Information Technology Services

Appalachian State University GDPR Privacy Notice

  1. Home
  2. Governance
  3. Data Governance
  4. Appalachian State University GDPR Privacy Notice

APPALACHIAN STATE UNIVERSITY GDPR Privacy Notice


I. Privacy Notice

The European Union’s General Data Protection Regulation (“GDPR”) is a data privacy law that applies to personal information collected about natural persons located in or from the European Union. Appalachian State University (the “University”) is committed to safeguarding the privacy of personal information, including compliance with the GDPR.

This Privacy Notice outlines the collection, use, and disclosure of personal information provided to the University by individuals in or from the European Union (hereinafter “Natural Persons”), including but not limited to:

• prospective students, including applicants for admission to University;
• matriculated students;
• applicants for employment, current employees and former employees;
• alumni and donors;
• contractors and vendors;
• visitors, guests and event participants;
• research subjects; and
• others who may visit the University’s websites.

When information is submitted to the University or you choose to use the University’s websites and other electronic data services, you consent to the collection, use, and disclosure of that information as described in this Privacy Notice.


II. Definitions of Information and Sensitive Information

The University, through interactions with students, employees, alumni, visitors to campus and others outside the University community, may use, collect and/or disclose “Information” and “Sensitive Information” for its legitimate business purposes.

As used herein, “Information” refers to all personally identifiable data, excluding Sensitive Information, concerning a Natural Person, created by or provided to the University by or about a Natural Person.

“Sensitive Information,” is Information about a Natural Person’s race, gender, ethnic origin, religious affiliation, physical or mental health, and criminal convictions.

III. University Use of Information and Sensitive Information

  1. The University collects, processes and discloses Information and Sensitive Information from and about Natural Persons only as necessary in the exercise of the University’s legitimate business interests, functions and responsibilities as a public institution of higher education. 
  2. The University collects, processes and may disclose Information and Sensitive Information from and about Natural Persons who are research subjects in the exercise of scientific, historical research, or statistical purposes.
  3. The University is required to collect and process Information from and about Natural Persons who are applicants for employment, current or former employees and immediate family members of employees in order to enter into or administer an employment relationship.
  4. The University collects, processes and may disclose Information and Sensitive Information from and about Natural Persons who apply to study at the University in degree programs, study abroad programs, distance education programs and certificate programs for the purposes of providing an education. This may include registration, enrollment, housing, financial aid, student accounts, academic advising, to deliver academic programs, track academic progress, analyze and improve the University’s education programs, recruitment of new students, regulatory reporting, audits, accreditation reviews and other related educational processes and functions. 
  5. The University collects, processes and shares Sensitive Information internally and externally, necessary to identify appropriate support services or activities, provide reasonable accommodations, enforce University policies or comply with applicable state or federal laws.
  6. The University collects, processes and shares Information and Sensitive Information from and about alumni and donors internally and with third parties for the purpose of maintaining alumni and donor relations. 
  7. The University collects and processes Information from and about Natural Persons that may visit the University’s websites for marketing, advertising and statistical purposes.

IV. Disclosure of Information to Third Party

Information and Sensitive Information of Natural Persons may be shared with third parties who have entered into contracts with the University to perform functions on behalf of the University, subject to the obligation of confidentiality and safeguarding from unauthorized disclosure. The University may disclose Information and Sensitive Information to third parties as follows:

  1. Consent: The University may disclose your Information and Sensitive Information if the University has your consent to do so.
  2. Emergency Circumstances: The University may share your Information and Sensitive Information when necessary to protect your health and safety, and you are physically or legally incapable of providing consent.
  3. Employment Necessity: The University may share your Sensitive Information when necessary for administering employment or social security benefits in accordance with applicable law, subject to the application of appropriate safeguards to prevent further unauthorized disclosure.
  4. Charitable Organizations: The University may share your Information with the Appalachian State University Foundation, Inc. in connection with charitable giving subject to the application of appropriate safeguards to prevent further unauthorized disclosure.
  5. Public Information: The University may share your Information and Sensitive Information if you have otherwise made it public.
  6. Performance of a Contract: The University may share your Information and Sensitive Information when necessary to administer a contract you have with the University.
  7. Legal Obligation: The University may share your Information and Sensitive Information when state or federal laws and regulations require the disclosure.
  8. Service Providers: The University use third parties who contract with the University to support the administration of University operations. In such cases, the University may share your Information and Sensitive Information with such third parties subject to the application of appropriate safeguards to prevent further unauthorized disclosure.
  9. De-Identified and Aggregate Information: The University may use and disclose your Information and Sensitive Information in de-identified or aggregate form without limitation.

V. Security

The University implements appropriate technical and organizational security measures to protect your Information and Sensitive Information both when transmitted to the University and when the University stores the information in our information technology systems. For further information regarding Data Security please visit the ITS Office of Information Security website located here, https://security.appstate.edu/.

VI. Retention and Destruction of Your Information

Your Information and Sensitive Information will be retained by the University in accordance with applicable federal and state laws, and the applicable retention periods in the University of North Carolina System Records Retention and Disposition Schedule which can be found here, https://www.northcarolina.edu/legal-affairs/records-retention.

Your Information and Sensitive Information will be destroyed upon your request unless applicable law or policy requires permanent retention or destruction after the expiration of an applicable retention period. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of your information given the level of sensitivity, value, and criticality to the University.

VII. Your Rights

Under the GDPR you have the following rights:

  1. To request access to or transfer of your PII;
  2. To request information about the methods for collection, storage and processing of your PII;
  3. To request information about any third parties that receive your PII;
  4. To request restrictions on the use or disclosure of my PII if you believe any data is processed unlawfully;
  5. To request corrections to any PII that appears incomplete or inaccurate and for those corrections to be made by University if, in its sole discretion, it deems the information to be incomplete or inaccurate;
  6. To object to the collection, retention, and use of your PII if there are legitimate grounds for such objection; 
  7. To file a complaint with the appropriate authorities in the United States or European Union; and 
  8. To withdraw your consent to the collection, processing and use of your PII at any time. Your withdrawal of consent does not affect the University's lawful use of the Information or Sensitive Information prior to receipt of your request.

VIII. Updates to this Privacy Notice

This GDPR Privacy Notice may be amended from time to time. Any such changes will be posted on this page. The effective date of this GDPR Privacy Notice is May 25, 2018.