Supplemental Privacy Notice

This Butler University Supplemental Privacy Notice (“Supplemental Notice”) supplements the Butler University Privacy Statement for certain persons in the European Economic Area (“EEA”) and the United Kingdom (“UK”).

1. Commitment to protecting privacy and transparency

The Board of Trustees of the Butler University (“Butler”), by and through its academic, research, and administrative departments, is committed to respecting and protecting the privacy rights of persons in the EEA, comprised of the European Union (“EU”) and the countries of Iceland, Norway, and Liechtenstein, pursuant to the EU General Data Protection Regulation (“EU GDPR”). Similarly, Butler is committed to respecting and protecting the privacy rights of persons in the UK, pursuant to the Data Protection Act 2018 and the Retained Regulation (EU) 2016/679 (“UK GDPR”). Given the substantial similarity between the EU GDPR and the UK GDPR, hereinafter both regulations are collectively referred to in this Supplemental Notice as the “GDPR” unless otherwise indicated. Visit EU GDPR and UK GDPR for easy-to-use versions of both regulations.

This Supplemental Notice describes Butler’s commitment to the privacy of persons in the EEA and the UK.

2. Does this Supplemental Notice apply to you?

This Supplemental Notice applies to you if:

You are a “Person” or “Data Subject” meaning a natural person, not a corporation, partnership, or other legal entity;

AND

An establishment of Butler located in the EEA or UK processes your Personal Information;

OR

You are physically located in the EEA or UK, and

Your Personal Information is provided to Butler 1) during the course of Butler offering you goods or services or 2) while Butler is monitoring your behavior; and

Such Personal Information is not earlier or later provided to Butler while you are outside the EEA and the UK

“Personal Information” means any information relating to an identified or identifiable person.

Please note that information pertaining to current, former, or prospective employment with Butler in the United States is not considered “Personal Information” and is excluded from this Supplemental Notice.

3. What Personal Information does Butler process?

General categories

Butler processes the following general categories of Personal Information: names; addresses; telephone numbers; email addresses; identification numbers including but not limited to social security numbers, Resident Identity Cards, driver’s license numbers, university identification numbers, and personal identification numbers (PINs); usernames; passwords; demographic information; education history and transcripts; entrance exam scores; background check information; personal references; financial information including but not limited to credit and debit card numbers, tax information, tax identification numbers (TINs), and financial aid information; transaction histories; business information; passport and visa information; work histories; medical histories; donation histories; insurance information; military service; IP addresses; location information; device information; metadata; education records including but not limited to coursework, correspondence, evaluations, disciplinary complaints, and other records, and files maintained by Butler as part of the educational process; any requests for accommodations or leave; and other information to support the purposes set forth in Table 1, below.

Butler requires Personal Information only when necessary. Table 1 identifies the purposes for which Butler processes Personal Information and the legal basis for each purpose.

Special categories

In order to fulfill certain of the purposes identified in Table 1, Butler may need to request special categories of Personal Information—information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.

Before Butler processes your special category Personal Information or your criminal conviction Personal Information, if any, Butler will ask for your affirmative consent unless Butler has another legal basis for the processing, in which case Butler will inform you of that basis.

Table 1: Purposes for which Butler processes Personal Information

To help Butler learn more about you and your interests

Legal Basis

Legitimate interests of Butler – legitimate interest in learning the educational needs of potential students and program participants

To help you learn more about and/or apply for Butler and its programs by giving you access to or sending you relevant information about university programs and events

Legal Basis

Legitimate interests of Butler – legitimate interest in making potential students and program participants aware of Butler’s offerings

To respond to requests for information about admission to Butler or about participating in online courses or other programs at Butler

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To recruit, evaluate, and manage persons who apply to Butler for admission, take courses at Butler, participate in programs offered by Butler, or attend Butler, either in person or online, and to perform related activities needed to foster and maintain these relationships

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To operate and facilitate the registration and participation in online and in-person education programs, including those relating to professional licensing requirements

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To evaluate applications for and administer financial aid, including reporting to relevant federal and state government agencies

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To facilitate application for and sponsoring of visas to study, work and/or research at Butler, including all functions necessary to comply with applicable immigration laws

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To assign housing and facilitate housing requests for individuals studying or participating in programs at or through Butler

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To conduct study abroad programs offered by or coordinated through Butler

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To provide on-campus and distance learning information technology and other services to students, including network, authentication and help desk services

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To respond to an individual’s request for records relating to an individual’s time at Butler, such as transcripts, tax documents, employment documents, etc.

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To engage the services of an independent contractor and all uses incident to that engagement

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To employ persons to work for Butler and all uses incident to that engagement including but not limited to evaluation and management of employees and administration of employee benefits

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To conduct transactions and business with individuals, such as processing payments made by credit card to Butler and payments made by Butler to you

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To host and allow individuals to attend and participate in Butler events, including educational, artistic, and sports camps and sporting events

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To facilitate review and evaluation of Butler programs, including academic, sports, and other programs, by Butler, accrediting organizations, government entities, third-party ranking organizations, and other appropriate bodies

Legal Basis

Legitimate interests of Butler – legitimate interest in providing and maintaining a world-class higher education experience at Butler

To evaluate usage of Butler websites and emails, improve website and email utility, enhance the website visitor experience, and improve Butler marketing efforts

Legal Basis

Legitimate interests of Butler – legitimate interest in effectively communicating about Butler and its programs to the public

To promote safety, integrity, and security of Butler’s information technology systems

Legal Basis

Legitimate interests of Butler – legitimate interest in maintaining IT and network security

To protect Butler community, including you, and to keep its members safe wherever they are located

Legal Basis

Legitimate interests of Butler – legitimate interest in physical security

To report salary data to social security or tax authorities and otherwise comply with applicable laws

Legal Basis

Necessary for compliance with a legal obligation

To allow individuals to visit Butler facilities

Legal Basis

Legitimate interests of Butler – legitimate interest in physical security

To facilitate and administer the reservation and use by individuals of Butler facilities

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To facilitate the use of volunteers and to evaluate and manage individuals who volunteer to assist Butler in any capacity, and to perform related activities required to foster and maintain these relationships

Legal Basis

Legitimate interests of Butler—legitimate interest in physical security

To respond to subpoenas, court orders, agency requests, and other legal requests for records relating to an individual’s time at Butler, such as transcripts, tax documents, employment documents, etc.

Legal Basis

Legitimate interest of Butler – legitimate interest in complying with U.S. and state laws and not being held in contempt of court or having penalties imposed

To engage third parties to collect sums owing to Butler or to otherwise take action to collect outstanding debt from an individual

Legal Basis

Legitimate interests of Butler—legitimate interest in recovering sums owed to it and enforcing its legal claims whether in or out of court

To stay connected with Butler alumni

Legal Basis

Legitimate interests of Butler—legitimate interest in communicating unsolicited non-commercial messages

To allow and facilitate individuals to perform research at or with Butler

Legal Basis

Performance of a contract or to take steps at the Data Subject’s request prior to entering into a contract

To comply with federal and state law

Legal Basis

Legitimate interests of Butler – legitimate interest in complying with U.S. and state laws

To utilize individuals as subjects of research performed at or through Butler, and to perform related activities required to foster and maintain this relationship

Legal Basis

Consent

To facilitate the provision of medical treatment and the filing of claims for payment from insurance companies and/or government agencies

Legal Basis

Consent

To raise funds to support Butler and its programs

Legal Basis

Consent

To facilitate employee donations to charities through the State and Butler Employee Combined Appeal

Legal Basis

Legitimate interests of Butler – legitimate interest in supporting the broader community Butler serves by giving all employees the opportunity to participate in the statewide appeal

To assist members of Butler community with educational and professional placement opportunities

Legal Basis

Consent

4. How does Butler receive your Personal Information?

From you

Butler may receive your Personal Information when you visit Butler websites, apply for or attend Butler classes or programs, apply for or take online courses with Butler, apply for financial aid or Butler housing, complete surveys or forms sponsored by Butler, participate in Butler research studies, participate in work for Butler at a location in the EEA or the UK, seek assistance from Butler to further your professional career, attend events sponsored by Butler, or otherwise interact with Butler.

From third parties

Butler may receive your Personal Information from third parties. Examples include college entrance exam scores received from testing agencies; college applications received from organizations that provide university admissions applications; online course registration information received from third parties that administer online courses; financial aid information from governmental agencies or commercial financial institutions; background information received from companies conducting export control screening or checks to support working with minors or employment with Butler; and companies and partner institutions abroad to facilitate study or work at Butler by international students and scholars.

5. Who receives/processes your Personal Information?

Butler personnel

Your Personal Information may be processed by Butler trustees and employees, including faculty, researchers, medical professionals, financial aid counselors, human resources

professionals, law enforcement officers, and others, as may be necessary to carry out the purposes for processing the information and the activities of Butler.

Butler may share your Personal Information with Butler related organizations, such as the Butler University foundation and the Butler University alumni association. Butler related organizations are entities established for the purpose of assisting Butler in the accomplishment of its educational objectives.

Third parties

Butler may share your Personal Information with third parties, such as: educational platform providers and course partners to further the purposes for processing the information and the activities of Butler; U.S. and foreign government entities to fulfill regulatory obligations (e.g., visa processing, tax and social security payments) and to facilitate access to funding sources (e.g., financial aid); partner institutions to facilitate study abroad and research activities; service providers to facilitate the full range of Butler functions (e.g., cloud storage, software); potential employers to assist with job placement; and vendors to provide services related to your affiliation with Butler (e.g., print diplomas, arrange housing) and to improve Butler outreach efforts.

Please note Butler may provide anonymized data developed from Personal Information to third parties, such as government entities and research collaborators, and that such anonymized data is outside the scope of this Supplemental Notice.

6. How long does Butler keep your Personal Information?

Butler retains Personal Information in accordance with applicable law. Records retention schedules for many types of Butler records can be found on the Records and Information Management records management webpage.

7. What are your rights as a Data Subject?

As a Data Subject pursuant to the GDPR, you have certain rights. This Supplemental Notice summarizes what these rights under the GDPR involve and how you can exercise these rights. More detail about each right, including exceptions and limitations, can be found in Articles 15-21 and 77 of the EU GDPR and the UK GDPR (as implemented by the Data Protection Act 2018).

Nothing in this Supplemental Notice is intended by Butler to waive sovereign immunity or any other defenses or immunities afforded by any or all U.S. federal laws, Indiana state laws, EU or Member State laws, UK laws, or international law.

Right of access

You have the right to request Butler confirm whether it is processing your Personal Information. If Butler is processing your Personal Information, you have the right to access that Personal Information, and Butler will provide you with a copy of that Personal Information unless prevented by applicable law.

Right to have inaccurate Personal Information corrected

You have the right to request Butler correct any inaccurate Personal Information it maintains about you. You also have the right to request Butler complete any incomplete Personal Information it maintains about you, which could be accomplished by incorporating a supplementary statement that you submit. If Butler concurs the Personal Information is incorrect or incomplete, Butler will promptly correct or complete it.

Right to erasure

You have the right to request the erasure of Personal Information Butler maintains about you in certain circumstances. These circumstances are identified in Article 17 of both the EU GDPR and the UK GDPR and include the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected.

Subject to applicable U.S., state, EU, and UK law and Butler policies, including but not limited to the Butler University Privacy Statement, and provided there are no overriding legitimate grounds for Butler to retain the Personal Information, Butler will comply with the request and will take reasonable steps to inform any third parties with whom the Personal Information was shared.

Right to restriction of processing

You have the right to request Butler restrict the processing of your Personal Information where one of the reasons identified in Article 18 of the EU GDPR or the UK GDPR apply. These reasons include the Personal Information is inaccurate, the processing is unlawful, or Butler no longer needs the Personal Information.

If Butler grants your request to restrict processing, Butler will only process that Personal Information with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable U.S., state, EU, or UK law.

Right to data portability

Where the basis for processing is either consent or performance of a contract between you and Butler, and where the processing is carried out by automated means, you have the right

to receive your Personal Information you have provided to Butler. Butler will provide the Personal Information in a structured, commonly used, and machine-readable format. Where technically feasible and upon your request, Butler will transmit the Personal Information directly to another entity.

If the basis for processing your Personal Information is consent, you may revoke your consent at any time. Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, Butler will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims. Revoking consent does not affect the lawfulness of processing that occurred before the revocation.

Right to object to processing

In certain situations, you may have the right to object to processing of your Personal Information

Public Interest or Legitimate Interests. If the basis for processing your Personal Information is public interest or legitimate interests, you have the right to object to processing the Personal Information. Butler will cease processing unless Butler demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.

Direct Marketing. If Butler is using your Personal Information for direct marketing purposes such as fundraising, you have the right to object at any time, and Butler will stop using your Personal Information for that purpose.

Right to file a complaint

If you believe Butler’s processing of your Personal Information violates the EU GDPR, you have the right to submit a complaint to an EEA supervisory authority, in particular the one in the EEA country of your habitual residence, place of work, or place of the alleged violation. For more information on the process for submitting a complaint, consult the relevant EEA supervisory authority.

If you believe Butler’s processing of your Personal Information violates the UK GDPR, you have the right to submit a complaint to the UK Information Commissioner’s Office (ICO). For more information on the process for submitting a complaint, visit the ICO website.

8. How to exercise your rights

In order to exercise any of these rights, except the right to file a complaint with an EEA supervisory authority or the UK ICO, you should submit your request to Butler University GDPR Compliance:

Email: security@butler.edu

Telephone: 317-940-8000

Address: Butler University (ATTN:  Information Technology CISO), 4600 Sunset Avenue, Indianapolis, IN 46208

At that time, you will be asked to: 1) identify yourself; 2) provide information to support the GDPR applies to you (see Section 2, above); 3) identify the specific information or data that you are concerned about; and 4) state what right(s) you wish to exercise.

To expedite processing your request, please identify the data collection location (e.g., the website where your Personal Information was collected), if known.

9. How does Butler respond to requests for Personal Information?

In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Information pursuant to U.S. federal law, state law, and Butler policy. When you submit a request to Butler to exercise your rights, Butler will respond in accordance with existing Butler policies and procedures that implement the relevant privacy law(s). These include, but are not limited to, policies pertaining to student education records and policies pertaining to certain health records maintained by Butler.

10. Existence of automated individual decision-making

Butler, in conjunction with Butler related organizations such as the Butler University foundation, uses automated decision-making, including profiling, to help identify prospective supporters of Butler and its activities. The logic takes an all-factor approach to assessing a possible donor’s propensity to support Butler and may result in a prospective donor being contacted to explore support opportunities.

You will not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performing a contract or unless you explicitly consent.

11. Transfer of Personal Information outside the EEA or the UK

Butler is based in the U.S. and is subject to U.S. and Indiana law. Personal Information that you provide to Butler will generally be hosted on U.S. servers. To the extent Butler needs to transfer your information to a third party that is in a country outside the EEA or the UK,

Butler will do so on the basis of either (i) an “adequacy decision” by the European Commission or “adequacy regulations” of the UK ICO, as appropriate; (ii) EU or UK-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which you may request, if applicable, by contacting Butler as set forth in Section 12; (iii) your explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with Butler, in which case Butler will inform you of the intent to transfer the Personal Information. Please note the U.S. is not currently considered a safe harbor or “adequate” country under the GDPR or UK GDPR.

12. How do I contact the data controller?

Butler is the data controller. If you have any questions about anything contained in this Supplemental Notice, please contact Butler University GDPR Compliance:

Email: security@butler.edu

Telephone: 317-940-8000

Address: Butler University (ATTN:  Information Technology CISO), 4600 Sunset Avenue, Indianapolis, IN 46208

13. Official English Version of the EU GDPR and UK GDPR

In case it is helpful, the official English version of the EU GDPR and the official version of the UK GDPR are available for your review.

In case it is helpful, the official English version of the EU GDPR and the official version of the UK GDPR are available for your review.

14. Updates to Supplemental Notice

Butler may update this Supplemental Notice from time to time. Any changes will become effective upon posting of the revised Supplemental Notice.