GDPR Privacy Notice
This notice provides certain required information to persons located in the European Union (“EU”), a European Economic Area (“EEA”) member state, or Switzerland. Before Loyola collects any “personal data” from you, you are entitled under Regulation (EU) 2016/679 (commonly known as the EU General Data Protection Regulation, or the “GDPR”), to the information in this notice. The GDPR does not apply to the processing of personal data from data subjects prior to May 25, 2018.
The GDPR defines (a) “personal data” as information that identifies you, or may be used to identify you, such as your name, an identification number, location data, an online identifier, or factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity, (b) “controller” as the entity that determines the purposes and means of the processing of personal data, (c) “processor” as the entity that processes personal data on behalf of the controller, and (d) “data subject” as a natural person who is identified, or can be identified, by reference to his or her personal data.
If you would like to review the GDPR Articles cited in this notice, please see https://www.eugdpr.org/.
The Identity and Contact Details of the Controller
Under the GDPR, Loyola will be deemed the “controller” of your personal data. If you would like to contact Loyola in its capacity as controller, please contact:
Jim Pardonek, MS, CISSP, CEH, GSNA
Information Security Officer
Loyola University of Chicago
1032 W. Sheridan Road
Chicago, Illinois 60660
GDPR@luc.edu
The Identity and Contact Details of the Controller’s Representative
The GDPR requires Loyola to designate a representative located in the EU. Loyola’s representative is:
Todd W. Waller
Director
John Felice Rome Center
Via Massimi, 114-A
00136 Rome, Italy
twaller@luc.edu
Data Protection Officer
Loyola is not a public authority or body. At present, the university’s core activities do not include the regular and systematic monitoring of data subjects on a large scale, nor does it process on a large scale either special categories of data (as described in GDPR Article 9) or personal data relating to criminal convictions and offenses (as described in GDPR Article 10). For these reasons, the GDPR does not obligate Loyola to designate a data protection officer (“DPO”). If, in the future, Loyola voluntarily designates a DPO, this notice shall be updated to identify and include contact information for the DPO.
Loyola’s Purposes and Legal Basis for Processing Personal Data
Loyola will only process your personal data for lawful purposes under the GDPR related to the university’s charitable, educational, and scientific purposes and arising from your relationship with the university as a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or an employee, contractor, donor, supporter, research subject, visitor to the university or its website, or attendee at a university event.
Loyola will ordinarily collect and process your personal data because it is necessary for the performance of a contract to which you are a party or because the university has another legitimate interest in doing so. When Loyola cannot rely on either of such legal grounds, it will seek your prior consent. For example, GDPR Article 9 generally requires Loyola to obtain your prior consent if it collects special categories of personal data protected under the GDPR (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic or biometric data to uniquely identify a natural person, health data, or data related to one’s sexual activities or orientation).
The purposes for which Loyola collects personal data, and the legal bases for processing such personal data, are summarized in the chart that appears below.
In the chart: each reference to (a) “necessary for the performance of a contract” shall be deemed to mean, “Necessary for the performance of a contract or agreement to which you are a party, or preliminary steps leading up to such a contract or agreement;” (b) Loyola’s “legitimate interest” shall require a prior “balancing test” determination by the university that its legitimate interest in processing your personal data is not overridden by your interests or fundamental rights and freedoms in protecting such personal data; and (c) your “prior consent” shall mean your voluntary consent, given prior to the processing of your personal data. If you would like additional information as to Loyola’s legitimate interest “balancing test” determination under clause (b), please contact the Controller at GDPR@luc.edu.
Purpose for Processing |
Legal Basis for Processing |
Student Admissions Applications and Other Student Data: Obtaining admissions applications, transcripts, test scores and related documents from applicants to determine their qualification for admission, and preparing related correspondence, including acceptance and rejection letters; obtaining job applications, resumes, background checks, motor vehicle records, and other background materials from students applying for jobs |
|
Staff and Faculty Job Applications: Preparing acceptance and rejection letters; obtaining job applications, resumes, background checks, motor vehicle records, and other background materials from job applicants |
|
Managing Student Accounts: Establishing and administering student accounts, issuing invoices, processing payments and refunds, preparing related correspondence, and, if necessary, pursuing collection efforts |
|
Managing Payroll Accounts: Collecting forms needed to satisfy regulatory requirements (such as IRS W-4 and W-9 forms), and other documents necessary to prepare payroll checks, bank account information, make withholdings, issue IRS W-2 forms, process pension and retirement contributions and payments, and related employee payroll matters |
|
Managing Benefits Accounts: Collecting and processing benefit election and claim forms in order to manage employee benefits including medical, vision, dental, and other insurance coverages, pension and retirement accounts, charity contributions, transit benefits, FSA and HSA accounts, beneficiary designations, and related employee benefit matters. |
|
Managing Expenses, Purchasing, and Reimbursements: Collecting, issuing, and processing expense requests, purchasing invoices, receipts, approvals, payment records, bank accounts, checks, and electronic payments |
|
Administering Grant, Scholarship, and Financial Aid Programs: Accepting, reviewing, and making decisions related to financial assistance programs, including preparing, executing, monitoring, and enforcing grant, scholarship, and loan agreements and notes documenting such financial assistance |
|
Class Registration, Enrollment, and Education Records: Registering students for courses, confirming completion of required course work, accepting, reviewing, and evaluating student course work, operating education software to support teaching, conducting institutional statistical research to measure effectiveness, and for accreditation and collaborative purposes |
|
Evaluating Academic Performance and Granting Degrees: Assigning grades and other performance measures (such as with respect to clinical programs); confirming satisfaction of required classwork and out-of-class requirements applicable to the awarding of degrees; preparing transcripts and diplomas; maintaining long-term graduation and performance records and providing these to employers |
|
Evaluating Faculty and Staff Performance: Preparing and processing evaluations (including self-evaluations), maintaining personnel and disciplinary files, compiling other performance measure data |
|
Issuing and Use of University Identification, Payment, and Transit Cards: Issuing (a) identification cards bearing faculty, staff or student photos and embedded with personal information for use in accessing university facilities, events, and resources; (b) making payments (including through the use of Rambler Bucks cards and purchasing cards such as ProCards); (c) encouraging the use of public transit (including through issuance of U-Pass cards); and (d) other university purposes, and monitoring all such usages |
|
Operating Dining Halls and Other Food Service Facilities: Running cafeterias, restaurants, snack bars, and on-campus convenience stores, and administering credit, debit, and payment programs related to such services |
|
Providing Student Housing: Providing and operating dormitories and other student housing and residence life programs |
|
Providing Student Support Services: Providing accommodations under disabilities laws, offering tutoring services and supplemental instruction, student conduct, providing physical and mental health and wellness care and counseling, and operating a fitness center |
|
Campus Security Measures: Taking measures to protect persons and property (both physical, personal, and digital) through encryption, firewalls, password, reset questions, surveillance cameras, login systems, card-swiping and similar entrance/exit tracking devices, and other security efforts. |
|
Complaint and Grievance Procedures: Enabling students, staff and faculty to file and process complaints and grievances by such means as Ethics Hotline, the ADVOCATE public incident reporting system, public safety and sexual harassment complaints, Human Resources complaints, the Behavioral Concerns Team, the Financial Aid and Bursar financial dispute process, and the academic grievance appeals process |
|
Offering Access to University Information Services: Providing a user identity account including Loyola email account, storing information on university servers (and servers of third party processors), allowing students, faculty, staff, and alumni, and other authorized persons the right to use university-licensed software, providing access to educational platforms, assessment tools, social media, library applications, archives, and digital collections |
|
Assisting With Clinical, Out-of-Class, Internship and Job Placement: Identifying hospitals, clinics, schools and employers who will offer clinical practice opportunities, classroom teaching experience, and similar internships; helping place students and graduates in jobs |
|
Ticketing: Processing information related to selling or otherwise issuing tickets for athletic, musical, theatrical, and other university events and conferences |
|
Recruitment and University Marketing: Tracking inquiries and website activity (including through the use of “cookies” and similar tracking files) to identify and recruit prospective students, faculty, and staff |
|
Research: Conducting educational, scientific, and other research and related statistical analysis |
|
Alumni and Advancement Communications: Maintaining contact information for alumni and donors in order to send correspondence, magazines, newsletters, online communications, invitations, and to seek and accept gifts and donations |
|
Insurance Claim Processing: Obtaining and evaluating personal information pertaining to claims of bodily injury, property damage, and other liability claims, including collecting medical reports and health insurance information, personal financial data, police reports, or other relevant information, including information required by Loyola’s insurers |
|
Complying with Legal Obligations: Compiling and providing information required under applicable laws, including, without limitation, the Internal Revenue Code, Title IV and Title IX, U.S. Department of Education laws and regulations, the Immigration and Naturalization Service, and the Department of Homeland Security |
|
Video Surveillance: For student security and asset protection needs (i.e., to avert the risk of theft, damage, or tampering), a video surveillance system is installed outside and inside the John Felice Rome Center campus. It inevitably collects the personal data (image) of anyone who enters the visual range of the cameras, which is duly indicated by signs placed near the perimeter of the recorded area. The signs warn that anyone who crosses the marked limit will be recorded on video. The legal basis for processing is the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) of the GDPR), for the purposes stated above. Your personal data will not be subject to any automated decision-making process, including profiling. No further processing is carried out on the recorded images. Recorded images are retained for 7 days. These images may be retained longer in order to comply with a specific investigative request by the judicial authority or law enforcement agencies. After these periods have expired, the images are automatically deleted. |
|
Categories of Personal Data Collected
In certain instances, Loyola, in its capacity as a controller, may acquire your personal data from a third party, and not directly from you. If this occurs, then within a reasonable period of time, but not later than the earlier to occur of (a) the first time Loyola communicates with you, and (b) one month after Loyola acquires such personal data, Loyola will advise you of the categories of personal data collected, the source from which Loyola acquired such personal data, and certain additional information required under GDPR Article 14.
Recipients/Categories of Recipients Who May Receive Your Personal Data
The specific categories of recipients who will receive your information depend on whether you are a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or a contractor, donor, supporter, or research subject, or have some other status, and the types of personal data that you provide. The categories of recipients are likely to include one or more of the following:
- As to the Loyola data collection activities described in the preceding chart, responsible faculty and staff involved in such activities may receive your personal data (for example, personnel in the Registrar’s office will have access to personal data related to student admissions, class registration, enrollment, grades and transcript); such persons will generally be located in Chicago, Illinois;
- As to personal data required by federal departments and agencies, employees of the federal government, including personnel in the United States Department of Education, the Department of Justice (Office of Civil Rights), the Department of Treasury (Internal Revenue Service), the Department of Homeland Security, and their respective divisions, and agencies may receive your personal data; such persons will generally be located in Washington D.C. and Chicago, Illinois;
- As to personal data required by State of Illinois departments and agencies, employees of the State of Illinois, including personnel in the Illinois State Board of Education, the Illinois Department of Revenue, and the Illinois Attorney General’s Office, and their respective divisions, agencies, and offices, may receive your personal data; such persons will generally be located in Chicago, Illinois, or Springfield, Illinois;
- Third parties who underwrite, administer, or provide services related to the university’s health insurance, benefits, and pension and retirement programs may receive your personal data;
- Lenders and other third parties who assist in originating, monitoring, and collecting student loans, scholarships, and other financial aid programs, may receive your personal data; and
- Third party processors who host and process information in the “cloud” on servers located in the United States may receive your personal data.
If you would like more detailed information as to the specific identity of recipients receiving particular personal data, please contact the Controller at GDPR@luc.edu.
Transfer of Personal Data to the United States
Personal data that you provide while in the EU, an EEA member state, or Switzerland will be transferred to the United States. The GDPR permits such transfer when necessary for the performance of a contract between you and Loyola, or if Loyola obtains your explicit consent to such transfer. In transferring your personal data to a processor, Loyola will employ suitable safeguards, including those described in the Information Security section below, to protect the privacy and security of your personal data so that it is only used in a manner consistent with your relationship with the university and this privacy notice.
How Long Will Your Personal Data Be Stored?
The GDPR requires that your personal data be kept no longer than necessary. The applicable time period will depend on the nature of such personal data and will also be determined by legal requirements imposed under applicable laws and regulations. For a table setting forth current university record and data retention policies, see the Non-Financial Records Retention Policy. If you have specific questions concerning how long a certain type of personal data will be retained, please contact the Controller at GDPR@luc.edu.
You Have Certain Rights to Control Your Personal Data
Articles 15-21 of the GDPR give you the right to control your personal data by directing Loyola, as controller, to do one or more of the following, subject to certain conditions and limitations:
(a) allow you to access your personal data to see what information the university has collected concerning you;
(b) correct (rectify) any inaccuracy in your personal data;
(c) delete (erase) your personal data, unless Loyola can demonstrate that retention is necessary or that Loyola has other overriding legitimate grounds for retention;
(d) restrict the processing of your personal data;
(e) transfer your personal data to a third party (portability); and
(f) upon your objection, stop processing personal data when Loyola is relying on a legitimate interest basis for processing such data unless Loyola can demonstrate compelling legitimate grounds for processing that override your interests in prohibiting such processing.
If You Consent to the Processing of Your Data, You Can Withdraw Such Consent
If Loyola obtains your written consent to collect and process your personal data, you can subsequently withdraw such consent as to any further processing of such data by contacting the Controller.
GDPR Remedies Include the Right to File A Complaint With The Supervisory Authority
If you believe your privacy rights under the GDPR have been violated, the GDPR gives you the rights and remedies set forth in GDPR Articles 77-82. These include the right to file a complaint with the Italian data protection supervisory authority:
Garante Per La Protezione Dei Dati Personali
Piazza di Monte Citorio, 121
00186 Roma
Tel. + 39 06 69677 1
Fax. + 39 06 69677 785
Email: garante@garanteprivacy.it
Website: http://www.garanteprivacy.it
Are You Obligated to Provide Personal Data?
As discussed above, Loyola will sometimes ask you to provide information necessary to perform contracts to which you are a party, or to satisfy certain legal requirements binding upon the university. If you do not provide such information, Loyola will not be able to process such contracts or comply with such legal requirements, and you will not be eligible to receive the benefits that may result from the processing of such contracts, or compliance with such requirements. For example, if you do not provide personal data needed to process an admission, financial aid, student housing application or agreement, you will not be admitted to the university, awarded financial aid, or allowed to live in student housing. Similarly, if you do not provide legally required information needed to process a visa, or as part of a legally required background check process related to a job or internship position, your visa will not be approved and you will not be eligible for such job or internship.
You Have The Right to Know If Loyola Uses Your Personal Data In Automated Decision-Making, Including Profiling
The GDPR limits Loyola’s right to use your personal data for predictive purposes as part of an automated decision-making process, including profiling. Such a process uses your personal data, such as preferences, interests, behavior, locations, and personal movement, to make an analytically-determined decision, instead of a personalized, individual decision. The GDPR limitation does not apply when such automated decision-making is necessary for the performance of a contract to which you are, or will be, a party. Loyola does not intend to use personal data in an automated decision-making process, except in the context of such a contract. However, if it does, it will seek your consent for such use.
Information Security
Loyola, by design, works to take necessary steps to protect personal data from unauthorized access and from unauthorized alteration, disclosure, or destruction. In particular, Loyola:
- uses encryption both in transit and at rest to protect personal data;
- requires log-in authentication for accessing services related to a data subject’s Loyola Account;
- reviews its information collection, storage and processing practices, perimeter security and physical security measures, to guard against unauthorized access to systems;
- restricts access to personal data on a “need to know” basis so that only authorized personnel and contractors have access to personal data and only for the permitted purpose;
- subjects its employees and contractors to strict contractual confidentiality obligations, and may discipline or terminate them if they fail to meet these obligations; and
- employs technical and organizational measures, such as pseudonymization and data minimization, to structurally reduce the risk of data breaches and unauthorized disclosures of personal data.