Rights under GDPR
Articles 15-21 of the GDPR give you the right to control your personal data by directing SPU, as controller, to do one or more of the following, subject to certain conditions and limitations:
- allow you to access your personal data to see what information the university has collected concerning you;
- correct (rectify) any inaccuracy in your personal data;
- delete (erase) your personal data, unless SPU can demonstrate that retention is necessary or that SPU has other overriding legitimate grounds for retention;
- restrict the processing of your personal data;
- transfer your personal data to a third party (portability); and
- upon your objection, stop processing personal data when SPU is relying on a legitimate interest basis for processing such data, unless SPU can demonstrate compelling legitimate grounds for processing that override your interests in prohibiting such processing.
If SPU obtains your written consent to collect and process your personal data, you can subsequently withdraw such consent as to any further processing of such data by contacting GDPR@spu.edu.
Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
Data Provision Voluntary
SPU will sometimes ask you to provide information necessary to perform contracts to which you are a party, or to satisfy certain legal requirements binding upon the university. If you do not provide such information, SPU will not be able to process such contracts or comply with such legal requirements, and you will not be eligible to receive the benefits that may result from the processing of such contracts, or compliance with such requirements.
The GDPR limits SPU’s right to use your personal data for predictive purposes as part of an automated decision-making process, including profiling. Such a process uses your personal data, such as preferences, interests, behavior, locations, and personal movement, to make an analytically determined decision, instead of a personalized, individual decision. The GDPR limitation does not apply when such automated decision-making is necessary for the performance of a contract to which you are, or will be, a party. If SPU plans to use your personal data in an automated decision-making process, it will seek your consent for such use.
We implement appropriate technical and organizational security measures to protect your information when you transmit it to us and when we store it on our information technology systems.
If you believe your privacy rights under the GDPR have been violated, the GDPR gives you the rights and remedies set forth in GDPR Articles 77-82. These include the right to file a complaint with a supervisory authority.