General Data Protection Regulation (GDPR)

Data Protection Privacy Notice – General Data Protection Regulation (GDPR)

INTRODUCTION
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation aimed at protecting the privacy of individuals within the European Union and the export of personal data outside the EU. Effective May 25, 2018, the GDPR will apply to the KU Alumni Association’s collection or processing of personal data from the EU.

PURPOSE
This KU Alumni Association Data Protection Privacy Notice (“Notice”) supplements the Association’s Privacy Policy, the University of Kansas (“University”) GDPR Privacy Notice, and the University’s General Privacy Policy. These policies can be located here: www.kualumni.org and www.policy.ku.edu.

This Notice governs the capture, use, transfer, and storage of personal data, as defined by the GDPR, and explains how the KU Alumni Association will collect, use, transfer and store applicable information, to the extent that such actions do not conflict with state or federal laws or regulations.

Please read this Notice carefully and contact the designated representatives at the contact information provided below if you have any questions.

Collection of Personal Data

Under the GDPR, personal data is any information relating to an identified or identifiable natural person, which identifies or relates to an individual, either on its own or in conjunction with other information held by the KU Alumni Association, such as a name, an identification number, location data, or online identifier (e.g., IP addresses and device IDs). Personal data can include: name, date of birth, address, telephone number, and email address. A special category of personal data (sensitive personal data) relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The KU Alumni Association collects sensitive personal data if submitted as a voluntary response to inquiries from the KU Alumni Association or its third-party service providers, as designated data processors.

The KU Alumni Association collects and processes personal data for the purposes described below. Personal data is treated as Private Information under the University’s General Privacy Policy and at the Level 1 category level under the University’s Data Classification and Handling Policy. The KU Alumni Association shall limit the collection of personal data, as defined by the GDPR, to only that information that is strictly necessary and lawful to accomplish a lawful purpose or legitimate interest as permitted under the GDPR.

Purposes and Use of Information

In order to fulfill the KU Alumni Association’s mission, it needs to collect and process personal data relating to current and prospective students, employees, alumni and supporters, suppliers and others with whom it conducts official business. The KU Alumni Association uses personal data for a variety of reasons.

Examples include (but are not limited to):
• Responding to inquiries or correspondence with a prospective, current or past student or third parties;
• Managing a prospective, current or past student’s interaction with the KU Alumni Association, to include administering registrations, applications, outreach and recruitment, and other processes and functions related to support services, memberships, IT and information services, surveys, program participation, event registration, contributions, admission, enrollment, attendance, communications, studies and educational programs, academic progress and advising, counseling, Title IX compliance, compiling of records and statistics for research, audit, assessment, or other reporting, discipline, financial reasons, and health and safety services related to a prospective, current, or past student;
• Administering applications for employment, including outreach and recruitment, and other processes and functions related to offers, hiring, past or present employment, monitoring equal opportunities, and health and safety compliance and reporting.

The KU Alumni Association will share information, including personal data, with University units or with third parties in the delivery of goods or services by or in conjunction with the KU Alumni Association, KU Endowment or the University. Third parties with whom information is shared, including personal data, include (but are not limited to): authorized KU Alumni Association or University agents, support organizations and governing bodies, local, state, and federal agencies, accrediting bodies or commissions, press and publicity organizations, online learning or data management platforms, potential and current service providers, affinity partners, other educational institutions or work/athletic placement sites, relevant authorities for emergency circumstances, and any other authorized third party to whom the KU Alumni Association or the University has a legal or contractual obligation to share personal data.

Applicable personal data will only be disclosed in accordance with the GDPR in force at the time. Consent is only one of several legal bases for which the KU Alumni Association may collect or process personal data. If consent is required before personal data can be shared, the KU Alumni Association will request the specific consent required.

Table 1 lists, generally, the legal bases for which the KU Alumni Association will process personal data, directly or indirectly, as authorized under Article 6 of the GDPR or when processing special category personal data (sensitive personal data) under Article 9 of the GDPR.

If the KU Alumni Association collects or processes sensitive personal data, as defined in the GDPR, additional safeguards will be put in place in accordance with the University’s Data Classification and Handling Policy. Fully anonymized data may be used and shared without limitation.

Some of the above conditions for processing personal data will overlap, and the KU Alumni Association relies on multiple applicable grounds to justify its lawful processing of personal data. The KU Alumni Association also reserves the right to rely upon other grounds that are not referred to in Table 1 but are lawful under the GDPR.

When requesting personal data, the KU Alumni Association will identify the legal bases for processing personal data. If the legal basis for processing personal data is based on consent, the KU Alumni Association will provide notice if or when further processing for other purposes is intended.

Table 1

Article 6 – Personal Data
• Consent given by a positive opt-in, for a specific, pre-defined purpose
• Necessary for the performance of a contract with the individual
• Necessary for compliance with a legal obligation
• Necessary in order to protect the vital interests of an individual; e.g., emergency circumstances
• Necessary for the performance of a task carried out in the public interest
• Necessary for the purposes of the legitimate interests pursued by Kansas Athletics or by a third party unless unwarranted because of its prejudicial effect on rights or legitimate interests.
• Automated decision making for performance of a contract with an individual

Article 9 – Special Categories
• Explicit Consent
• Necessary for the purposes of carrying out the obligations of the KU Alumni Association or the individual in the field of employment
• Necessary to protect the vital interests of an individual physically or legally incapable of giving consent; e.g., emergency circumstances
• Carried out in the course of the Kansas Athletics’ legitimate activities by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim.
• Processing relates to personal data which is made public by the individual
• Necessary for the establishment, exercise or defense of legal claims or court proceedings.
• Necessary for reasons of substantial public interest
• Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems
• Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

When necessary to transfer or share personal data to organizations or agencies based outside the EU, the KU Alumni Association will ensure appropriate and suitable safeguards are in place in accordance with the GDPR.

More information relating to the conditions for processing personal data can be obtained by contacting the University’s Data Protection Officer.

COOKIES AND OTHER INFORMATION TECHNOLOGY
The use of cookies and other data from information technology can be found in the University’s Information Technology Security policy.

Retention and destruction of your information

Personal data will be retained by the KU Alumni Association, the University, its affiliated entities, or its third party service providers in accordance with the applicable federal and state laws and the applicable retention periods in the KU Alumni Association’s and the University’s Records Retention Schedule.

Personal data will be destroyed upon request or after the expiration of the applicable retention period, whichever is later. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of personal data given the level of sensitivity, value and criticality to the KU Alumni Association or the University.

RIGHTS UNDER THE GDPR
Residents of the EU and those with data in the EU have a number of rights under the GDPR. These include the rights to request access to, a copy of, rectification of, restriction in the use of, erasure of, and portability of personal data. The erasure of personal data is also subject to both the KU Alumni Association’s and the University’s Record Retention Schedules and the University’s Student Records Policy. One may also withdraw consent to the use of personal data.

These rights may be exercised by contacting: KU Alumni Association Vice President for Records at records@ku.edu.

If personal data was created within or transferred from the European Union, a complaint may be filed with the appropriate supervisory authority in the European Union.

RESPONSIBILITIES
This Data Protection Privacy Notice must be read by the owner of the personal data before or at the moment the personal data is being transferred.

UPDATES TO THIS GDPR PRIVACY NOTICE
The KU Alumni Association may update or change this Notice at any time. It is important to keep a reference to this document and review it each time you are requested to provide personal data to the KU Alumni Association, its affiliated entities, and its third-party service providers or contractors. Any changes to this Notice will be posted at: http://www.kualumni.org/privacy-terms/