This Arizona State University (ASU) Privacy Statement provides information required by Arizona law about ASU’s online information gathering and dissemination practices. Individual pages on ASU websites may provide additional information.
If you are in the European Union, please also review ASU’s Supplemental Privacy Provisions for Persons in the European Union. These EU Supplemental Privacy Provisions provide additional information regarding ASU’s processing of personal data you submit or disclose to ASU (or to a third party that transfers it to ASU for processing) while you are in the European Union.
We encourage you to periodically review this Privacy Statement because we may update it from time to time.
ASU’s websites provide online information and services to all users of ASU’s technology network (Users) consistent with ASU’s Charter and Mission.
In addition to information and services provided on ASU websites, ASU may also provide connections to external services and information provided by non-ASU service providers. These non-ASU provided services may include the education versions of Dropbox, Amazon Web Services, and Google, which includes Gmail. Non-ASU service providers have their own privacy policies that are not covered by this Privacy Statement. ASU is not responsible for the privacy practices or policies of non-ASU service providers. We recommend you review the privacy practices and policies of all non-ASU service providers.
ASU collects information actively provided by Users. We may also collect information about the computers, mobile devices, or other devices you use to access ASU’s technology network, such as IP address, unique device identifiers, browser types, browser languages, web pages requested, network software access, referring web pages, date, time, and duration of activity, passwords, and accounts accessed, volume of data storage and transfers, and locations of User devices when connected to ASU’s technology network. Logs of this information may be retained. We may contract with non-ASU service providers to help us better understand Users. These non-ASU service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our services.
ASU uses information collected to provide services, in support of ASU’s Charter and Mission, to protect the security of ASU’s technology network, to support academic integrity, and to provide safety and security services to Users, as well as to monitor, preserve, and enhance the use, functioning, and integrity of ASU’s technology network. ASU may also use information collected from you for analysis and statistical purposes consistent with ASU’s Charter and Mission.
If you prefer not to provide information to ASU through our technology network, you may contact the ASU administrative unit responsible for the service to learn about available options.
ASU does not disclose confidential information we collect online to individuals or entities not affiliated with ASU, except in the limited circumstances described below. Non-confidential information may be disclosed or distributed pursuant to federal laws, state laws, including Arizona’s public records laws, and ASU and Arizona Board of Regents (ABOR) policies. These laws and policies explain what information may be shared or disclosed. They also explain what information is protected as confidential.
Student Records. Certain records of students are protected by the federal Family Educational Rights and Privacy Act (FERPA), Arizona law, and ASU Policy. Information about students’ access to their education records and protection of education records is available in ASU’s Student Services Manual in Section 107-01. This policy also provides information on students’ rights to limit access to their directory information. ASU may disclose confidential student information with the consent of the student, under subpoena or court order, or in other limited circumstances as permitted by FERPA.
Public Records Laws. ASU may be required to provide access to ASU records to third parties pursuant to Arizona’s public records laws ARS §§ 39-121 through 39-161. Additional information about Arizona’s public records laws is available at ogc.asu.edu/public-records/.
Court Order or Public Safety. ASU may be required to disclose confidential information pursuant to a valid court order or lawfully issued and served subpoena, search warrant, or other legal order. In addition, ASU may disclose confidential information to law enforcement if ASU believes that disclosure is necessary to protect ASU, to protect the health or safety of individuals, or if law enforcement believes that ASU’s resources have been used in the commission of a crime.
Contractors. ASU may contract with non-ASU service providers to provide services and information through ASU’s technology network. ASU may provide information, including personal information collected on our technology network; to non-ASU service providers to assist ASU deliver classes, programs, products, information, and services. ASU also contracts with non-ASU service providers to perform analysis, research, and administrative activities for ASU. ASU requires non-ASU service providers to protect personal information on our behalf.
ASU does not allow any non-ASU entities to collect information from ASU’s technology network unless those entities have received written permission from an ASU authorized signatory.
ASU takes steps to ensure that confidential information collected online is secure. These steps include: ongoing User education; using tools in an effort to restrict unauthorized access, viruses, phishing, and hacking attempts; and monitoring activity to identify potential system threats. ASU routinely assesses and enhances tools and processes available to strengthen our online security.
These Supplemental Privacy Provisions for Persons in the European Union (EU Privacy Provisions) are provided pursuant to Regulation (EU) 2016/679 (“Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data”) (the GDPR), effective May 25, 2018.
These EU Privacy Provisions supplement ASU’s Privacy Statement, and should be read together with ASU’s Privacy Statement. These EU Privacy Provisions are intended to be consistent with the GDPR principles of privacy, fairness, lawfulness, transparency, purpose limitation, accuracy, storage limitation, integrity, and accountability. For more information regarding the GDPR and these principles, the full text of the GDPR is available here. Terms in these EU Privacy Provisions are used consistent with their definitions in the GDPR.
These EU Privacy Provisions apply to you only if and to the extent ASU is Processing your EU Personal Data, where the Processing is related to ASU offering goods or services to you, or ASU is monitoring your behavior in the EU (e.g., through online course proctoring, or location tracking).
Personal Data means any information, recorded in any form, relating to you that can identify you, directly or indirectly, such as your name, date of birth, addresses (including email addresses), identification numbers, location data, online identifiers, or factors specific to your physical, physiological, genetic, mental, economic, cultural, or social identity.
EU Personal Data means Personal Data you submit or disclose to ASU (or to a third party that transfers it to ASU for Processing) while you are in the European Union (EU).
Processing (and Process) includes collecting, recording, organizing, storing, transferring, sharing, disclosing, erasing, or destroying your EU Personal Data, whether or not via ASU’s technology network.
Collection of Your EU Personal Data. ASU collects EU Personal Data from you:
Use of Your EU Personal Data. ASU may use your EU Personal Data to respond to your questions, provide you specific courses, services, products, programs and/or services you select, satisfy our contractual obligations to you, send you updates and information regarding ASU, send you email messages about maintenance or updates of ASU’s technology network, and to support of ASU’s alumni relations and fundraising. We may also: archive your EU Personal Data; use it for research and analytics purposes; use it for future communications with you; use it to establish, exercise, and defend legal claims; use it for reasons of substantial public interest, including archiving purposes; use it for historical, scientific, research, or statistical purposes, subject to appropriate safeguards; and use it for the legitimate interests of ASU or any third party to whom ASU discloses your EU Personal Data, if your fundamental rights and freedoms do not override those interests.
Lawfulness of Processing. ASU’s Processing of your EU Personal Data for the interdependent purposes set out in these EU Privacy Provisions is necessary for one or more of the following:
In addition to the information provided above, this Section provides additional information regarding how ASU Processes your EU Personal Data in specific situations.
Applications for Student Admissions from the EU. This part applies if, while you are in the EU, you apply for admission as a student to ASU (including as an exchange or visiting student), whether you intend to attend ASU online, remotely, or on campus, and whether you submit your application through ASU’s online student application portals (Undergraduate, Graduate), through a third party such as the Common Application, or directly via communications with an ASU department, program, or school. ASU may use the details you provide on your application, together with any supporting documents you submit, additional details and documents provided by any references or third parties, including education records and financial aid applications and records, and any records made by ASU during the application process.
In addition to the uses described in Part B above, we will process the EU Personal Data obtained during your application process for the purposes of identifying you, processing your application, verifying the information provided, deciding whether to offer you admission, and communicating that outcome. We may also use or disclose this information for the following statutory or public interest purposes: to prevent or detect fraud; for disciplinary or academic integrity proceedings; to meet reporting obligations, such as to state or federal Departments of Education; to help us to make reasonable decisions regarding accommodations for a disability, as requested by you; and for research and statistical purposes, but none of your EU Personal Data that can identify you will be published.
We consider the Processing of your EU Personal Data in connection with your student application process to be necessary for us to take steps with a view to creating a contractual relationship with you (e.g., to assess your application to study with us), necessary for compliance with a legal obligation, or necessary for the performance of tasks we carry out in the public interest (e.g., admissions research). We require you to provide ASU the information we request during the application process to assess your application properly.
As well as circulating your application and related materials to the appropriate people at ASU, we may share your EU Personal Data, as relevant and necessary, with your references, with entities that provide services to, or on behalf of, ASU, and with governmental organizations. If you are accepted, ASU will include in your ASU student files the EU Personal Data collected during your application process.
Enrollment and Participation in Programs and Courses while in the EU - Overview. ASU offers the opportunity to participate in ASU courses and programs while you are in the EU, including while traveling, and online through ASU’s technology network. If you desire to participate in an ASU course or program in the EU, you will be asked to provide certain Personal Data necessary for admission, registration, enrollment, and participation in the course or program. This information may include, among other things, your name, email address, date of birth, and registration information. Enrollment and participation in ASU courses and programs and receipt of related services while you are in the EU is a contractual obligation between ASU and you, and ASU will need your EU Personal Data to deliver these services to you.
In addition to the uses described in Part B above, we use the EU Personal Data we collect from you when you enroll and participate in ASU courses or programs while in the EU for Processing purposes, including tracking attendance, progress, and completion of a course or program. We may also share your EU Personal Data and your performance in a course or program with the instructors, teaching assistants, and other individuals designated by ASU to assist with the creation, modification, or operation of the courses or programs, and for research and statistical purposes, but none of your EU Personal Data that can identify you will be published.
Online. If you participate in courses or programs while in the EU on or through ASU’s technology network, we will collect from you certain student-generated content, such as assignments you submit to instructors, peer-graded assignments and peer grading student feedback. We also collect course data, such as student responses to in-video quizzes, stand-alone quizzes, exams, and surveys, online proctoring data and information, and other course, program, and degree related information.
Study or Travel Abroad. ASU travel and study abroad programs include academic and other ASU programs (such as travel with an ASU team). If you are an ASU student participating in an ASU travel or study abroad program, ASU requires that you sign a GDPR Contract and Consent before your leave the United States. ASU’s Contract and Consent allows ASU to use your Personal Data collected while you are in the EU. ASU also needs to be able to Process your Personal Data regarding your coursework as necessary to maintain your educational and degree records consistent with ASU policies, legitimate pedagogical purposes, and any applicable laws, rules, regulations, and policies.
Disclosure of Student Personal Data. The United States Family Educational Rights and Privacy Act (FERPA), Arizona law, and ASU policy provide ASU students with the right to limit access to their Personal Data. Due to the GDPR's requirements, if you are participating in ASU courses or programs on or through ASU's technology network while you are in the EU, ASU will endeavor to restrict third parties from access to your EU Personal Data that is directory information, as described and defined in ASU's Student Services Manual in Section 107-01. ASU may disclose EU Personal Data that is confidential student information with your consent, under subpoena or court order, or to comply with other legal obligations to which ASU is subject.
ASU Employment in the EU. If you are an ASU employee who is working for ASU while in the EU, ASU will maintain, retain, protect, and Process your personnel records as described in ACD 811 and SPP 1101, as applicable. If you request in writing to ASU’s Human Resources Department, ASU will endeavor to withhold from publication in the ASU Directory your EU Personal Data that is ”Directory Information." Directory Information is defined in SPP 1101 and ACD 811 as your name, title, academic unit or department, campus location, and campus telephone number. ASU may disclose your EU Personal Data as described in SPP 1101 and ACD 811, which includes disclosure with your consent, under subpoena or court order, or to comply with other legal obligations to which ASU is subject.
Employment with ASU while you are in the EU is a contractual obligation between ASU and you, and ASU’s duties as an employer are subject to Arizona laws, and ASU and Arizona Board of Regents Policies. ASU will need your Personal Data to comply with applicable laws, rules, regulations, and policies, as well as to fulfill ASU’s contractual obligations to you.
In addition to the uses described in Part B above, ASU may use an ASU employee's EU Personal Data to carry out specific rights and obligations in the context of employment law or laws relating to social security and employee benefits, to protect your vital interests or the vital interests of another person if you are incapable of giving consent, to carry out public functions, and for research and statistical purposes.
Applications for ASU Employment from the EU. If, while you are in the EU, you apply for a position with ASU through ASU’s online employment portal, or directly via communications with an ASU department or school, ASU may use the details you provide on your application form, together with any supporting documents you submit, additional details and documents provided by any references, and any records made by ASU during the employment process. If you are required to undergo additional background checks or procedures as part of the employment process (e.g., criminal convictions checks or visa application procedures), we will collect and use this information as well. Specifics regarding what background checks and other documentation and information ASU may require can be found at the Human Resource Website [or by contacting HRESC@asu.edu].
In addition to the uses described in Part B above, ASU will process your EU Personal Data obtained during your employment process for the purposes of identifying you, processing your application, verifying the information provided, assessing your suitability for the position, deciding whether to offer you a job, and communicating that outcome. We may also use or disclose this information for the following statutory or public interest purposes: to prevent or detect fraud; to help us to make decisions regarding accommodations for a disability that are requested by you; and for research and statistical purposes, but no EU Personal Data that can identify you will be published in connection with research or for statistical purposes.
We consider the Processing of your EU Personal Data in connection with the employment process to be necessary for us to take steps with a view to creating a contractual relationship with you (e.g., to assess your application for employment), necessary for compliance with legal obligations (e.g., equal opportunity monitoring, or disability accommodations), or necessary for the performance of tasks we carry out in the public interest. We require you to provide us with the information we ask for during the employment process to assess your application properly.
As well as circulating your application and related materials to the appropriate people at ASU, we may share your EU Personal Data, as relevant and necessary, with your references, and with entities that provide services to, or on behalf of, ASU, such as background checks. If you are hired, ASU will include in your personnel employment files EU Personal Data collected as part of your employment process.
ASU Alumni in the European Union. Developing a better understanding of our alumni allows ASU to keep in touch, to keep alumni apprised of ASU’s activities and developments, to provide services to alumni, and to identify ways alumni can support ASU, through donations or other forms of financial and non-financial support. For information regarding how ASU uses alumni EU Personal Data, please refer to the Guidance at alumni.asu.edu.
Identity Verification. ASU may require or offer you the ability to verify your identity before we provide certain services (such as resetting passwords, or releasing certain information), or for selected classes and programs. To verify your identity, ASU may require you to provide EU Personal Data, such as your name, address, date of birth, a headshot taken using a webcam, a photo identification document, and a sample of your typing patterns. We use the Personal Data we collect for verifying your identity, and for authenticating that submissions made on ASU's technology network were made by you.
Enrollment Sponsors. ASU may share your EU Personal Data with your employer, government programs, institutions, or other enterprises that sponsor your enrollment in a course or program for training or other educational purposes. If an entity pays for or otherwise sponsors your course or program participation, ASU will share information with the entity as needed to confirm your enrollment, participation, progress, and completion status in that course.
Research. As a Tier 1 Research University, the conduct of research is a fundamental part of ASU’s mission. Research at ASU is supported by ASU’s Office of Knowledge Enterprise Development researchadmin.asu.edu, consistent with applicable research grants and agreements, to ensure compliance with applicable laws, rules, regulations, and policies. Terms and conditions of ASU research projects are negotiated before acceptance to ensure the ability to comply, including with the GDPR.
ASU may use your EU Personal Data for research, analytics, and statistical purposes, but no EU Personal Data that can identify you will be published in connection with research or for statistical purposes.
ASU Service Providers. ASU may contract with non-ASU service providers, vendors, and contractors (Contractors) to assist ASU in providing services. These Contractors may have access to and may collect or otherwise Process your EU Personal Data as necessary to perform the services for ASU. These Contractors, for example, may provide ASU with network, website, platform, server, technology, services, course and program content and delivery, and administrative and student-related services, such as those related to providing ASU study abroad or other courses or programs offered to individuals in the EU. Access to your EU Personal Data by these Contractors is limited to the information reasonably necessary to perform their contracted functions. ASU requires Contractors to protect Personal Data on our behalf. We do not permit third parties to sell Personal Data we have shared with them.
Transfer to Third Parties. ASU will transfer your EU Personal Data to third parties only where ASU is comfortable that they will protect your EU Personal Data. Where we know that a third party we have provided EU Personal Data to is Processing that EU Personal Data in a manner contrary to the GDPR, we will take reasonable steps to prevent or terminate Processing by that third party unless and until the third party can Process EU Personal Data in compliance with the GDPR.
Government Authorities, Legal Rights and Actions. ASU may share your EU Personal Data with various government authorities in response to subpoenas, court orders, or other legal process; to establish or exercise our legal rights; to defend against legal claims; or as otherwise required by law. ASU also may share your EU Personal Data when we believe it is appropriate to investigate, prevent, or take action regarding unlawful or suspected illegal activities; to protect and defend the rights, property, or safety of ASU, ASU's technology network, ASU's students, employees, and others.
ASU Server Locations. ASU's websites, technology network, and online course platforms that contain your EU Personal Data are primarily operated and managed on servers located within the United States.
EU Personal Data Retention and Storage. ASU may permanently store and maintain, among other things, your name, subject(s), enrollment, registration and graduation details, unique ASU identification number, date of birth, verification, residency, affidavits, financial aid, grades, classes, courses, transcripts, disciplinary, and degree and employment related records containing your EU Personal Data: (i) to comply with ASU's obligations to you, including taking steps to enter into an employment, enrollment, or other contract with you; (ii) to comply with ASU's legal obligations; (iii) for reasons that are in the public interest; (iv) to comply with ASU's records retention policies https://apps.azlibrary.gov/records/general.aspx; or (v) in ASU's exercise of its authority as an Arizona University governed by the Arizona Board of Regents. If you exercise your right to erasure, we will continue to maintain a core set of your EU Personal Data, to ensure we do not contact you inadvertently in the future, to maintain your academic record for reference and archival purposes, and to meet our legal obligations.
You have certain rights regarding your EU Personal Data, subject to certain exclusions as described in the GDPR. Your rights include:
A response to a rights request needs to be sent within one month. However, nearly all of your rights are qualified in various ways and there are numerous specific exemptions (for example, almost all of the rights do not apply if your EU Personal Data are being processed solely in an academic research context).
Contact Information, Rights Requests. If you wish to exercise any of your rights regarding your EU Personal Data, please contact ASU’s GDPR data protection team (firstname.lastname@example.org). You may also file a complaint concerning your EU Personal Data Processing with the applicable EU Supervisory Authority. The Supervisory Authority Contact Information for all EU countries is at: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
If you have specific requests relating to how ASU Processes your EU Personal Data, we will endeavor to resolve these, but there may be circumstances where ASU cannot comply with specific requests.
We will publish on our website any changes we make to these EU Privacy Provisions.