(421A) Kansas Athletics Data Protection Privacy Notice – General Data Protection Regulation (GDPR)

Return to Table of Contents

Effective 5/25/18

Kansas Athletics Data Protection Privacy Notice – General Data Protection Regulation (GDPR)

INTRODUCTION
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation aimed at protecting the privacy of individuals within the European Union and the export of personal data outside the EU. Effective May 25, 2018, the GDPR will apply to Kansas Athletics’ collection or processing of personal data from the EU.

PURPOSE
This Kansas Athletics Data Protection Privacy Notice “Notice” supplements Kansas Athletics’ Privacy Policy, the University of Kansas (“University”) GDPR Privacy Notice, and the University’s General Privacy Policy. These policies can be located here: www.kuathletics.com
and www.policy.ku.edu.

This Notice governs the capture, use, transfer, and storage of personal data, as defined by the GDPR, and explains how Kansas Athletics will collect, use, transfer and store applicable information, to the extent that such actions do not conflict with state or federal laws or regulations.

Please read this Notice carefully and contact the designated representatives at the contact information provide below if you have any questions.

Collection of Personal Data
Under the GDPR, personal data is any information relating to an identified or identifiable natural person, which identifies or relates to an individual, either on its own or in conjunction with other information held by Kansas Athletics, such as a name, an identification number, location data, or online identifier (e.g., IP addresses and device IDs). Personal data can include: name, date of birth, address, telephone number, and email address. A special category of personal data (sensitive personal data) relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Kansas Athletics collects sensitive personal data if submitted as a voluntary response to inquiries from Kansas Athletics or its third-party service providers, as designated data processors.

Kansas Athletics collects and processes personal data for the purposes described below. Personal data is treated as Private Information under the University’s General Privacy Policy and at the Level 1 category level under the University’s Data Classification and Handling Policy. Kansas Athletics shall limit the collection of personal data, as defined by the GDPR, to only that information that is strictly necessary and lawful to accomplish a lawful purpose or legitimate interest as permitted under the GDPR.

Purposes and Use of Information
In order to fulfill Kansas Athletics’ mission, it needs to collect and process personal data relating to current, past, and prospective student-athletes, employees, alumni and supporters, suppliers and others with whom it conducts official business. Kansas Athletics uses personal data for a variety of reasons.

Examples include (but are not limited to):

  • Responding to inquiries or correspondence with a prospective or current student-athlete or third parties;
  • Managing a prospective, current or past student-athlete’s interaction with Kansas Athletics, to include administering applications, outreach and recruitment, and other processes and functions related to performance assessment, athletic training, admission, enrollment, attendance, communications, studies and educational programs, academic progress and advising, counseling, Title IX compliance, compiling of records and statistics for research, audit, assessment, or other reporting, discipline, financial reasons, support services, memberships, IT and information services, surveys, and health and safety services related to a prospective, current, or past student-athlete;
  • Administering applications for employment, including outreach and recruitment, and other processes and functions related to offers, hiring, past or present employment, monitoring equal opportunities, and health and safety compliance and reporting.

Kansas Athletics will share information, including personal data, with University units or with third parties in the delivery of goods or services by or in conjunction with Kansas Athletics or the University. Third parties with whom information is shared, including personal data, include (but are not limited to): authorized Kansas Athletics or University agents, support organizations and governing bodies, local, state, and federal agencies, accrediting bodies or commissions, press and publicity organizations, online learning or data management platforms, potential and current service providers, other educational institutions or work/athletic placement sites, relevant authorities for emergency circumstances, and any other authorized third party to whom Kansas Athletics or the University has a legal or contractual obligation to share personal data.

Applicable personal data will only be disclosed in accordance with the GDPR in force at the time. Consent is only one of several legal bases for which Kansas Athletics may collect or process personal data. If consent is required before personal data can be shared, Kansas Athletics will request the specific consent required.

Table 1 lists, generally, the legal bases for which Kansas Athletics will process personal data, directly or indirectly, as authorized under Article 6 of the GDPR or when processing special category personal data (sensitive personal data) under Article 9 of the GDPR.

TABLE 1

Article 6 - Personal DataArticle 9- Special Categories
Consent given by a positive opt-in, for a specific, pre-defined purposeExplicit Consent
Necessary for the performance of a contract with the individualNecessary for the purposes of carrying out the obligations of the University or the individual in the field of employment
Necessary for compliance with a legal obligationNecessary to protect the vital interests of an individual physically or legally incapable of giving consent; e.g., emergency circumstances
Necessary in order to protect the vital interests of an individual; e.g., emergency circumstancesCarried out in the course of the Kansas Athletics’ legitimate activities by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim.
Necessary for the performance of a task carried out in the public interestProcessing relates to personal data which is made public by the individual
Necessary for the purposes of the legitimate interests pursued by Kansas Athletics or by a third party unless unwarranted because of its prejudicial effect on rights or legitimate interests.Necessary for the establishment, exercise or defense of legal claims or court proceedings.
Automated decision making for performance of a contract with an individualNecessary for reasons of substantial public interest
Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems
Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

If Kansas Athletics collects or processes sensitive personal data, as defined in the GDPR, additional safeguards will be put in place in accordance with the University’s Data Classification and Handling Policy. Fully anonymized data may be used and shared without limitation.Some of the above conditions for processing personal data will overlap, and Kansas Athletics relies on applicable multiple grounds to justify its lawful processing of personal data. Kansas Athletics also reserves the right to rely upon other grounds that are not referred to in Table 1 but are lawful under the GDPR.

When requesting personal data, Kansas Athletics will identify the legal bases for processing personal data. If the legal basis for processing personal data is based on consent, Kansas Athletics will provide notice if or when further processing for other purposes is intended.

When necessary to transfer or share personal data to organizations or agencies based outside the EU, Kansas Athletics will ensure appropriate and suitable safeguards are in place in accordance with the GDPR.

More information relating to the conditions for processing personal data can be obtained by contacting the University’s Data Protection Officer.

COOKIES AND OTHER INFORMATION TECHNOLOGY
The use of cookies and other data from information technology can be found in the University’s Information Technology Security policy.

Retention and destruction of your information
Personal data will be retained by Kansas Athletics, the University, its affiliated entities, or its third party service providers in accordance with the applicable federal and state laws and the applicable retention periods in Kansas Athletics’ and the University’s Records Retention Schedule.

Personal data will be destroyed upon request or after the expiration of the applicable retention period, whichever is later. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of personal data given the level of sensitivity, value and criticality to Kansas Athletics or the University.

 RIGHTS UNDER THE GDPR
Residents of the EU and those with data in the EU have a number of rights under the GDPR.  These include the rights to request access to, a copy of, rectification, restriction in the use of, erasure of personal data and portability. The erasure of personal data is also subject to the University’s Record Retention Schedule and the Student Records Policy.  One may also withdraw consent to the use of personal data.

These rights may be exercised by contacting:  Corporate Counsel’s Office, Kansas Athletics, 785-864-4132.

If personal data was created within or transferred from the European Union, a complaint may be filed with the appropriate supervisory authority in the European Union.

RESPONSIBILITIES
This Data Protection Privacy Notice must be read by the owner of the personal data before or at the moment the personal data is being transferred.

UPDATES TO THIS GDPR- PRIVACY NOTICE
Kansas Athletics may update or change this Notice at any time. It is important to keep a reference to this document and review each time requested to provide personal data to Kansas Athletics, its affiliated entities, and its third party services providers or contractors. Any changes to this Notice will be posted at: https://kuathletics.com/sports/2013/6/21/GEN_0621132026.aspx?id=24