If You Are Located in the European Union (EU)/European Economic Area (EEA)
Where we offer or provide services to you and you are located in a member state of the European Union (EU) or European Economic Area (EEA), we will observe the EU General Data Protection Regulation (GDPR) and other applicable data protection laws when we process your personal information.
Personal information relating to you from which you can be identified (such as your name and contact details, as well as other information about you personally or your interests) is called “personal data” under the GDPR.
If you are located in the EU/EEA and we offer or provide services to you, the following additional provisions beyond the general privacy statements set forth above apply in relation to how we handle your personal data.
We may collect personal data about you for one or more of the following purposes:
- To respond to inquiries from you, process any application you submit relating to studying at Syracuse University, on a Syracuse Abroad program and/or you register for another service that we offer;
- To set up and administer our agreement with you, if you enroll as a student and/or wish to participate in one of our programs or receive other services;
- To be able to effectively manage the University and administer its programs and to be able to look after you as well as other students;
- To comply with any existing legal obligations or to manage legal issues or claims that may arise;
- To provide direct marketing to you, but in relation to electronic marketing only where we have your consent in accordance with applicable law or are sending you information about goods or services that are the same as those you have previously purchased (and subject to you being able to opt-out of further direct marketing at any time); or
- To respond to any issues, requests, or questions that you raise with us.
We may also process personal data of EU/EEA residents in the following situations:
- if you apply to work for Syracuse University at one of our locations in the EU or EEA, we may need to process your personal data in connection with your job application and, if successful, add you as a staff or faculty member;
- if you apply to be a host for students who participate in Syracuse University Abroad programs in the EU or EEA, we will need to process certain personal data about you and your family that is requested as part of your application.
The Lawful Basis on which We Collect Data
The lawful grounds under which we collect and use this personal data are where:
- You have freely provided your specific, informed and unambiguous consent;
- We’ve agreed to provide services to you, to set up and perform our contractual obligations and/or enforce our contractual rights;
- Where we need to use your personal data for our legitimate interests in being able to manage Syracuse University’s operations, its courses and its programs. We will always pursue these interests in a way that respects your legal rights or freedoms and, in particular, your privacy rights;
- Where we need to use your personal data to comply with a legal obligation or for the purpose of the University being able to establish, exercise or defend legal claims; and/or
- Where we need to use personal data to protect your vital interests or those of someone else (for example, in a medical emergency or if there is an urgent welfare issue).
If you provide us with any ”special category” personal data about you, which under the GDPR includes information in relation to your health, religious/political or philosophical beliefs, ethnic origin and/or sex life/sexual orientation, in addition to the above, we will only use this ‘special category’ data in the following circumstances:
- Where we have your explicit consent – for example, to send you details of University interest groups or support resources that you may be interested in, if you are, have been or you become a student;
- Where the data is needed by us to comply with applicable employment, social security or social protection laws;
- To protect your vital interests or those of someone else, as noted above;
- Where you have clearly publicized such information (e.g. your political views); and/or
- Where we need to use such special category data in connection with a legal claim.
Disclosing Your Personal Data
Third party suppliers (called “processors”) may process your personal data on Syracuse University’s behalf, in accordance with our contractual agreements. For example, this may be to provide business support such as IT infrastructure, data or website hosting, payment services, professional advice (e.g. legal advice) and/or to protect the University (and our students or staff) from fraud or other criminal behavior.
We may also disclose your personal data to third parties external to the University who make their own determination as to how they use your personal data and for what purpose(s) (called “controllers”). This may include EU/EEA based partner universities and educational institutions for our Syracuse Abroad programs.
Our study abroad locations based in Europe are listed on the Syracuse University Abroad website.
We may also provide your personal data to third parties (who we tell you about from time to time) that offer additional products or services in which you elect to participate, such as gym memberships, travel, tours, field trips, cultural or sporting activities or if you want us to arrange any medical services for you.
We will only provide your personal data for the specific purpose of providing these services to you. However, if you then make further arrangements with those third party controllers with whom you deal, they may handle your data in accordance with their own chosen procedures. You should check the relevant privacy policies of these organizations to understand how they may use your personal data.
Other than as set out above, we will treat your personal data as private and will not disclose it to third parties without your knowledge. The exceptions are in relation to legal proceedings or where we are legally required to provide your data to a court, regulator or someone else and are legally prevented from telling you.
In all cases, we always aim to ensure that third parties only use your personal data for lawful purposes and in compliance with applicable data protection law.
Transferring Your Data
You acknowledge that your personal data may be transferred to Syracuse University and stored on computers, servers and/or in files in the United States.
Please note US federal and state law is not at present considered to meet the same legal standards of protection for personal data as European Union law.
However, in order to safeguard your personal data, we only transfer data from the EU/EEA to the US under a contract or another appropriate mechanism that is approved under applicable law and that protects that data to the same standards that you would expect in Europe.
Keeping Your Personal Data
Syracuse University retains your personal data for no longer than is necessary for the purposes for which it was processed; is necessary to perform our obligations to you (or to enforce or defend legal claims); or, as is required by applicable law.
We have a data retention and erasure policy that sets out the different periods for which we retain data for the relevant purpose it was collected and used. Please see the data retention schedule.
The criteria we use for determining data retention periods is based on various legislative requirements; the purpose for which we hold data and whether retaining the data is needed in connection with that purpose; and further specific guidance issued by relevant regulatory authorities on data retention/erasure including, but not limited to, EU regulatory authorities.
Personal data that we no longer need is either erased and/or anonymized so that you can no longer be identified from it.
We employ appropriate technical and organizational security measures to protect against access to your personal data by unauthorized persons and against unlawful processing, accidental loss, destruction and damage. We also endeavor to take all reasonable steps to protect personal data from external threats such as malicious software or hacking. However, there are always inherent risks in sending information by public networks or using public computers and we cannot 100% guarantee the security of all data sent to us.
Your Personal Data Rights
Under the GDPR, those EU/EEA residents with whom we deal have various data protection rights, which are as follows:
- you can request information about your personal data that we have, the purpose for which we use that personal data, or with who it may be shared, as well as certain other information (this is called a “subject access right”). Usually we will have 30 days to respond to a subject access right request. For a complex request, we may require an additional 60 days to respond. We may deny or charge for administrative time in dealing with any manifestly unreasonable or excessive requests. We may also require further information to locate specific information you seek and you should note that certain legal exemptions may also apply to what we can disclose in response;
- you can ask that we correct personal data that we have that is inaccurate or incomplete;
- you can object to automated processing in relation to your personal data (if applicable);
- you can object to us continuing to use your personal data for direct marketing;
- you can request that we erase your personal data if we no longer need to hold it;
- you can object or ask us to restrict the use of your personal data for any purpose unless we have a compelling legitimate reason for doing so (e.g. a legal obligation); or
- you can ask us to transfer your electronically held personal data to another party if we collected it with your consent or if it is being used to fulfill a contact.
If you would like to exercise any of the rights set out above, please contact us at the address below. We may need to ask for evidence to verify your identity before we can fully respond.
If you make a request and are not satisfied with our response, or believe that we are illegally processing your personal data, you have the right to complain to a data protection supervisory authority in your EU country of residence.
Syracuse University operates in more than one EU/EEA state. Therefore, its lead supervisory authority in the EU is the UK Information Commissioner’s Office (ICO).
Controlling Your Personal Information
If you have any questions or further concerns relating to how we use your personal data as described above, or you believe that personal data we have is incorrect or incomplete, please contact us with “EU data request” as the subject line:
Information Technology Services
Center for Science and Technology
Syracuse, NY 13244
Syracuse University London
48-51 Old Gloucester Street London
WC1N 3AE United Kingdom
We will do our best to promptly deal with your request.