Loyola University Chicago

GDPR Privacy Notice

 

This notice provides certain required information to persons located in the European Union (“EU”), a European Economic Area (“EAA”) member state, or Switzerland.   Before Loyola collects any “personal data” from you, you are entitled under Regulation (EU) 2016/679 (commonly known as the EU General Data Protection Regulation, or the “GDPR”), to the information in this notice.  The GDPR does not apply to the processing of personal data from data subjects prior to May 25, 2018.

The GDPR defines (a) “personal data” as information that identifies you, or may be used to identify you, such as your name, an identification number, location data, an online identifier, or factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity, (b) “controller” as the entity that determines the purposes and means of the processing of personal data, (c) “processor” as the entity that processes personal data on behalf of the controller, and (d) “data subject” as a natural person who is identified, or can be identified, by reference to his or her personal data.

If you would like to review the GDPR Articles cited in this notice, see https://www.eugdpr.org/.

 

The Identity and Contact Details of the Controller

Under the GDPR, Loyola will be deemed the “controller” of your personal data.  If you would like to contact Loyola in its capacity as controller, please contact:

            Jim Pardonek, MS, CISSP, CEH, GSNA
            Information Security Officer
            Loyola University of Chicago
            1032 W. Sheridan Road
            Chicago, Illinois 60660
            GDPR@luc.edu

 

The Identity and Contact Details of the Controller’s Representative

The GDPR requires Loyola to designate a representative located in the EU.  Loyola’s representative is:

            Todd W. Waller
            Director
            John Felice Rome Center
            Via Massimi, 114-A
            00136 Rome, Italy
            twaller@luc.edu

 

Data Protection Officer

Loyola is not a public authority or body.  At present, the university’s core activities do not include the regular and systematic monitoring of data subjects on a large scale, nor does it process on a large scale either special categories of data (as described in GDPR Article 9) or personal data relating to criminal convictions and offenses (as described in GDPR Article 10).  For these reasons, the GDPR does not obligate Loyola to designate a data protection officer (“DPO”).  If, in the future, Loyola voluntarily designates a DPO, this notice shall be updated to identify and include contact information for the DPO.

Loyola’s Purposes and Legal Basis for Processing Personal Data

Loyola will only process your personal data for lawful purposes under the GDPR related to the university’s charitable, educational, and scientific purposes and arising from your relationship with the university as a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or an employee, contractor, donor, supporter, research subject, visitor to the university or its website, or attendee at a university event.  

Loyola will ordinarily collect and process your personal data because it is necessary for the performance of a contract to which you are a party or because the university has another legitimate interest in doing so.  When Loyola cannot rely on either of such legal grounds, it will seek your prior consent.  For example, GDPR Article 9 generally requires Loyola to obtain your prior consent if it collects special categories of personal data protected under the GDPR (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic or biometric data to uniquely identify a natural person, health data, or data related to one’s sexual activities or orientation).

The purposes for which Loyola collects personal data, and the legal bases for processing such personal data, are summarized in the chart that appears below.

In the chart: each reference to (a) “necessary for the performance of a contract” shall be deemed to mean, “Necessary for the performance of a contract or agreement to which you are a party, or preliminary steps leading up to such a contract or agreement;” (b) Loyola’s “legitimate interest” shall require a prior “balancing test” determination by the university that its legitimate interest in processing your personal data is not overridden by your interests or fundamental rights and freedoms in protecting such personal data; and (c) your “prior consent” shall mean your voluntary consent, given prior to the processing of your personal data.  If you would like additional information as to Loyola’s legitimate interest “balancing test” determination under clause (b), please contact the Controller at GDPR@luc.edu.

 

Purpose for Processing

Legal Basis for Processing

Student Admissions Applications and Other Student Data: Obtaining admissions applications, transcripts, test scores and related documents from applicants to determine their qualification for admission, and preparing related correspondence, including acceptance and rejection letters; obtaining job applications, resumes, background checks, motor vehicle records, and other background materials from students applying for jobs

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in collecting information needed to evaluate an applicant’s personal, educational, and work background in order to make admissions and employment decisions and otherwise process such applications, and in compiling statistical information to evaluate the university’s diversity, affirmative action, and equal opportunity performance
  • Your prior consent

 

Staff and Faculty Job Applications:  Preparing acceptance and rejection letters; obtaining job applications, resumes, background checks, motor vehicle records, and other background materials from job applicants

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in collecting information needed to evaluate an applicant’s personal, educational, and work background in order to make an employment decision and otherwise process such applications, and in compiling statistical information to evaluate the university’s diversity, affirmative action, and equal opportunity performance
  • Your prior consent

Managing Student Accounts: Establishing and administering student accounts, issuing invoices, processing payments and refunds, preparing related correspondence, and, if necessary, pursuing collection efforts

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in charging tuition, fees, and other charges and collecting amounts due related to a student’s education in order to maintain the university’s fiscal stability

Managing Payroll Accounts: Collecting forms needed to satisfy regulatory requirements (such as IRS W-4 and W-9 forms), and other documents necessary to prepare payroll checks, bank account information, make withholdings, issue IRS W-2 forms, process pension and retirement contributions and payments, and related employee payroll matters

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in collecting necessary information so that the university can, in a timely and accurate manner, and in compliance with applicable laws, pay its employees their salaries, make appropriate withholdings, and make required reports to and file required documents with the IRS
  • Your prior consent

Managing Benefits Accounts: Collecting and processing benefit election and claim forms in order to manage employee benefits including medical, vision, dental, and other insurance coverages, pension and retirement accounts, charity contributions, transit benefits, FSA and HSA accounts, beneficiary designations, and related employee benefit matters.

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in collecting necessary information so that the university can, in a timely and accurate manner, and in compliance with applicable laws, provide employees, their dependents, and retirees with employee benefits, and make required reports to and file required documents with the IRS and other government bodies and third-party benefit administrators
  • Your prior consent

Managing Expenses, Purchasing, and Reimbursements: Collecting, issuing, and processing expense requests, purchasing invoices, receipts, approvals, payment records, bank accounts, checks, and electronic payments

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in collecting necessary information so that the university can account for expenses, pay bills on time, recover amounts owed to the university, and otherwise administer the university’s day-to-day financial affairs

Administering Grant, Scholarship, and Financial Aid Programs: Accepting, reviewing, and making decisions related to financial assistance programs, including preparing, executing, monitoring, and enforcing grant, scholarship, and loan agreements and notes documenting such financial assistance

  • Such processing is necessary for the performance of a contract
  •  Loyola has a legitimate interest in helping students find financial resources to pay for their education, in complying with third-party lender and federal and state requirements, and documenting and administering such financial assistance programs
  • Your prior consent

Class Registration, Enrollment, and Education Records:  Registering students for courses, confirming completion of required course work, accepting, reviewing, and evaluating student course work, operating education software to support teaching, conducting institutional statistical research to measure effectiveness, and for accreditation and collaborative purposes

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in establishing that students are enrolled and completing classes necessary to satisfy enrollment requirements (which may also be a condition to eligibility for certain benefits) and degree requirements, and scheduling and staffing courses, in assigning and evaluating homework, administering tests, and facilitating group instruction and learning

 

Evaluating Academic Performance and Granting Degrees: Assigning grades and other performance measures (such as with respect to clinical programs); confirming satisfaction of required classwork and out-of-class requirements applicable to the awarding of degrees; preparing transcripts and diplomas; maintaining long-term graduation and performance records and providing these to employers

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in evaluating student performance, awarding degrees, recognizing outstanding achievements, holding graduation ceremonies, and providing its graduates and prospective employers with information confirming such performance, degrees, and achievements

 

Evaluating Faculty and Staff Performance:  Preparing and processing evaluations (including self-evaluations), maintaining personnel and disciplinary files, compiling other performance measure data

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in evaluating the performance of faculty and staff members for purposes of promotions, tenure decisions, disciplinary action, setting salaries, and improving productivity

Issuing and Use of University Identification, Payment, and Transit Cards: Issuing (a) identification cards bearing faculty, staff or student photos and embedded with personal information for use in accessing university facilities, events, and resources; (b) making payments (including through the use of Rambler Bucks cards and purchasing cards such as ProCards); (c) encouraging the use of public transit (including through issuance of U-Pass cards); and (d) other university purposes, and monitoring all such usages

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in identifying whether an individual is a student, faculty, or staff member, or who is otherwise authorized to be on university property and to access university programs and services, in classifying persons as either university community members or trespassers, in establishing the authority of individuals to take certain actions, and in facilitating the flow of persons, information, and payments throughout the university

 

Operating Dining Halls and Other Food Service Facilities:  Running cafeterias, restaurants, snack bars, and on-campus convenience stores, and administering credit, debit, and payment programs related to such services

 

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in confirming that only authorized persons use food service facilities, in verifying that such use conforms to meal plan and payment requirements, and in identifying personal dietary constraints and preferences in order to offer appropriate food options

Providing Student Housing: Providing and operating dormitories and other student housing and residence life programs

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in controlling access to student housing so that housing facilities are occupied only by eligible persons and accessed only by permitted persons at permitted times in order to safely and securely operate such facilities, and in collecting and maintaining personal information for use in cases of emergencies
  • Your prior consent

Providing Student Support Services:  Providing accommodations under disabilities laws, offering tutoring services and supplemental instruction, student conduct, providing physical and mental health and wellness care and counseling, and operating a fitness center

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in promoting, assisting, and monitoring student accessibility, educational progress, physical and mental health and well-being, and evaluating the use and outcomes of such services
  • Your prior consent

Campus Security Measures:  Taking measures to protect persons and property (both physical, personal, and digital) through encryption, firewalls, password, reset questions, surveillance cameras, login systems, card-swiping and similar entrance/exit tracking devices, and other security efforts.

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in ensuring the physical and digital security of its campus and the members of the Loyola community, and in preventing, detecting, and taking enforcement action with respect to criminal and other unlawful and/or unauthorized activity; such legitimate interest includes sharing security information with federal, state, and local law enforcement authorities, as required or permitted by law

Complaint and Grievance Procedures: Enabling students, staff and faculty to file and process complaints and grievances by such means as the Ethics Hotline, the ADVOCATE public incident reporting system, public safety and sexual harassment complaints, Human Resources complaints, the Behavioral Concerns Team, the Financial Aid and Bursar financial dispute process, and the academic grievance appeals process

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in providing procedures for university members to report dishonest behavior, wrongful actions, injurious conduct, and conflicts of interest, and to contest university decisions that are perceived to be unfair or otherwise inappropriate

Offering Access to University Information Services:  Providing a user identity account including Loyola email account, storing information on university servers (and servers of third party processors), allowing students, faculty, staff, and alumni, and other authorized persons the right to use university-licensed software, providing access to educational platforms, assessment tools, social media, library applications, archives, and digital collections

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in providing access to university information services for learning and communication purposes, in assuring the university’s compliance with applicable licenses and contracts relating to the use of such services, in securing data on such systems, in monitoring the system, and in performing system maintenance, analytics, and upgrades

 

Assisting With Clinical, Out-of-Class, Internship and Job Placement:  Identifying hospitals, clinics, schools and employers who will offer clinical practice opportunities, classroom teaching experience, and similar internships; helping place students and graduates in jobs

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in setting up off-campus learning opportunities for students that will supplement their on-campus instruction, and enhance their job readiness and future employment prospects, including obtaining personal information necessary to  process background checks for such positions and in helping graduates find employment
  • Your prior consent

Ticketing: Processing information related to selling or otherwise issuing tickets for athletic, musical, theatrical, and other university events and conferences

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in holding events open both to the university community and to the general public and in charging and collecting admission fees for such events

Recruitment and University Marketing:  Tracking inquiries and website activity (including through the use of  “cookies” and similar tracking files) to identify and recruit prospective students, faculty, and staff

  • Loyola has a legitimate interest in identifying both qualified students to attend the university and qualified faculty and staff to work at the university

 

Research: Conducting educational, scientific, and other research and related statistical analysis

  • Loyola has a legitimate interest in carrying out experiments, interviews, clinical evaluations, longitudinal studies and other research activities to advance knowledge and translate such research into activities and applications that benefit society
  • Your prior consent

Alumni and Advancement Communications:  Maintaining contact information for alumni and donors in order to send correspondence, magazines, newsletters, online communications, invitations, and to seek and accept gifts and donations

  • Loyola has a legitimate interest in maintaining an ongoing relationship with alumni for informational, networking, job placement, continuing education, and fund-raising purposes, and in communicating the university’s programs and successes to the general public

 

Insurance Claim Processing: Obtaining and evaluating personal information pertaining to claims of bodily injury, property damage, and other liability claims, including collecting medical reports and health insurance information, personal financial data, police reports, or other relevant information, including information required by Loyola’s insurers

  • Such processing is necessary for the performance of a contract
  • Loyola has a legitimate interest in obtaining the factual information needed to evaluate the merits of a claim in order to decide on the appropriate resolution of incidents involving loss or injury
  • Your prior consent

Complying with Legal Obligations: Compiling and providing information required under applicable laws, including, without limitation, the Internal Revenue Code, Title IV and Title IX, U.S. Department of Education laws and regulations, the Immigration and Naturalization Service, and the Department of Homeland Security

  • Loyola has a legitimate interest in complying with legal obligations imposed under European, federal, state, and local laws

 

Video Surveillance:

For student security and asset protection needs (i.e., to avert the risk of theft, damage, tampering), a video surveillance system is installed outside and inside the John Felice Rome Center campus, which inevitably collects the personal data (image) of anyone who enters the visual range of the cameras. That range is duly marked by signs placed near the video shooting perimeter. The function of the signs is to forewarn that if someone crosses the marked limit, their image will be videotaped. The legal basis for processing is the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) of the GDPR), for the purposes stated above. Your personal data will not be subject to any automated decision-making process, including profiling. No further processing is carried out on the recorded images.

Recorded images are retained for 7 days. These images may be retained longer in order to comply with a specific investigative request by the judicial authority or law enforcement agencies. After these terms have expired, the images are automatically deleted.

  • Loyola has a legitimate interest in complying with legal obligations imposed under European, federal, state, and local laws

 

Categories of Personal Data Collected

In certain instances, Loyola, in its capacity as a controller, may acquire your personal data from a third party, and not directly from you.  If this occurs, then within a reasonable period of time, but not later than the earlier to occur of (a) the first time Loyola communicates with you, and (b) one month after Loyola acquires such personal data, Loyola will advise you of the categories of personal data collected, the source from which Loyola acquired such personal data, and certain additional information required under GDPR Article 14.

 

Recipients/Categories of Recipients Who May Receive Your Personal Data

The specific categories of recipients who will receive your information depend on whether you are a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or a contractor, donor, supporter, or research subject, or have some other status, and the types of personal data that you provide.  The categories of recipients are likely to include one or more of the following:

 

  • As to the Loyola data collection activities described in the preceding chart, responsible faculty and  staff involved in such activities may receive your personal data (for example, personnel in the Registrar’s office will have access to personal data related to student admissions, class registration, enrollment, grades and transcript); such persons will generally be located in Chicago, Illinois;
  • As to personal data required by federal departments and agencies, employees of the federal government, including personnel in the United States Department of Education, the Department of Justice (Office of Civil Rights), the Department of Treasury (Internal Revenue Service), the Department of Homeland Security, and their respective divisions and agencies, may receive your personal data; such persons will generally be located in Washington D.C. and Chicago, Illinois;
  • As to personal data required by State of Illinois departments and agencies, employees of the State of Illinois, including personnel in the Illinois State Board of Education, the Illinois Department of Revenue, and the Illinois Attorney General’s Office, and their respective divisions, agencies, and offices, may receive your personal data; such persons will generally be located in Chicago, Illinois, or Springfield, Illinois;
  • Third parties who underwrite, administer, or provide services related to the university’s health insurance, benefits, and pension and retirement programs may receive your personal data;
  • Lenders and other third parties who assist in originating, monitoring, and collecting student loans, scholarships, and other financial aid programs, may receive your personal data; and
  • Third party processors who host and process information in the “cloud” on servers located in the United States may receive your personal data.

 

If you would like more detailed information as to the specific identity of recipients receiving particular personal data, please contact the Controller at GDPR@luc.edu.

 

 

Transfer of Personal Data to the United States

Personal data that you provide while in the EU, an EAA member state, or Switzerland will be transferred to the United States.  The GDPR permits such transfer when necessary for the performance of a contract between you and Loyola, or if Loyola obtains your explicit consent to such transfer.  In transferring your personal data to a processor, Loyola will employ suitable safeguards, including those described in the Information Security section below, to protect the privacy and security of your personal data so that it is only used in a manner consistent with your relationship with the university and this privacy notice.

 

How Long Will Your Personal Data Be Stored?

The GDPR requires that your personal data be kept no longer than necessary.  The applicable time period will depend on the nature of such personal data and will also be determined by legal requirements imposed under applicable laws and regulations.  Current university record and data retention policies are set forth in a table in the Non-Financial Records Retention Policy.  If you have specific questions concerning how long a certain type of personal data will be retained, please contact the Controller at GDPR@luc.edu.

 

 

You Have Certain Rights to Control Your Personal Data

Articles 15-21 of the GDPR give you the right to control your personal data by directing Loyola, as controller, to do one or more of the following, subject to certain conditions and limitations:

 

(a)   allow you to access your personal data to see what information the university has collected concerning you;

(b)   correct (rectify) any inaccuracy in your personal data;

(c)   delete (erase) your personal data, unless Loyola can demonstrate that retention is necessary or that Loyola has other overriding legitimate grounds for retention;

(d)   restrict the processing of your personal data;

(e)   transfer your personal data to a third party (portability); and

(f)    upon your objection, stop processing personal data when Loyola is relying on a legitimate interest basis for processing such data unless Loyola can demonstrate compelling legitimate grounds for processing that override your interests in prohibiting such processing.

 

If You Consent to the Processing of Your Data, You Can Withdraw Such Consent

If Loyola obtains your written consent to collect and process your personal data, you can subsequently withdraw such consent as to any further processing of such data by contacting the Controller.

 

GDPR Remedies Include the Right to File A Complaint With The Supervisory Authority

If you believe your privacy rights under the GDPR have been violated, the GDPR gives you the rights and remedies set forth in GDPR Articles 77-82.  These include the right to file a complaint with the Italian data protection supervisory authority:

 

            Garante Per La Protezione Dei Dati Personali

            Piazza di Monte Citorio, 121

            00186 Roma

            Tel. + 39 06 69677 1

            Fax. + 39 06 69677 785

            Email: garante@garanteprivacy.it

            Website:  http://www.garanteprivacy.it

 

Are You Obligated to Provide Personal Data?

As discussed above, Loyola will sometimes ask you to provide information necessary to perform contracts to which you are a party, or to satisfy certain legal requirements binding upon the university.  If you do not provide such information, Loyola will not be able to process such contracts or comply with such legal requirements, and you will not be eligible to receive the benefits that may result from the processing of such contracts, or compliance with such requirements.  For example, if you do not provide personal data needed to process an admission, financial aid, or student housing application or agreement, you will not be admitted to the university, awarded financial aid, or allowed to live in student housing.  Similarly, if you do not provide legally required information needed to process a visa, or as part of a legally required background check process related to a job or internship position, your visa will not be approved and you will not be eligible for such job or internship.

 

You Have The Right to Know If Loyola Uses Your Personal Data In Automated Decision-Making, Including Profiling

The GDPR limits Loyola’s right to use your personal data for predictive purposes as part of an automated decision-making process, including profiling.  Such a process uses your personal data, such as preferences, interests, behavior, locations, and personal movement, to make an analytically-determined decision, instead of a personalized, individual decision.   The GDPR limitation does not apply when such automated decision-making is necessary for the performance of a contract to which you are, or will be, a party.  Loyola does not intend to use personal data in an automated decision-making process, except in the context of such a contract. However, if it does, it will seek your consent for such use. 

 

Information Security

Loyola, by design, works to take necessary steps to protect personal data from unauthorized access, alteration, disclosure, or destruction. In particular, Loyola:

 

  • uses encryption both in transit and at rest to protect personal data;
  • requires log-in authentication for accessing services related to a data subject’s Loyola Account;
  • reviews its information collection, storage and processing practices, perimeter security and physical security measures, to guard against unauthorized access to systems;
  • restricts access to personal data on a “need to know” basis so that only authorized personnel and contractors have access to personal data and only for the permitted purpose;
  • subjects its employees and contractors to strict contractual confidentiality obligations, and may discipline or terminate them if they fail to meet these obligations; and
  • employs technical and organizational measures, such as pseudonymization and data minimization, to structurally reduce the risk of data breaches and unauthorized disclosures of personal data.