GDPR Supplemental Privacy Policy
Version 2: 6/21/23
Last Reviewed: 6/21/23
This University of Illinois Foundation GDPR Supplemental Privacy Policy (“GDPR Supplemental Privacy Policy”) supplements the University of Illinois Foundation Privacy Policy for certain persons in the European Economic Area (“EEA”).
1. COMMITMENT TO PROTECTING PRIVACY AND TRANSPARENCY
The University of Illinois Foundation (“Foundation”, “we”, “us” or “our”), as the official fundraising and private gift-receiving organization for the Board of Trustees of the University of Illinois and its three universities at Urbana-Champaign, Chicago and Springfield (collectively, the “University”), is committed to respecting and protecting the privacy rights of persons in the EEA—comprised of the European Union (“EU”) and the countries of Iceland, Norway, and Lichtenstein—pursuant to the EU General Data Protection Regulation (“GDPR”). This Supplemental Privacy Policy describes the Foundation’s commitment to the privacy of persons in the EEA.
2. DOES THIS SUPPLEMENTAL PRIVACY POLICY APPLY TO ME?
This Supplemental Privacy Policy applies to you if:
- You are a “Person” or “Data Subject”—meaning a natural person, not a corporation, partnership, or other legal entity—who is physically present in the EEA;
- It is with respect to your “Personal Information”—meaning any information relating to an identified or identifiable person—that is provided while you are physically present in the EEA;
- Such Personal Information is not earlier or later provided to the Foundation while you are outside the EEA; and
- Such Personal Information is provided to the Foundation:
- During the course of the Foundation offering you goods or services;
- While the Foundation is monitoring your behavior; or
- While you are associated with our United Kingdom affiliate which is the University of Illinois Foundation UK Limited (“UIUK Foundation”).
3. WHAT PERSONAL INFORMATION DOES THE FOUNDATION PROCESS?
GENERAL CATEGORIES
The Foundation processes the following general categories of Personal Information: names; addresses; telephone numbers; email addresses; identification numbers including but not limited to social security numbers, driver’s license numbers, University identification numbers, and personal identification numbers (PINs); usernames; passwords; demographic information; education history; background check information; personal references; financial information including but not limited to credit and debit card numbers, tax information, and financial aid information; transaction history; business information; passport and visa information; work history; donation history; insurance information; military service; IP addresses; location information; device information; metadata; any requests for accommodations or leave; and other information to support the purposes set forth in Table 1, below.
The Foundation requires Personal Information only when necessary. Table 1 identifies the purposes for which the Foundation processes Personal Information and the legal basis for each purpose.
SPECIAL CATEGORIES
In order to fulfill certain of the purposes identified in Table 1, the Foundation may need to request special categories of Personal Information—information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.
Before the Foundation processes your special category Personal Information or your criminal conviction Personal Information, if any, the Foundation will ask for your affirmative consent unless the Foundation has another legal basis for the processing, in which case the Foundation will inform you of that basis.
PURPOSES FOR WHICH THE FOUNDATION PROCESSES PERSONAL INFORMATION
Table 1
Purpose | Legal Basis |
---|---|
To process Personal Information collected from individuals who contact the Foundation: (i) to deal with their inquiries or requests; or (ii) to provide them with news by mail about the Foundation or any projects, campaigns, or events that the Foundation may be involved in or how they can support the Foundation | Legitimate interests of the Foundation – legitimate interest in being able to process Personal Information collected from individuals who contact the Foundation |
To conduct direct fundraising marketing by telephone or electronic message (e.g. mail or SMS) | Consent |
To contact individuals for other purposes from time to time | Consent |
To conduct research into certain supporters or to conduct analysis of the Foundation’s donor database or persons who have expressed an interest in the Foundation or registering for or attending one of the Foundation’s events. To do this profiling, the Foundation may cross-check certain Personal Information against publicly available sources to get a better understanding of who the Foundation’s donors are and their capacity to give | Consent |
To raise funds to support the University and its programs | Consent |
To operate and facilitate the registration and participation in Foundation online and in-person education programs | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To facilitate application for and sponsoring of visas to work at the Foundation, including all functions necessary to comply with applicable immigration laws | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To respond to an individual’s request for records relating to their gifts made to the Foundation, such as gift receipts, gift letters, deeds, wills, tax documents, etc. | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To respond to an individual’s request for records relating to that individual’s time at the Foundation, such as tax documents, employment documents, etc. | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To engage the services of an independent contractor and all uses incident to that engagement | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To employ persons to work for the Foundation or the UIUK Foundation and all uses incident to that engagement including but not limited to evaluation and management of employees and administration of employee benefits | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To conduct transactions and business with individuals, such as processing payments made by credit card to the Foundation and payments made by the Foundation to you | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To host and allow individuals to attend and participate in Foundation events | Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract |
To facilitate review and evaluation of Foundation programs by government entities, third-party ranking organizations, and other appropriate bodies | Legitimate interests of the Foundation – legitimate interest in maintaining a world-class higher education foundation for the benefit of the University |
To promote safety, integrity, and security of the Foundation’s information technology systems | Legitimate interests of the Foundation – legitimate interest in maintaining IT and network security |
To protect the Foundation community, including you, and to keep its members safe wherever they are located | Legitimate interests of the Foundation – legitimate interest in physical security |
To report salary data to social security or tax authorities and otherwise comply with applicable EU or Member State laws | Necessary for compliance with a legal obligation |
To allow individuals to visit Foundation facilities | Legitimate interests of the Foundation – legitimate interest in physical security |
To facilitate the use of volunteers and to evaluate and manage individuals who volunteer to assist the Foundation in any capacity, and to perform related activities required to foster and maintain these relationships | Legitimate interests of the Foundation – legitimate interest in physical security |
To respond to subpoenas, court orders, agency requests, and other legal requests for records relating to an individual’s association with the Foundation | Legitimate interest of the Foundation – legitimate interest in complying with U.S. and state laws and not being held in contempt of court or having penalties imposed |
To engage third parties to collect sums owing to the Foundation or to otherwise take action to collect outstanding debt from an individual | Legitimate interests of the Foundation – legitimate interest in recovering sums owed to it and enforcing its legal claims whether in or out of court |
To respond to proper requests for information as required by the Illinois Freedom of Information Act | Legitimate interests of third parties – legitimate interest in publication of data for purposes of transparency and accountability |
To stay connected with University alumni | Legitimate interests of the Foundation – legitimate interest in communicating unsolicited non-commercial messages |
To geo-locate a UK IP address when someone lands on our U.S. Website and offer them the opportunity to switch to the UIUK Foundation’s Website through a pop up message | Legitimate interests of the Foundation – legitimate interest in identifying users in the EEA to provide tailored services |
4. HOW DOES THE FOUNDATION RECEIVE YOUR PERSONAL INFORMATION?
The Foundation may collect your Personal Information in various ways, for example:
- if you supply Personal Information when using our Website such as signing up to receive more information, entering your data on a form for event registration, and/or asking about volunteer opportunities or other ways you can support us;
- when you inquire about or if you agree to make a donation to the Foundation;
- when you provide Personal Information to the University, the University of Illinois Alumni Alliance, or the UIUK Foundation for subsequent use by UIF;
- from web tools, cookies, and related technologies; and
- if you provide your details to the Foundation for another purpose.
5. WHO RECEIVES/PROCESSES YOUR PERSONAL INFORMATION?
FOUNDATION
Your Personal Information may be processed by Foundation directors, employees, advancement staff, and volunteers as may be necessary to carry out the purposes for processing the information and the activities of the Foundation.
RELATED ORGANIZATIONS
The Foundation may share your Personal Information with our UIUK Foundation. In addition, your Personal Information may be shared with the University and the University of Illinois Alumni Alliance, each of which shares our commitment to treating Personal Information responsibly.
THIRD PARTIES
We never sell, trade, or rent your Personal Information. We do not disclose Personal Information to third parties unless we are legally required to do so or where we need assistance of data processors (acting under our instructions) or as mentioned above in the “Related Organizations” section.
We will take reasonable steps so that any Personal Information we collect is only used by those third parties for specific, lawful purposes in line with this Supplemental Privacy Policy. We always aim to make sure your Personal Information is treated by third parties to the same standard as you would reasonably expect to be applied in the EEA.
Please note that the Foundation may provide anonymized data developed from Personal Information to third parties, such as our peers, industry groups, and government entities, and that such anonymized data is outside the scope of this Supplemental Privacy Policy.
6. DATA RETENTION
The Foundation keeps records in accordance with all applicable laws and for purposes of business continuity and in support of anticipated constituent requests. Retention schedules are the Foundation’s official policy for the retention and disposal of Personal Information; retention schedules are developed in accordance with all applicable laws, regulations, and best practices. The Foundation’s retention policy states that all retained information must be stored in a manner designed to ensure its accessibility, integrity, confidentiality, authenticity, and legibility.
Foundation staff is responsible for the creation of records retention schedules in consultation with their specific departments/units and legal counsel, as necessary. Retention schedules include information regarding format, document creation date, office of record, retention period, method of disposition and document type description. Foundation staff is also responsible for the destruction of records stored in accordance with these schedules.
7. WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?
As a Data Subject pursuant to the GDPR, you have certain rights. This Supplemental Privacy Policy summarizes what these rights under the GDPR involve and how you can exercise these rights. More detail about each right, including exceptions and limitations, can be found in Articles 15-21 and 77 of the GDPR.
Please note: Nothing in this Supplemental Privacy Policy is intended by the Foundation to waive any defenses or immunities afforded by any or all U.S. federal law, Illinois state law, and EU law.
RIGHT OF ACCESS
You have the right to request that the Foundation confirm whether it is processing your Personal Information. If the Foundation is processing your Personal Information, you have the right to access that Personal Information, and the Foundation will provide you with a copy of that Personal Information unless prevented by applicable law.
RIGHT TO HAVE INACCURATE PERSONAL INFORMATION CORRECTED
You have the right to request that the Foundation correct any inaccurate Personal Information that it maintains about you. You also have the right to request that the Foundation complete any incomplete Personal Information that it maintains about you, which could be accomplished by incorporating a supplementary statement that you submit. If the Foundation concurs that the Personal Information is incorrect or incomplete, the Foundation will promptly correct or complete it.
RIGHT TO ERASURE
You have the right to request the erasure of Personal Information that the Foundation maintains about you in certain circumstances. These circumstances are identified in Article 17 of the GDPR and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.
Subject to applicable U.S., state, and EU law and Foundation policies, including but not limited to its Privacy Policy and Supplemental Privacy Policy, and provided that there are no overriding legitimate grounds for the Foundation to retain the Personal Information, the Foundation will comply with the request and will take reasonable steps to inform any third parties with whom the Personal Information was shared.
RIGHT TO RESTRICTION OF PROCESSING
You have the right to request that the Foundation restrict the processing of your Personal Information where one of the reasons identified in Article 18 of the GDPR apply. These reasons include that the Personal Information is inaccurate, the processing is unlawful, or the Foundation no longer needs the Personal Information.
If the Foundation grants your request to restrict processing, the Foundation will only process that Personal Information with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable U.S., state, or EU law.
RIGHT TO DATA PORTABILITY
Where the basis for processing is either consent or performance of a contract between you and the Foundation, and where the processing is carried out by automated means, you have the right to receive your Personal Information that you have provided to the Foundation. The Foundation will provide the Personal Information in a structured, commonly used, and machine-readable format. Where technically feasible and upon your request, the Foundation will transmit the Personal Information directly to another entity.
RIGHT TO WITHDRAW CONSENT
If the basis for processing your Personal Information is consent, you may revoke your consent at any time. Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, the Foundation will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims. Revoking consent does not affect the lawfulness of processing that occurred before the revocation.
RIGHT TO OBJECT TO PROCESSING
In certain situations, you may have the right to object to processing of your Personal Information.
- Public Interest or Legitimate Interests. If the basis for processing your Personal Information is public interest or legitimate interests, you have the right to object to processing the Personal Information. The Foundation will cease processing unless the Foundation demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.
- Direct Marketing. If the Foundation is using your Personal Information for direct marketing purposes such as fundraising, you have the right to object at any time, and the Foundation will stop using your Personal Information for that purpose.
RIGHT TO FILE A COMPLAINT
You have the right to submit a complaint with an EU supervisory authority, in particular the one in the EU Member State of your habitual residence, place of work, or place of the alleged violation, if you believe that the Foundation’s processing of your Personal Information violates the GDPR.
For more information on the process for submitting a complaint, consult the relevant EU supervisory authority: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
8. HOW TO EXERCISE YOUR RIGHTS
In order to exercise any of these rights, except the right to file a complaint with an EU supervisory authority, you should submit your request to our Foundation Data Privacy Steering Team:
Email: UIF Data Privacy Steering Team | privacy@uif.uillinois.edu
Telephone: 217-333-0810
Address: 303 St. Mary’s Road, Champaign, IL 61820, USA
At that time, you will be asked to: 1) identify yourself; 2) provide information to support that the GDPR applies to you (see Section 2, above); 3) identify the specific information or data that you are concerned about; and 4) state what right(s) you wish to exercise.
To expedite processing your request, please identify the data collection location (e.g., the website where your Personal Information was collected), if known.
9. HOW DOES THE FOUNDATION RESPOND TO REQUESTS FOR PERSONAL INFORMATION?
In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, or Foundation policy. When you submit a request to the Foundation to exercise your rights, the Foundation will respond in accordance with existing Foundation policies and procedures that implement the relevant privacy law(s).
10. EXISTENCE OF AUTOMATED INDIVIDUAL DECISION-MAKING
The Foundation, in conjunction with the University and the University of Illinois Alumni Alliance, uses automated decision-making, including profiling, to help identify prospective supporters of the University and its activities. The logic takes an all-factor approach to assessing a possible donor’s propensity to support the University and may result in a prospective donor being contacted to explore support opportunities.
You will not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performing a contract or unless you explicitly consent.
11. TRANSFER OF PERSONAL INFORMATION OUTSIDE THE EEA
The Foundation is based in the U.S. and is subject to U.S. and Illinois law. Personal Information that you provide to the Foundation will generally be hosted on U.S. servers. To the extent that the Foundation needs to transfer your information either (a) from the EEA to the U.S. or another country or (b) from the U.S. to another country, the Foundation will do so on the basis of either (i) an “adequacy decision” by the European Commission; (ii) EU-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting the Foundation as set forth in Section 12; (iii) your explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with the Foundation, in which case the Foundation will inform you of the intent to transfer the Personal Information. Please note that the U.S. is not currently considered a safe harbor country under the GDPR.
12. HOW DO I CONTACT THE DATA CONTROLLER?
The Foundation is the data controller. If you have any questions about anything contained in this Supplemental Privacy Policy, please contact our Foundation Data Privacy Steering Team:
Email: UIF Data Privacy Steering Team | privacy@uif.uillinois.edu
Telephone: 217-333-0810
Address: 303 St. Mary’s Road, Champaign, IL 61820, USA
13. GDPR
If you are interested in reviewing an English version of the GDPR, please see http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
14.UPDATES TO SUPPLEMENTAL PRIVACY POLICY
The Foundation may update this Supplemental Privacy Policy from time to time. Any changes will become effective upon posting of the revised Supplemental Privacy Policy.