UTC PRIVACY STATEMENT REGARDING THE European Union’s General Data Protection Regulation (GDPR)

Notice of Collection and Use of Personal Data

The University of Tennessee Chattanooga (“UTC”) may be a data “controller” or “processor” with regard to certain activities as defined under the European Union’s General Data Protection Regulation (“EU GDPR”).  UTC is committed to protecting the rights of individuals in compliance with the GDPR.  You are notified that by applying for admission or other services, UTC is collecting certain personal data about you.  UTC is collecting this personal data in order to review your application for admission or other services.

Types of Personal Data collected and How it Will be Used

UTC collects a variety of personal data to meet one of its lawful bases, as referenced above.  Most often the data is used for academic admissions, enrollment, educational programs, job hiring, provision of medical services, participation in research, development, and public service.  Data typically includes name, address, transcripts, work history, information for payroll, research subject information, medical and health information (for student health services, or travel), and donations.  If you have specific questions regarding the collection and use of your personal data, please contact the Data Protection Officer identified herein.

If a data subject refuses to provide personal data that is required by UTC in connection with one of UT’s lawful bases to collect such personal data, such refusal may make it impossible for UT to provide education, employment, research, or other requested services.

Lawful Basis for Collecting and Processing of Personal Data

UTC is an institution of higher education involved in education, research, and public service.  In order for UTC to educate its students both in class and on-line, engage in research, and provide public service, it is essential, necessary, and UTC has lawful bases to collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and public service programs.  The lawful bases include, without limitation, admission, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention.  Examples of data that UTC may need to collect in connection with these lawful bases are: name, email address, IP address, physical address or other location identifier, photos, as well as some sensitive personal data obtained with prior consent.

For more information regarding the EU GDPR, please review https://audit.tennessee.edu/compliance/gdpr.

Most of UTC’s collection and processing of personal data will fall under the following categories:

  • Processing which is necessary for the purposes of the legitimate interests pursued by UTC or third parties in providing education, employment, research and development, and public service.
  • Processing which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Processing which is necessary for compliance with a legal obligation to which UTC is subject.
  • Processing for which the data subject has given consent for UTC to use his or her personal data for one or more specific purposes. 

There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.

Where UTC Gets Personal Data

UTC receives personal data from multiple sources.  Most often, UTC gets this data directly from the data subject or under the direction of the data subject who has provided it to a third party (for example, application for admission to UTC through use of the Common App).

Rights of the Data Subject Under the GDPR

If you are an individual data subject under the GDPR, you may obtain the following information and exercise the following rights:

  • the identify and the contact details of the controller and, where applicable, the controller’s representative;
  • the contact details of UTC’s Data Protection Officer;
  • an explanation of the purposes and legal bases/legitimate interests of the data collection/processing;
  • the identification of the recipients of the personal data;
  • notice if UTC intends to transfer personal data to another country or international organization;
  • notice of the time period that the personal data will be stored;
  • the right to access personal data, rectify incorrect personal data, erase personal data, restrict or object to processing, and the right to data portability;
  • the right to withdraw consent at any time, if processing is based on consent;
  • the right to lodge a complaint with a supervisory authority (established in the EU);
  • an explanation of why the personal data are required, and possible consequences of the failure to provide the data;
  • notice of the existence of automated decision-making, including profiling; and
  • notice if the collected data are going to be further processed for a purpose other than that for which it was collected.

Any data subject who wishes to exercise any of the above-mentioned rights may do so by submitting such request to the Data Protection Officer identified herein.

Security of Personal Data subject to the EU GDPR

UTC is committed to ensuring the security of your information.  We have put in place reasonable physical, technical, and administrative safeguards designed to prevent unauthorized access to or use of the information collected online.  All personal data collected or processed by UTC under the scope of the GDPR will comply with the security controls and systems and process requirements and standards as set forth in UTC’s Information Technology Policies, which are available at https://universitytennessee.policytech.com/?public=true&siteid=1

Sharing Your Information

UTC will not share your information with third parties except:

  • as necessary to meet one of UTC’s lawful purposes, including but not limited to:
    • its legitimate interest,
    • contract compliance,
    • pursuant to consent provided by you,
    • as required by law;
  • as necessary to protect UTC’s interests; or
  • with service providers acting on our behalf who have agreed to protect the confidentiality of the data.

Data Retention

UTC keeps the data it collects for the time periods specified in UTC’s Records Retention Policy, which is available at https://universitytennessee.policytech.com/dotNet/documents/?docid=35

Data Protection Officers

If you have questions about this Privacy Statement, please contact the Data Protection Officer for your campus or institute at privacy@tennessee.edu:

  • Dr. Richard Brown, Executive Vice Chancellor for Administration and Finance

Changes to this Privacy Notice

UTC may, in its discretion, periodically update this GDPR Privacy Notice.