GDPR PRIVACY NOTICE

Last updated: February 2019

Washington University in St. Louis (the “University”) is committed to safeguarding the privacy of our students, employees, alumni, research subjects, and other individuals interacting with the University.

This Privacy Notice is specific to the processing of the personal data of individuals who are protected by the European Union’s General Data Protection Regulation (“GDPR”).  The University has adopted polices, practices and procedures to govern the use of personal data collected through our varied operations. For example, the Internet Privacy Policy describes the information collected and outlines policies regarding the use of that data.   The Computer Use Policy provides student faculty and staff with direction regarding the use of University internet resources; including a discussion of the privacy of data stored or transmitted on University systems.

You can jump to particular topics by going to the headings below:
What types of personal data does the University collect?
How do we use your information?
With whom does the University share information?
What rights do I have?
How long is my personal information retained?
How does the University protect personal information?
In what countries does the University process personal information?
Changes to This GDPR Privacy Notice
Contact Information

What types of personal data does the University collect?

The following provides examples of the types of personal data that the University collects:

Student application

Types of Data

If you apply to the University, or to one of our educational programs such as our study abroad program, we may collect, among other things, your contact information, demographic information, educational history, test scores, reference letters, financial information, criminal background checks and other information necessary to process your application

Primary Purpose for Collection and Use of Data

We have a legitimate interest in processing and evaluating student applications.

Student enrollment

Types of Data

If you enroll in the University we may collect, among other things, your contact information, demographic information, preferences, educational history, and financial information.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in collecting personal data to provide educational services and financial aid and in promoting student life initiatives, developing student activities, administering campus activities, and managing University programs.

Information about the University

Types of Data

If you request information about the University we may collect your contact information and your demographic information.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in communicating with individuals that are interested in our University, such as our educational and research programs, employment opportunities, health care services, and other University services and programs.

Employment (current)

Types of Data

If you become an employee we collect information necessary to retain you as an employee.  This may include, among other things, your Social Security Number.  Providing this information is required for employment.

Primary Purpose for Collection and Use of Data

We use information about current employees to perform our obligations as an employer. We may be required by law to collect information about our employees and we have a legitimate interest in complying with those laws.  We also have a legitimate interest in using your information to have efficient staffing and work force operations.

Employment (applicants)

Types of Data

If you apply for a job posting we collect information necessary to process your application or to retain you as an employee.  This may include, among other things, your Social Security Number and conducting criminal background checks.  Providing this information is required to be considered for employment.

Primary Purpose for Collection and Use of Data

We use information about prospective employees in anticipation of an employee-employer relationship.  We may also be required by law to collect information about our applicants.  We also have a legitimate interest in using your information for operational and statistical purposes.

Research studies

Types of Data

If you register for, or participate in, a research study, we may collect personal information necessary to carry out that study.

Primary Purpose for Collection and Use of Data

As a research institution, we have a legitimate interest in conducting research.  For certain types of research we will provide participants with information concerning the study and solicit their consent for participation and the collection of personal data. We may be required to disclose information to regulatory authorities or to our contracted collaborators and sponsors.

Conferences, Conventions, and Events

Types of Data

We collect information from you when you register for a conference, convention, or event.  For example, we may collect your contact information, billing information, and preferences.  If you are a speaker we may collect presentation materials, a biography and other information.

Primary Purpose for Collection and Use of Data

We use this information to perform our contractual obligations in relation to a conference, convention, or event.  We also have a legitimate interest in using your information to create directories of attendees.

Donations

Types of Data

We collect information from you when you make donations or gifts. For example, we collect contact and billing information.

Primary Purpose for Collection and Use of Data

As a nonprofit organization, we have a legitimate interest in collecting donations to fund our programs, operations and facilities.

Third Party Vendors

Types of Data

We may need to collect your information to enable our vendors to provide goods and services to the University, employees, students, patients and the University community or support University operations.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in assuring the University operates efficiently.

Cookies and first party tracking

Types of Data

We use cookies and clear GIFs. “Cookies” are small pieces of information that a website sends to a computer’s hard drive while a web site is viewed. We may use both session cookies (which expire once a web browser is closed) and persistent cookies (which stay on a device until deleted).  Among other things, cookies allow us to provide a more personal and interactive experience and to improve. Persistent cookies may be removed by following instructions provided by your browser.  If you choose to disable cookies some areas or features of our websites may not work properly.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in making our website operate efficiently.

Cookies and third party tracking

Types of Data

We use cookies to collect information about your use of our website.  This includes obtaining analytics from third parties regarding the total numbers of users to our sites.  The third parties that deploy cookies on our behalf may be able to track you across time and across websites.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in monitoring our networks and the visitors to our websites.  Among other things, it helps us understand which of our services are most frequently used.

Dispute Resolution

Types of Data

We collect information when individuals engage us in adjudicatory or regulatory proceedings.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in facilitating dispute resolution involving the University, our employees and students.

Email Interconnectivity

Types of Data

If you receive email from us we use certain tools to capture data related to when you open our message, click on any links or banners it contains and make purchases.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in understanding how you interact with our communications.

Feedback/Support

Types of Data

If you provide us feedback or contact us for support we will collect your name and e-mail address, as well as any other content that you send to us, in order to reply.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in receiving, and acting upon, your feedback or issues.

Health related information

Types of Data

We may collect health information about you for various reasons, such as providing clinical or research services or making accommodations for a physical or mental disability.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in assisting our students, employees, patients and visitors with health related requests and services.  We may need to retain a service provider to assist in providing an accommodation.

Mailing List

Types of Data

When you sign up for one of our mailing lists we collect your email address or postal address.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in sharing information about our products or services, and providing you with information that you request.

Publications

Types of Data

We collect information about the authors that submit material for publications, the people that appear in our publications and subscribers of our materials.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in keeping a record of submissions for publication and in understanding the background and experience of authors and prospective authors that are accepted for publication as well as subscriber contact information.  We also have a legitimate interest in recording information about those that appear in our publications including, for example, maintaining waivers and releases where appropriate for use of photographs.

Surveys

Types of Data

When you participate in a survey we collect information that you provide through the survey.  If the survey is provided by a third party service provider, the third party’s privacy policy applies to the collection, use, and disclosure of your information.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in understanding your opinions, and collecting information relevant to our organization.

Web logs

Types of Data

We collect information, including your browser type, operating system, Internet Protocol (IP) address (a number that is automatically assigned to a computer when the Internet is used), domain name, click-activity, referring website, and/or a date/time stamp for visitors.

Primary Purpose for Collection and Use of Data

We have a legitimate interest in monitoring our networks and the visitors to our websites.  Among other things, it helps us understand which of our services is the most popular.


In addition to the information that we collect from you directly, we may also receive information about you from other sources, including third parties, business partners, our affiliates, or publicly available sources.

How do we use your information?

In addition to the purposes and uses described above, we use information in the following ways:

  • To identify you when you visit our websites.
  • To provide products and services, including educational instruction.
  • To improve our services and product offerings.
  • To conduct analytics.
  • To respond to inquiries or requests.
  • To send marketing and promotional materials, including information relating to our institution and our educational programs.
  • For internal administrative purposes, as well as to manage our relationships with our students, employees, vendors and other with whom we do business.

Although the sections above describe our primary purpose in collecting your information, in many situations we have more than one purpose.  As a result, our collection and processing of your information is based in different contexts upon your consent, our need to perform a contract, our obligations under law, and/or our legitimate interest in operating a University.

With whom does the University share information?

In addition to the specific situations discussed elsewhere in this policy, we disclose information in the following situations:

  1. Affiliates. We may share information with our affiliates (g., subsidiaries, joint ventures, or other organizations under common control).
  2. Other Disclosures with Your Consent. We may ask if you would like us to share your information with other unaffiliated third parties who are not described elsewhere in this policy.
  3. Other Disclosures without Your Consent. We may disclose information in response to subpoenas, warrants, or court orders, or in connection with any legal process, or to comply with relevant laws. We may also share your information in order to establish or exercise our rights, to defend against a legal claim, to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property, or a violation of our policies, or to comply with your request for the shipment of products to or the provision of services by a third party intermediary.
  4. Public. We offer student and staff directories.  If you decide to submit information to our directory, or allow your information to be posted in our directory, that information will be publically available.
  5. Service Providers. We may share your information with service providers. Among other things service providers help us to operate our business, provide education, clinical and research services, administer our website, conduct surveys, provide technical support, process payments, and assist in the fulfillment of orders.

What rights do I have?

Under the GDPR, you have the right to:

  • Request access to, rectification of, and with some exceptions, erasure of your personal information
  • Request restriction of processing concerning your information or object to processing
  • Request a copy of your personal information
  • Withdraw your consent if the processing of your personal information was based on your consent
  • Lodge a complaint with the appropriate supervisory authority in the European Union

To exercise one of your rights you may contact the University using the information in the “Contact” section below.

How long is my personal information retained?

Your information is retained by the University in accordance with state and federal laws and University policy. The University will destroy your personal information on your request unless it is necessary to retain it or there are legal grounds for continued processing. The University may retain information on its backup systems.

How does the University protect personal information?

The University employs reasonable physical, technical and organizational safeguards designed to promote the security of our systems and protect the confidentiality, integrity and availability of personal information; however, we cannot guarantee that our safeguards will be effective or sufficient.  In the event that we are required by law to inform you of any unauthorized access to your personal information we may notify you electronically, in writing, or by telephone, if permitted to do so by law.

In what countries does the University process personal information?

The University is located within the United States.  As a result, if you reside outside of the United States and provide information to us your information may be processed in the United States where privacy laws may be less stringent than the laws in your country.  For example, the United States government may have a greater ability to access your personal information than might your local government.

Changes to This GDPR Privacy Notice

We may change our privacy policy and practices over time.  To the extent that our policy changes in a material way, the policy that was in place at the time that you submitted personal information to us will generally govern that information unless we receive your consent to the new privacy policy.

Contact Information

If you have questions about this GDPR Privacy Notice, you can contact:
David Valentine-Elam
Chief Privacy Officer
davalentineelam@wustl.edu
One Brookings Dr., St. Louis, Missouri, 63130