Purpose

Clayton State University is an institute of higher education involved in education and community development. In order for Clayton State to educate its foreign and domestic students both in class and on-line, engage in world-class research, and provide community services, it is essential and necessary, and Clayton State has a lawful basis, to collect, process, use, and/or maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention.

Clayton State takes seriously its duty to protect the personal data it collects or processes. In addition to Clayton State’s overall data protection program, the European Union General Data Protection Regulation (“EU GDPR”) imposes obligations on entities, like Clayton State, that collect or process personal data about people in the European Union (“EU”). The EU GDPR applies to personal data Clayton State collects or processes about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country. Among other things, the EU GDPR requires Clayton State to:  

  1. Be transparent about the personal data it collects or processes and the uses it makes of any personal data  
  2. Keep track of all uses and disclosures it makes of personal data  
  3. Appropriately secure personal data  

This notice describes Clayton State’s data protection strategy to comply with the EU GDPR.  

Notice Statement

Lawful Basis for Collecting or Processing Personal Data  

Clayton State has a lawful basis to collect and process personal data. Most of Clayton State’s collection and processing of personal data will fall under the following categories:  

  1. Processing is necessary for the purposes of the legitimate interests pursued by Clayton State or by a third party.  
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.  
  3. Processing is necessary for compliance with a legal obligation to which Clayton State is subject.  
  4. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.  

There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.  

Types of Personal Data Collected and Why

Clayton State has a lawful basis to collect and process personal data to provide education activities. The personal data collected may include, but is not limited to:

  • Name
  • Contact information including, without limitation, email address, physical address, phone number, and other location data
  • Unique personal identifiers and biographical information (e.g., date of birth)
  • Photographs of you
  • Details of your education and/or employment qualifications
  • Medical information including, without limitation, immunization records and food allergies
  • Information related to visa requirements, copies of passports and other related immigration documents to ensure compliance with U.S. laws
  • Financial information gathered for the purposes of issuing immigration forms, administering fees and charges, loans, grants, scholarships, etc.
  • Information related to the prevention and detection of crime and the safety of employees, students and visitors of Clayton State.

The personal data collected by Clayton State may be shared with the following:

University Services

Business Unit: Legal Basis
Office of Admissions: Legitimate Interest: Personal Information collected and processed through the application is necessary to evaluate candidates for admissions and for our internal statistical and analytics purposes.
Office of the Registrar: Legitimate Interest: Personal Information collected and processed for matriculated students, staff, faculty, and members of the public, as appropriate to register in courses or classes.
Office of Financial Aid: Legitimate Interest: Personal Information collected and processed through the financial aid application is necessary to evaluate whether the applicant is eligible to receive financial aid and for our internal statistical and analytics purposes.
Residence Life (Housing): Legitimate Interest: Personal Information will be collected and processed to facilitate housing.
Human Resources: Legitimate Interest: For individuals interested in employment opportunities, processing applications.
Student Life: Legitimate Interest: To process registration for sports, cultural, other events, and educational programs.

Third Parties

  
Third Party: Purpose
Travel Agencies: Legitimate Interest: Administering study abroad programs
Insurance Companies – CISI: Legitimate Interest: Provision of insurance to students and faculty participating in study and intern abroad programs
Federal and State Agencies (Department of Homeland Security, Student Exchange Visitor Program, U.S. Department of State): Legitimate Interest: U.S. visa and immigration compliance
Embassies and Consulates in the countries of international studies; Emergency Personnel in the countries of international study: Vital Interest: Assisting students in emergencies while abroad

If you have specific questions regarding the collection and use of your personal data, please contact the Data Protection Officer (DPO) at dataprivacy@clayton.edu.

If a data subject refuses to provide personal data that is required by Clayton State in connection with one of the institution’s lawful bases to collect such personal data, such refusal may make it impossible for Clayton State to provide education, employment, research or other requested services.

Data Protection & Governance  

Clayton State will protect all personal data and sensitive personal data that it collects or processes for a lawful basis.  Any personal data and sensitive personal data collected or processed by Clayton State shall be:  

  1. Processed lawfully, fairly, and in a transparent manner  
  2. Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes  
  3. Limited to what is necessary in relation to the purposes for which they are collected and processed  
  4. Accurate and kept up to date  
  5. Retained only as long as necessary  
  6. Secure  

Sensitive Personal Data & Consent  

Clayton State must obtain consent before it collects or processes sensitive personal data.  

Individual Rights  

Individual data subjects covered by this policy will be afforded the following rights:  

  1. information about the controller collecting the data  
  2. the data privacy officer contact information 
  3. the purposes and lawful basis of the data collection/processing  
  4. recipients of the personal data  
  5. if Clayton State intends to transfer personal data to another country or international organization  
  6. the period the personal data will be stored  
  7. the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability  
  8. the existence of the right to withdraw consent at any time  
  9. the right to lodge a complaint with a supervisory authority (established in the EU)  
  10. why the personal data are required, and possible consequences of the failure to provide the data  
  11. the existence of automated decision-making, including profiling  
  12. if the collected data are going to be further processed for a purpose other than that for which it was collected  

Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.

Scope

This policy applies to the personal data and sensitive personal data protected by the EU GDPR and to all Clayton State Units that collect or process personal data and sensitive personal data protected by the EU GDPR.

Definitions

Collect or Process Data

Collection, storage, recording, organizing, structuring, adaptation or alteration, consultation, use, retrieval, disclosure by transmission/dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction of personal data, whether or not by automated means.  

Consent

Under the EU GDPR:  

  1. Consent must be a demonstrable, clear affirmative action.  
  2. Consent can be withdrawn by the data subject at any time, and it must be as easy to withdraw consent as it is to give it.
  3. Consent cannot be silence, a pre-ticked box or inaction.  
  4. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.  
  5. Request for consent must be presented clearly and in plain language.  
  6. A record must be maintained of how and when consent was given.

Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.  

Clayton State Unit

A Clayton State college, school, office or department.  

Identified or Identifiable Person

An identified or identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person.  

Examples of identifiers include but are not limited to: name, photo, email address, identification number such as CSU Laker ID#, Account (User ID), physical address or other location data, IP address or another online identifier.

Lawful Basis

Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:  

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;  
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;  
  3. Processing is necessary for compliance with a legal obligation to which the controller is subject;  
  4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;  
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;  
  6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.  

Legitimate Interest

Processing of personal data is lawful if such processing is necessary for the legitimate business purposes of the data controller/processor, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.  

Personal Data

Any information relating to an identified or identifiable person (the data subject).  

Processor

A natural or legal person, public authority, agency or other body who processes personal data on behalf of the controller.  

Sensitive Personal Data (Special Categories)

Special categories of personal data that require consent by the data subject before collecting or processing are:  

  1. Racial or ethnic origin  
  2. Political opinions  
  3. Religious or philosophical beliefs  
  4. Trade union membership  
  5. Genetic, biometric data for the purposes of uniquely identifying a natural person  
  6. Health data  
  7. Data concerning a person’s sex life or sexual orientation  

Procedures:

Document Lawful Basis for Collection or Processing

All Clayton State Units that collect or process personal data protected by the EU GDPR must document the lawful basis for the collection or processing of personal data and sensitive personal data they collect or process, why they collect it, and how long they keep it, using the online Clayton State EU GDPR Lawful Basis Form.

All data that Clayton State collects shall be kept for the time periods specified in the USG-BOR Records Retention Schedules.

Clayton State’s Privacy Notice

Clayton State’s Privacy Notice to data subjects must specify the lawful basis for Clayton State to collect or process personal data and include:

  1. Whether their personal data are being collected or processed and for what purpose
  2. Categories of personal data concerned
  3. To whom personal data is disclosed
  4. Storage period (records retention period)
  5. Existence of individual rights to rectify incorrect data, erase, restrict or object to processing
  6. How to lodge a complaint
  7. The source of the personal data (if not collected from the data subject)
  8. The existence of automated decision-making, including profiling

A link to the Clayton State Privacy Notice is available on the footer of all Clayton State websites – “Privacy”.

Exercise of Rights

Any individual wishing to exercise their rights under this policy should email dataprivacy@clayton.edu.

Security of Personal Data

All personal data and sensitive personal data collected or processed by any Clayton State Unit under the scope of this policy must comply with the security controls and the systems and process requirements and standards of NIST Special Publication 800-171, as set forth in the Clayton State Controlled Unclassified Information Policy.

Breach Notification

Any Clayton State Unit that suspects a potential breach, or whose personnel receive a report of a breach from a vendor, must report the incident to USG Cybersecurity through the Enterprise Service Desk (helpdesk@usg.edu, 706-583-2001, or 1-888-875-3697 toll free within Georgia) and to the HUB at (678) 466-4357 or thehub@clayton.edu.

Responsibilities: 

Clayton State Units

To document the lawful basis for personal data or sensitive personal data collected or processed pursuant to this policy.

To cooperate with Institutional Research when individuals inquire about their personal data or sensitive personal data collected or processed pursuant to this policy.

To immediately notify (24/7) and cooperate with Clayton State Information Security relating to any data breach:

  • Students, Faculty, and Staff contact The HUB (678) 466-4357 or thehub@clayton.edu.

Office of Data Privacy

To field inquiries about personal data or sensitive personal data collected from individuals while in the EU.

To coordinate with the Clayton State Unit responding to inquiries about personal data or sensitive personal data collected from individuals while in the EU.

Information Security

To answer questions about and review data security measures.
To handle data breach notification for the Institution.

Enforcement: 

Violations of the policy may result in loss of system, network, and data access privileges, administrative sanctions (up to and including termination or expulsion) as outlined in applicable Clayton State disciplinary procedures, as well as personal civil and/or criminal liability.  

To report suspected instances of noncompliance with this policy, please contact the Clayton State University Ethics and Compliance Reporting Hotline, a secure and confidential reporting system, at: https://clayton.alertline.com

Related Information: 

Clayton State Data Privacy & Legal Notice
Clayton State Controlled Unclassified Information
NIST Special Publication 800-171
USG-BOR Records Retention Schedules