ongoing relationship with alumni, donors and prospective donors, and helping to connect them with others;
- Requesting gifts or donations;
- Offering attendance to events and opportunities to volunteer;
- Conducting admissions research;
- Understanding how our online platforms are being used;
- Exploring ways to develop and grow our operations;
- Ensuring the safety and security of our students, faculty, fellows, employees and others;
- Cybersecurity;
- Enhancing protection against fraud, spam, harassment, intellectual property infringement, crime and security risks;
- Meeting our obligations and enforcing our legal rights.
How We Retain, Store and Destroy EEA Personal Data
The University retains your EEA Personal Data pursuant to applicable state and federal law, and in adherence to the specific retention periods that apply to such data.
After you graduate, a record of your studies and core information is retained indefinitely as prescribed by University policy and state and federal law. Your contact information and some personal information and academic achievement information are passed to the Alumni/ Development Office.
If a request is entered for data destruction, it will only be processed if doing so does not contradict state or federal law, including but not limited to, data retention rules.
If, subject to the previous paragraph, it is determined that data destruction is not barred by federal and/or state law, any destruction of data shall be conducted in the manner that best preserves and ensures the confidentiality of the information based on the sensitivity, value and how critical the data is to the University. Further, the University will maintain a core set of your EEA Personal Data, to ensure we do not contact you inadvertently in the future, to maintain your academic record for reference and archival purposes, and to meet our legal obligations.
III. How We Share and Disclose EEA Personal Data
We share your EEA Personal Data with third parties only in the ways described in this Privacy Policy. The University does not sell your EEA Personal Data and only shares your EEA Personal Data with third parties if there is a legitimate institutional need to do so.
University Personnel Your EEA Personal Data may be processed by University departments and employees, including faculty, researchers, medical professionals, financial aid counselors, human resource and payroll personnel, law enforcement officers and others as necessary to perform their University duties. We may also share your EEA Personal Data with University related organizations, such as the Alumni office.
State University System We may share your EEA Personal Data within our Massachusetts State University System in order to provide services, govern, administer and improve the Massachusetts State University System.
Service Providers We may share your EEA Personal Data with our Service Providers who require access to your information in order to fulfill the University’s mission or improve the experiences of our students and employees. We strive to be diligent with our confidentiality, privacy and security standards that we require of all our service providers, and we require that our service providers use your EEA Personal Data only for the purpose of providing those services on behalf of the University.
Accrediting Agencies We may share your EEA Personal Data with accrediting agencies in order to obtain or maintain accreditation of our programs.
Legal Process, Safety and Terms Enforcement We may disclose your EEA Personal Data to legal or government regulatory authorities as required by applicable law. We may also disclose your EEA Personal Data to third parties as required by applicable law in connection with claims, disputes or litigation, when otherwise required by applicable law, or if we determine its disclosure is necessary to protect the health, safety, rights or property of you, us, or others, or to enforce our legal rights or contractual commitments that you have made.
Third-Party Mobile App Providers With your knowledge and consent, our services on your mobile device may gather and transfer your EEA Personal Data, including location information, from and to other applications, functions and tools within your mobile device if you use our mobile applications.
Social Media Platforms We may also use services provided by third parties (such as social media platforms) to serve targeted ads or sponsored content on third-party platforms.
IV. International Data Transfers
Your EEA Personal Data may be transferred to, stored, and processed in a country other than the one in which it was collected, relying on appropriate safeguards or specific derogations recognized under data protection laws, including the GDPR.
The European Commission has adopted standard data protection clauses, which provides safeguards from Personal Information transferred outside the EEA. We may use Standard Contractual Clauses when transferring Personal Data from a country in the EEA to a country outside the EEA.
V. Your Rights Under GDPR
At any point while the University is in possession of, or processing your EEA Personal Data, you have the following rights:
- The right to be informed of how your EEA Personal Data is being used – this information is set forth in these EEA Privacy Provisions and any documents linked hereto.
- Right of access- you have the right to request a copy of the information that we hold about you.
- Right of rectification- you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten- in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing- where certain conditions apply, you have a right to restrict the processing.
- Right of portability- you have the right to have the data we hold about you transferred to another organization.
- Right to object- you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling- you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review: in the event that the University refuses your request under any of the above rights, we will provide you with a reason as to why.
- The right to receive copies of your EEA Personal Data.
- The right to file a complaint with an EEA Supervisory Authority.
All the above requests will be forwarded on should there be a third party involved in the processing of your EEA Personal Data. These rights differ depending upon your location within the world where information was created or shared.
A response to a rights request needs to be sent within one month. However, nearly all your rights are qualified in various ways and there are numerous specific exemptions (for example, almost all the rights do not apply if your EEA Personal Data is being processed solely in an academic research context).
Please note that these rights are not absolute, and we may be entitled to refuse requests where exceptions apply. Should the University determine that you are not entitled to exercise that right, we will provide you with the reason(s) for the denial.
Note: Exercising of these rights is a guaranty to be afforded a process and not the guaranty of an outcome.
Rights Requests/Contact Information
If you wish to access your EEA Personal Data that is held by the University, or if you wish to ask the University to correct any inaccuracies in such Data, or if you wish to exercise any of your other rights regarding your EEA Personal Data, please call the IT Service Center at 508-531-2555 or by emailing itsupport@bridgew.edu and submit your request via a service ticket.
You may also file a complaint concerning your EEA Personal Data Processing with the applicable EU Supervisory Authority. The Supervisory Authority Contact Information for all EU countries is at https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
If you have specific requests relating to how the University Processes your EEA Personal Data, we will endeavor to resolve these, but there may be circumstances where we cannot comply with specific requests.
VI. Cookies and Similar Technologies
We may collect EEA Personal Data about you, or information that becomes EEA Personal Data if combined with other information, when you visit or use our websites and online services. This information may be collected through the use of cookies, which are small data files placed on your computer or mobile device that allow us to collect certain information whenever you visit or interact with our websites or online services. Some of these cookies are managed by us (first-party cookies), while others are managed by third parties that we do not control (third-party cookies). This information may also be collected through the use of other data collection technologies (such as web beacons, pixels or tags) that embed graphic files in our websites and online services. These graphic files contain a unique identifier that enables us to recognize when someone has visited our website or online services, or in the case of web beacons, opened an email that we have sent them.
If you choose to reject certain cookies and similar technologies, you may still use our websites and online services through your access to some functionality and features may be restricted. If you have any questions regarding our use of cookies and other similar technologies, please contact the IT helpline and submit your question via a service ticket.
VII. Questions or Complaints
If you have questions, please call the IT Service Center and submit your request via a service ticket. They will route the request to the most appropriate department or person to answer the question.
If you are not happy with the way your information is being handled, or with the response received from the University, please contact the President’s Office at 508-531-1201. You also have the right to file a complaint with the Massachusetts Department of Higher Education at https://www.mass.edu
You may also file a complaint concerning your EEA Personal Data Processing with the applicable EU Supervisory Authority. The Supervisory Authority Contact Information for all EU countries is at https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm .
VIII. Updates Or Changes
From time to time, we may update or amend these EEA Privacy Provisions to reflect new or different privacy practices, without notice to you. However, if these changes are material, we will place a notice on our website and/or otherwise communicate this fact to you.
This GDPR Policy was approved by Bridgewater State University Board of Trustees on August 27, 2020.