GDPR Privacy Notice

Statement and Purpose




Seattle Pacific University (SPU) is committed to good stewardship of personal information provided by users of its websites.

This notice provides certain information to persons located in the European Union (“EU”) or a European Economic Area (“EEA”) member state and is intended to satisfy requirements in Regulation (EU) 2016/679 (commonly known as the EU General Data Protection Regulation, or the “GDPR”). SPU may be a data “controller” or “processor” with regard to certain activities as defined under the GDPR. This notice is only intended to address rights already granted through the GDPR to persons located in the EU or an EEA member state and does not create any additional rights or give rights to any other person.

See the Website Terms of Use and the Website Privacy Policy for additional details on how the University collects and uses your information.

Entities Affected By This Policy

All persons or entities using Seattle Pacific University websites and internet-based applications.

Controller

If you would like to contact SPU in its capacity as a controller of your personal data, please contact GDPR@spu.edu.

Data Protection Officer

SPU does not believe that it is required under the GDPR to identify a data protection officer (“DPO”). If, in the future, SPU voluntarily designates a DPO or believes it has become obligated to identify a DPO, then this notice will be updated to identify a DPO.

Reason for Policy

This policy is to help you understand how Seattle Pacific University will collect and use personal information about you that you provide to the university by using its websites, and to describe SPU's response to the EU General Data Protection Regulation (GDPR). If you are an individual located in the EU or an EEA member state and have questions about this notice, including questions about how long a certain type of personal data will be retained or about the specific identity of recipients receiving particular personal data, you may contact GDPR@spu.edu.



Policy Version: 1.0

Responsible Office: Computer and Information Systems
Responsible Executive: AVP for Information Technology

Effective Date: July 1, 2019
Last Updated: July 1, 2019


Data Collection


Purposes and Legal Bases for Processing Personal Data.

  1. SPU collects and processes personal data from individuals as necessary in the exercise of SPU’s legitimate interests, functions, and responsibilities as a private, non-profit institution of higher education. SPU will only process your personal data for lawful purposes under the GDPR related to the university’s charitable, educational, and scientific purposes and arising from your relationship with the university as a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or an employee, contractor, donor, supporter, research subject, visitor to the university or its website, or attendee at a university event. 
  2. SPU will ordinarily collect and process your personal data because it is necessary for the performance of a contract to which you are a party or because the university has another legitimate interest in doing so. SPU may also process data as necessary for compliance with a legal obligation to which SPU, as controller of the data, is subject.  SPU may also seek your prior consent for processing your personal data (if, for example, SPU cannot rely on any legal grounds listed previously). 
  3. The purposes for which SPU collects personal data are summarized below:
    1. Student Admissions
    2. Staff and Faculty Employment
    3. Student Employment
    4. Managing Student Accounts, Payroll Accounts, and Benefits Accounts
    5. Managing Expenses, Purchasing, and Reimbursements
    6. Administering Grant, Scholarship, and Financial Aid Programs
    7. Class Registration, Enrollment, and Education Records (Including Study Abroad)
    8. Evaluating Academic Performance and Granting Degrees
    9. Evaluating Faculty and Staff Performance
    10. Issuing and Use of University Identification Cards and Payment Cards
    11. Operating Dining Halls and Other Food Service Facilities
    12. Providing Student Housing and Employee Housing
    13. Providing Student Support Services
    14. Providing Academic Advising
    15. Campus Security Measures
    16. Complaint and Grievance Procedures
    17. Offering Access to University Information Services
    18. Assisting with Clinical, Internship, and Job Placement
    19. Athletics, Musical, Theatrical, and Other Tickets
    20. Recruitment and University Marketing
    21. Research
    22. Alumni and Advancement Communications
    23. Insurance Claim Processing
    24. Complying with Legal Obligations
    25. Maintenance of Accreditation
    26. Analyzing and Improving Education Programs
    27. Financial Auditing

Data Collected from Third Parties

In certain instances, SPU (in its capacity as a controller) may acquire your personal data from a third party, and not directly from you. If this occurs, then within a reasonable period of time, but not later than the earlier to occur of (i) the first time SPU communicates with you, and (ii) one month after SPU acquires such personal data, SPU will advise you of the categories of personal data collected, the source from which SPU acquired such personal data, and certain additional information required under GDPR Article 14.

Categories of Recipients Who May Receive Your Personal Data

  1. The specific categories of recipients who will receive your information depend on whether you are a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or a contractor, donor, supporter, or research subject, or have some other status, and the types of personal data that you provide.
  2. The categories of recipients are likely to include one or more of the following:
    1. As to the data collection activities described in section 4, responsible faculty and staff involved in such activities may receive your personal data. Such persons will generally be located in Seattle, Washington.
    2. Personal data required by federal departments and agencies may be shared with employees of the federal government and their agencies, which may include personnel in the United States Department of Education, the Department of Justice (Office of Civil Rights), the Department of Treasury (Internal Revenue Service), the Department of Homeland Security, and their respective divisions. Such persons will generally be located in Washington, D.C., or Seattle, Washington.
    3. Personal data required by State of Washington departments and agencies may be shared with employees of the State of Washington, which may include personnel in the Washington Student Achievement Council, the Washington Office of Financial Management, the Washington Department of Revenue, the Washington Attorney General’s Office, and their respective divisions, agencies, and offices. Such persons will generally be located in Seattle, Washington, or Olympia, Washington.
    4. Third parties who underwrite, administer, or provide services related to the university’s health insurance, benefits, and pension and retirement programs may receive your personal data.
    5. Lenders and other third parties who assist in originating, monitoring, and collecting student loans, scholarships, and other financial aid programs, may receive your personal data.
    6. Third party processors who host and process information in the “cloud” on servers located in the United States may receive your personal data.
    7. SPU may share information with third parties who have entered into contracts with SPU to perform functions on behalf of SPU.
    8. In an emergency situation, SPU may share information with emergency service providers or others as needed to address the emergency.

Transfer of Personal Data to the United States

Information created in the EU or in an EEA member state will be transferred to SPU in the United States.

Retention

The GDPR requires that your personal data be kept no longer than necessary. The applicable time period will depend on the nature of such personal data and will also be determined by legal requirements imposed under applicable laws and regulations.


Rights under GDPR


Articles 15-21 of the GDPR give you the right to control your personal data by directing SPU, as controller, to do one or more of the following, subject to certain conditions and limitations:

  • allow you to access your personal data to see what information the university has collected concerning you;
  • correct (rectify) any inaccuracy in your personal data;
  • delete (erase) your personal data, unless SPU can demonstrate that retention is necessary or that SPU has other overriding legitimate grounds for retention;
  • restrict the processing of your personal data;
  • transfer your personal data to a third party (portability); and
  • upon your objection, stop processing personal data when SPU is relying on a legitimate interest basis for processing such data unless SPU can demonstrate compelling legitimate grounds for processing that override your interests in prohibiting such processing.

Withdrawing Consent

If SPU obtains your written consent to collect and process your personal data, you can subsequently withdraw such consent as to any further processing of such data by contacting GDPR@spu.edu.

Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

Data Provision Voluntary

SPU will sometimes ask you to provide information necessary to perform contracts to which you are a party, or to satisfy certain legal requirements binding upon the university. If you do not provide such information, SPU will not be able to process such contracts or comply with such legal requirements, and you will not be eligible to receive the benefits that may result from the processing of such contracts, or compliance with such requirements. 

Automated Decision-Making

The GDPR limits SPU’s right to use your personal data for predictive purposes as part of an automated decision-making process, including profiling. Such a process uses your personal data, such as preferences, interests, behavior, locations, and personal movement, to make an analytically-determined decision, instead of a personalized, individual decision.  The GDPR limitation does not apply when such automated decision-making is necessary for the performance of a contract to which you are, or will be, a party.  If SPU plans to use your personal data in an automated decision-making process, it will seek your consent for such use.

Information Security

We implement appropriate technical and organizational security measures to protect your information when you transmit it to us and when we store it on our information technology systems.

Complaints

If you believe your privacy rights under the GDPR have been violated, the GDPR gives you the rights and remedies set forth in GDPR Articles 77-82. These include the right to file a complaint with a supervisory authority.


Policy Updates


SPU may update or change this policy at any time in its discretion.

