GDPR Privacy Notice

SUNY Buffalo State College (“Buffalo State”) is committed to respecting and protecting the privacy rights of persons in the European Economic Area (“EEA”), comprised of the European Union (“EU”) and the countries of Iceland, Norway, and Liechtenstein, pursuant to the EU General Data Protection Regulation (“GDPR”). This privacy notice outlines how Buffalo State collects, processes, discloses and uses information that you share with Buffalo State through our websites, other electronic systems, paper forms, and otherwise.

Applicability of this GDPR Privacy Notice

This GDPR Privacy Notice applies to you if all of the following factors are met:

  • You are a natural person—not a corporation, partnership, or other legal entity—who is physically present in the EEA;
  • “Personal Information”—any information that relates to or identifies you as an individual as is further described below—is provided while you are physically present in the EEA;
  • Such Personal Information is not earlier or later provided to Buffalo State while you are physically outside the EEA; and,
  • Such Personal Information is provided to Buffalo State:
    • During the course of Buffalo State offering you goods or services;
    • While Buffalo State is monitoring your behavior or health;
    • While you are associated with any of Buffalo State’s programs;
    • While you are participating in clinical research programs; or
    • While you are receiving health treatment.

Please note that information pertaining to current, former, or prospective employment with Buffalo State within the United States is not considered “Personal Information” and is excluded from this GDPR Privacy Notice.

Personal Information Buffalo State Collects

Buffalo State collects Personal Information – information relating to a personally identifiable individual – in order to fulfill its mission as a public institution of higher education.  Buffalo State requires Personal Information only when necessary.

Personal Information collected by Buffalo State typically includes an individual’s name, email address, phone number, transcript, academic record, student organization membership, work history, work performance, letters of recommendation, demographic information, documentation provided to support financial aid applications, donor information, IP addresses, browser and computer information, how you interact with our websites and electronic communications, and in some cases your medical and health information and information observed as part of a research study.

In addition to this, Buffalo State may process some information about you that is classed as “sensitive” or “special category” personal data, which requires additional protections. This includes information concerning your ethnicity, sexual orientation, religious beliefs or health/disability that we use for planning and monitoring purposes, or in order to provide care, help or suitable adjustments. For certain courses of study, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practice in certain regulated professions.

Access to, and the sharing of, your “sensitive” personal data are carefully controlled. You will normally be given further details about our use of any such data when we collect it from you.

Legal Basis for Processing Your Personal Information

Buffalo State’s processing activities of your Personal Information may rely on different lawful grounds depending on the circumstances. Generally speaking, we typically rely upon one or more of the following lawful bases to process your Personal Information under the GDPR:

  • Necessity to enter or for the performance of a contract (e.g., online applications, information provided when enrolling, or for payment information to pay tuition)
  • Necessity of Buffalo State’s legitimate interests or those of third parties (e.g., evaluate candidates for admissions, financial aid, housing, and/or maintain a community for alumni)
  • Necessity of Buffalo State’s compliance with legal requirements imposed by state or federal law
  • Consent (e.g., for the research projects you may participate in; for processing of special categories of personal data)

We consider the processing of your Personal Information to be either necessary for the performance of our contractual obligations with you (e.g. to manage your education, student experience and welfare while studying at Buffalo State), necessary for compliance with a legal obligation (e.g., visa monitoring), necessary for the performance of tasks we carry out in the public interest (e.g., teaching and research), or necessary for the pursuit of the legitimate interests of Buffalo State or an external organization (e.g., to enable your access to external services). Buffalo State requires you to provide us with any information we reasonably ask for to enable us to administer our relationship with you.  If we require your consent for any specific use of your personal information, we will collect it at the appropriate time, and you can withdraw this at any time. Where we ask for any “sensitive” information, such as that concerning your ethnicity, sexual orientation, religious beliefs or health/disability, you will normally have the option to refuse your consent by not supplying it.

How Buffalo State Obtains Personal Information

Buffalo State obtains your Personal Information:

  • From You, the Data Subject: Buffalo State may receive your Personal Information when you visit Buffalo State’s websites, apply for or attend classes or programs, apply for or take online courses, travel with Buffalo State to a location in the EEA, attend events sponsored by Buffalo State in the EEA, participate in clinical research, voluntarily or involuntarily receive medical treatment or services, or otherwise interact with Buffalo State in the EEA.
  • From Third Parties: Buffalo State may also receive your Personal Information from third parties. Examples include, without limitation, exam scores received from testing agencies, and registration information received from third parties that administer online courses. Buffalo State also may receive information from other individuals or institutions who provide treatment and services, from public health services, and from law enforcement, and from other clinical researchers, as well as from those who process the information provided on behalf of these entities.

Certain Personal Information collected by Buffalo State is required for Buffalo State to be able to provide you with educational services, employment, or treatment as a patient.  In the event you do not provide such information, Buffalo State may be unable to provide you with the requested services.

Use of Personal Information

How Buffalo State uses your Personal Information depends upon the context in which it was provided:

  • Prospective Students – Buffalo State uses your Personal Information in order to consider you for admission to a campus or a particular program, to award financial aid and merit-based scholarships, and to track the effectiveness of our communications and programs
  • Students – Buffalo State uses your Personal Information to provide you higher education services, comply with our legal obligations, enforce Buffalo State policies and procedures, and to improve the overall student experience on our campuses and effectiveness of our programs.  Some examples of these include registering you for classes, tracking attendance, evaluating your academic performance, submitting required reports to federal and state regulatory authorities and our accrediting bodies, providing you with academic and career advising, providing housing and food services, evaluating student organizations, evaluating academic programs, and providing letters of recommendation and transcripts to prospective employers or other institutions.
  • Alumni & Friends – Buffalo State uses your Personal Information to track, maintain, and evaluate our relationship with you, provide you with communications and invitations to campus events, assist you with obtaining employment or admission to another educational institution or program, and to evaluate academic and employment outcomes.
  • Prospective Employees – Buffalo State uses your Personal Information to consider you for employment, evaluate the effectiveness of our recruitment programs, establish minimum requirements for positions, and to improve the attractiveness of Buffalo State as an employer
  • Current Employees – Buffalo State uses your Personal Information to perform necessary tasks related to your status as an employee, to contact the appropriate person in the event of an emergency, to investigate violations of Buffalo State policy, and to improve the overall employment experience at Buffalo State.
  • Patients – Buffalo State uses your Personal Information to deliver health care services including billing and submission of claims to insurance companies, responding to your inquiries regarding your experience as a patient, complying with federal and state reporting requirements, and providing information to accrediting bodies 
  • Research Participants – Buffalo State uses your Personal Information to fulfill the objectives of a particular research project, and to provide any promised compensation or other incentives

Buffalo State may use your Personal Information for other purposes and will provide you with specific information at the time such alternate use arises. 

Sharing of Your Personal Information

Buffalo State does not sell your Personal Information and only shares your Personal Information with third parties if there is a legitimate institutional need to do so.  Buffalo State may share your Personal Information with the following recipients:

  • With SUNY System Administration and other campuses within the SUNY System in order to govern, administer, and improve the SUNY system.
  • With Buffalo State’s affiliated entities including the Research Foundation for the State University of New York, individual campus foundations, campus faculty student associations, and other affiliated entities in order to provide ancillary services.
  • With Buffalo State’s service providers that need access to your Personal Information in order to provide Buffalo State with services necessary to fulfill Buffalo State’s mission or improve the Buffalo State student or employee experience.
  • With accrediting agencies in order to obtain or maintain accreditations for Buffalo State’s and its affiliates’ various programs.
  • With the Federal, State, and local governments or regulatory authorities as required by law or as necessary to fulfill the mission of Buffalo State.

Please note that the College may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this GDPR Privacy Notice.

Your Rights Regarding your Personal Information

Buffalo State is committed to facilitating the exercise of the rights granted to you by the GDPR in a timely manner. In the context of our processing activities that are subject to the GDPR, you have the following rights regarding your personal information:

  • Access, correction and other requests – You have the right to obtain confirmation of whether we process your personal data, as well as the right to obtain information about the personal data we process about you. You also have a right to obtain a copy of this data. Additionally, and under certain circumstances, you may have the right to obtain erasure, correction, restriction and portability of your personal data.
  • Right to object – You have the right to object to receiving marketing materials from us by following the opt-out instructions in our marketing emails, as well as the right to object to any processing of your personal data based on your specific situation. In the latter case, we will assess your request and provide a reply in a timely manner, according to our legal obligations.
  • Right to withdraw consent – For all the processing operations that are based on your consent, you have the right to withdraw your consent at any time, and we will stop those processing operations as allowable by law.

In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, and/or Buffalo State policy. These include, without limitation, policies pertaining to student education records and policies pertaining to certain health records that Buffalo State maintains.

In order to exercise any of these rights, except the right to file a complaint with an EU supervisory authority, you should submit your request to the identified GDPR Buffalo State contact listed at the bottom of this Notice.

Please note that when you make requests based on these rights, if we are not certain of your identity, we may need to ask you for further personal information to be used only for the purposes of replying to your request.

Security of your Personal Information

Buffalo State implements appropriate physical, technical, and organizational security measures to protect your Personal Information consistent with the requirements of law and the policies of the SUNY Board of Trustees. 

Retention and Destruction of Your Personal Information

Buffalo State will retain your Personal Information for as long as there is a legitimate need to do so and in accordance with the SUNY Records Retention and Disposition Policy and applicable federal and state law. Retention periods vary and are established considering our legitimate interests and all applicable legal requirements.

Data Transfer Outside of the EEA

Buffalo State is based in the United States and is subject to U.S. and New York State law. Personal Information that you provide to Buffalo State will generally be hosted on U.S.-based servers. To the extent that Buffalo State needs to transfer your information either (a) from the EEA to the U.S. or another country or (b) from the U.S. to another country, Buffalo State will do so on the basis of either (i) an “adequacy decision” by the European Commission; (ii) EU-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting Buffalo State as set forth below; (iii) your explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with Buffalo State, measures generally taken at your request (e.g., for the transfer of personal data necessary for your application for admission). Please note that the U.S. is not currently considered a safe harbor country under the GDPR.

Concerns and Contact Information

If you have any concerns or questions about this notice or how your Personal Information is used, please contact us at Buffalo State will attempt to promptly address any concern you may have about our data collection and use policies. However, if you believe we have not been able to deal with your concern appropriately, you have a right to complain to your local data protection authority, as granted by Article 77 of the GDPR. You also have the right to submit a complaint in the Member State of your residence, place of work, or of an alleged infringement of the GDPR.

Updates to GDPR Privacy Notice

Buffalo State may update this GDPR Privacy Notice from time to time.  Any changes will become effective upon posting of the revised GDPR Privacy Notice.