Privacy & Legal Notice
Below is the Georgia Institute of Technology’s (Georgia Tech) privacy and legal notice for both its website and for compliance with the European Union General Data Protection Regulation (“EU GDPR”) and the Personal Information Protection Law ("PIPL") of the People's Republic of China (the "PRC"). The Office of Institute Communications is responsible for information related to the Georgia Tech website and the Privacy Program within the Office of Ethics and Compliance is responsible for compliance with the EU GDPR and PIPL.
Website
What we collect and why
Georgia Tech collects information from individuals or entities when they access any Georgia Tech website. Information that is collected from this contact includes the contactor’s IP address, date and time of the website access and the web pages(s) visited. In addition, Georgia Tech may also collect any information that it receives from your web browser, including browser type and version, and operating system. This information is used for routine information security and service delivery purposes including helping us understand aggregate uses of our site, track usage trends, improve our services and respond to security events.
The following is a typical log entry when someone visits our website:
73.207.112.121 130.207.244.191 - - [01/Jun/2015:13:12:49 -0400] "GET /sites/default/files/uploads/images/admissions_graduate_0.jpg HTTP/1.1" 200 35380 "http://www.gatech.edu/admissions" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3"
Cookies
Cookies are files that many websites transfer to users’ web browsers to enable the site to deliver personalized services or to provide persistent authentication. The information contained in a cookie typically includes information collected automatically by the web server and/or information provided voluntarily by the user. Our website uses persistent cookies in conjunction with a third party technology partner to analyze search engine usage and web traffic patterns. This information is used in the aggregate to monitor and enhance our web pages. It is not used to track the usage patterns of individual users.
Security
Our office is committed to ensuring the security of your information. We have put in place reasonable physical, technical and administrative safeguards designed to prevent unauthorized access to or use of the information collected online.
Sharing your information
We will not share your information with third parties except:
- as required by law;
- as necessary to protect Institute interests;
- as necessary to further Institute research efforts pursuant to approvals from appropriate data stewards and the IRB; and/or
- with service providers acting on our behalf who have agreed to protect the confidentiality of the data.
Links to other websites
This site may contain links to other websites not affiliated with the Institute. We are not responsible for the privacy practices of these other sites. We encourage you to read the privacy statements of other sites for assurance that their practices safeguard your privacy.
Legal Notice
Notwithstanding any language to the contrary, nothing contained herein constitutes nor is intended to constitute an offer, inducement, promise, or contract of any kind. The data contained herein is for informational purposes only and is not represented to be error free. Any links to non-Georgia Institute of Technology information are provided as a courtesy. They are not intended to nor do they constitute an endorsement by the Georgia Institute of Technology of the linked materials.
Copyright Infringement
Pursuant to 17 U.S.C. Sec. 512(c)(2), notice of claims of copyright infringement should be directed to copyright.notify@gatech.edu. For additional copyright-related information, please send an email to copyright.notify@gatech.edu.
European Union General Data Protection Regulation (EU GDPR) Privacy Notice
Lawful Basis for Collecting and Processing of Personal Data
Georgia Tech is an institute of higher education involved in education, research, and community development. In order for Georgia Tech to educate its students both in class and on-line, engage in world-class research, and provide community services, it is essential, necessary, and Georgia Tech has lawful bases to collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. The lawful bases include, without limitation, admission, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention. Examples of data that Georgia Tech may need to collect in connection with the lawful bases are: name, email address, IP address, physical address or other location identifier, photos, as well as some sensitive personal data obtained with prior consent.
For more information regarding the EU GDPR, please review Georgia Tech’s EU General Data Protection Regulation Compliance Policy.
In addition, Georgia Tech units may have their own EU GDPR-compliant Privacy Notice posted on their website.
Most of Georgia Tech’s collection and processing of personal data will fall under the following categories:
- Processing is necessary for the purposes of the legitimate interests pursued by Georgia Tech or third parties in providing education, employment, research and development, community programs.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This lawful basis pertains primarily but not exclusively to research contracts.
- Processing is necessary for compliance with a legal obligation to which Georgia Tech is subject.
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes. This lawful basis pertains primarily but not exclusively to the protection of research subjects, providing medical and mental health services.
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.
Types of Personal Data collected and why
Georgia Tech collects a variety of personal and sensitive data to meet one of its lawful bases, as referenced above. Most often the data is used for academic admissions, enrollment, educational programs, job hiring, provision of medical services, participation in research, development and community outreach. Data typically includes name, address, transcripts, work history, information for payroll, research subject information, medical and health information (for student health services, or travel), and donations. If you have specific questions regarding the collection and use of your personal data, please contact the Privacy Program within the Office of Ethics and Compliance at privacy@gatech.edu.
If a data subject refuses to provide personal data that is required by Georgia Tech in connection with one of Georgia Tech’s lawful bases to collect such personal data, such refusal may make it impossible for Georgia Tech to provide education, employment, research or other requested services.
FERPA
The Family Educational Rights and Privacy Act (FERPA) provides that “Directory Information” is information not generally considered harmful or an invasion of privacy if disclosed. Directory Information is considered public information, but the categories of information that comprise Directory Information also comprise “personal data” under the EU GDPR. Please review Georgia Tech's definition of Directory Information for further information, including how to prohibit the release of Directory Information.
Where Georgia Tech gets Personal Data and Special Categories of Sensitive Personal Data
Georgia Tech receives personal data and special categories of sensitive personal data from multiple sources. Most often, Georgia Tech gets this data directly from the data subject or under the direction of the data subject who has provided it to a third party (for example, application for admission to Georgia Tech through use of the Common App).
Individual Rights of the Data Subject under the EU GDPR
Individual data subjects covered by Georgia Tech’s EU General Data Protection Regulation Compliance Policy will be afforded the following rights:
- information about the controller collecting the data
- the data protection officer contact information
- the purposes and legal basis/legitimate interests of the data collection/processing
- recipients of the personal data
- if Georgia Tech intends to transfer personal data to another country or international organization
- the period the personal data will be stored
- the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability
- the existence of the right to withdraw consent at any time
- the right to lodge a complaint with a supervisory authority (established in the EU)
- why the personal data are required, and possible consequences of the failure to provide the data
- the existence of automated decision-making, including profiling
- if the collected data are going to be further processed for a purpose other than that for which it was collected
Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.
Any data subject who wishes to exercise any of the above-mentioned rights may do so by filling such request with the Privacy Program in the Office of Ethics and Compliance at privacy@gatech.edu.
Website Data Collected and Why; Cookies
Please see the Website section above for details regarding information collected from Georgia Tech websites and Cookies.
Security of Personal Data subject to the EU GDPR
All personal data and special categories of sensitive personal data collected or processed by Georgia Tech under the scope of the Georgia Tech EU General Data Protection Regulation Compliance Policy must comply with the security controls and systems and process requirements and standards of NIST Special Publication 800-171 as set forth in the Georgia Tech Controlled Unclassified Information Policy.
We will not share your information with third parties except:
- as necessary to meet one of its lawful purposes, including but not limited to,
- its legitimate interest,
- contract compliance,
- pursuant to consent provided by you,
- as required by law;
- as necessary to protect Georgia Tech’s interests;
- with service providers acting on our behalf who have agreed to protect the confidentiality of the data.
Georgia Tech is a unit of the Board of Regents of the University System of Georgia (the “BOR”), and data is shared with the BOR and its employees.
Georgia Open Records Act
As a state university, Georgia Tech is subject to the provisions of the Georgia Open Records Act (ORA). Except for those records that are exempt from disclosure under the ORA, the ORA provides that all citizens are entitled to view the records of state agencies on request and to make copies for a fee. The ORA requires that Georgia Tech produce public documents within three business days. For more information on Georgia Tech’s ORA compliance, please visit the Open Records Act page on the Legal Affairs website.
Data Retention
Georgia Tech keeps the data it collects for the time periods specified in the University System of Georgia Records Retention Schedules: https://www.usg.edu/records_management/schedules/
For examples of Student Records Retention Schedules, see: https://www.usg.edu/records_management/schedules/934
For examples of Human Resources (Employment) Records Retention Schedules, see: https://www.usg.edu/records_management/schedules/930
Personal Information Protection Law (PIPL) of the People's Republic of China Privacy Notice
Lawful Basis for Processing of Personal Information
Georgia Tech is an institute of higher education involved in education, research, and community development. In order for Georgia Tech to educate its students both in class and on-line, engage in world-class research, and provide community services, it is essential, necessary, and Georgia Tech has lawful bases to collect, process, use, and maintain personal information of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. The lawful bases include, without limitation, admission, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention. Examples of personal information that Georgia Tech may need to handle in connection with the lawful bases are: name, email address, IP address, physical address or other location identifier, date of birth, phone number, photos, details of education and/or employment qualifications, as well as sensitive personal information obtained with separate consent.
For the purpose hereunder, to handle personal information includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.
In addition, Georgia Tech units may have their own PIPL-compliant Privacy Notice posted on their website.
Most of Georgia Tech’s processing of personal information will fall under the following categories:
- The data subject has given consent to the processing of his or her personal information.
- Processing is necessary for entering into or the performance of a contract to which the data subject is a party.
- Processing is necessary for compliance with a legal obligation to which Georgia Tech is subject.
- To process personal information disclosed by the data subject or otherwise lawfully disclosed within a reasonable scope in accordance with the applicable laws.
There will be some instances where the processing of personal information will be pursuant to other lawful bases.
Georgia Tech will not collect and and handle sensitive personal information unless the separate and explicit consent as required under the applicable laws is obtained.
Types of Personal Information Handled and Why
Georgia Tech handles a variety of personal and sensitive information to meet one of its lawful bases, as referenced above. Most often the personal information is used for academic admissions, enrollment, educational programs, job hiring, provision of medical services, participation in research, development and community outreach. Personal information typically includes name, address, transcripts, work history, information for payroll, research subject information, medical and health information (for student health services, or travel), and donations. If you have specific questions regarding the handling of your personal information, please contact the Privacy Program within the Office of Ethics and Compliance at privacy@gatech.edu.
If a data subject refuses to provide personal information that is required by Georgia Tech in connection with one of Georgia Tech’s lawful bases to handle such personal data, such refusal may make it impossible for Georgia Tech to provide education, employment, research or other requested services.
FERPA
The Family Educational Rights and Privacy Act (FERPA) provides that “Directory Information” is information not generally considered harmful or an invasion of privacy if disclosed. Directory Information is considered public information, but the categories of information that comprise Directory Information also comprise “personal information” under the PIPL. Please review Georgia Tech's definition of Directory Information for further information, including how to prohibit the release of Directory Information.
Where Georgia Tech gets Personal Information and Sensitive Personal Information
Georgia Tech receives personal information and sensitive personal information from multiple sources. Most often, Georgia Tech gets this data directly from the data subject or under the direction of the data subject who has provided it to a third party (for example, application for admission to Georgia Tech through use of the Common App).
Individual Rights Under the PIPL
Individual Data Subjects will be afforded the following rights:
- Information about the handler
- the data protection officer contact information
- the purposes and legal basis/legitimate interests of the personal information processing
- recipients of the personal information
- if the handled personal information is transferred, including without limitation, international transfers from the PRC to abroad countries/area, transfers to third party service providers
- the period the personal information will be stored
- the right to access, copy, rectify incorrect data or erase personal information, restrict or object to handling, and the right to data portability
- the right to withdraw consent at any time
- why the personal information are required, and possible consequences of the failure to provide information
- the existence of automated decision-making, including profiling
- if the collected personal information are going to be further processed for a purpose other than that for which it was collected
Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.
Any data subject who wishes to exercise any of the above-mentioned rights may do so by filling such request with the Privacy Program within the Office of Ethics and Compliance at privacy@gatech.edu.
Website Data Collected and Why: Cookies
Please see the Website section above for details regarding information collected from Georgia Tech websites and Cookies.
Security of Personal Information subject to the PIPL
All personal information and sensitive personal information handled by Georgia Tech must comply with the security controls and systems and process requirements and standards of NIST Special Publication 800-171 as set forth in the Georgia Tech Controlled Unclassified Information Policy.
Transfer and Disclosure of Personal Information
Georgia Tech is a unit of the Board of Regents of the University System of Georgia (the “BOR”), and personal information is shared with the BOR and its employees.
Personal information may also be transferred to third party service providers of Georgia Tech to process on Georgia Tech’s behalf. These third party service providers include providers of IT services, identity management, website hosting and management, data analysis, data back-up and archiving, security and storage services(including cloud service providers), and other services related to education, research and community service. When Georgia Tech transfer personal information to third parties, it is done for the purposes stated hereunder, for the administration and maintenance of websites and associated systems, and/or other internal or administrative purposes. It is Georgia Tech’s policy to use only third party service providers that are bound to maintain appropriate levels of security and confidentiality and handle personal information only as instructed by Georgia Tech pursuant to the contract concluded between them.
As required, personal information may be transferred to other countries/area from the PRC. Georgia Tech will ask for separate consent to the transfer of personal information across border.
Georgia Tech may also disclose personal information to law enforcement, regulatory and other government agencies and authorities, professional bodies and other third parties, as required by and/or in accordance with applicable law or regulation.
Georgia Open Records Act
As a state university, Georgia Tech is subject to the provisions of the Georgia Open Records Act (ORA). Except for those records that are exempt from disclosure under the ORA, the ORA provides that all citizens are entitled to view the records of state agencies on request and to make copies for a fee. The ORA requires that Georgia Tech produce public documents within three business days. For more information on Georgia Tech’s ORA compliance, please visit the Open Records Act page on the Legal Affairs website.
Personal Information Retention
Georgia Tech keeps the personal information it collects only for as long as is necessary for the fulfillment of the purposes for which the information is to be used, or for the time periods specified in the University System of Georgia Records Retention Schedules: https://www.usg.edu/records_management/schedules/
For examples of Student Records Retention Schedules, see: https://www.usg.edu/records_management/schedules/934
For examples of Human Resources (Employment) Records Retention Schedules see: https://www.usg.edu/records_management/schedules/930
Amendment
This Notice will be updated from time to time by Georgia Tech to comply with applicable law and regulations or other legitimate purposes. Subject to obtaining the explicit consent of data subject as may be required by applicable law, the new modified Privacy Notice will apply from that revision date. Therefore, Georgia Tech encourages you to review this Notice periodically to be informed about how Georgia Tech are protecting personal information.
Last updated: 25 January 2022