Privacy at UC Santa Barbara under GDPR

Transparency Regarding the Use of Your Personal Data

As part of our commitment to protecting your privacy, this statement is designed to provide you with general information regarding how UC may use -- or process -- the information you share when you use or access UC websites, as well as information you share when you communicate with UC or participate in any of UC’s programs or activities (“UC Services”). This document further serves to educate you regarding your privacy rights as a UC program participant. This statement is applicable to individuals who are located in the European Economic Area [1] (“EEA”) and use UC Services.

For purposes of the General Data Protection Regulation (“GDPR”), the data controller is the Regents of the University of California, with a location at UC Santa Barbara, Santa Barbara, CA 93106.

Your Personal Data We Use

Information you provide directly to UC

Depending upon your participation in or utilization of UC Services, UC may collect personal information about you called Personal Data. Personal Data is any information that allows someone to identify you, including, for example, your name, address and contact information, as well as specific Personal Data elements related to your participation in UC programs and activities. Your Personal Data is collected when you register or fill in a form relating to any one of UC’s Services, or contact UC. This includes information you provide when you register to use or access a UC Service.

To learn more about the types of Personal Data that a particular program, activity, service or product at UC processes about you, refer to the UC website associated with that UC Service, or contact the UC Santa Barbara Privacy Official.

Log, Cookie and Device Data

We also collect log data, which is information collected whenever you visit a website. This log data includes your Internet Protocol address, browser type and some settings, the date and time of your request, how you used the Service, and cookie data. Depending on how you are accessing the Services, we may use “cookies” (small text files stored by your computer when you visit our website) or similar technologies. For more detailed information about how we use cookies, please contact the UC Santa Barbara Privacy Official. In addition to log and cookie data, we also collect information about the device you’re using to access the Services, including what type of device it is, what operating system you are using, device settings, unique device identifiers and crash data. Whether we collect some or all of this information often depends on what type of device you are using and its settings. For example, different types of information are available depending on whether you are using a Mac or a PC, or an iPhone or Android phone. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.

Information from Other Sources

We may also obtain information about you from other sources and combine that information with information we collect from you directly. For example, we may collect information about you when you post content to our pages or apply to participate in a UC Service. To learn more about the types of Personal Data that a particular UC Service obtains from other sources, refer to the UC website associated with that UC Service, or contact the UC Santa Barbara Privacy Official.

How We Use Your Personal Data and the Lawful Basis for Such Processing

Depending upon your relationship with UC, UC may use your Personal Data where necessary in order to perform its obligations under a contract with you or based on a request you have made to use or participate in a UC Service. UC may also use your Personal Data where required by law, and/or where necessary for the legitimate interests of UC, provided there is no overriding impact on your interests or rights. To learn more about how a particular UC Service uses your Personal Data, refer to the UC website associated with that UC Service, or contact the UC Santa Barbara Privacy Official.

In certain instances, UC may be required to obtain your consent to collect and process your Personal Data for a specific purpose. This depends on the specific category of data collected and the intended use of the data. In these instances, the UC Service will inform you of the specific category of Personal Data that will be collected and the intended purpose of the collection, and will request that you affirmatively indicate that you consent to the intended collection of your Personal Data for that purpose, prior to collecting the data.

In these instances, if you do not consent to the collection and intended processing purpose, UC will refrain from collecting and processing your Personal Data, but this may impact your ability to use the UC Service.

Recipients of Your Personal Data

Depending upon your participation in a UC Service, UC may share your Personal Data with third parties. These third parties may include UC’s service providers, who may need access to Personal Data in order to provide products and services on UC’s behalf; UC partners and collaborators in order to support UC’s public service, education and research missions; or public, regulatory and governmental authorities that regulate or have jurisdiction over UC.

If your Personal Data is shared with a third party, UC will require that the third party use appropriate measures to protect the confidentiality and security of your Personal Data.

UC may also need to share your Personal Data as required to respond to lawful requests and legal processes; to protect our rights and property and those of our agents, customers and others, including to enforce our agreements and policies; and in an emergency, to protect UC and the safety of our students, faculty and staff or any third party.

To learn more about the recipients of your Personal Data from a particular UC Service, refer to the UC website associated with that UC Service, or contact the UC Santa Barbara Privacy Official.

Security

UC takes appropriate physical, administrative, and technical measures to protect the security, integrity, and privacy of your Personal Data. These measures are consistent with applicable privacy and data security laws and include the following practices:

  1. storing information we collect on computer systems located in controlled facilities with limited access;
  2. protecting the transmission of your information over the Internet, through the use of encryption, such as the Secure Sockets Layer (SSL) protocol;
  3. using a variety of security technologies and procedures to help protect your Personal Data from unauthorized access, use, or disclosures; and
  4. limiting access to data to only authorized personnel.

We endeavor to protect the privacy of the Personal Data we hold in our records, but we cannot guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of your Personal Data.

For more information about how UC protects data, refer to UC Systemwide Policy IS-3: Electronic Information Security.

Retaining and Deleting Your Personal Data

UC will only retain your Personal Data for the duration necessary for the data collection purposes identified by the specific UC Service, unless there is a legal requirement to maintain it for a longer period.

International Transfer of Your Personal Data

In order to fulfill the intended processing purposes for the UC Services you use, your Personal Data will be transferred outside of the European Economic Area (EEA), specifically to the United States, which does not protect Personal Data in the same way that it is protected in the EEA. Depending upon your participation in or utilization of UC Services, your Personal Data may also be transferred to other countries outside of the EEA; refer to the UC website associated with that UC Service, or contact the UC Privacy Official below for more information. UC will undertake appropriate measures to ensure adequate protection of Personal Data, including utilizing appropriate physical, administrative, and technical safeguards to protect Personal Data, as well as executing standard contractual clauses approved by the European Commission or a supervisory authority under GDPR, or obtaining your consent, where appropriate.

Your Rights

As required by the General Data Protection Regulation and applicable EU Member State and EEA state law, if you are located in the European Economic Area, you have a right to:

  • Access your Personal Data, as well as information relating to the recipients of your Personal Data, the purposes of processing your Personal Data, the duration for which the Personal Data will be stored, and the source of Personal Data that has not been provided by you;
  • Rectify or correct inaccurate or incomplete Personal Data concerning you, taking into account the purposes of the processing, and the right to have incomplete Personal Data completed;
  • Move your Personal Data to another controller or processor. UC will facilitate the lawful transfer of your data to the extent possible;
  • Have your Personal Data erased in certain circumstances;
  • Restrict the processing of your Personal Data in certain circumstances;
  • Object to the processing of Personal Data in certain circumstances;
  • Withdraw your consent to the processing of your Personal Data, should UC ask for your consent for the processing of your Personal Data. The withdrawal does not affect the lawfulness of processing based on your consent before its withdrawal;
  • Know whether your Personal Data is being used for automated decision-making, including profiling. In those cases, UC will give you meaningful information about the logic involved, the significance and the envisaged consequences of such processing for your data, and the right to request human intervention;
  • Lodge a complaint with a supervisory authority.

UC may be obligated to retain your Personal Data as required by U.S. federal or state law.
If you wish to exercise your rights, you can contact the UC Santa Barbara Privacy Official.

You may choose not to visit or use UC websites or participate in UC Services. If you choose not to share your Personal Data with UC or UC-approved third parties, depending upon the specific UC Service, your ability to use or participate in the UC Service may be affected. For example, you may not be able to participate in the UC Service, or you may not receive information relating to the UC Service. You may choose to set your web browser to refuse cookies, or to alert you when cookies are being sent. If you choose to reject cookies, some parts of UC’s websites may not function properly. To learn more about how your choices to share Personal Data may affect your ability to use or participate in a UC Service, refer to the UC website associated with that UC Service, or contact the UC Privacy Official identified below.

Questions and Complaints

If you have questions or complaints about our treatment of your Personal Data, or about our privacy practices more generally, please feel free to contact the UC Santa Barbara Privacy Official.

Effective Date: This statement is effective as of June 5, 2018.


[1] The European Economic Area includes the European Union, Iceland, Liechtenstein, Norway and the United Kingdom.