I. Lawful Basis for Collecting and Processing of Personal Data

Saint Mary’s College (“Saint Mary’s” or “the College”) takes seriously its duty to protect the personal data it collects or processes. The European Union General Data Protection Regulation (“EU GDPR”) imposes obligations on entities, like Saint Mary’s College, that collect or process personal data about people in the European Union (“EU”). The EU GDPR applies to personal data the College collects or processes about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country. 

For more information regarding the EU GDPR, please review the College’s EU General Data Protection Regulation Compliance Policy.

Most of the College’s collection and processing of personal data will fall under the following categories:

  1. Processing is necessary for the purposes of the legitimate interests pursued by Saint Mary’s College or third parties in providing education, employment, research and development, community programs.
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which Saint Mary’s College is subject.
  4. The data subject has given consent to the processing of his or her personal data for one or more specific purposes. 

There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.

II. Types of Personal Data collected and why

Saint Mary’s College collects a variety of personal and sensitive data to meet one of its lawful bases, as referenced above. Most often the data is used for academic admissions, enrollment, educational programs, job hiring, alumnae outreach, and fundraising. Data typically includes name, address, transcripts, work history, information for payroll, medical and health information (for student health services, or travel), and donations. If you have specific questions regarding the collection and use of your personal data, please contact the College’s Data Protection Officer/Chief Information Officer, Todd Norris, at tnorris@saintmarys.edu or (574) 284-4742.

If a data subject refuses to provide personal data that is required by Saint Mary’s College in connection with one of the College’s lawful bases to collect such personal data, such refusal may make it impossible for the College to provide education, employment, or other requested services.

III. Where Saint Mary’s College gets Personal and Sensitive Personal Data

Saint Mary’s College receives personal and sensitive personal data from multiple sources. Most often, Saint Mary’s College gets this data directly from the data subject or under the direction of the data subject who has provided it to a third party (for example, application for admission to Saint Mary’s College through use of the Common App).

IV. Individual Rights of the Data Subject under the EU GDPR

Individual data subjects covered by the College’s EU General Data Protection Regulation Policy will be afforded the following rights:

  1. information about the controller collecting the data;
  2. the data protection officer contact information;
  3. the purposes and legal basis/legitimate interests of the data collection/processing;
  4. recipients of the personal data;
  5. the existence of the right to know if the College intends to transfer personal data to another country or international organization;
  6. the period the personal data will be stored;
  7. the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability;
  8. the existence of the right to withdraw consent at any time;
  9. the right to lodge a complaint with a supervisory authority (established in the EU);
  10. the existence of the right to know why the personal data is required, and possible consequences of the failure to provide the data;
  11. the existence of automated decision-making, including profiling (if any); and
  12. the existence of the right to know if the collected data is going to be further processed for a purpose other than that for which it was collected.

Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.

Any data subject who wishes to exercise any of the above-mentioned rights may do so by filling such request with the College’s Data Protection Officer/Chief Information Officer, Todd Norris, at tnorris@saintmarys.edu or (574) 284-4742.

V. Cookies

Cookies are files that many websites transfer to users’ web browsers to enable the site to deliver personalized services or to provide persistent authentication. The information contained in a cookie typically includes information collected automatically by the web server and/or information provided voluntarily by the user.  Our website uses persistent cookies in conjunction with a third party technology partner to analyze search engine usage and web traffic patterns. This information is used in the aggregate to monitor and enhance our web pages. It is not used to track the usage patterns of individual users.

VI. Security of Personal Data subject to the EU GDPR

All personal data and sensitive personal data collected or processed by Saint Mary’s College under the scope of the College’s EU General Data Protection Regulation Compliance Policy  must comply with the security controls and systems and process requirements and standards of AACRAO.

The College will not share your information with third parties except:

  • as necessary to meet one of its lawful purposes, including  but not limited to,
    •  its legitimate interest,
    • contract compliance,
    • pursuant to consent provided by you,
    • as required by law;
  • as necessary to protect the College’s interests;
  • with service providers acting on our behalf who have agreed to protect the confidentiality of the data.

VII. Data Retention

Saint Mary’s College keeps the data it collects for the time periods specified in its Data Retention Policy as recommended by AACRAO.