Ferris Data Privacy and Security Resources
Effective as of February 16, 2021
Personal Information We Collect
Information You Give Us
Personal information you may provide through the Site or otherwise communicate to us includes:
- Contact information. We collect information about you when you provide contact information to us via email, mail, or through the Site, including as a result of creating an account, filling out an application for admission through the Site, registering for a contest, making a donation to us, or registering for a campus visit. This information may include your first and last name, email address, mailing address, phone number, and credit card information
- Sensitive personal information. We collect information that may be considered sensitive, such as your country of citizenship, race, gender, and social security number, through our Site’s online application process.
- Feedback and correspondence. We may collect information about you when you request information, respond to surveys, or otherwise correspond with us.
Information We Get From Others
We may obtain additional information about you from third party sources, such as service providers, vendors, social media sites, and advertising agencies to provide you with more relevant information about our services.
Information Automatically Collected
We use Google Analytics to help us gather statistical information about the visitors to our Site and how they use the Site on an anonymous, aggregate basis. However, we will not associate this data with your personally identifiable data unless required to do so to cooperate with law enforcement activity or other governmental request or to comply with law. We may use this information to gain a better understanding of the users of our Site, to improve our Site, and to improve our services. Depending on the type of browser and device that you use, you may have the ability to control the type of information that Google Analytics use. To understand how Google Analytics collects and processes data, please visit www.google.com/policies/privacy/partners/. We reserve the right to license or sell aggregate, de-identified information about the visitors to our Site, but this information will not contain your personal information or otherwise be individually identifiable.
Sensitive Personal Information
We may collect some sensitive personal information (e.g., social security numbers, information related to racial or ethnic origin, gender, and criminal background) through the Site as a result of our online application process for admission. In collecting this sensitive personal information, Ferris respects individual privacy, protects against unauthorized access to or use of information, and complies fully with all laws and government regulations in the collection, use, storage, display, distribution and disposal of such information. Authorized uses of sensitive information within Ferris are limited to uses which are necessary to: a) meet our legal and regulatory requirements; b) facilitate access to services, transactions, facilities and information; or c) otherwise support efficient academic and administrative processes.
How We Use Your Personal Information
To Provide the Site and Communicate with You
We use your personal information:
- to provide, maintain and improve the Site;
- to better understand your needs and interests, and personalize your experience with the Site;
- to process applications for admission that you submit through the Site;
- to register you for events, classes, and contests;
- to respond to your requests, questions, comments, and feedback; and
- to perform website analytics and database management services.
To Create and Maintain Your Account
When you enroll at Ferris, an account is created for you using certain personal information you provided during the enrollment process. You have choices about the information included in your account profile. You do not have to provide additional information on your profile; however, additional profile information may help you get more from our services. It is your choice whether to include sensitive information on your profile and to make that sensitive information public. Please do not post or add personal data to your profile that you would not want to be publicly available.
To Send You Communications
We may send you newsletters or other communications, but you may opt out of receiving them as described in the Your Choices section below. Your information may be used both while you are a current student at Ferris and after you have graduated from Ferris.
To Advertise To You
For Compliance, Fraud Prevention and Safety
We may use your personal information as we believe appropriate to: (a) investigate or prevent violation of the law or your agreements with us; (b) protect our, your or others’ rights, privacy, safety or property (including by prosecuting and defending legal claims); (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity; (d) comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; and (e) where permitted by law in connection with a legal investigation. For example, we may share information with law enforcement to reduce the risk of fraud or if someone uses or attempts to use our site for illegal reasons.
With Your Consent
In some cases we may ask for your consent to collect, use or share your personal information.
How We Share your Personal Information
We do not share your personal information with third parties without your consent, except in the following circumstances:
Ferris-Related and Affiliated Organizations
We may share your personal information with third party companies and individuals as needed for them to provide us with services that help us with our business activities and to promote our services to you. A list of our current service providers is available upon request.
We may share your personal information with our business partners who offer a service to you jointly with us. A list of our current business partners that have access to certain personal information we collect is available upon request.
Security, Compliance, Fraud Prevention, Safety; Compliance with Law
We may disclose your personal information as we believe appropriate to government or law enforcement officials or private parties for the purposes described above under the following sections: For compliance, fraud prevention and safety and for compliance with law.
We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy.
Opt Out of Marketing Communications
You may opt out of marketing-related emails by changing the communication preferences in your account settings or by following the opt-out prompt in the email. To opt out of other forms of marketing communications, please contact us using the contact information provided at the end of this Policy.
Consequences of Not Providing Personal Information
What are Cookies?
Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies set by the website are called “first party cookies”. Cookies set by parties other than the website are called “third party cookies”. Third party cookies enable third party features or functionality, such as advertising or website analytics, to be provided on or through the website. The parties that set these third party cookies can recognize your computer or device both when it visits the website in question and also when it visits certain other websites and/or mobile apps.
What Cookies and Other Tracking Technologies does Ferris Use?
How Can You Disable Cookies and Other Tracking Technology?
Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit All About Cookies and Your Online Choices. Some Internet browsers also may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit All About Do Not Track.
Other Important Privacy Information
Third Party Sites and Services
The Site may contain links to other websites and services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. We do not control third party websites, applications or services, and we are not responsible for their actions. Other websites and services follow different rules regarding their collection, use and sharing of your personal information. We encourage you to read their privacy policies to learn more.
The security of your personal information is important to us. We take a number of organizational, technical and physical measures that are designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the absolute security of your personal information.
International Data Use
We are located in the United States and have affiliates and service providers in other countries, and your personal information may be collected, used and stored in the United States or other locations outside of your home country. Privacy laws in the locations where we handle your personal information may not be as protective as the privacy laws in your home country.
Verifying, Changing, and Deleting Your Information
If you have registered for an account through our Site, you can access, review and manage many changes yourself via your account, including updating your profile information and changing your communication preferences. If the information you are seeking is not available within your account, you can contact us as detailed below and ask us to change, update or fix your information in certain cases, particularly if it is inaccurate. You can also request that we erase or delete all or some of your personal information or otherwise object to, limit, or restrict the use of such information (if we have no legal right or legitimate business interest in retaining such information).
The Site is not intended for use by anyone under the age of 13, nor do we knowingly collect or solicit personal information from anyone under the age of 13. If you are under 13, you should not attempt to use the Site or send any information about yourself to us.
Notice to European Users
The following applies to individuals in the European Economic Area.
Legal bases for processing
We are required to inform you of the legal bases of our processing of your personal information, which are described in the table below. If you have questions about the legal basis of how we process your personal information, contact us using one of the methods detailed at the end of this Policy.
|To provide the Site, communicate with you, create and maintain your account, and process your application for admission submitted through the Site.||
You are subject to a contract with us and we need to use your personal information to provide services you have requested or take steps that you request prior to providing services.
|To establish and administer student accounts, issue invoices, and process payments and refunds.||
You are subject to a contract with us and we need to use your personal information to provide services you have requested or take steps that you request prior to providing services.
Ferris has a legitimate interest in charging tuition, fees, and other charges and collecting amounts due related to your education in order to maintain the university’s fiscal stability.
|To accept, review, and make decisions related to financial assistance programs, including preparing, executing, monitoring, and enforcing grant, scholarship, and loan agreements and notes documenting such financial assistance.||
You are subject to a contract with us and we need to use your personal information to provide services you have requested or take steps that you request prior to providing services.
Ferris has a legitimate interest in helping you find financial resources to pay for your education, in complying with third-party lender and federal and state requirements, and documenting and administering such financial assistance programs.
|To register you for courses, confirm completion of required course work, accept, review, and evaluate student course work, and for accreditation and collaborative purposes.||
Ferris has a legitimate interest in establishing that you are enrolled and completing classes necessary to satisfy enrollment requirements (which may also be a condition to eligibility for certain benefits) and degree requirements, and scheduling and staffing courses, in assigning and evaluating homework, administering tests, and facilitating group instruction and learning.
|To assign grades and other performance measures; confirm satisfaction of required classwork and out-of-class requirements applicable to the awarding of degrees; prepare transcripts and diplomas; and maintain long-term graduation and performance records and provide these to employers.||
Ferris has a legitimate interest in evaluating student performance, awarding degrees, recognizing outstanding achievements, holding graduation ceremonies, and providing its graduates and prospective employers with information confirming such performance, degrees, and achievements.
|Maintain contact information for alumni and donors in order to send correspondence, magazines, newsletters, online communications, invitations, and to seek and accept gifts and donations.||Ferris has a legitimate interest in maintaining an ongoing relationship with alumni for informational, networking, job placement, continuing education, and fund-raising purposes, and in communicating the university’s programs and successes to the general public.|
To send you marketing communications.
For compliance, fraud prevention, and safety.
|These processing activities constitute our legitimate interests. We consider and balance the potential impact on your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).|
|For compliance with law.||Processing is necessary to comply with our legal obligations.|
|With your consent.||Where we specifically ask for your consent to process your personal information, such processing is based on your consent. Where we rely on your consent, you have the right to withdraw it anytime in the manner indicated on the Site.|
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
European data protection laws give you certain rights regarding your personal information. You may ask us to take the following actions in relation to your personal information that we hold:
- Access. Provide you with information about our processing of your personal information and give you access to your personal information.
- Correct. Update or correct inaccuracies in your personal information.
- Delete. Delete your personal information.
- Transfer. Transfer a machine-readable copy of your personal information to you or a third party of your choice
- Restrict. Restrict the processing of your personal information.
- Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.
You may submit these requests by contacting us as detailed at the end of this Policy. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or response to your requests regarding your personal information, you may contact us or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.
Cross-Border Data Transfers
How to Contact Us
Please contact us at one of the following and let us know if you have any questions or comments about our policies and practices.
Ferris State University: [email protected]
Kendall College of Art and Design (including Design West Michigan and Wege Prize): [email protected]
Urban Institute for Contemporary Arts: [email protected]
You may also direct your inquiries to: Ferris State University 1201 S. State Street Big Rapids, Michigan 49307 United States of America Attn: Web Marketing Manager Phone: (231) 591-2000
The European Union (“EU”) General Data Protection Regulation (“GDPR”) requires Ferris State University (“Ferris”) to have in place appropriate safeguards to protect information relating to an identified or identifiable natural person residing in the European Economic Area (“Personal Data”). Ferris’ policy is to establish and maintain appropriate safeguards and controls related to the Processing of Personal Data as required by the GDPR (“Processing/Processed”). Processing and or Processed under GDPR means any operation performed on Personal Data, including but not limited to collection, use, disclosure, storage, retrieval, erasure or destruction. This Policy sets forth the expected behaviors of Ferris and its workforce members relating to the Processing of any Personal Data belonging to Ferris or a third party (i.e., a Data Subject).
2 SCOPE AND POLICY STATEMENT
This Policy applies to all Personal Data Processed in electronic or physical form
by or on behalf of Ferris, and applies to all Ferris workforce members responsible
for such Processing. Capitalized terms not defined in this Policy have been defined
by GDPR. This Policy does not override any other applicable data privacy laws that
apply to Ferris.
Ferris is committed to conducting its business in accordance with all applicable data protection laws and regulations and in line with the highest standards of ethical conduct. Ferris, as a Controller under the GDPR, is responsible for ensuring compliance with GDPR and the data protection requirements outlined in this Policy. Noncompliance may expose Ferris to complaints, regulatory action, fines and/or reputational damage. Ferris’ leadership is fully committed to ensuring continued and effective implementation of this Policy and expects all Ferris workforce members to share in this commitment.
Ferris has in place a consistent level of data protection and security measures across its organization, including the protections and procedures contained in its Information Security Policy and Guidelines and HIPAA Policies & Procedures. Ferris has also established additional procedures for the Processing of Personal Data. The purpose of this Policy is to address the protections and rights that individuals have in regards to the Processing of their Personal Data and how Ferris is continuously working to maintain these protections and rights.
For the purposes of this Policy:
- Consent of the Data Subject means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
- Controller means the natural or legal person, public authority, agency, or other body, which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- Data Subject means an identified or identifiable natural person, which is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
- Processor means a natural or legal person, public authority, agency, or other body, which Processes Personal Data on behalf of the Controller.
- Special Categories of Personal Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data or data concerning a natural person’s sex life or sexual orientation, Genetic Data, or Biometric Data. Genetic Data means Personal Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. Biometric Data mean Personal Data resulting from specific technical Processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
- Supervisory Authority means a supervisory authority which is concerned by the Processing of personal data because: (a) the Controller or Processor is established in the territory of the Member State of that supervisory authority; (b) Data Subjects residing in the Member State of that supervisory authority are substantially affected or likely to be affected by the Processing; or (c) a complaint has been lodged with that supervisory authority.
4 GDPR DATA PROTECTION PRINCIPLES AND COMPLIANCE MEASURES
Article 5 of GDPR sets forth six data protection principles for Personal Data that Ferris must abide by to comply with the GDPR:
- Personal Data must be Processed lawfully, fairly, and in a transparent manner;
- Personal Data should only be collected for specified, explicit, and legitimate purposes;
- Personal Data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is Processed;
- Personal Data must be accurate and, where necessary, kept up to date;
- Personal Data must be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed; and
- Personal Data must be Processed in a manner that ensures the appropriate security of Personal Data at all stages of the Personal Data lifecycle, including using appropriate technical and organizational measures to protect against unauthorized or unlawful Processing and against accidental loss, destruction, or damage.
Thus, GDPR requires Controllers like Ferris to provide detailed, specific information to Data Subjects about their Personal Data. This information includes the identity of the Controller and how and why Ferris will Process, protect, and retain the Personal Data. This information must be presented to the Data Subject when the Data Subject first provides his or her Personal Data to Ferris.
The following sections are designed to address Ferris’ GDPR compliance efforts in greater detail.
- Policies and Procedures
Ferris must implement the appropriate technical and organizational measures to ensure that Data Subjects’ rights are protected. Ferris has developed its Information Security Policy and Guidelines Policies and Procedures, and its Website Policy and Procedures to fulfill the requirements and standards under the GDPR and other relevant data protection laws. These Policies and Procedures specifically address the mechanics of how Ferris protects and retains various categories of information, including Personal Data.
- Legal Basis for Processing
Ferris must review all Processing activities to identify the legal basis for Processing and ensure that each basis is appropriate for the activity to which it corresponds. Legal purposes for Processing Personal Data include: consent; Processing necessary for the performance of a contract between Ferris and the Data Subject or Controller; Processing necessary to meet Ferris’ legal compliance obligations; Processing necessary to protect a Data Subject’s vital interests; or Processing necessary for Ferris to pursue its legitimate interests, as long as such interests are not overridden by the interests or fundamental rights and freedoms of the Data Subject. Additionally, Ferris must continually audit its Processing activities to ensure that the legal bases for such Processing are accurate and up to date.
- Obtaining Consent from Data Subjects
In those circumstances when Ferris relies on consent to Process any Personal Data, Ferris’s consent mechanisms for obtaining Personal Data from Data Subjects must ensure that the individuals understand when they are providing Consent and why and how Ferris uses the information Processed with their Consent. Consent requires an affirmative action on the part of the Data Subject, and must be clearly indicated, either by a statement or a positive action to the Processing. Data Subjects must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honored. Ferris will keep records of all consents of Data Subjects in accordance with Subsection H, below.
- Direct Marketing
Ferris may send direct marketing communications to a Data Subject only with the Data Subject’s prior opt-in Consent where another legal basis for sending the communication is not clearly established. In all cases, including where prior opt-in Consent of the Data Subject is not required, Ferris shall offer the Data Subject the opportunity to opt-out of such direct marketing communications. If a Data Subject objects to receiving marketing communications from Ferris, or withdraws his or her Consent to receive such communications, Ferris will take steps to refrain from sending further marketing within the time period required by the GDPR and other applicable law.
- Data Protection Impact Assessments
When Ferris seeks to implement new technologies in how it Processes Personal Data, it will evaluate whether it needs to conduct an assessment of the impact of the new Processing operations (a “Data Protection Impact Assessment” or “DPIA”) to determine the level of risk associated with the new Processing activity and whether a new legal basis for such Processing is required. A DPIA is required when the new Processing activity is likely to result in a high risk to the rights and freedoms of natural persons. Examples of when a DPIA is required include the following cases:
- a systematic and extensive evaluation of personal aspects relating to Data Subjects based on automated Processing, including profiling, and on which decisions are based that produce legal effects concerning or otherwise significantly affecting the Data Subject;
- Processing special categories of Personal Data (see Subsections I and J) on a large scale; or
- a systematic monitoring of a publicly accessible area on a large scale.
- Third-Party Processors
When Ferris engages third parties to Process Personal Data on its behalf (each, a “Third Party Processor”), Ferris shall follow its due diligence procedures to confirm that such Third Party Processors are Processing Personal Data properly and according to GDPR. This includes putting in place a Data Processing Agreement (as more fully described in Subsection G, below) and monitoring its Third Party Processors’ security standards and GDPR compliance efforts.
- Data Processing Agreements
For the purposes of this Policy, “Data Processing Agreement” or “DPA” means a GDPR-compliant agreement for Processing Personal Data. When Ferris desires to engage Third Party Processors, Ferris shall put in place DPAs to ensure the Third Party Processors meet and understand Ferris’ GDPR obligations as well as their own. Ferris will not transfer Personal Data to Third Party Processors that cannot comply with a DPA and that do not agree to put adequate compliance measures in place.
- Record Keeping
Ferris must keep full and accurate records of all of its data Processing activities, including records of Data Subjects’ consents and Ferris’s procedures for obtaining consents when Ferris is acting as a Controller. The records shall include, at a minimum, clear descriptions of: the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage location, Personal Data transfers, the Personal Data’s retention period, and a description of the security measures in place. All of the records described above will be kept in compliance with the following:
- Documenting Policies and Procedures. Ferris will maintain a copy of this Policy for six years beyond the date the documents cease to be effective.
- Documenting Authorizations and Responses to Exercise Individual Rights. Ferris will maintain for a period of six years from the date the document was last
effective, the following documents:
- individual consents for the Processing of Personal Data;
requests to exercise individual rights related to Ferris’ Processing activities (see Section 5, below), and the related response to the request, which will be maintained for six years beyond the date of the most recent entry on the form, and which shall include:
- the individual whose Personal Data was disclosed
the date of the disclosure
a brief statement of the request, purpose for the disclosure, and Personal Data disclosed
if Ferris elects not to grant an individual’s request, Ferris must maintain legal justification of such denial for a period of six years from the date of denial.
In addition to the documents listed above, Ferris may at its discretion maintain any additional documents it believes are appropriate relating to requests by individuals to exercise their individual rights under GDPR.
The obligation to retain documents relating to individual rights is limited to requests made to Ferris for documents maintained by Ferris. When Personal Data is held by a Ferris third party service provider, Ferris will work with the service provide to ensure Ferris properly maintains the required documentation relating to individual rights.
- individual consents for the Processing of Personal Data;
- Documenting Personal Data Breaches. Ferris will maintain for a period of six years
from the date a Personal Data Breach was fully resolved, the following documents:
- a summary of the Data Breach that would enable the Supervisory Authority to verify
compliance with GDPR, including:
the relevant facts related to the Personal Data Breach
the effects (or anticipated effects) of the Personal Data Breach
the remedial actions taken by Ferris
whether Ferris notified anyone of the breach (and the categories of persons notified)
if notification to any party was delayed, the reasons for such delay
if Ferris determines notification is necessary, a copy of the notices sent to the Supervisory Authority and Data Subjects
or if Ferris determines it does not need to notify the Supervisory Authority or any Data Subjects, the rationale behind Ferris’ determination.
- a summary of the Data Breach that would enable the Supervisory Authority to verify compliance with GDPR, including:
- Documenting Data Processing Agreements. Ferris will maintain copies of all DPAs with all Third-Party Processors for a period of six years from the date the contract was last in effect.
- Documenting Training. Ferris will maintain documentation demonstrating the dates when employees with access to Data were trained concerning the Privacy Rules and any applicable Policies and Procedures, for a period of six years from the date each training session was concluded.
- Documenting Complaints. Ferris will maintain documentation of all complaints that Ferris receives of violations of this Policy or GDPR, and all documentation relating to disposition of the complaints. Ferris will maintain these documents for six years from the date of a complaint’s final disposition.
- Documenting Disciplinary Action. Ferris will maintain documentation of all disciplinary action that Ferris has taken against employees for violations of this Policy or GDPR, for a period of six years from the date of the disciplinary action.
- Documenting Mitigation Efforts. Ferris will maintain all documents relating to Ferris’ efforts to minimize the harmful effects of any unauthorized Processing for a period of six years from the date of the action. Such documentation will include known details of the unauthorized Processing, details of Ferris’ efforts to retrieve Personal Data or halt the improper Processing, and all correspondence relating to the unauthorized Processing.
- Special Categories of Personal Data
When Ferris Processes Special Categories of Personal Data under GDPR, including race and ethnic origin, religious or philosophical beliefs, political opinions, trade union memberships, biometric data used to identify an individual, genetic data, health data, or data related to sexual preferences and/or sexual orientation, it must do so only when necessary and when Ferris has first identified the appropriate legal basis for Processing such Personal Data.
Permissible legal bases for Processing Special Categories of Personal Data are set forth under Article 9 of the GDPR and include Processing necessary to establish, exercise or defend legal claims or Processing with the express consent of the Data Subject. Where Ferris relies on consent for Processing, it must ensure the consent is explicit and is verified by a signature, with the right to modify or remove consent being clearly communicated in writing.
Ferris will protect and store all Special Categories of Personal Data in accordance with its Information Security Policy and Guidelines.
- Personal Data Related to Criminal Convictions
Personal Data related to criminal convictions is subject to strict requirements under Article 10 of the GDPR; therefore, Processing of this type of Personal Data requires approval by Ferris’ General Counsel. Ferris may only Process Personal Data related to criminal convictions and offenses if it has consent from the Data Subject to do so and if such Processing is carried out only under the control of an official authority or the Processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of Data Subjects. Information related to criminal convictions and offenses must be protected and stored by Ferris in accordance with its Information Security Policy and Guidelines.
- Transferring Personal Data Across Borders
Ferris may not transfer Personal Data outside of the European Union unless there are appropriate safeguards between the parties or the European Commission has determined that the country outside the European Union ensures an adequate level of protection. For transfers from the European Union to the United States, appropriate safeguards include Privacy Shield certification by the United States recipient or Standard Contractual Clauses in addition to a Data Processing Agreement (see Subsection G).
5 RESPONDING TO DATA SUBJECTSFerris recognizes that Data Subjects have certain rights under GDPR related to the Processing of their Personal Data. These include rights to:
- request access to their Personal Data that Ferris holds (Article 15); 18811566-2 8
- correct, or ask Ferris to correct, the Personal Data that Ferris holds (Article 16);
- ask Ferris to erase Personal Data (Article 17);
- in certain circumstances, restrict Ferris’ Processing (Article 18) or object to Ferris’ Processing activities entirely (Articles 21-22); and
- receive a copy of their Personal Data or ask for their Personal Data to be transferred to a third party (Article 20).
- Ferris will strive to provide information to the individual in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
- Information should be provided to a Data Subject in writing, or electronically by other means, even if the original request is submitted orally, such as over the phone or face to face.
- Ferris shall act on a request from an individual unless Ferris is unable to establish his or her identity.
- Ferris shall provide information without delay (within one month from the date of request).
- The response timetable may be extended by an additional two months for complex or a high volume of requests. The individual must be informed of this extension and the reasons for this extension before the end of the initial one-month period.
- If it is decided that Ferris will not comply with a request, Ferris must inform the individual without delay, stating the reason(s) and informing the individual of their right to complain to a supervisory authority.
- Generally, responses to requests will be made free of charge, unless they are unfounded or excessive, in which case Ferris will either charge a reasonable fee or refuse to fulfill the request.
- If there is doubt about an individual’s identity, Ferris may request further information to establish it.
- Tracking Data Subject Requests
- All Data Subject requests received by Ferris should be forwarded immediately to the
[email protected] email address. The Committee must track the following information regarding Data
Subject requests in accordance with Section 4.H.i:
- Receipt date of Data Subject request.
- Data subject name.
- Requester name (if applicable).
- Email address, phone number, or other contact information to respond to a Data Subject’s request.
- Individual assigned to handling Data Subject request.
- Request status (new, in progress, completed).
- Request format.
- Request type.
- Request details.
- Final response date.
- Final disposition. 18811566-2 9
- All Data Subject requests received by Ferris should be forwarded immediately to the [email protected] email address. The Committee must track the following information regarding Data Subject requests in accordance with Section 4.H.i:
- Verifying the Identity of Individuals
- Ferris’ first step to responding to Data Subjects’ rights requests is verifying the
identity of the Data Subject submitting the request as follows:
- In Person. If the Data Subject making the request is not known to the Ferris employee receiving the request, the employee will take appropriate steps to verify the identity of the Data Subject which may include reviewing and making a copy of a valid photo identification issued by a government agency.
- By Telephone. If the Data Subject requests Personal Data over the telephone and the
employee is reasonably able to positively identify the Data Subject over the telephone,
no further verification is required. Ferris may request that the Data Subject provide
his or her address, telephone number, and other Personal Data that Ferris has on file
to confirm his/her identity. If the employee cannot verify the identity of the Data
Subject, the employee will instruct the Data Subject to make the request in person,
or direct the Data Subject to send the request in writing.
- By Email. If the Data Subject makes the request through email: From within Ferris’ email system: If the request is from a Ferris employee or student and originates within the Ferris email system, the email is considered authenticated because of the log-in procedures that the employee must use to gain access to his or her account through the Ferris email system. Ferris employees receiving such requests will be trained on the risk of compromised emails.
- From outside the Ferris email system: If the request from a Data Subject originates from another email system or a public email service (e.g. yahoo.com), the person receiving the request must verify the authenticity of the email. If it is not possible to verify the authenticity of the email, the Data Subject should be asked for additional, nonsensitive Personal Data such as address, telephone number, and other Personal Data that Ferris has on file. The additional information should then be compared with the Personal Data Ferris has on record. If the Personal Data does not match, or if there is any doubt as to the identity of the person making the request, contact the Committee, as appropriate.
- In Writing. If the individual submits a written request for Personal Data, compare the Personal Data provided in the written request with Personal Data Ferris has on record. If the Personal Data does not match, or if there is any doubt as to the identity of the person making the request, contact the Committee through the [email protected] email address, as appropriate. Ferris may develop a form to use for written requests.
- Ferris’ first step to responding to Data Subjects’ rights requests is verifying the identity of the Data Subject submitting the request as follows:
- Identifying and Locating Relevant Data 18811566-2 10
- The Committee will identify the departments that might reasonably be considered to hold Personal Data relevant to the request. Ferris General Counsel will be informed of any Data Subject request that involves searching through Ferris student data. The relevant department leader will work to collect the Personal Data about the Data Subject from all relevant sources, including, but not limited to, emails, electronic files and documents, and electronic systems, databases, and hard copy files. This may also include submitting a formal request to obtain a student file. The Committee will retain internal documents that show the steps and efforts made to locate relevant Personal Data.
- Responding to Data Subject Rights Requests
- In responding to all the Data Subject rights requests laid out below, the Committee
will determine whether Ferris has a legal basis under the GDPR not to respond to a
Data Subject’s request (see Section 5.E, below). If Ferris denies a Data Subject’s
request, it must inform the Data Subject of the reason for the denial and of the individual’s
ability to file a complaint with a supervisory authority (the data protection authority
for the relevant member state) and seek a judicial remedy. Note that the procedures
set forth below assume Ferris is acting as a Controller. If Ferris believes it is
acting as a Processor it should consult with legal counsel prior to responding to
a Data Subject’s request, as Ferris’ position as a Processor will require Ferris to
work with the Controller in responding to the Data Subject’s request.
- Responding to Personal Data Access Requests
- Data Subjects have the right to request access to their Personal Data Processed by Ferris under the GDPR. In response to a Data Subject access request, the Committee must, unless an exemption applies under Section 5.E, provide Data Subjects with the following information about Ferris’s Personal Data Processing activities:
- The purposes of Processing.
- Categories of Personal Data Processed.
- Recipients or categories of recipients who receive Personal Data from Ferris.
- How long Ferris stores the Personal Data, or the criteria Ferris uses to determine retention periods.
- Information on the data source if Ferris does not collect it directly from the Data Subject.
- Information on the safeguards Ferris uses to secure transfers of Personal Data to non-EU countries or to an international organization.
- Whether Ferris uses automated decision-making, including profiling, the auto-decision logic used, and the consequences of this Processing.
- The Data Subject’s right to:
- request correction or erasure of their Personal Data;
- restrict or object to certain types of Processing with respect to their Personal Data; and
- make a complaint with the local data protection authority. 18811566-2 11
- Unless an exemption applies under Section 5.E, the Committee must provide the Data Subject with a copy of the Personal Data Ferris Processes about the Data Subject in a commonly used electronic form.
- Responding to Personal Data Correction (Rectification) Requests Data
- Subjects have the right to have their inaccurate Personal Data rectified. Rectification can include having incomplete Personal Data completed, for example, by a Data Subject providing a supplementary statement regarding the data. Where such a request is made, the Committee must rectify the Personal Data without undue delay unless a basis exists under Section 5.E to deny the request.
- Responding to Erasure Requests
- Data Subjects have the right, in certain circumstances described below, to have Ferris
erase their Personal Data. Where such a request is made, the Committee must, unless
a basis exists under Section 5.E to deny the request, erase the Personal Data that
is the subject of the request if:
- the Personal Data is no longer necessary for the purpose Ferris collected it;
- the Data Subject withdrew consent to Ferris’ Processing activities and no other legal justification for Processing applies;
- Ferris unlawfully Processed the Personal Data; or
- EU or member state law requires Ferris to erase the Personal Data to comply with a legal obligation.
- If Ferris determines that it must erase the Personal Data in response to the request, the Committee must identify each recipient to whom Ferris disclosed the Personal Data that is the subject of the erasure request. The Committee must instruct the Processor to erase the Personal Data. The Committee must also notify the Data Subjects about Ferris’ Processors if they request information regarding other parties with access to their Personal Data.
- In regard to the right to erasure specifically, Ferris may refuse to implement a Data
Subject erasure request if Ferris Processes Personal Data that is necessary for one
of the following reasons, provided that Ferris must still inform the Data subject
that it is unable to fulfill the request based on such reason:
- Exercising the right of freedom of expression or information.
- Complying with a legal obligation under EU or member state law or performing of a task carried out in the public interest.
- For reasons of public interest related to public health.
- For scientific or historical research or statistical purposes that are in the public interest, where such purpose would be seriously impaired if the erasure request was fulfilled.
- Establishing, exercising, or defending legal claims. 18811566-2 12
- Data Subjects have the right, in certain circumstances described below, to have Ferris erase their Personal Data. Where such a request is made, the Committee must, unless a basis exists under Section 5.E to deny the request, erase the Personal Data that is the subject of the request if:
- Responding to Objections to, or Requests to Restrict, Personal Data Processing
- Data Subjects have the right to request that Ferris restricts the Processing of their
Personal Data or object to the Processing of Personal Data outright. Unless a basis
exists under the “Denying a Data Subject Request” section of this Policy to deny such
request, Ferris must restrict Processing of the Personal Data if:
- The Data Subject contests the accuracy of the Personal Data. Ferris must restrict Processing the contested data until Ferris can verify its accuracy.
- The Processing is unlawful.
- Ferris no longer needs to Process the Personal Data, but the Data Subject needs the Personal Data for the establishment, exercise, or defense of legal claims.
- A Data Subject objects to Processing, even if the Processing is necessary for Ferris to perform a task in the public interest or to pursue Ferris’ or a third party’s legitimate interests, if there are no overriding legitimate grounds to Process the Personal Data.
- the Data Subject objects under GDPR Article 21(2) to Processing for direct marketing purposes.
- Where the Committee determines the restriction of Processing is appropriate, the Committee
must ensure that Ferris only Processes Personal Data either:
- With the Data Subject’s consent.
- For the establishment, exercise, or defense of legal claims.
- For the protection of the rights of another person.
- For reasons of important public interest.
- Data Subjects have the right to request that Ferris restricts the Processing of their Personal Data or object to the Processing of Personal Data outright. Unless a basis exists under the “Denying a Data Subject Request” section of this Policy to deny such request, Ferris must restrict Processing of the Personal Data if:
- Responding to Data Portability Requests
- In the circumstances described below, Data Subjects have the right to:
- Receive a copy of certain Personal Data from Ferris in a commonly used and machine-readable format and store it for further personal use on a private device.
- Transmit certain Personal Data to another Controller.
- Have Ferris transmit certain Personal Data directly to another Controller, where technically possible. The right to data portability only applies to Personal Data that is Processed by automated means, when Processing is either (1) based on the Data Subject’s consent; or (2) necessary to perform a contract with the Data Subject. Furthermore, the Personal Data covered by the right to data portability includes only Personal Data that the Data Subject knowingly and voluntarily provided to Ferris, such as name and contact information. It does not include data that Ferris creates from the information provided by the Data Subject. 18811566-2 13
- Unless an exemption applies under Section 5.E, the Committee must transfer the Personal Data that the Data Subject is requesting in a commonly used electronic format, or other format the Data Subject requests, so long as that format is reasonable.
- In the circumstances described below, Data Subjects have the right to:
- Responding to Personal Data Access Requests
- In responding to all the Data Subject rights requests laid out below, the Committee will determine whether Ferris has a legal basis under the GDPR not to respond to a Data Subject’s request (see Section 5.E, below). If Ferris denies a Data Subject’s request, it must inform the Data Subject of the reason for the denial and of the individual’s ability to file a complaint with a supervisory authority (the data protection authority for the relevant member state) and seek a judicial remedy. Note that the procedures set forth below assume Ferris is acting as a Controller. If Ferris believes it is acting as a Processor it should consult with legal counsel prior to responding to a Data Subject’s request, as Ferris’ position as a Processor will require Ferris to work with the Controller in responding to the Data Subject’s request.
- Denying a Data Subject Request
- Ferris will determine if it has a basis to deny a Data Subject request. Ferris may refuse to implement a Data Subject request for the following reasons:
- The Data Subject fails to provide sufficient proof for Ferris to verify his or her identity, or a third party fails to present sufficient proof of authority to make the request on the Data Subject’s behalf.
- Privacy laws provide a basis for denying the request.
- Ferris does not have any Personal Data related to the Data Subject’s request.
- No Personal Data Related to a Data Subject Request
- If Ferris does not have or Process Personal Data related to a Data Subject, Ferris should notify the Data Subject that it conducted a diligent search for records related to the Data Subject’s request and did not uncover responsive results.
- Ferris should keep all records related to the Data Subject’s request and any internal documents detailing the steps that Ferris took to locate the Personal Data, including the search methods utilized, in accordance with Section 4.H.
- Fees for Responding to Data Subject Requests
- Ferris must generally respond to a Data Subject request for free. However, Ferris may charge a fee when requests are manifestly unfounded or excessive, either because of their repetitive character or when the requests relate to large amounts of data. 18811566-2 14
6 REPORTING A PERSONAL DATA BREACH
In the event that Ferris becomes aware of a Personal Data Breach, Ferris will follow the same procedures set forth in its HIPAA Breach Notification Policy, subject to the following additional requirements:
- Notification to Supervisory Authorities
- Ferris will notify the applicable Supervisory Authority within 72 hours after becoming aware of the Personal Data Breach, unless Ferris determines that the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons, using a similar analysis as set forth in the HIPAA Breach Notification Policy related to determining whether data has been compromised. If any delay in reporting is necessary, the reasons for this delay must be communicated to the Supervisory Authority. In all cases, external reporting must be conducted within thirty (30) days.
- Notification to authorities must: (i) describe the nature of the Personal Data Breach including where possible, the categories and the approximate number of Data Subjects concerned, and the categories and the approximate number of Personal Data records concerned; (ii) include the name and contact details of a Ferris point of contact where more information can be obtained; (iii) describe the likely consequences of the Personal Data Breach; and (iv) describe the measures taken or proposed to be taken by Ferris to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. If it is not possible to provide all necessary information at the same time, the information may be provided in phases, without undue delay.
- Notification to Data Subjects
- If Ferris determined that the Personal Data Breach is likely to result in a high risk to Data Subjects, notification to such Data Subjects is also required, and such notice should align with the HIPAA Breach Notification Policy related to notification to individuals, but must also include the name of the Committee and contact information for the [email protected] email.
- Affected Data Subjects must be notified in the most expedient time possible, and without unreasonable delay, consistent with any measures necessary to determine the scope of the Personal Data Breach and to restore the reasonable integrity of the data system. Delay is permitted when a law enforcement agency has determined that notification will impede a criminal investigation. In such case, notification must occur as soon as the law enforcement agency determines that notification will no longer compromise the investigation. The factors considered when determining the timing of notification must be documented in accordance with Section 4.H.
- Documentation 18811566-2 15
- Ferris must document the details of any Personal Data Breach, including the notifications sent out or Ferris’ reasoning for not sending notification, in accordance with Section 4.H.
7 CHANGES TO THIS POLICY
Ferris will regularly review this Policy and update it as appropriate.
If you have any questions about this Policy, please contact Ferris’ Data Privacy and Security Committee at (231) 591-2331 or [email protected].