Supplemental Privacy Policy
This University of Illinois Alumni Association Supplemental Privacy Policy (“Supplemental Privacy Policy”) supplements the University of Illinois Alumni Association Privacy Policy for certain persons in the European Economic Area (“EEA”) and the United Kingdom (“UK”).
1. Commitment to protecting privacy and transparency
The University of Illinois Alumni Association (“UIAA”, “we”, “us” or “our”), as the organization that oversees services that engage and benefit alumni of the University of Illinois Urbana-Champaign (the “University”), is committed to respecting and protecting the privacy rights of persons in the EEA—comprised of the European Union (“EU”) and the countries of Iceland, Norway, and Lichtenstein, pursuant to the EU General Data Protection Regulation (“GDPR”). Similarly, the UIAA is committed to respecting and protecting the privacy rights of persons in the UK, pursuant to the Data Protection Act of 2018 and the Retained Regulation (EU) 2016/679 (“UK GDPR”). Given the substantial similarity between the EU GDPR and the UK GDPR, hereinafter both regulations are collectively referred to in this Supplemental Privacy Policy as the “GDPR” unless otherwise indicated. Visit EU GDPR and UK GDPR for easy-to-use versions of both regulations.
This Supplemental Privacy Policy describes UIAA’s commitment to the privacy of persons in the EEA and the UK.
2. Does this Supplemental Privacy Policy apply to you?
This Supplemental Privacy Policy applies to you if:
- You are a “Person” or “Data Subject”—meaning a natural person, not a corporation, partnership, or other legal entity—who is physically present in the EEA or the UK;
- It is with respect to your “Personal Information”—meaning any information relating to an identified or identifiable person—that is provided while you are physically present in the EEA or the UK;
- Such Personal Information is not earlier or later provided to UIAA while you are outside the EEA and the UK; and
- Such Personal Information is provided to UIAA:
- During the course of UIAA offering you goods or services; or
- While UIAA is monitoring your behavior.
Please note that information pertaining to current, former, or prospective employment with UIAA in the United States is not considered “Personal Information” and is excluded from this Supplemental Privacy Policy.
3. What Personal Information does UIAA process?
General categories
UIAA processes the following general categories of Personal Information: names; addresses; telephone numbers; email addresses; identification numbers including but not limited to social security numbers, driver’s license numbers, University identification numbers, and personal identification numbers (PINs); usernames; passwords; demographic information; education history; background check information; personal references; financial information including but not limited to credit and debit card numbers, and tax information; transaction history; business information; passport and visa information; work history; social media URLs; donation history; insurance information; military service; IP addresses; location information; device information; metadata; any requests for accommodations or leave; and other information to support the purposes set forth in Table 1, below.
UIAA requires Personal Information only when necessary. Table 1 identifies the purposes for which UIAA processes Personal Information and the legal basis for each purpose.
Special categories
In order to fulfill certain of the purposes identified in Table 1, UIAA may need to request special categories of Personal Information—information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.
Before UIAA processes your special category Personal Information or your criminal conviction Personal Information, if any, UIAA will ask for your affirmative consent unless UIAA has another legal basis for the processing, in which case UIAA will inform you of that basis.
Purposes for which UIAA processes Personal Information
Table 1
Purpose | Legal Basis |
To process Personal Information collected from individuals who contact UIAA: (i) to deal with their inquiries or requests; or (ii) to provide them with news by mail or email about UIAA or any projects, campaigns, programs or events that UIAA may be involved in or how they can support UIAA | Legitimate interests of UIAA – legitimate interest in being able to process Personal Information collected from individuals who contact UIAA |
To stay connected with University alumni and to provide information about the UIAA and the University | Legitimate interests of UIAA – legitimate interest in communicating unsolicited non-commercial messages |
To contact individuals regarding UIAA and University events and programs, as well as to offer you products and services due to your affiliation with the University | Consent |
To host and allow individuals to attend and participate in UIAA events and programs | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To allow individuals to visit UIAA facilities | Legitimate interests of UIAA – legitimate interest in physical security |
To facilitate networking and mentorship opportunities involving alumni, faculty or staff, non-alumni mentors, and current University students | Legitimate interests of UIAA – legitimate interest in maintaining a positive lifelong relationship with Data Subjects |
To facilitate the use of volunteers and to evaluate and manage individuals who volunteer to assist UIAA in any capacity, and to perform related activities required to foster and maintain these relationships | Legitimate interests of UIAA – legitimate interest in physical security |
To conduct direct fundraising marketing by mail, telephone, or electronic message (e.g., email or SMS) | Consent |
To conduct transactions and business with individuals, such as offering UIAA memberships, processing membership dues and other payments made by cash, check, or credit card to UIAA, and processing payments made by UIAA to you | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To facilitate application for and sponsoring of visas to work at UIAA, including all functions necessary to comply with applicable immigration laws | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To respond to a UIAA member’s request regarding Alumni Association records pertaining to that UIAA member | Legitimate interests of UIAA – legitimate interest in maintaining accurate records |
To respond to an individual’s request for records relating to that individual’s time at UIAA, such as tax documents, employment documents, etc. | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To engage the services of an independent contractor and all uses incident to that engagement | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To employ persons to work for UIAA and all uses incident to that engagement including but not limited to evaluation and management of employees and administration of employee benefits | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To facilitate review and evaluation of UIAA programs by the UIAA, government entities, third-party ranking organizations, and other appropriate bodies | Legitimate interests of UIAA – legitimate interest in maintaining a world-class higher education alumni association for the benefit of the University |
To promote safety, integrity, and security of UIAA’s information technology systems | Legitimate interests of UIAA – legitimate interest in maintaining IT and network security |
To protect the UIAA community, including you, and to keep its members safe wherever they are located | Legitimate interests of UIAA – legitimate interest in physical security |
To report salary data to social security or tax authorities and otherwise comply with applicable laws | Necessary for compliance with a legal obligation |
To respond to subpoenas, court orders, agency requests, and other legal requests for records relating to an individual’s association with UIAA | Legitimate interest of UIAA – legitimate interest in complying with U.S. and state laws and not being held in contempt of court or having penalties imposed |
4. How does UIAA receive your Personal Information?
UIAA may collect your Personal Information in various ways, for example:
- if you supply Personal Information when using our Website such as signing up to receive more information, entering your data on a form for event registration, and/or asking about volunteer opportunities or other ways you can support us;
- when your Personal Information is shared with UIAA by the University, the University of Illinois Foundation (“UIF”), or the University of Illinois Foundation UK Limited (“UIUK Foundation”);
- when you inquire about making a donation to the UIAA and/or the University or if you agree to make a donation to UIAA;
- when your Personal Information is shared with UIAA by contracted vendors to whom you directly provided information, such as through the Alumni Directory and IlliniLink;
- from web tools, cookies, and related technologies; and
- if you provide your details to UIAA for another purpose.
5. Who receives/processes your Personal Information?
UIAA
Your Personal Information may be processed by UIAA directors, employees and volunteers as may be necessary to carry out the purposes for processing the information and the activities of UIAA.
Related Organizations
UIAA may share your Personal Information with UIF and the UIUK Foundation, which may use the information to assist in raising funds to support the University and its programs. In addition, your Personal Information may be shared with the University, which shares our commitment to treating Personal Information responsibly.
Third parties
UIAA may share your Personal Information with third parties, such as: service providers to facilitate the full range of UIAA functions (e.g., cloud storage, software, process credit card transactions); vendor partners to connect you with other alumni and current students (e.g., PeopleGrove processes your Personal Information for IlliniLink), and other alumni and friends of the University through the Alumni Directory (e.g., OmniMagnet, LLC, processes your Personal Information for the Alumni Directory); and to offer you products and services due to your affiliation with the University (e.g., alumni travel and financial product opportunities).
We take reasonable steps so that any Personal Information we collect is only used by those third parties for specific, lawful purposes in line with this Supplemental Privacy Policy.
Please note that UIAA may provide anonymized data developed from Personal Information to third parties, such as our peers, industry groups, and government entities, and that such anonymized data is outside the scope of this Supplemental Privacy Policy.
6. Data Retention
UIAA keeps records in accordance with all applicable laws and for purposes of business continuity and in support of anticipated constituent requests. All retained information is stored in a manner designed to ensure its accessibility, integrity, confidentiality, authenticity and legibility.
7. What are your rights as a Data Subject?
As a Data Subject pursuant to the GDPR, you have certain rights. This Supplemental Privacy Policy summarizes what these rights under the GDPR involve and how you can exercise these rights. More detail about each right, including exceptions and limitations, can be found in Articles 15-21 and 77 of the EU GDPR and the UK GDPR.
Please note: Nothing in this Supplemental Privacy Policy is intended by UIAA to waive any defenses or immunities afforded by any or all U.S. federal laws, Illinois state laws, EU or Member State laws, UK laws, or international laws.
Right of access
You have the right to request that UIAA confirm whether it is processing your Personal Information. If UIAA is processing your Personal Information, you have the right to access that Personal Information, and UIAA will provide you with a copy of that Personal Information unless prevented by applicable law.
Right to have inaccurate Personal Information corrected
You have the right to request that UIAA correct any inaccurate Personal Information that it maintains about you. You also have the right to request that UIAA complete any incomplete Personal Information that it maintains about you, which could be accomplished by incorporating a supplementary statement that you submit. If UIAA concurs that the Personal Information is incorrect or incomplete, UIAA will promptly correct or complete it.
Right to erasure
You have the right to request the erasure of Personal Information that UIAA maintains about you in certain circumstances. These circumstances are identified in Article 17 of both the EU GDPR and the UK GDPR and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.
Subject to applicable U.S., state, EU, and UK law and UIAA policies, including but not limited to its Privacy Policy and Supplemental Privacy Policy, and provided that there are no overriding legitimate grounds for UIAA to retain the Personal Information, UIAA will comply with the request and will take reasonable steps to inform any third parties with whom the Personal Information was shared.
Right to restriction of processing
You have the right to request that UIAA restrict the processing of your Personal Information where one of the reasons identified in Article 18 of the EU GDPR or the UK GDPR apply. These reasons include that the Personal Information is inaccurate, the processing is unlawful, or UIAA no longer needs the Personal Information.
If UIAA grants your request to restrict processing, UIAA will only process that Personal Information with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable U.S., state, EU, or UK law.
Right to data portability
Where the basis for processing is either consent or performance of a contract between you and UIAA, and where the processing is carried out by automated means, you have the right to receive your Personal Information that you have provided to UIAA. UIAA will provide the Personal Information in a structured, commonly used, and machine-readable format. Where technically feasible and upon your request, UIAA will transmit the Personal Information directly to another entity.
Right to withdraw consent
If the basis for processing your Personal Information is consent, you may revoke your consent at any time. Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, UIAA will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims. Revoking consent does not affect the lawfulness of processing that occurred before the revocation.
Right to object to processing
In certain situations, you may have the right to object to processing of your Personal Information.
- Public Interest or Legitimate Interests. If the basis for processing your Personal Information is public interest or legitimate interests, you have the right to object to processing the Personal Information. UIAA will cease processing unless UIAA demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.
- Direct Marketing. If UIAA is using your Personal Information for direct marketing purposes such as fundraising, you have the right to object at any time, and UIAA will stop using your Personal Information for that purpose.
Right to file a complaint
If you believe that UIAA’s processing of your Personal Information violates the EU GDPR, you have the right to submit a complaint to an EEA supervisory authority, in particular the one in the EEA country of your habitual residence, place of work, or place of the alleged violation.
For more information on the process for submitting a complaint, consult the relevant EEA supervisory authority.
If you believe the UIAA’s processing of your Personal Information violates the UK GDPR, you have the right to submit a complaint to the UK Information Commissioner’s Office (ICO).
For more information on the process for submitting a complaint, visit the ICO website.
8. How to exercise your rights
In order to exercise any of these rights, except the right to file a complaint with an EEA supervisory authority or the UK ICO, you should submit your request to our UIAA data privacy team:
Email: alumnigdprrequest@uillinois.edu
Telephone: +1 217-244-0640
Address:
University of Illinois Alumni Association
Alice Campbell Alumni Center
601 S. Lincoln Avenue
Urbana, IL 61801
Attn: Privacy Compliance
At that time, you will be asked to: 1) identify yourself; 2) provide information to support that the GDPR applies to you (see Section 2, above); 3) identify the specific information or data that you are concerned about; and 4) state what right(s) you wish to exercise.
To expedite processing your request, please identify the data collection location (e.g., the website where your Personal Information was collected), if known.
9. How does UIAA respond to requests for Personal Information?
In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, or UIAA policy. When you submit a request to UIAA to exercise your rights, UIAA will respond in accordance with existing UIAA policies and procedures that implement the relevant privacy law(s).
10. Existence of automated individual decision-making
UIAA, in conjunction with the University and UIF, uses automated decision-making, including profiling, to help identify prospective supporters of the University and its activities. The logic takes an all-factor approach to assessing a possible donor’s propensity to support the University and may result in a prospective donor being contacted to explore support opportunities.
You will not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performing a contract or unless you explicitly consent.
11. Transfer of Personal Information outside the EEA
UIAA is based in the U.S. and is subject to U.S. and Illinois law. Personal Information that you provide to UIAA will generally be hosted on U.S. servers. To the extent that UIAA needs to transfer your information to a third party that is in a country outside the EEA or the UK, UIAA will do so on the basis of either (i) an “adequacy decision” by the European Commission or “adequacy regulations” of the UK ICO, as appropriate; (ii) EU or UK-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting UIAA as set forth in Section 12; (iii) your explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with UIAA, in which case UIAA will inform you of the intent to transfer the Personal Information. Please note that the U.S. is not currently considered a safe harbor or “adequate” country under the GDPR or UK GDPR.
12. How do I contact the data controller?
UIAA is the data controller. If you have any questions about anything contained in this Supplemental Privacy Policy, please contact our UIAA data privacy team:
Email: alumnigdprrequest@uillinois.edu
Telephone: +1 217-244-0640
Address:
University of Illinois Alumni Association
Alice Campbell Alumni Center
601 S. Lincoln Avenue
Urbana, IL 61801
Attn: Privacy Compliance
13. Official English Version of the EU GDPR and UK GDPR
In case it is helpful, the official English version of the EU GPDR and the official version of the UK GDPR are available for your review.
14. Updates to Supplemental Privacy Policy
UIAA may update this Supplemental Privacy Policy from time to time. Any changes will become effective upon posting of the revised Supplemental Privacy Policy.
Effective: 05/25/2018
Last revised: 07/01/2022