General Data Protection Regulation (GDPR) Data Privacy Policy
Policy Purpose
This policy is published for the benefit of Indiana University Alumni Association, Inc. (IUAA) and Indiana University Foundation, Inc. (IUF) donors, volunteers, and alumni who are citizens or residents of the European Union (EU), Iceland, Liechtenstein, or Norway to explain what data is collected by IUAA and IUF and how it is used. We are providing you with this information, so you know what data we hold for you and why, and how we keep your data protected and in compliance with the GDPR.
This policy also provides information about the collection, use, processing and sharing of data about individuals located in the United Kingdom (UK), which has adopted legislation substantially similar to the GDPR. With respect to individuals located in the UK, references to the GDPR in this policy shall be read as referring to the UK’s similar legislation, the Data Protection Act of 2018.
This Policy applies to processing by any means, including hardcopy and electronic means.
Personal Data
For purposes of this notice, “Personal Data” is defined broadly as any information about you (the “data subject”) as an identified or identifiable person including your name, address, historical personal information, and virtually any other information that is or can be stored about you in our database.
Processing
For the purposes of this notice, “Processing” means the collection, use, processing or sharing of Personal Data when those activities are within the scope of the GDPR. Data is processed within the US.
Who is collecting your Personal Data?
IUAA and IUF are the “Data Controllers.”
What Personal Data is being collected?
IUAA and IUF collect your contact details, your history with IUAA, IUF and Indiana University (IU), biographical information, employment information (if available), matriculation information (if you attended IU), information about contacts with IUAA, IUF and IU staff, information on your interests that relates to events at or opportunities to support IU, and information related to your charitable donations. In addition, IUAA and IUF automatically collects certain technical information from your computer and about your connection (e.g., IP address, user-specific information on pages visited, referring website, etc.) as indicated in our Privacy Policy.
Learn more about our Passive/Automatic Data Collection
How is my Personal Data being collected?
In most cases, we acquire Personal Data from IU upon the graduation of classes from the different campuses. We also collect data that is shared with IUAA, IUF and IU staff, data that is collected as donations are made or received, data that may be collected during donor, alumni and other events, and data collected through purchased lists, data appends, wealth screenings and any publicly available sources.
What is the legal basis for processing your Personal Data?
Depending on the activity for which your Personal Data is used, IUAA and IUF will rely on one of the following reasons for processing: a legitimate interest; a legal obligation; or your consent to process your Personal Data, as explained here.
Legitimate Interest: “GDPR Article 6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.”
IUAA and IUF will hold Personal Data about your history attending IU in addition to all other Personal Data for the purpose of offering you a tailored opportunity to support and engage with IUAA, IUF, and IU in the specific ways that are or may be most important to you.
Legal Obligation: “GDPR Article 6(1)(c) -Processing is necessary for compliance with a legal obligation”
If you make or have made a charitable donation to IUF for the benefit of IU, we will process your name, address, and donation information under 6(1)(c) of the GDPR for the purpose of administering your donation.
Consent: “GDPR Article 6(1)(a) – Consent of the datasubject”
If not relying upon another legal basis, IUAA and IUF will only contact you about our events, services, and other fundraising and alumni activity, unless you have asked us not to. We may communicate with you through a variety of channels (e.g., email, phone, etc.), unless you have asked us not to. To help us contact you in the best way possible, please make sure your preferences are up to date in our records.
Will your Personal Data be shared with any third parties?
Your Personal Data can only be accessed through our database and therefore can only be seen by IUAA, IUF and IU personnel or limited others to whom we grant access to the database. For example, we do share your Personal Data with third-party service providers that complete transactions or perform services on our behalf or for your benefit. Additionally, we may disclose your Personal Data to legal or government regulatory authorities as required by applicable law.
Will Personal Data be obtained from third party sources?
We may obtain certain Personal Data about you from third party sources for the purpose of fundraising or engagement. Third-party sources may include but are not limited to the internet, published directories, news media, or other sources. See Privacy Policy for more information on third party sources.
How will your Personal Data be used?
IUAA and IUF will use the Personal Data it has received from IU or that you have given us to contact you by mail, e-mail or telephone about relevant activities or services unless you have asked us not to. These may include:
- the sending of alumni publications
- the sending of IUAA, IUF, and IU publications
- the promotion of benefits and services available to IU donors and alumni
- notification of and distribution of information about events and reunions
- IUAA and IUF fundraising and other engagement programs
- volunteering opportunities
- payment and donation processing
How will your Personal Data be Shared?
For more information on how your Personal Data will be shared, see our Privacy Policy.
How secure is my Personal Data?
All personnel who have access to your Personal Data have received thorough training that stresses the need to keep your Personal Data secure. Further, other university-related entities with which your Personal Data may be shared are required to undertake thorough training that stresses the need to keep your Personal Data secure.
How long will your Personal Data be stored?
IUAA and IUF will keep your information only for as long as needed to provide you with the goods, services, or information you have required, to administer your donation, to manage your relationship with us, to comply with the law, or to ensure we do not communicate with you after you have asked us not to. When we no longer need your Personal Data, we will always dispose of it securely.
What rights do you have as a data subject?
You have the following rights as an IU alum, donor, and data subject:
- right to access your own Personal Data;
- right to update and correct Personal Data;
- right to object to processing your Personal Data based on either public interests or legitimate interests;
- right to object to direct marketing;
- right to not have your Personal Data subject to processing;
- right to request deletion of Personal Data;
- right to restrict processing in certain situations;
- right of data portability; and
- right to object to processing for scientific, historical, or statistical purposes
To make a request, please notify iuf@iu.edu
What rights do you have to raise a complaint?
You have the right to raise a complaint about any aspect of our processing of Personal Data.
Please contact us:
Indiana University Alumni Association and Indiana University Foundation
Attention: Data Steward
Showalter House, 1500 N. State Road 46 Bypass
Bloomington, IN 47408
iuf@iu.edu
812-855-8311
What will IUAA and IUF do in the event of a data breach?
In the event of a data breach, we are required to notify the appropriate “Data Protection Authority” within 72 hours of the breach being discovered, unless it is demonstrably unlikely that the breach will result in a risk to you. We are also required to notify you if the breach is likely to result in high risk to you as an affected data subject. This risk is typically measured as the likelihood fraud will be committed with the leaked information or that publication of the information could cause extreme distress or embarrassment.
Effective Date
The effective date of this policy is: 2022-08-23
Changes
Because Internet technologies and services evolve rapidly, the IUAA and IUF reserve the right to change, modify, add, or remove portions of this GDPR policy at any time without prior notice by posting the revised version with an updated effective date. Your use of our digital platforms following any such change constitutes your agreement that all information collected from or about you through the digital platforms after the revision is posted will be subject to the revised GPDR Policy.
Whom do I contact for more information or other requests?
Please direct all such inquiries or requests to iuf@iu.edu.