GDPR Notice
Notice Specific to Persons Within the European Union and European Economic Area
If you are located in the EU or EEA, then our processing of your personal data may be subject to the General Data Protection Regulation, or the “GDPR”. GDPR is a data privacy law that applies to personal data collected in or from the EU or EEA.
In addition to UW–Madison’s general Privacy Notice, the GDPR Supplemental Privacy Notice outlines the collection, use, and disclosure of personal data provided to UW–Madison by individuals while located in the EU and/or the EEA including but not limited to:
- prospective students
- applicants for admission
- enrolled students
- alumni
- employees – prospective, current, and former
- research subjects
- donors
- contractors and vendors
- event participants
- customers
When you submit information to UW–Madison or use UW–Madison’s websites and/or other electronic services, you consent to the collection, use, and disclosure of that information as described in this Privacy Notice. Please also see our GDPR resources webpage for more information.
I. Personal Data Collected
Below are the categories of personal data, as defined under the GDPR, which UW–Madison collects and uses in relation to EU/EEA processing activities. UW–Madison also identifies the purposes and legal bases for processing personal data. While each category has specific identified purposes, the summary of how we use data in Section II also applies.
Websites and Mobile Applications
We collect personal data from visitors and users of any of UW–Madison’s websites and mobile applications such as browser and device type, IP address, and pages visited. We also gather the data that is entered into various web forms. The personal data is used to respond to your inquiries and to conduct analytics to maintain and improve our websites and mobile platforms as well as provide you with relevant marketing and other communications.
The legal basis for this type of data use includes: (1) facilitating transactions requested by you and to meet our contractual obligations, e.g., registering participants for events; (2) UW–Madison’s legitimate interests (such as analytics); (3) your consent, where applicable.
Admissions, Financial Aid, and Academic Services
We collect personal data from prospective and enrolled students such as contact information, demographic information — race, gender, age, education history, family information, testing history, personal financial information, and payment information. The personal data collected during the admissions process by UW–Madison or by third parties on the University’s behalf is primarily used for the purposes of: considering a potential student’s candidacy for admission to the relevant School/College, program or course; evaluating your eligibility for financial aid, if applicable; and, if you are admitted and enroll, facilitating your education and access to university programs and services.
The legal basis for this type of data use includes: (1) facilitating transactions requested by you and to meet our contractual obligations, e.g., processing your application for admission; (2) UW–Madison’s legitimate interests (such as providing educational offerings and conducting admissions research); (3) your consent, where applicable.
Alumni and Donors
We collect personal data from our alumni, donors, and prospective donors — contact and demographic information, financial and payment information, education history, and employment information. We also transfer some personal student data to our alumni organization database. The personal data collected is used to provide opportunities to engage with UW–Madison alumni and students, facilitate alumni and donor communications, events, fundraising and operations, request and process donations, and share information about other giving and volunteer opportunities.
The legal basis for this type of data use includes: (1) facilitating transactions requested by you and to meet our contractual obligations, e.g., registration for events or processing of donations; (2) UW–Madison’s legitimate interests (such as requesting gifts or donations); (3) complying with a legal obligation; and (4) your consent, where applicable.
Registration for Campus Events and Online Education
We collect personal data from participants who register for UW–Madison campus events and programs and enroll in online courses or programs. The personal data collected includes: contact and payment information, cookies and other technology data, education history, course engagement and assessment data, and possibly data related to health for accommodation purposes.
The legal basis for this type of data use includes: (1) facilitating transactions requested by you and to meet our contractual obligations, e.g., registration for events or online courses and programs; (2) UW–Madison’s legitimate interests (such as providing educational offerings and evaluating your performance); (3) complying with a legal obligation; and (4) your consent, where applicable.
Employees and Job Applicants
We collect personal data from potential, current, and former employees of UW–Madison — contact and biographical information, employment and education history, payment and tax information, family and health information related to benefits, and information related to performance at work. The personal data collected is used to evaluate your application for employment or other work relationship and communicate hiring decisions, as well as administer employment–related processes and facilitate employment-related operations, including payroll processing and the provision of employee benefits.
The legal basis for this type of data use includes: (1) facilitating transactions requested by you and to meet our contractual obligations, e.g., managing employment relationships; (2) UW–Madison’s legitimate interests (such as managing employment relationship and administrative responsibilities); (3) complying with a legal obligation (e.g., providing information to tax authorities); and (4) your consent, where applicable.
Educational Programs in EEA
We collect personal data from participants of any educational programs conducted by UW–Madison in the EU/EEA — contact and demographic information, education and employment information, course assessment data, health and dietary information, and payment information. This personal data is used for the primary purpose of administering the course or program in which you are participating including sharing information about you with other participants, providing academic guidance, evaluating your performance, and providing you with related services such as lodging, and dietary or medical needs.
The legal basis for this type of data use includes: (1) facilitating transactions requested by you and to meet our contractual obligations, e.g., provide the educational programming and related services; (2) UW–Madison’s legitimate interests (such as evaluation to improve program offerings); (3) complying with a legal obligation; and (4) your consent, where applicable.
Research
We collect personal data from people who have or are participating as research subjects at UW–Madison, with the personal data collected about you varying depending on the specific research project in which you have participated or are participating. Personal data collected by university researchers — or on their behalf — is done so for the primary purpose of furthering research and understanding in fields of academic study. University researchers will generally provide you with a consent and/or authorization form relating to the specific research project that explains the types of data collected and the purposes for which such data are processed and shared. That consent or authorization form supersedes the information provided in this Notice.
The legal basis for this type of data use includes: (1) facilitating transactions requested by you and to meet our contractual obligations, e.g., paying faculty, employees, research collaborators and research consultants; (2) UW–Madison’s legitimate interests (such as conducting research); (3) complying with a legal obligation (e.g., reporting adverse events to regulatory authorities that oversee the safety of medical products and research); (4) processing data that is necessary for scientific or historical research purposes and is performed consistent with required data protection safeguards; (5) the necessity of performing tasks that are in the public interest (e.g., further research and understanding in fields of academic study); and (6) your consent, where applicable.
II. How We Use Personal Data
We use personal data in a variety of ways including those identified above in connection with the specific categories of personal data. Below is a summary of the different purposes for which we use your personal data that includes the uses above as well as some additional uses. Under certain circumstances, these additional uses may be based on your consent, or may be necessary to fulfill our contractual commitments to you, for legal compliance, or to serve our legitimate interest in the following operations:
- Responding to your requests or inquiries
- Carrying out our business operations and administering our educational programs and services
- Administering fellowships, grants and other programs in support of individual study and research projects
- Acquiring feedback through research, surveys and similar inquiries to increase our understanding of trends and needs individuals using our websites or other services
- Requesting and processing gifts and donations
- Maintaining compliance with accreditation requirements
- Compiling statistics and conducting surveys and research for internal and statutory reporting purposes
- Issuing safety or security alerts
- Preventing, investigating, and addressing fraud, unlawful or criminal activity, other misconduct, security or technical issues, or unauthorized access to or use of personal data, our website or data systems
- Meeting legal obligations including responding to subpoenas, court orders, or other legal process, enforcing our agreements, and protecting the health, safety, rights or property of you, the university, and others
- Providing communications, announcements, and other information that may be of interest to you
- Processing and fulfilling your requests to purchase UW–Madison merchandise or other products
- Engaging analytics to prepare marketing, promotions and advertising, either directly or through third parties, that may be of interest to you
III. Legal Bases for Processing – Legitimate Interests
Under GDPR, there are several legal bases on which data is processed at UW–Madison. As noted above, this may include your consent, where it is necessary for entering into or for the performance of a contract, or where it is necessary for the university’s legitimate interests. Below are several legitimate interests on which the university relies in using and sharing your personal data:
Under certain circumstances, these additional uses may be based on your consent, or may be necessary to fulfill our contractual commitments to you, for legal compliance, or to serve our legitimate interest in the following operations:
- Promoting the success of our current and former students, faculty, staff, and programs
- Providing and improving our educational programs
- Furthering research and understanding in fields of academic study
- Engaging alumni, donors, and prospective donors, and connecting them with others
- Conducting and growing the university’s operations
- Ensuring the safety and security of members of the campus community
- Meeting the university’s institutional obligations and enforcing our legal rights
- Evaluating and improving our online platforms and user experience
- Protecting against fraud, spam, harassment, intellectual property infringement, crime, and security risks
- Cybersecurity
- Providing opportunities to volunteer and to attend university events
IV. Your Rights
In light of UW–Madison’s data processing activities that are subject to GDPR, UW–Madison strives to facilitate the exercise of the rights granted to you by GDPR in a timely manner. This includes ensuring the:
- Rights to confirm, access, correct, and other requests — You have the right to obtain information about the personal data we process about you as well as a copy of the data. Additionally, and under certain circumstances, you may have the right to correct or update any of your personal data that is inaccurate, to request the deletion of your personal data, to restrict or limit the ways in which we use your data, and to request transfer of your personal data to another party. Upon a reasonable, good faith request, we will provide you with information about whether we hold any of your personal data as part of our EU/EEA processing activities to the extent required by and in accordance with applicable law.
- Right to object — You have the right to follow opt-out instructions in our marketing emails and to object to any processing of your personal data based on your specific situation. In the latter case, we will assess your request and provide a reply in a timely manner according to our legal obligations.
Right to withdraw consent — You have the right to withdraw your consent at any time for all data processing operations that are consent-based and we will stop those processing operations subject to certain legal limitations. In some cases, you can do this by discontinuing use of the services involved in the EU/EEA processing activities. This may include closing all of your online accounts with the university and contacting us at gdpr-program@wisc.edu to request that your personal data be deleted. If you withdraw your consent to the use or sharing of your personal data for the purposes described in this or other UW–Madison privacy statements that link to or expressly adopt this privacy notice, you may not have access to the related services, and we might not be able to provide you all (or any) of the services.
Note: In certain cases, we may continue to process your personal data after you have withdrawn consent and requested that we delete your personal data if there is a legal basis to do so. For example, we may retain certain data if we need to do so to comply with a legal obligation, if we still need the data for the lawful purposes for which we obtained the data, or if it is necessary to do so to pursue our legitimate interest in keeping our services and operations safe and secure.
When you make requests based on the rights listed above, you may be asked for further personal information to confirm your identity and used solely for the purposes of responding to your request
V. Retention Period
Personal data is kept on record at UW–Madison only as long as necessary for the purposes it was collected and processed. The disposition of your information is subject to the retention periods of applicable state and federal law. Retention periods vary and are established considering our legitimate interests and all applicable legal requirements. If you consented to the use of your information, you have the right to withdraw consent without affecting the university’s lawful use of the information prior to receiving your request to withdraw consent. Please see university record retention schedules and disposition at https://www.library.wisc.edu/archives/records-management/retention-disposition/.
VI. International Data Transfers
When you interact with UW–Madison either directly or through a third party, your personal information is transferred to the United States. The United States currently is not deemed by the European Commission to have an adequate level of legal protections for personal data information. UW–Madison relies on appropriate or suitable safeguards or specific derogations recognized under data protection laws including the GDPR. In particular, we rely on your explicit consent for some of the data transfers and on necessity for the performance of a contract or the implementation of pre-contractual measures taken at your request (e.g., for the transfer of personal data necessary for your application for admission to the university). We may also use Standard Contractual Clauses specifically adopted by the European Commission to provide safeguards for personal data transferred outside of the EU/EEA.
VII. Notice Updates
This privacy notice may be periodically updated. Please check the date our statement was last updated here. Last Revision Date — December 2, 2022
VIII. Concerns
If you have any concerns or questions regarding your personal data use, please contact the Office of Legal Affairs – lissa.koop@wisc.edu. We will respond to your request in a timely manner and will do our best to address your concern. However, if you believe we have not been able to deal with your concern appropriately, you have a right to complain to your local data protection authority, as granted by Article 77 of GDPR. You also have the right to submit a complaint in the EU/EEA Member State of your residence, place of work or of an alleged infringement of GDPR.