GDPR Statement

Note: The European Union General Data Protection Regulation (EU GDPR) Privacy Notice will be updated periodically as EU GDPR is implemented, as member states finalize regulations, and as additional official guidance information becomes available.

Introduction

The University of Alabama (UA) is an institution of higher education involved in education, research, and community development. For UA to educate its students in person and online, engage in world-class research, and provide community services, it is essential and necessary that UA collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs.

The EU GDPR broadly applies to data about people who reside in the European Union or data about individuals when it is transferred from the EU. The EU GDPR limits when and how personal data can be collected, stored, processed, and used. It also provides these individuals with certain rights related to their personal data, including notice or consent, rights of access, and in some cases, requests for deletion. These same rights are codified in other international legislation, including the UK Data Protection Act.

UA may be a data “controller” or “processor” with regard to certain activities as defined under the EU GDPR. UA is committed to protecting the rights of individuals in compliance with the EU GDPR.

Definitions

Controller:
Controllers are responsible for decisions about the collection, use, and protection of personal data.

Personal data:
Under the EU GDPR, personal data is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is an actual person (not a corporation or other business entity) who can be identified, directly or indirectly, by reference to:

Processor:
Processors are responsible for processing, analyzing, storing, and deleting personal data on behalf of the controller.

Special Categories of Personal Data:
Any data that:

Lawful Basis for Collecting and Processing of Personal Data

UA has a lawful basis to collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and public service programs. The lawful basis includes, without limitation: admission; registration; delivery of classroom, online, and study abroad education; grades; communications; employment; applied research; development; program analysis for improvements; and records retention.

Most of UA’s collection and processing of personal data will fall under the following categories:

There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases. This basis will be identified for each application.

Types of Personal Data Collected and How it Will be Used

UA collects a variety of personal data to meet one of its lawful bases, as referenced above. Most often the data is used for academic admissions, enrollment, educational programs, job hiring, provision of medical services, participation in research, development, and public service.

The information we hold about you may include the following:

If you have specific questions regarding the collection and use of your personal data, please contact Compliance, Ethics and Regulatory Affairs (205-348-2334, cera@ua.edu).

Where UA Acquires Personal Data

UA receives personal data from multiple sources. Most often, UA acquires this data directly from the data subject or under the direction of the data subject who has provided it to a third party.

Rights of the Data Subject Under the EU GDPR

If you are an individual data subject under the EU GDPR, you may obtain the following information and exercise the following rights:

The exercise of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.

Any data subject who wishes to exercise any of the above-mentioned rights may do so by submitting a Data Subject Access Request form or by contacting CERA at (205) 348-2334 or privacy@ua.edu. Departments or individuals working at UA who receive a request from a data subject asking to exercise their rights via any other method of communication should complete an Internal Data Subject Access Request to allow for tracking and documentation of data subject requests.

Information We May Collect Automatically

To the extent permitted by law, UA and our third party vendors may supplement the information we collect from and about you with information from other sources, such as publicly available information about your online and offline activity from social media services, commercially available sources, and information from other business partners.

Information Contained in User Content

Some parts of our site may allow users to post or transmit messages, comments, screen names, computer files, and other materials. You should be careful about what personal information you choose to make public through these services.

Information from Other Sources

To the extent permitted by law, UA and our third party vendors may supplement the information we collect from and about you with information from other sources, such as publicly available information about your online and offline activity from social media services, commercially available sources, and information from other business partners.

Security of Personal Data Subject to the EU GDPR

UA is committed to ensuring the security of your information. We have put in place reasonable physical, technical, and administrative safeguards designed to prevent unauthorized access to or use of the information collected online. All personal data collected or processed by UA under the scope of the EU GDPR will comply with the security controls and systems and process requirements and standards as set forth by UA.

Sharing Your Information

UA will not share your information with third parties except as necessary to meet one of UA’s lawful purposes, including but not limited to:

Data Retention

Data collected by UA which falls under the purview of University Archives and Records Management is collected for the time periods specified by the current retention schedule, Public Universities of Alabama Functional Analysis & Records Disposition Authority Revision (RDA), 2017 edition.

Changes to this Privacy Notice

UA may, in its discretion, periodically update this EU GDPR Privacy Notice.

Additional Information

UA has an EU GDPR Compliance Program to support its requirements and to assist with questions or complaints. If you need assistance, would like to make a request, or file a complaint, contact Compliance, Ethics, and Regulatory Affairs at 205-348-2334, privacy@ua.edu.

For more information regarding the EU GDPR, please review the information available at UA General Data Protection Regulation Compliance. The most current versions of UA Privacy Policies are maintained in the UA Policy Library.