Stanford
University Privacy Office

GDPR Data Subjects Rights

I. PURPOSE

The European Union’s General Data Protection Regulation (GDPR) provides greater data protection for individuals in the European Union (EU). This comprehensive regulation, effective May 25, 2018, applies to all members of the European Union and the European Economic Area, and is designed to strengthen and unify data protection law and practice across the EU. The GDPR provides several rights to Data Subjects which are the subject of this policy.

II. SCOPE

This policy applies to permanent and temporary workforce members, including contractors and vendors. Individuals who violate these requirements are subject to disciplinary action, up to and including termination, in compliance with the Administrative Guide and Fundamental Standard.

III. RESPONSIBILITIES

The Chief Privacy Officer is the privacy official for Stanford University, and ensures that the requirements in these policies are maintained in accordance. All workforce members including employees, contracted staff, students and volunteers are responsible for ensuring that individuals comply with this policy. Violations of this policy will be reported to the University Privacy Office. Reported violations will be investigated by the University Privacy Office in collaboration with appropriate departments, such as the Office of General Counsel, Global Business Services or the Information Security Office. Workforce members who violate this policy may be subject to the appropriate disciplinary action up to and including termination.

IV. DATA SUBJECTS RIGHTS

Individuals located in the European Economic Area only, whose Personal Data Stanford processes (“Data Subjects”), have the following rights with regard to their Personal Data:

“Personal Information” is any information that we can reasonably use to identify you. If you are located in the European Economic Area (EEA), Personal Information includes all Personal Data as defined under EEA laws.

1. Right of access Data Subjects may request details of their Personal Information that the University holds. The University will confirm whether it is processing the individual’s Personal Information and will disclose supplementary information including the categories of Personal Information, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards regarding Personal Information transfers to non-EEA countries, subject to the limitations set out in applicable statutes, regulations and other laws.

2. Right of correction The University will comply with a Data Subject’s request to edit and update incorrect Personal Information promptly and in most cases within 30 days from the receipt of the request for correction. In the event that correction is not possible or cannot occur within 30 days, the University will document its reasons, specify the time frame in which correction will occur (to the extent knowable), and respond to the requestor with this information within 30 days from the receipt of request for correction.

3. Right to be forgotten At a Data Subject’s request, the University will delete their Personal Information promptly if:

  • it is no longer necessary to retain the Personal Information;
  • the Data Subject withdraws the consent which formed the basis of the Personal Information processing;
  • the Data Subject objects to the processing of their Personal Information and there are no overriding legitimate grounds for such processing;
  • the Personal Information was processed illegally; or,
  • the Personal Information must be deleted for the University to comply with its legal obligations.

The University will inform any third parties with whom it might have shared the Data Subject’s Personal Information of the deletion request.

The University may decline a Data Subject’s request for deletion if processing of their Personal Information is necessary:

  • to comply with a University legal obligation;
  • in pursuit of a legal action;
  • to detect and monitor fraud; or,
  • for the performance of a task in the public interest.

4. Right to restrict processing of Personal Information At a Data Subject’srequest, the University will limit the processing of their Personal Information if:

  • the Data Subject disputes the accuracy of their Personal Information;
  • the Data Subject’s Personal Information was processed unlawfully and they request a limitation on processing, rather than the deletion of their Personal Information;
  • the University no longer needs to process the Data Subject’s Personal Information, but the individual requires their Personal Information in connection with a legal claim; or,
  • the Data Subject objects to the processing pending verification as to whether an overriding legitimate ground for such processing exists.

5. Right to notice related to correction, deletion, and limitation on processing In so far as it is practicable, the University will notify a Data Subject of any correction, deletion, and/or limitation on processing of their Personal Information.

6. Right to data portability At a Data Subject’s request, the University will provide them a copy of their Personal Information in a structured, commonly used and machine-readable format, if: (i) the Data Subject provided the University with Personal Information; (ii) the processing of the Data Subject’s Personal Information is based on consent or required for the performance of a contract ; or, (iii) the processing is carried out by automated means.

7. Right to object Where the University processes a Data Subject’s Personal Information based upon the lawful basis of legitimate interest, then the individual has the right to object to this processing.

8. Right not to be subject to decisions based solely on automated processing Data Subjects will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of their Personal Information, unless the University has received explicit consent or where the automatic processing is necessary for a contract with the University.

9. Right to withdraw consent A Data Subject who has provided the University with consent to process their Personal Information has the right to withdraw any consent previously provided to the University at any time. If a Data Subject withdraws their consent, this will not affect the lawfulness of the University’s collecting, using and sharing of their Personal Information up to the point in time that consent was withdrawn. Even if a Data Subject withdrawstheir consent, the University may still use the information that has been anonymized and does not personally identify the Data Subject.

10. Right to complain to a supervisory authority If a Data Subject is not satisfied with the University’s response, they have the right to complain to or seek advice from a supervisory authority and/or bring a claim against the University in any court of competent jurisdiction. Any person, Department or School at the University that receives a request from a Data Subject seeking to exercise their rights under GDPR should contact the University Privacy Office to assist in the review of and response to the Data Subject’s request. Requests will be responded to within 30 days of receipt. Under certain circumstances, the University may inform the requesting Data Subject that additional time is needed to fully comply with the request. Such notification shall occur within 30 days of receipt of the request.

V. DOCUMENT INFORMATION

A. Legal Authority/References
Regulation 2016/679, April 27, 2016 (Effective May 25, 2018)

B. Review and Renewal Requirements
This GDPR policy will be reviewed and/or revised every three years or as required by change of law or practice.

C. Review and Revision History
(Version 1.0) May 25, 2018 reviewed by Office of the General Counsel

D. Approvals
Stanford University Privacy Office

E. Applicability
This policy applies to Stanford University Faculty, Staff and Students at all Departments and Schools

If you have any questions Related to this policy, please contact the University Privacy Office by making a Service Request.