“Personal information” is information about a natural person that is readily identifiable to that specific individual. Personal information includes such things as an individual’s name, address, or telephone number. A domain name or Internet Protocol address is not considered personal information.
How We Receive Personal Information
We may receive Personal Information when you visit our websites, register for courses and programs, apply, volunteer, attend EWU events, participate in a survey, complete a form, or otherwise interact with EWU.
We may also receive your Personal Information when other individuals or organizations provide it to us. Some examples are given below:
- For members of the public: Some examples of how we may receive your Personal Information from other individuals or organizations include from State or Federal Agencies under a data sharing agreement or other institutions administering outreach programs as part of collaborative processes.
- For applicants or student, staff, and faculty: Some examples of how we may receive your Personal Information from other individuals or organizations include from previous employers, educational or vocational programs you have attended, references, or companies or individuals with whom we have contracted to perform services in relation to your employment or our provision of educational services and programs.
You May Choose Whether to Provide Personal Information Online
We collect, export, and use personal information as described in this Privacy Notice. You may choose not to contact us by email, participate in a survey, or to provide any personal information using an online form. Your choice to not participate in these activities will not impair your ability to browse Eastern Washington University’s website and read or download any information provided on the site.
If personal information is requested on the website or volunteered by the user, state law and the federal Privacy Act of 1974 may protect it. However, this information is a public record once you provide it, and may be subject to public inspection and copying if not protected by federal or state law.
Users are cautioned that the collection of personal information requested from or volunteered by children online or by email will be treated the same as information given by an adult, and may be subject to public access.
Non Disclosure of Certain Personal Information
Eastern Washington University may request certain personal information in order to provide additional information about the university. You may choose not to provide this information, but if you choose not to provide it, we will be unable to provide the requested information.
Personal Information of Children Under 13
The Children’s Online Privacy Protection Act (external link) (COPPA) governs information gathering online from or about children under the age of 13. We are especially concerned about protecting children’s privacy. Under COPPA, a web site must get parental permission before collecting personally identifiable information about a child under the age of 13.
COPPA imposes legal and regulatory requirements on certain operators of websites or online services directed to children under 13 years of age, and on certain operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. The Federal Trade Commission, United States’ consumer protection agency, enforces COPPA, which spells out what operators of websites and online services that are subject to COPPA must do to protect the privacy and safety of children under the age of 13 online when COPPA applies. Eastern Washington University, and the vendors with whom we work, sometimes collect data from children under the age of 13, or share such information with one another. The sharing and collection of such information is done in accordance with all applicable law, including COPPA to the extent it applies under the circumstances.
Questions or Concerns
If you believe that your personal information is being used for a purpose other than what was intended when submitted, you may contact us as shown in the Contact Information section of this Notice.
Information Collected If You Only Browse This Site
If you do nothing during your visit to our website but browse, read pages, or download information, we will gather and store certain information about your visit. This information does not identify you personally. We may automatically collect and store the following information about your visit:
- The Internet Protocol Address and domain name used
- The date and time you visited this site
- The web pages or services you accessed
- Other web traffic statistics such as Google Analytics;
- The IP address of the website from which you linked to get to a EWU website or service
- The web browser, operating system and any device you used
- Categories that you have shown interest in, based on previous searches
The information we automatically collect or store is logged and used by Eastern Washington University to improve the content of our web services and to help us understand how people are using our services. Eastern Washington University analyzes this information to determine how our website is being used, so that we may continually improve the site’s usefulness to the public.
We connect data from different systems. We do not link IP addresses to any personal information, so that you will remain anonymous.
To better serve our users we use “cookies” to customize your browsing experience with Eastern Washington University. Cookies are simple text files stored on your computer by your web browser. Cookies created on your computer by using this website do not compromise your privacy or security.
What We Collect If You Volunteer Information
If during your visit to our website you participate in a survey, send an email, or perform some other transaction online, the following additional information will be collected:
- The email address, and contents of email, for those who communicate with us via email.
- Information volunteered in response to a survey.
- Information volunteered in an application.
- Information volunteered through a form for any other purpose.
The information collected is not limited to text characters and may include audio, video, and graphic information formats you send us.
We use your email to respond appropriately. This may be to respond to you, to address issues you may identify, to further improve our website, or to forward the email to another agency for appropriate action.
Specific Categories of Personal Information That We Process
Our systems and websites may process the following categories of personal data:
- Account Information, including usernames, passwords
- Addresses and Location Information
- Demographic Information
- Device Information
- Educational Records
- Email addresses, telephone numbers and social media identifiers
- Identification Numbers and ID Records, including driver’s license, passport, and visa information
- IP Addresses and website information
- Financial Information
- Insurance Information
- Medical Information
- Personal history
- Requests for Accommodations
- Other information to support our mission and legitimate purposes as a Washington State public university
Personal information may be used for legitimate academic or business purposes.
We process Personal Information for a variety of reasons depending on a person’s role and the activities they engage in. This includes, but is not limited to:
- Operating and facilitating the registration and participation in online and in-person education programs
- Providing online services and to support and maintain your account and use of our services
- Conducting transactions and business with individuals, such as processing payments made by credit card to our institution
- To host and allow individuals to attend and participate in our events, including educational, and recreational events
- To manage performance, safety, integrity, and security of our institution’s information technology systems
- And to respond to proper requests for information as required by subpoenas, court orders, agency requests, and Washington State and Federal law.
We may share your Personal Information internally with staff, faculty, researchers, or other agents of EWU who have been authorized to receive your Personal Information.
EWU Related Organizations
We may share your Personal Information with EWU-affiliated organizations such as the EWU Foundation, EWU Alumni Association, etc.
Outside Persons or Organizations
It is our usual practice not to share your personal information with other individuals and organizations. However, when circumstances arise for the need to share personal information, we may share as authorized or required including where:
- Required under state or federal law
- Permitted under state, general, or university policies
- Necessary in order to carry out legitimate education purposes or in the fulfillment of approved contracts
- To fulfill statutory or regulatory obligations
- As necessary to process requests you make of us
- Clearly stated on our website that such information will be shared and you have proceeded to provide that information
- May be provided to other individuals and organizations if your data has been aggregated with other data in a way that does not compromise privacy
- Allowed for purposes as may be detailed on our websites or mobile applications
- You have otherwise granted consent
- Otherwise described in this Privacy Notice
We keep your Personal Information as required by law or our policies to provide educational services, perform our legitimate interests, contracts, manage our services, or for substantial public interests. Many of our record retention schedules can be found at the EWU Records Management website at https://inside.ewu.edu/records-management/home/.
Existence of Automated Individual Decision-Making
We do not typically use automated individual decision-making tools for the provision of educational services and related programs and activities. In general, you will not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performing a contract or unless you explicitly consent.
Eastern Washington University has taken several steps to safeguard the integrity of its data and prevent unauthorized access to information maintained by Eastern Washington University. We have put in place physical, electronic and managerial procedures to safeguard and help prevent unauthorized access, to assist in maintaining data security and to assist in correctly using the information we collect online. We implement appropriate technical and organizational security measures to protect your information when you transmit it to us. This ensures a level of security appropriate to the risks presented by the processing and the nature of the data to be protected when we store it on our information technology systems. These measures are designed and intended to prevent corruption of data, block unknown or unauthorized access to our systems and information, and to provide reasonable protection of private information in our possession.
This information should not be construed in any way as giving business, legal, or other advice, or warranting as fail proof, the security of information provided by EWU.
This privacy notice includes some specific information to support GDPR compliance which applies to persons who are protected under the GDPR as follows:
- You are a “Person” or “Data Subject” as defined by the GDPR—meaning a natural person and not a corporation, partnership, or legal entity within the meaning of the GDPR—and you are physically present in the EU.
- We process—meaning collect, record, organize, structure, store, adapt, alter, retrieve, consult, use, disclose by transmission, disseminate, make available, align, combine, restrict, erase, or destroy—your Personal Information—meaning any information relating to an identified or identifiable Person through direct or indirect ways.
- Your Personal Information is provided to us while you are in the EU (not earlier or later when you are outside the EU); and
- Your Personal Information is provided to us when:
- We are offering goods or services to you in the EU; or
- We are monitoring your behavior in the EU.
Please note that information pertaining to current, former, or prospective employment with EWU in the United States is not considered “Personal Information” and is excluded from GDPR specific requirements.
The GDPR applies to higher education institutions within other countries, including the United States, which (1) process personal data (2) of natural persons who are in the EU (3) when the processing is related to the offering of goods or services, regardless of whether the goods or services are provided free of charge.
Processing is defined very broadly within the GDPR as: ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ Article 4(2), GDPR.
Therefore, entities within the scope of the GDPR’s territorial jurisdiction, that so much as “use” individuals’ personal data must comply with the law. This essentially means that if a university, college, or career school located within the United States directly communicates with an individual located in the EU in connection with any of the services that it provides, it likely is subject to the GDPR.
For example, routine activities of institutions such as:
(1) communicating with former students located in the EU;
(2) direct marketing to students located in the EU;
(3) accepting applications from students located in the EU;
(4) provision of distance education programs to students located in the EU; or
(5) partnering with higher education institutions located in the EU to provide services to individuals located in the EU would involve the “processing” of personal data and subject U.S. institutions to the GDPR.
In the examples provided above, the U.S. institutions would likely be classified as “data controllers” or entities that determine the purposes and means of the processing of personal data. In addition to regulating the data processing activities of data controllers, the GDPR also regulates the data processing activities of “data processors” or entities that process personal data on behalf of controllers. As explained in more detail below, under the GDPR, data controllers must take certain measures to ensure that their relationships with data processors are in compliance with the requirements of the GDPR.
What Are Our Legal Bases for Processing Your Information?
We process personal information as permitted by the GDPR, including under the following legal bases:
- To Perform a Contract: Our processing of your Personal Information is necessary for us to perform a contract or take steps at your request prior to our provision of educational or Extension services;
- Legitimate Interest: Our processing of your Personal Information is necessary for our legitimate interest in providing you services and assistance, while helping us provide educational and Extension services related to programs and activities as part of our core mission as a land grant institution;
- Vital Interest: Our processing of your personal data is to protect an interest that is essential to your life or the life of someone else;
- Legal Obligations: the processing is necessary to comply with State, Federal, EU or other applicable law
Special Categories of Data. In general, we process special categories of data in order to fulfill a substantial public interest in providing educational services and related programs and activities to students, staff, faculty and the public. At times, the processing might be to protect an interest that is essential to your life or the life of someone else.
If we do not have another legal basis for processing your special category Personal Information or criminal conviction Personal Information, we will ask for your consent.
In very limited circumstances, usually only in instances where we are collecting special categories of Personal Information, we may rely upon the legal basis of consent. If we require your consent for any specific use of your Personal Information, we will collect it at the appropriate time. Your consent (and right to withdraw consent) may be specifically limited to only the particular information for which consent is needed.
Please note that by providing us with special categories of Personal Information which are unsolicited by us (such as in inquiries, feedback, etc.), you have consented to give us that information and you understand that we will treat that information the same as we treat other information that we gather in a similar manner.
How Do I Contact the Data Controller?
The Data Controller for EWU is the Chief Information Officer (CIO) who may be contacted as follows:
Transfer of Personal Information outside the EU
We are based in the U.S. and are subject to U.S. and Washington law. The Personal Information that you provide to us will generally be hosted on U.S. servers. If we transfer your information either (a) from the EU to the U.S. or another country or (b) from the U.S. to another country, we will do so on the basis of one of the following:
- An “adequacy decision” by the European Commission;
- EU-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting us as set forth in Section 12;
- Your explicit and informed consent, understanding that though the appropriate safeguards
- under EU standards have not technically been met, reasonable measures have been taken to decrease the risk of unauthorized access;
- It being necessary for the performance of a contract or the implementation of pre-contractual measures with us, in which case we will inform you of the intent to transfer the Personal Information;
- It is necessary for the performance of a contract that is in your interest between us and another individual or organization;
- It is necessary for us to carry out its public interest mission;
- It is necessary for the establishment, exercise, or defense of a legal claim; or
- It is necessary to protect your vital interests or the vital interests of another individual where you or the other person are incapable of giving legal consent.
If you are interested in reviewing an English version of the GDPR, please see https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=CELEX:02016R0679-20160504&qid=1532348683434
Rights Under GDPR
As a Data Subject pursuant to the GDPR, you have certain rights. This GDPR Privacy Notice summarizes what these rights under the GDPR involve and how you can exercise these rights. More detail about each right, including exceptions and limitations, can be found in Articles 15-21 and 77 of the GDPR.
Please note: Nothing in this GDPR Privacy Notice is intended by EWU to waive sovereign immunity or any other defenses or immunities afforded by U.S. federal law, Washington state law, and EU law.
The Right of Access
You have the right to request that we confirm whether we are processing your Personal Information. If we are processing your Personal Information, you have the right to access that Personal Information. Upon request, we will provide you with a copy of that Personal Information unless prevented by applicable law.
The Right of Correction
You have the right to request that we correct any inaccurate Personal Information that we maintain about you. You also have the right to request that we complete any incomplete Personal Information that we maintain about you, which could be accomplished by incorporating a supplementary statement that you submit to us. If we agree that the Personal Information is incorrect or incomplete, we will timely correct or complete it.
The Right to Erasure
You have the right to request the erasure of Personal Information that we maintain about you in certain circumstances. These circumstances are identified in Article 17 of the GDPR and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.
We will consider applicable U.S., state, and EU law and our policies to determine whether the Personal Information is necessary for purposes for which it was collected. If our retention of your Personal Information is no longer necessary, we will comply with your request and will take reasonable steps to inform any other individuals and organizations with whom the Personal Information was shared.
The Right to Restrict Processing of Personal Information
You have the right to request that we restrict the processing of your Personal Information where one of the reasons identified in Article 18 of the GDPR apply. These reasons include that the Personal Information is inaccurate, the processing is unlawful, or we no longer need the Personal Information.
If we grant your request to restrict processing, we will only process that Personal Information with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable U.S., state, or EU law.
The Right to Data Portability
Where the basis for processing is either consent or performance of a contract between you and us, and where the processing is carried out by automated means, you have the right to receive your Personal Information that you have provided to us. We will provide the Personal Information in a structured, commonly used, and machine-readable format. Where technically feasible and upon your request, we will transmit the Personal Information directly to another entity.
The Right to Withdraw Consent
If the basis for processing your Personal Information is consent, you may revoke your consent at any time. Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, we will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims. Revoking consent does not affect the lawfulness of processing that occurred before the revocation.
The Right to Object to Processing
In certain situations, you may have the right to object to processing of your Personal Information
Public Interest or Legitimate Interests. If the basis for processing your Personal Information is public interest or legitimate interests, you have the right to object to processing the Personal Information. We will cease processing unless we demonstrate overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.
Direct Marketing. If we are using your Personal Information for direct marketing purposes such as fundraising, you have the right to object at any time, and we will stop using your Personal Information for that purpose
The Right to File a Complaint
You have the right to submit a complaint with an EU supervisory authority, in particular the one in the EU Member State of your habitual residence, place of work, or place of the alleged violation, if you believe that our processing of your Personal Information violates the GDPR. For more information on the process for submitting a complaint, consult the relevant EU supervisory authority: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
How to Exercise Your Rights
In order to exercise any of these rights, except the right to file a complaint with an EU supervisory authority, you should submit your request to us as shown in the Contact Information section of this Notice.
At that time, you will be asked to:
- Identify yourself
- Provide information to support that the GDPR applies to you
- Identify the specific information or data that you are concerned about
- State what right(s) you wish to exercise
To expedite processing your request, please identify the data collection location (e.g., the website where your Personal Information was collected), if known.
How Do We Respond to Requests for Personal Information?
In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, or University policy. When you submit a request to us to exercise your rights, we will respond in accordance with existing policies and procedures that implement the relevant privacy law(s). These include, but are not limited to, policies pertaining to student education records and policies pertaining to certain health records that we maintain.
Questions, concerns, or requests under the GDPR or other applicable laws or regulations can be submitted through the contact information listed below:
Eastern Washington University is committed to safeguarding the privacy of data provided by individuals who use our services, online or offline. This Privacy Statement discloses the privacy practices for all sites and online services at Eastern Washington University and within the ewu.edu domain. This includes subdomains that look like abc.ewu.edu. We refer to sites as (“Site”).
In order to fully understand your rights, we encourage you to read this Privacy Notice. We reserve the right to modify this Privacy Notice at any time, and we encourage you to frequently check this page for any changes to this Privacy Notice. By using this Site or service, you consent to the collection and use of your information as described below.
This privacy notice includes specific protections to facilitate compliance with the European Union (EU) General Data Protection Regulation (GDPR). Please note: Nothing in this notice is intended by us to waive sovereign immunity or any other defenses or immunities afforded by any or all U.S. federal law, Washington state law, and EU law.
This statement addresses collection, use, and security of and access to information that may be obtained through use of Eastern Washington University’s Site and online services. Please note that other Eastern Washington University affiliates may have separate privacy policies. This notice covers the following topics:
B. Collection of Personal Information
C. What Personal Information Do We Process
D. How We Use Personal Information
E. How We Share Personal Information
F. How Long We Keep Personal Information
G. Automated Information and Processing
H. Technical Protections and Security
I. GDPR Specific Policies & Protections
J. Contact Information
This Privacy Notice applies to all websites, domains, services, applications, and technology products implemented and managed by Eastern Washington University (EWU).
Questions or Concerns
To offer comments about Eastern Washington University’s websites, or about the information presented in this Privacy Notice, you may contact us as shown in the Contact Information section of this Notice.
Questions Regarding the EWU Website
To ask a question or provide feedback about Eastern Washington University’s websites, please contact the Digital Marketing team below.
Prospective Student Information
To review the personal information collected by EWU Admissions, or to request correction, contact:
Eastern Washington University
526 5th Street, Cheney WA 99004