Website Privacy Notice

Learn about the privacy notices surrounding UMGC Europe's website.

EU GDPR Web Privacy Notice

This notice provides certain required information to persons located in the European Union (“EU”), a European Economic Area (“EAA”) member state, or Switzerland. Before the University collects any Personal Information from you, you are entitled under Regulation (EU) 2016/679 (commonly known as the EU General Data Protection Regulation, or the “GDPR”), to the information in this notice. The GDPR does not apply to the Processing of Personal Information from Data Subjects prior to May 25, 2018.

If you would like to review the GDPR Articles cited in this notice, please click here, https://www.eugdpr.org/.

Glossary:

Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense. 

  • Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
  • Controller: The entity that determines the purposes and means of the Processing of Personal Information.
  • Data: Element(s) of Information in the form of facts, such as numbers, words, names, or descriptions of things from which “understandable information” can be derived.
  • Data Subject: A natural person who is identified, or can be identified, by reference to their Personal Information.
  • Employee: University staff and faculty, including nonexempt, exempt and overseas staff, 12-month collegiate faculty, and collegiate traveling faculty.
  • Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.   
  • Information Resource: Anything that is intended to generate, store, or transmit Information.
  • Personal Information: Any Information relating to an identified or identifiable natural person, including but not limited to Personally Identifiable Information.  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Personally Identifiable Information: An individual’s first name and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
    • A social security number;
    • A driver's license number, state identification card number, or other individual identification number issued by a state government unit;
    • A passport number or other identification number issued by the United States government;
    • An Individual Taxpayer Identification Number; or
    • A financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual's account.
  • Privacy: The right of a party to maintain control over and Confidentiality of Information about itself.
  • Processed/Processing: Any operation or set of operations which is performed on Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Processor: The entity that processes Personal Information on behalf of the Controller.
  • Security: A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.
  • University: University of Maryland Global Campus (UMGC)

The Identity and Contact Details of the Controller/Data Protection Officer

Under the GDPR, the University will be deemed a Controller of your Personal Information. If you would like to contact the University in its capacity as Controller, please contact the University’s Data Protection Officer (DPO):

Shaun Graham
dpo@umgc.edu

The University’s Purposes and Legal Bases for Processing Personal Information

The University will only process your Personal Information for lawful purposes under the GDPR related to the University’s educational, charitable, and scientific purposes and arising from your relationship with the University as a Data Subject.

Types of Data Subjects the University interacts with include, but are not necessarily limited to, prospective, current, or former students (or such a student’s parent or guardian), Employees, Contractors, adjunct faculty, donors, research subjects, visitors to the University or its website, or attendees at University events.

The University will ordinarily collect and process your Personal Information because it is necessary for the performance of educational services to which you have sought or because the University has another legitimate interest in doing so. When the University cannot rely on either of such legal grounds, it will ordinarily seek your prior consent, unless another GDPR basis can be asserted.

The purposes for which the University collects Personal Information, and the legal bases for Processing such Personal Information, as defined by GDPR, are summarized in the chart that appears below.

In the chart, each reference to (a) “necessary for the performance of a contract” shall be deemed to mean, “Necessary for the performance of a contract or agreement to which you are a party, or preliminary steps leading up to such a contract or agreement;” (b) The University’s “legitimate interest” shall require a prior “balancing test” determination by the University that its legitimate interest in Processing your Personal Information is not overridden by your interests or fundamental rights and freedoms in protecting such Personal Information; and (c) your “prior consent” shall mean your voluntarily consent, given prior to the Processing of your Personal Information. If you would like additional details as to the University’s legitimate interest “balancing test” determination under clause (b), please contact the University DPO using the contact information provided above.

Purpose for Processing

GDPR Legal Bases for Processing

Student Admissions Applications and Other Student Data:

Obtaining admissions applications, transcripts, test scores and related documents to determine applicants’ qualifications for admission, and preparing related correspondence

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in collecting Data needed to evaluate an applicant’s personal and educational background in order to make admissions decisions and otherwise process such applications, and in compiling statistical Data for mandated reporting and evaluation of University services
  • Your prior consent

Staff and Faculty Job Applications:

Obtaining job applications, resumes, background checks, and other background materials from job applicants; and preparing related correspondence

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in collecting Data needed to evaluate an applicant’s personal, educational, and work background in order to make an employment decision and otherwise process such applications, and in compiling statistical Data to evaluate the University’s diversity, affirmative action, and equal opportunity performance
  • Your prior consent

Managing Student Accounts:

Establishing and administering student accounts, issuing invoices, Processing payments and refunds, preparing related correspondence, and, if necessary, pursuing collection efforts

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in charging tuition, fees, and other charges and collecting amounts due related to a student’s education in order to maintain the University’s fiscal stability

Managing Payroll Accounts:

Collecting forms needed to satisfy regulatory requirements (such as IRS W-9 forms), and other documents necessary to prepare payroll checks, manage direct deposits, make withholdings, issue IRS W-2 forms, process pension and retirement contributions and payments, and perform related payroll matters

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in collecting necessary Data so that the University can, in a timely and accurate manner, and in compliance with applicable laws, pay its staff and faculty their salaries, make appropriate withholdings, and make required reports to and file required documents with applicable government agencies
  • Your prior consent

Managing Benefits Accounts:

Collecting and Processing benefit election and claim forms in order to manage staff and faculty benefits including medical, vision, dental, and other insurance coverages, pension and retirement accounts, charity contributions, beneficiary designations, and related benefit matters

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in collecting necessary Data so that the University can, in a timely and accurate manner, and in compliance with applicable laws, provide staff and faculty, their dependents, and retirees with applicable benefits, and make required reports to and file required documents with the IRS and other government bodies and third-party benefit administrators
  • Your prior consent

Managing Expenses, Purchasing, and Reimbursements:

Collecting, issuing, and Processing expense requests, purchasing invoices, receipts, approvals, payment records, bank account information, checks, and electronic payments

 

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in collecting necessary Data so that the University can account for expenses, pay bills on time, recover amounts owed to the University, and otherwise administer the University’s day-to-day financial affairs

Administering Student Financial Assistance and Scholarship Programs:

Accepting, reviewing, and making decisions related to financial assistance programs, including preparing, executing, monitoring, and enforcing scholarship and loan agreements and documenting such financial assistance

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in helping students find financial resources to pay for their education, in complying with third-party lender and federal and state requirements, and documenting and administering such financial assistance programs
  • Your prior consent

Class Registration, Enrollment, and Education Records:

Registering students for courses, confirming completion of required coursework, accepting, reviewing, and evaluating student course work, and operating education-related software to support the learning environment

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in establishing that students are enrolled and completing classes necessary to satisfy enrollment requirements (which may also be a condition to eligibility for certain benefits) and degree requirements, and scheduling and staffing courses, assigning coursework and administering exams, and facilitating group instruction and learning

Evaluating Academic Performance and Granting Degrees:

Assigning grades and other performance measures; confirming satisfaction of required coursework and out-of-class requirements applicable to the awarding of degrees; preparing transcripts and diplomas; maintaining long-term graduation and performance records and providing these to employers

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in evaluating student performance, awarding degrees, recognizing outstanding achievements, holding graduation ceremonies, evaluating academic integrity by using biometric data, and providing its graduates, prospective employers, and other institutions with documentation confirming such performance, degrees, and achievements

Evaluating Staff and Faculty Performance:

Preparing and Processing evaluations (including self-evaluations), maintaining personnel and disciplinary files, compiling other performance measure Data

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in evaluating the performance of its staff and faculty for purposes of promotions, tenure decisions, disciplinary action, setting salaries, and improving productivity

Providing Student Support Services:

Providing advising services, transfer credit evaluations, reasonable accommodations, library and tutoring services, and other related services

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in promoting, assisting, and monitoring student accessibility, educational progress, physical and mental health and well-being, and evaluating the use and outcomes of such services
  • Your prior consent

Security Measures:

Taking measures to protect persons and property (both physical, personal, and digital) through issuance of identification cards, encryption, firewalls, password, reset questions, surveillance cameras, login systems, card-swiping and similar entrance/exit tracking devices, and other security efforts

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in ensuring the physical and digital security of its campus and the members of the University community, and in preventing, detecting, and taking enforcement action with respect to criminal and other unlawful and/or unauthorized activity; such legitimate interest includes sharing security Data with federal, state, and local law enforcement authorities, as required or permitted by law

Complaint, Misconduct, and Grievance Processes:

Enabling students, staff, and faculty to file and process complaints, such as those related to sexual misconduct, fair practices, academic integrity, arbitrary and capricious grading, and other types of grievance and misconduct issues

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in providing policies and procedures that help ensure fairness in University practices and deter and otherwise address alleged misconduct that is connected to the University. This includes but is not limited to the reporting, investigating, adjudicating, appealing, and sanctioning of alleged misconduct

Offering Access to University Information Resources and Services:

Providing authorized users appropriate access to Information Resources including University email accounts, storing Data on University servers (and servers of third-party processors), allowing students, faculty, staff, and alumni, and other authorized persons the right to use University-licensed software, providing access to educational platforms, assessment tools, social media, library digital collections

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in providing access to University Information Resources for business operations and learning purposes, in assuring the University’s compliance with applicable licenses and contracts relating to the use of such Information Resources, in securing Data on such Information Resources, in monitoring them, and in performing maintenance, analytics, and upgrades

Assisting With Out-of-Class Experiential Opportunities and Job Placement:

Identifying hospitals, clinics, schools and employers who will offer practice opportunities, classroom teaching experience, and similar internships, and helping place students and graduates in jobs

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in setting up experiential learning opportunities for students that will supplement their University instruction, and enhance their job readiness and future employment prospects, and in helping graduates find employment
  • Your prior consent

Recruitment and University Marketing:

Tracking inquiries and website activity and conducting ad campaigns on third party websites and networks, including through the use of “cookies” and similar tracking files, to identify and recruit prospective students, faculty, and staff

  • The University has a legitimate interest in identifying both interested and qualified students to attend the University and interested qualified staff and faculty to work at the University

Research, Data Analytics, and Data Reporting:

Conducting educational, scientific, and other research and related statistical analysis

  • The University has a legitimate interest in carrying out interviews, evaluations, longitudinal studies and other research activities to advance knowledge and translate such research into activities and applications that help ensure the quality of University services and provide students the best opportunities for success
  • Your prior consent

Alumni and Advancement Communications:

Maintaining contact information for alumni and donors in order to send correspondence, magazines, newsletters, online communications, invitations, and to seek and accept gifts and donations

  • The University has a legitimate interest in maintaining an ongoing relationship with alumni for informational, networking, job placement, continuing education, and fund-raising purposes, and in communicating the University’s programs and successes to the general public

Insurance Claim Processing:

Obtaining and evaluating Personal Information pertaining to claims of bodily injury, property damage, and other liability claims, including collecting medical reports and health insurance information, personal financial information, police reports, or other relevant Data, including Data required by the University's insurers

  • Such Processing is necessary for the performance of a contract
  • The University has a legitimate interest in obtaining the factual information needed to evaluate the merits of a claim so in order to decide on the appropriate resolution of incidents involving loss or injury
  • Your prior consent

Complying with Legal Obligations:

Compiling and providing information required under applicable laws and regulations, including, but not limited to, the Internal Revenue Code, Title IV, Title IX, Family Educational Rights and Privacy Act (FERPA), Americans with Disabilities Act, Higher Education Act, and Family Medical Leave Act (FMLA)

  • The University has a legitimate interest in complying with applicable legal obligations imposed under U.S. Federal, state, local, as well as international laws and regulations

Categories of Recipients Who May Receive Your Personal Information and Third Parties Who May Provide Your Personal Information

The specific categories of recipients who may receive your Personal Information depend on whether you are a prospective, current, or former student (or such student’s parent or guardian), a faculty or staff member, or a Contractor, donor, supporter, or research subject, or have some other status, and the types of Personal Information that you provide. The categories of recipients are likely to include one or more of the following:

  • As to Personal Information needed to accomplish university business described above, Employees and third parties working on behalf of the University may receive your Personal Information;
  • As to Personal Information required by U.S. federal departments and agencies, employees of the federal government, including but not limited to, personnel in the Department of Education, Department of Defense, the Department of Justice (Office of Civil Rights), and the Department of Treasury (Internal Revenue Service), may receive your Personal Information;
  • As to Personal Information required by State of Maryland departments and agencies, employees of the State of Maryland, including but not limited to, personnel in the University System of Maryland, the Maryland Higher Education Commission, and the Maryland Attorney General’s Office, and their respective divisions, agencies, and offices, may receive your Personal Information;
  • Third parties who underwrite, administer, or provide services related to the University’s health insurance, pension, retirement and other benefit programs may receive your Personal Information;
  • Lenders and other third parties who assist in originating, monitoring, and collecting student loans, scholarships, and other financial assistance programs, may receive your Personal Information; and
  • Third-party Processors who host and process Data may receive your Personal Information.

In certain instances, the University, in its capacity as a Controller, may acquire your Personal Information from a third party, and not directly from you.

If you would like more details as to the recipients receiving your Personal Information or the third parties from whom the University may obtain your Personal Information, please contact the University DPO using the contact information provided above.

Transfer of Personal Information to the United States

Personal Information that you provide while in the EU, an EAA member state, or Switzerland will be transferred to the United States. The GDPR permits such transfer so long as certain legal requirements have been satisfied. In transferring your Personal Information, the University will employ suitable safeguards to protect the Privacy and Security of your Personal Information so that it is only used in a manner consistent with your relationship with the University and this privacy notice.

How Long Will Your Personal Information Be Stored?

The GDPR requires that your Personal Information be kept no longer than necessary. The applicable time period will depend on the nature of such Personal Information and will also be determined by legal requirements imposed under applicable laws and regulations. If you have specific questions concerning how long a certain type of Personal Information will be retained, please contact the University DPO using the contact information provided above.

You Have Certain Rights to Control Your Personal Information

Articles 15-21 of the GDPR give you the right to control your Personal Information by directing the University, as Controller, to do one or more of the following, subject to certain conditions and limitations:

  • Allow you to access your Personal Information to see what Data the University has collected concerning you;
  • Correct (rectify) any inaccuracy in your Personal Information;
  • Delete (erase) your Personal Information, unless the University can demonstrate that retention is necessary or that the University has other overriding legitimate grounds for retention;
  • Restrict the Processing of your Personal Information;
  • Transfer your Personal Information to a third party (portability); and
  • Upon your objection, stop Processing Personal Information when the University is relying on a legitimate interest basis for Processing such Data unless the University can demonstrate compelling legitimate grounds for Processing that override your interests in prohibiting such Processing.

If You Consent to the Processing of Your Data, You Can Withdraw Such Consent

If the University relies on your written consent to collect and process your Personal Information, you can subsequently withdraw such consent as to any further Processing of such Personal Information by contacting the University DPO using the contact information provided above.

GDPR Remedies Include the Right to File A Complaint with a Supervisory Authority

If you believe your rights under the GDPR have been violated, the GDPR gives you the rights and remedies set forth in GDPR Articles 77-82. These include the right to file a complaint with the applicable data protection supervisory authority in the country in which you are physically present.

Are You Obligated to Provide Personal Information?

As discussed above, the University will sometimes ask you to provide Personal Information that is necessary in order to provide you services or otherwise conduct business with you, to perform obligations under a contract to which you are a party, or to satisfy certain legal requirements binding upon the University. If you do not provide such Information, the University will not be able to fulfill is contractual obligations or comply with such legal requirements, and you will not be eligible to receive the benefits that may result. For example, if you do not provide Personal Information needed to process an admission application or financial aid, you will not be admitted to the University or awarded financial aid. Similarly, if you do not provide legally required Information required for a background check related to a job position, you may not be eligible for such job.

You Have The Right to Know If the University Uses Your Personal Information In Automated Decision-Making, Including Profiling

The GDPR limits the University’s right to use your Personal Information for predictive purposes as part of an automated decision-making process, including profiling. Such a process uses your Personal Information, such as preferences, interests, behavior, locations, and personal movement, to make an analytically-determined decision, instead of a personalized, individual decision. The GDPR limitation does not apply when such automated decision-making is necessary for the performance of a contract to which you are, or will be, a party. The University primarily will rely upon personalized, individual decision-making and does not intend to use Personal Information in automated decision-making processes. However, if the University intends to use automated decision-making processes, as defined by GDPR, the University will take all necessary steps in order to do so in a compliant manner.

Cookies

University websites, Google Analytics, and selected third-party online advertising networks store small fragments of text, called "cookies," in a website visitor's web browser with limited Data, such as how the visitor was directed to the website (for example, from an advertisement), which advertisement was displayed to the visitor, whether the visitor has submitted a form, or how recently the visitor last accessed University websites.

The University uses these cookies to measure the performance of University websites and advertising, to provide interest-based advertising messages, and to inform development of new content, functionality, or services. Please review your Internet browser's help file for instructions on rejecting or deleting cookies.

Please note: Some website pages and applications that use cookies may not function properly, may provide less relevant Data, or may be slower if cookies are rejected.

Targeted Advertising

The University partners with third party media agencies to run advertisements and to measure performance of that advertising across a myriad of placements, which may include, websites, mobile applications, streaming television and audio platforms, or a variety of television and radio networks.

The University’s advertising efforts include ads targeted to new prospective students; prospective students who have previously visited the university’s web properties; and current and/or former students.

Audiences targeted with university advertisements are identified within advertising networks and/or platforms based on a variety of qualifiers (demographics, behaviors, etc.). The given qualifiers used are based on advertising performance data and aggregate data on prospective, current, and/or former students. The University shares limited Personal Information with third parties in order to conduct targeted advertising.

University digital advertisements may appear on a variety of sites across the internet, or within applications, including those owned and operated by advertising networks/platforms, such as Google, Bing, Facebook, or Verizon Media. University advertisements are not guaranteed to appear on all of these sites at any given time and this list is to serve as a representative sample of the types of channels used within the university’s digital advertising efforts. 

The University and its third-party vendors use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) to inform, optimize, and serve advertisements based on a visitor's past visits to University websites. These cookies are also used to report on data related to the serving of each ad, including impressions, interactions, form completions, and related performance information.

Opting Out of Targeted Advertising and Other University Marketing Communications

To opt-out of targeted University advertising on specific websites/advertising networks, including but not limited to University targeted advertising, please use the links provided below. As some sites/networks do not provide specific tools to opt out of personalized advertising, you may also want to review how cookies are being used/stored in the internet browser you are using via your browser settings and/or closely monitor your privacy settings on any social media channels utilized. 

Advertising Channel

How To Opt-Out of Personalized or Targeted Advertising

Bing/Microsoft

Access Microsoft’s Personalized Ad Settings

Facebook

Manage Your Facebook Ad Preferences

Google

Access Google’s Ad Settings

LinkedIn

Manage Your LinkedIn Ad Settings

Snap Chat

Manage Your Snapchat Ad Preferences

Verizon

Access Verizon Media’s Privacy Dashboard & Controls

After you have opted out from personalized or targeted advertising on a given site or network, you may continue to see targeted advertising from other companies or advertising networks and you may continue to see university advertising that does not use the selected targeting scripts or networks.

Marketing Communications