General Data Protection Regulation Statement

Note: Jacksonville State University’s General Data Protection Regulation (GDPR) Privacy Notice will be updated periodically as EU GDPR is implemented, as member states finalize regulations, and as additional official guidance information becomes available.


Introduction

Jacksonville State University (JSU) is an institution of higher education involved in education, research, and community development. To educate its students in person and online, engage in research, and provide community services, JSU must collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs.

The EU GDPR broadly applies to data about people who reside in the European Union (EU) or data about individuals when it is transferred from the EU. The EU GDPR limits when and how personal data can be collected, stored, processed, and used. It also provides these individuals with certain rights related to their personal data, including notice or consent, rights of access, and in some cases, requests for deletion.

JSU may be a data “controller” or “processor” regarding certain activities as defined under the EU GDPR. JSU is committed to protecting the rights of individuals in compliance with the EU GDPR.


Definitions

Data Subject:
A data subject is any person whose personal data is being collected, held or processed.

Controller:
Controllers are responsible for decisions about the collection, use, and protection of personal data.

Personal data:
The EU GDPR defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is an actual person (not a corporation or other business entity) who can be identified, directly or indirectly, by reference to:

  • Any identifiers, such as name, ID numbers, location data, online identifier; or
  • Factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Processor:
Processors are responsible for processing, analyzing, storing, and deleting personal data on behalf of the controller.

Special Categories of Personal Data:
Any data that:

  • Reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
  • Are genetic data or biometric data enough to uniquely identify a natural person.
  • Are concerning a natural person’s sex life or sexual orientation.

Lawful Basis for Collecting and Processing of Personal Data

JSU has a lawful basis to collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and public service programs. The lawful basis includes the following, without limitation: academic admission; registration; awarding scholarships; enrollment: delivery of classroom, online, and study abroad education; grades; communications; employment; applied research; development; program analysis for improvements; provision of medical services; and records retention.

Most of JSU’s collection and processing of personal data will fall under the following categories:

  • Processing necessary for the purposes of the legitimate interests pursued by JSU or third parties in providing education, employment, research and development, and public service.
  • Processing necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
  • Processing necessary for compliance with a legal obligation to which JSU is subject.
  • Processing for which the data subject has given consent for JSU to use his or her personal data for one or more specific purposes.

Occasionally when the collection and processing of personal data will be pursuant to other lawful bases, JSU will identify the basis for each application and determine its essentiality prior to collection and processing.


Types of Personal Data Collected and How it Will be Used

JSU collects a variety of personal data to meet one of its lawful basis, as referenced above. The information JSU retains about you may include the following:

  • Personal details such as name, title, address, telephone number, email address, marital status, nationality, date of birth, photograph, household income, parental status, details of dependents;
  • Emergency contact information;
  • National Insurance number (where you have voluntarily provided it);
  • Education and employment information (including the school(s), college(s), and other educational locations you have attended; places where you have worked; the courses you have completed; dates of study and examination results);
  • Other personal background information collected during the admissions process, e.g. your socioeconomic classification, and details of your parents’ occupation and education;
  • Examination records (including records relating to assessments of your work, details of examinations taken, and your predicted and actual examination grades);
  • Information captured in your student record, including progression, achievement of milestones and progression reports;
  • Visa, passport, and immigration information;
  • Fees and financial support record (including records relating to the fees paid, student loan information and financial support, scholarships, and sponsorship);
  • Supervision, teaching, and tutorial activities; and training needs analysis and skills acquisition records;
  • Placement and internship record or study at another institution as an established component of your course of studies, or career development opportunity;
  • Information about your engagement with University support services or University facilities;
  • Information about your use of library facilities, including borrowing and fines;
  • Information about disciplinary actions (including academic misconduct), dispensations from regulations, and about any appeals and complaints raised;
  • Attendance at University degree and award ceremonies and other on-campus events;
  • Information about your use of JSU’s information and communications systems, including CCTV and building access information;
  • JSU may also process the following "special categories" of more sensitive personal data:
    • Information about your sex and gender identity;
    • Information about your race or ethnicity and religious beliefs;
    • Information about your health, including any disability and/or medical condition;
    • Information about criminal convictions and offenses, including proceedings or allegations.

If you have specific questions regarding the collection and use of your personal data, please contact: gdpr@jsu.edu 


Where JSU Acquires Personal Data

JSU receives personal data from multiple sources. Most often, JSU acquires this data directly from the data subject or under the direction of the data subject who has provided it to a third party.


Rights of the Data Subject Under the EU GDPR

If you are an individual data subject under the EU GDPR, you may obtain the following information and exercise the following rights:

  • the identity and the contact details of the controller and, where applicable, the controller’s representative;
  • the contact details of JSU’s GDPR Compliance Program;
  • an explanation of the purposes and legal basis/legitimate interests of the data collection/processing;
  • the identification of the recipients of the personal data;
  • notice if JSU intends to transfer personal data to another country or international organization;
  • notice of the time period that the personal data will be stored;
  • the right to access personal data, rectify incorrect personal data, erase personal data, restrict or object to processing, and the right to data portability;
  • the right to withdraw consent at any time, if processing is based on consent;
  • the right to lodge a complaint with a supervisory authority (established in the EU);
  • an explanation of why the personal data are required, and possible consequences of the failure to provide the data;
  • notice of the existence of automated decision-making, including profiling; and
  • notice if the collected data are going to be further processed for a purpose other than that for which the information was collected.

Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.

Any data subject who wishes to exercise any of the above-mentioned rights may do so by submitting such request to: gdpr@jsu.edu


Information JSU May Collect Automatically

To the extent permitted by law, JSU and our third-party vendors may supplement the information we collect from and about you with information from other sources, such as publicly available information about your online and offline activity from social media services, commercially available sources, and information from other business partners.

  • IP Address and Other Identifiers: When you access and interact with the JSU website or programs, JSU and its third-party providers may collect information about your visits in order to permit you to connect to and obtain the services and to understand the frequency with which specific visitors visit various parts of the JSU site. For example, we may collect your Internet Protocol (“IP”) address, which identifies the computer or third party that you use to access JSU services, or information about your browser type, authentication identifiers, and other software and hardware information. If you access the JSU website through a mobile or other device, JSU may collect your mobile device identifier, geolocation data (including your precise location), or other transactional information for that device. JSU may combine this information with other information that we have collected to make JSU services and communications to you more tailored to your interests.
  • Social Media Information and Content: If you access or log in to the JSU site through a social media service or connect a service to a social media service, the information collected may also include your user ID and/or user name associated with that social media service, any information or content you have permitted the social media service to share with JSU, such as your profile picture, email address or friends lists, and any information you have made public in connection with that social media service. When you access JSU sites through social media services or when you connect a service to social media services, you are authorizing JSU to collect, store, and use such information and content in accordance with this Privacy Statement and JSU Privacy Policies.
  • Cookies and Other Tracking Technologies: JSU services may also use cookies. Cookies are small text files that are stored on a user’s computer and allow websites to remember information about users. JSU and its third parties use cookies for a variety of purposes in order to enhance the quality of JSU sites. JSU uses transient (also called “session ID”) cookies to provide continuity from page to page. A session ID cookie expires when you close your browser. JSU also uses persistent cookies. Persistent cookies allow your browser to be recognized when you return after your first visit to that part of the JSU site. Cookies allow JSU to personalize your return visits to the JSU site. You have the choice to set your browser to accept all cookies, reject all cookies, or notify you when a cookie is set. (Each browser is different, so check the "Help" menu of your browser to learn how to change your cookie preferences.) It is up to you whether to allow JSU to send you cookies. Please note that by blocking any or all cookies, you may not have access to certain features, content, or personalization available through JSU’s site.
  • Web beacons and other tracking technologies: The site may use other tracking tools, including so-called “pixel tags,” “web beacons,” “web bugs,” “clear GIFs,” etc. (collectively “Web Beacons”) to collect user activity information about your activities on the JSU site. These are small electronic images embedded in web content (including online ads) and email messages and are ordinarily not visible to users. Like cookies, web beacons enable JSU to track pages and content (including ads) accessed and viewed by users. Also, when JSU sends HTML-formatted (as opposed to plain text) emails to you, web beacons may be embedded in such emails to allow JSU to monitor readership levels so that JSU can identify aggregate trends and individual usage to provide audiences with more relevant content or offers. Web beacons in emails may recognize activities such as when an email was opened, how many times an email was forwarded, which links in the email were clicked on, etc. Web beacons cannot be declined when delivered via a regular web page. However, web beacons can be refused when delivered via email. If you do not wish to receive web beacons via email, you will need to disable HTML images or refuse HTML (select Text only) emails via your email software.
  • Third Party Tracking: Third parties that support JSU by serving advertisements or providing services, such as allowing you to share content or tracking aggregate usage statistics of the JSU site, may also use these technologies to collect similar information when you interact with JSU services (such as websites and emails). These third parties may also use these technologies, along with activity information they collect, to recognize you across the devices you use, such as a mobile device and a laptop or other computer. JSU does not control these third-party technologies and their use is governed by the privacy policies of third parties using such technologies.

Information Contained in User Content

Some parts of the JSU site may allow users to post or transmit messages, comments, screen names, computer files, and other materials. You should be careful about what personal information you choose to make public through these services.


Information from Other Sources

To the extent permitted by law, JSU and its third-party vendors may supplement the information collected from and about you with information from other sources, such as publicly available information about your online and offline activity from social media services, commercially available sources, and information from other business partners.


Security of Personal Data Subject to the EU GDPR

JSU is committed to ensuring the security of your information. JSU has implemented reasonable physical, technical, and administrative safeguards designed to prevent unauthorized access to or use of the information collected online. All personal data collected or processed by JSU under the scope of the EU GDPR will comply with the security controls and systems and process requirements and standards as set forth in JSU’s IT Policies and Procedures.


Sharing Your Information

JSU will not share your information with third parties except as necessary to meet one of JSU’s lawful purposes, including but not limited to:

  • legitimate interest;
  • contract compliance;
  • pursuant to consent provided by you;
  • as required by law;
  • as necessary to protect JSU’s interests; or
  • with third parties acting on JSU’s behalf who have agreed to protect the confidentiality of the data.

Data Retention

Data collected by JSU which falls under the purview of University Archives and Records Management is collected for the time periods specified by the current retention schedule, Public Universities of Alabama Functional Analysis & Records Disposition Authority dated 05.24.17.


Changes to this Privacy Notice

JSU may, in its discretion, periodically update this EU GDPR Privacy Notice.


Additional Information

JSU has an EU GDPR Compliance Program to support its requirements and to assist with questions or complaints. If you need assistance, would like to make a request, or file a complaint, contact gdpr@jsu.edu

 

For more information regarding the EU GDPR, please review the information available at EU GDPR.org.  The most current version of the JSU Privacy Statement can be found here:  JSU Privacy Statement.