SUNY Buffalo State College (“Buffalo State”) is committed to respecting and protecting the privacy rights of persons in the European Economic Area (“EEA”), comprised of the European Union (“EU”) and the countries of Iceland, Norway, and Lichtenstein, pursuant to the EU General Data Protection Regulation (“GDPR”). This privacy notice outlines how Buffalo State collects, processes, discloses and uses information that you share with Buffalo State through our websites, other electronic systems, paper forms, and otherwise.
This GDPR Privacy Notice applies to you if all of the following factors are met:
Please note that information pertaining to current, former, or prospective employment with Buffalo State within the United States is not considered “Personal Information” and is excluded from this GDPR Privacy Notice.
Buffalo State collects Personal Information – information relating to a personally identifiable individual – in order to fulfill its mission as a public institution of higher education. Buffalo State requires Personal Information only when necessary.
Personal Information collected by Buffalo State typically includes an individual’s name, email address, phone number, transcript, academic record, student organization membership, work history, work performance, letters of recommendation, demographic information, documentation provided to support financial aid applications, donor information, IP addresses, browser and computer information, how you interact with our websites and electronic communications, and in some cases your medical and health information and information observed as part of a research study.
In addition to this, Buffalo State may process some information about you that is classed as “sensitive” or “special category” personal data, which requires additional protections. This includes information concerning your ethnicity, sexual orientation, religious beliefs or health/disability that we use for planning and monitoring purposes, or in order to provide care, help or suitable adjustments. For certain courses of study, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practice in certain regulated professions.
Access to, and the sharing of, your “sensitive” personal data are carefully controlled. You will normally be given further details about our use of any such data when we collect it from you.
Buffalo State’s processing activities of your Personal Information may rely on different lawful grounds depending on the circumstances. Generally speaking, we typically rely upon one or more of the following lawful bases to process your Personal Information under the GDPR:
We consider the processing of your Personal Information to be either necessary for the performance of our contractual obligations with you (e.g. to manage your education, student experience and welfare while studying at Buffalo State), necessary for compliance with a legal obligation (e.g., visa monitoring), necessary for the performance of tasks we carry out in the public interest (e.g., teaching and research), or necessary for the pursuit of the legitimate interests of Buffalo State or an external organization (e.g., to enable your access to external services). Buffalo State requires you to provide us with any information we reasonably ask for to enable us to administer our relationship with you. If we require your consent for any specific use of your personal information, we will collect it at the appropriate time, and you can withdraw this at any time. Where we ask for any “sensitive” information, such as that concerning your ethnicity, sexual orientation, religious beliefs or health/disability, you will normally have the option to refuse your consent by not supplying it.
Buffalo State obtains your Personal Information:
Certain Personal Information collected by Buffalo State is required for Buffalo State to be able to provide you with educational services, employment, or treatment as a patient. In the event you do not provide such information, Buffalo State may be unable to provide you with the requested services.
How Buffalo State uses your Personal Information depends upon the context in which it was provided:
Buffalo State may use your Personal Information for other purposes and will provide you with specific information at the time such alternate use arises.
Buffalo State does not sell your Personal Information and only shares your Personal Information with third parties if there is a legitimate institutional need to do so. Buffalo State may share your Personal Information with the following recipients:
Please note that the College may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this GDPR Privacy Notice.
Buffalo State is committed to facilitating the exercise of the rights granted to you by the GDPR in a timely manner. In the context of our processing activities that are subject to the GDPR, you have the following rights regarding your personal information:
In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, and/or Buffalo State policy. These include, without limitation, policies pertaining to student education records and policies pertaining to certain health records that Buffalo State maintains.
In order to exercise any of these rights, except the right to file a complaint with an EU supervisory authority, you should submit your request to the identified GDPR Buffalo State contact listed at the bottom of this Notice.
Please note that when you make requests based on these rights, if we are not certain of your identity, we may need to ask you for further personal information to be used only for the purposes of replying to your request.
Buffalo State implements appropriate physical, technical, and organizational security measures to protect your Personal Information consistent with the requirements of law and the policies of the SUNY Board of Trustees.
Buffalo State will retain your Personal Information for as long as there is a legitimate need to do so and in accordance with the SUNY Records Retention and Disposition Policy and applicable federal and state law. Retention periods vary and are established considering our legitimate interests and all applicable legal requirements.
Buffalo State is based in the United States and is subject to U.S. and New York State law. Personal Information that you provide to Buffalo State will generally be hosted on U.S.-based servers. To the extent that Buffalo State needs to transfer your information either (a) from the EEA to the U.S. or another country or (b) from the U.S. to another country, Buffalo State will do so on the basis of either (i) an “adequacy decision” by the European Commission; (ii) EU-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting Buffalo State as set forth below; (iii) your explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with Buffalo State measures generally taken at your request (e.g., for the transfer of personal data necessary for your application for admission). Please note that the U.S. is not currently considered a safe harbor country under the GDPR.
If you have any concerns or questions about this notice or how your Personal Information is used, please contact us at firstname.lastname@example.org. Buffalo State will attempt to promptly address any concern you may have about our data collection and use policies. However, if you believe we have not been able to deal with your concern appropriately, you have a right to complain to your local data protection authority, as granted by Article 77 of the GDPR. You also have the right to submit a complaint in the Member State of your residence, place of work, or of an alleged infringement of the GDPR.
Buffalo State may update this GDPR Privacy Notice from time to time. Any changes will become effective upon posting of the revised GDPR Privacy Notice.