Policy Summary

This policy outlines how Buffalo State collects, processes, discloses, and uses information that is shared with Buffalo State through its websites, other electronic systems, paper forms, and otherwise.


Buffalo State University (“Buffalo State”) is committed to safeguarding the privacy of personal information. This privacy notice, as required under the New York State Internet Security and Privacy Act, outlines the collection, use, processing and disclosure of personal information provided to Buffalo State by individuals including but not limited to: prospective students, applicants for admission, enrolled students and their parents or other family members; applicants for employment; employees and members of their immediate family; retirees, alumni, donors, event patrons, customers, contractors and vendors, research participants, and visitors to the university website.

New York State Internet Security and Privacy Act

Personal Information Buffalo State Collects

Buffalo State collects personal information (PI)—information relating to a personally identifiable individual—in order to fulfill its mission as a public institution of higher education. Buffalo State collects personal information only when necessary.

Personal information collected by Buffalo State may include:

  • an individual’s name, email address, and phone number
  • transcript, academic record, student organization membership
  • work history, work performance, letters of recommendation
  • demographic information
  • documentation provided to support financial aid applications
  • internet protocol (IP) addresses, browser and computer information; and information about how you interact with our websites and electronic communications, and
  • in some cases, your medical and health information or information observed as part of a research study.

Additionally, Buffalo State may process some information about you that is classed as “sensitive” or “special category” personal data, which requires additional protections. This includes information concerning ethnicity, sexual orientation, religious beliefs, or health/disability that we use for planning and monitoring purposes, or in order to provide care, help, or suitable adjustments.

Access to and the sharing of “sensitive” personal data are carefully controlled. You will normally be given further details about the use of any such data when it is collected. When asked for this “sensitive” information, you will normally have the option to refuse your consent by not supplying it.

In certain situations, other sensitive information may be processed, such as information about past criminal convictions, work with children or vulnerable adults, and fitness to practice in certain regulated professions.

Buffalo State does not collect information for commercial marketing purposes. Buffalo does not sell, rent, or otherwise disclose the information collected from buffalostate.edu for commercial marketing purposes.

Buffalo State does not knowingly collect personal information from children under the age of 13 or create profiles of children under the age of 13.

Users are cautioned that the collection of personal information submitted via e-mail will be treated as though it was submitted by an adult, and may, unless exempted from access by federal or state law, be subject to public access.


Buffalo State uses cookies and similar tools to improve the website experience and help us understand how visitors navigate our website. Visitors may disable cookies in their browser; however, our website may not work properly once this is done.

Please refer to our Cookie Policy for more information.

Buffalo State Cookie Policy

Buffalo State’s processing activities of your personal information may rely on different lawful grounds depending on the circumstances. Generally speaking, we rely upon one or more of the following lawful bases to process your personal information:

  • Necessity to enter or for the performance of a contract (e.g., online applications, information provided when enrolling, or for payment information to pay tuition)
  • Necessity of Buffalo State’s legitimate interests or those of third parties (e.g., evaluate candidates for admissions, financial aid, housing, and/or maintain a community for alumni)
  • Necessity of Buffalo State’s compliance with legal requirements imposed by state or federal law
  • Consent (e.g., for the research projects you may participate in; for processing of special categories of personal data)

We consider the processing of your personal information to be either necessary for the performance of our contractual obligations with you (e.g. to manage your education, student experience, and welfare while studying at Buffalo State), necessary for compliance with a legal obligation (e.g., visa monitoring), necessary for the performance of tasks we carry out in the public interest (e.g., teaching and research), or necessary for the pursuit of the legitimate interests of Buffalo State or an external organization (e.g., to enable your access to external services, special services, or community-based programs).

Buffalo State requires you to provide us with any information we reasonably ask for to enable us to administer our relationship with you. If we require your consent for any specific use of personal information, it will be collected at the appropriate time, and your permission can be withdrawn at any time.

General Data Protection Regulation (GDPR) Privacy Notice

The General Data Protection Regulation (GDPR) is a regulation in the European Union (EU) law on data protection and privacy for individual citizens in the European Economic Area (EEA). The EEA is comprised of the EU and the countries of Iceland, Norway, and Lichtenstein. This regulation also addresses the transfer of personal data outside the EU and EEA areas. Buffalo State is committed to respecting and protecting the privacy rights of persons pursuant to the GDPR.

This GDPR privacy notice applies to you if all of the following factors are met:

  • You are a natural person—not a corporation, partnership, or other legal entity—who is physically present in the EEA;
  • “Personal information”—any information that relates to or identifies you as an individual as is further described below—is provided while you are physically present in the EEA;
  • Such personal information is not earlier or later provided to Buffalo State while you are physically outside the EEA; and,
  • Such personal information is provided to Buffalo State:
    • During the course of Buffalo State offering you goods or services;
    • While Buffalo State is monitoring your behavior or health;
    • While you are associated with any of Buffalo State’s programs;
    • While you are participating in clinical research programs; or
    • While you are receiving health treatment.

Please note that information pertaining to current, former, or prospective employment with Buffalo State within the United States is not considered Personal Information and is excluded from this GDPR Privacy Notice.

In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, and/or Buffalo State policy. These include, without limitation, policies pertaining to student education records and policies pertaining to certain health records that Buffalo State maintains.

General Data Protection Regulation

How Buffalo State Obtains Personal Information

Buffalo State obtains your personal information:

  • From You, the Data Subject: Buffalo State may receive your personal information when you visit Buffalo State’s websites, apply for or attend classes or programs, apply for or take online courses, travel with Buffalo State to a location in the EEA, attend events sponsored by Buffalo State in the EEA, participate in clinical research, voluntarily or involuntarily receive medical treatment or services, or otherwise interact with Buffalo State in the EEA.
  • From Third Parties: Buffalo State may also receive your personal information from third parties. Examples include, without limitation, exam scores received from testing agencies, and registration information received from third parties that administer online courses. Buffalo State also may receive information from other individuals or institutions who provide treatment and services, from public health services, and from law enforcement, and from other clinical researchers, as well as from those who process the information provided on behalf of these entities.

Certain personal information collected by Buffalo State is required for Buffalo State to be able to provide educational services or employment. In the event an individual chooses not to provide such information, Buffalo State may be unable to provide the requested services.

Use of Personal Information

How Buffalo State uses personal information depends upon the context in which it was provided:

  • Prospective Students: Buffalo State uses personal information in order to consider applicants for admission to the university or a particular program, to award financial aid and merit-based scholarships, and to track the effectiveness of our communications and programs.
  • Students: Buffalo State uses personal information to provide higher education services, comply with our legal obligations, enforce Buffalo State policies and procedures, and to improve the overall student experience on our campus and effectiveness of our programs. Some examples of these include registering for classes, tracking attendance, evaluating academic performance, submitting required reports to federal and state regulatory authorities and our accrediting bodies, providing academic and career advising, providing housing and food services, evaluating student organizations, evaluating academic programs, and providing letters of recommendation and transcripts to prospective employers or other institutions.
  • Alumni and Friends: Buffalo State uses personal information to track, maintain, and evaluate our relationships, provide communications and invitations to campus events, assist with obtaining employment or admission to another educational institution or program, and to evaluate academic and employment outcomes.
  • Prospective Employees: Buffalo State uses personal information (excluding demographic information) to consider applicants for employment, evaluate the effectiveness of our recruitment programs, establish minimum requirements for positions, and to improve the attractiveness of Buffalo State as an employer.
  • Current Employees: Buffalo State uses personal information to perform necessary tasks related to an individual’s status as an employee, to contact the appropriate person in the event of an emergency, to investigate violations of Buffalo State policy, to improve the overall employment experience at Buffalo State.
  • Research Participants: Buffalo State uses personal information to fulfill the objectives of a particular research project, and to provide any promised compensation or other incentives.

Buffalo State may use personal information for other purposes and will provide you with specific information at the time such alternate use arises. 

The collection of information through buffalostate.edu and the disclosure of that information are subject to the provisions of the Internet Security and Privacy Act.

Buffalo State does not sell or rent Personal Information and only shares Personal Information with third parties if there is a legitimate institutional need to do so.

Buffalo State may collect or disclose personal information without consent if the collection or disclosure is: (1) necessary to perform the statutory duties of Buffalo State, or necessary for Buffalo State to operate a program authorized by law, or authorized by state or federal statute or regulation; (2) made pursuant to a court order or by law; (3) for the purpose of validating the identity of the user; or (4) of information to be used solely for statistical purposes that is in a form that cannot be used to identify any particular person.

Subject to applicable laws, Buffalo State may share your personal information with the following recipients:

  • With SUNY system administration and other campuses within the SUNY system in order to govern, administer, and improve the SUNY system.
  • With Buffalo State’s affiliated entities including the Research Foundation for the State University of New York, individual campus foundations, campus faculty-student associations, and other affiliated entities in order to provide ancillary services.
  • With Buffalo State’s service providers that need access to your personal information in order to provide Buffalo State with services necessary to fulfill Buffalo State’s mission or improve the Buffalo State student or employee experience.
  • With accrediting agencies in order to obtain or maintain accreditations for Buffalo State’s and its affiliates various programs. 
  • With the federal, state, and local governments or regulatory authorities as required by law or as necessary to fulfill the mission of Buffalo State.

Buffalo State may disclose personal information if the user has consented to the collection or disclosure of such personal information.

The voluntary disclosure of personal information to Buffalo State by the user constitutes consent to the collection and disclosure of the information by Buffalo State for the purposes for which the user disclosed the information to Buffalo State.

Please note that the university may provide anonymized data developed from personal information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this policy and the included GDPR Privacy Notice.

In addition to the GDPR, the disclosure of information, including personal information, collected by Buffalo State is subject to the provisions of the Freedom of Information Law, the Family Educational Rights and Privacy Act (FERPA), and the Personal Privacy Protection Law.

Freedom of Information Law

Family Educational Rights and Privacy Act

Personal Privacy Protection Law


Security of Personal Information

Buffalo State implements appropriate physical, technical, and organizational security measures to protect your personal information consistent with the requirements of law and the policies of the SUNY Board of Trustees. 

Retention and Destruction of Personal Information

Buffalo State will retain an individual’s personal information for as long as there is a legitimate need to do so and in accordance with the SUNY Records Retention and Disposition Policy and applicable federal and state law. Retention periods vary and are established considering our legitimate interests and all applicable legal requirements.

SUNY Records Retention and Disposition Policy

Your Rights Regarding Personal Information

Buffalo State is committed to facilitating the exercise of the rights granted to you, including those granted by the GDPR, in a timely manner. In the context of our processing activities, you have the following rights regarding your personal information:

  • Access, correction, and other requests: You have the right to obtain confirmation of whether we process your personal data, as well as the right to obtain information about the personal data we process about you. You also have a right to obtain a copy of this data. Additionally, and under certain circumstances, you may have the right to obtain erasure, correction, restriction, and portability of your personal data.
  • Right to object: You have the right to object to receiving marketing materials from us by following the opt-out instructions in our marketing emails, as well as the right to object to any processing of your personal data based on your specific situation. In the latter case, we will assess your request and provide a reply in a timely manner, according to our legal obligations.
  • Withdrawal consent: For all the processing operations that are based on your consent, you have the right to withdraw your consent at any time, and we will stop those processing operations as allowable by law.

In order to exercise any of these rights, except the right to file a complaint under the GDPR with an EU supervisory authority, you should submit your request to the Buffalo State privacy compliance officer. Contact information is listed at the bottom of this policy.

Please note that when you make requests based on these rights, if we are not certain of your identity, we may need to ask you for further personal information to verify your identity and to be used only for the purposes of replying to your request.

Data Transfer

Buffalo State is based in the United States and is subject to U.S. and New York State law. Personal Information that you provide to Buffalo State will generally be hosted on U.S.-based servers.  

If you are covered under the GDPR, then to the extent that Buffalo State needs to transfer your information, either (a) from the EEA to the U.S. or another country or (b) from the U.S. to another country, Buffalo State will do so on the basis of either (i) an “adequacy decision” by the European Commission; (ii) EU-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting Buffalo State as set forth below; (iii) your explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with Buffalo State measures generally taken at your request (e.g., for the transfer of personal data necessary for your application for admission). Please note that the U.S. is not currently considered a safe harbor country under the GDPR.

Responsibility for External Sites

While using the Buffalo State website you may encounter hypertext links to organizations not affiliated with Buffalo State. Buffalo State does not control the content or information practices of external organizations or third parties. We provide the links for your convenience, but we do not review, control, or monitor the privacy practices of websites operated by others. Therefore, whenever you leave the Buffalo State website, we recommend that you review each website’s privacy practices and policies before proceeding.

Concerns and Contact Information

If you have any concerns or questions about this notice or how your personal information is used, please contact us. Buffalo State will attempt to promptly address any concerns you may have about our data collection and use policies. However, if you believe we have not been able to deal with your concern appropriately and you are subject to GDPR, you have a right to complain to your local data protection authority, as granted by Article 77 of the GDPR. You also have the right to submit a complaint in the member state of your residence, place of work, or of an alleged infringement of the GDPR.

Contact Us: privacy@buffalostate.edu

Updates to this Policy

Buffalo State may update its privacy policy, including the GDPR Privacy Notice, from time to time. Any changes will become effective upon posting of the policy.


The following definitions apply to this policy:

  • Personal information: For purposes of this policy, "personal information" means any information concerning a natural person which, because of name, number, symbol, mark, or other identifier, can be used to identify that natural person.
  • User: shall have the meaning set forth in subdivision 8 of section 202 of the New York State Technology Law.

Related Information

Cookie Policy, Buffalo State University

Nondiscrimination Notice, Buffalo State

Privacy Policy, SUNY

Contact Information

For questions regarding this Internet privacy policy, please contact our privacy compliance officer:

Tom Killian
Interim Associate VP for IT and CIO
(716) 878-4558
Information Technology Services
Twin Rise Center C3
1300 Elmwood Avenue
Buffalo, NY 14222