Version 2023-10-31
This document provides an overview of CSU Global’s compliance with the European Union’s General Data Protection Regulation, or GDPR, which became effective on May 25, 2018, and the California Consumer Protection Act, or CCPA, which became effective January 1, 2020. It provides a summary of the areas covered by the GDPR and the CCPA, CSU Global’s high-level compliance in terms of governance and responsible parties, a general discussion about CSU Global’s IT Security and Privacy environment, and specific information regarding the nature and legitimate business need for processing the data.
The GDPR and the CCPA apply to organizations involved in the processing of personally identifiable information (PII) of individuals.
The GDPR applies to residents of the EU located in the EU. An organization may or may not maintain an “establishment” in the EU and be covered by GDPR. Without determining if or when CSU Global maintains an establishment, we recognize that GDPR applies when, acting as a controller or processor, “the processing activities are related to offering goods or services to data subjects in the EU,” even when the goods and services are offered for free. Further, GDPR protections apply when CSU Global processes the PII of data subjects in the EU and that processing is related to the “monitoring” in the EU of the “behavior” of data subjects as their behavior takes place within the EU.
The CCPA bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. It provides essentially the same protections for Californians as does the GDPR for EU residents. However, it contains an additional provision that individuals who protect their privacy rights are not to be discriminated against. Also, users may use this toll-free telephone number to inquire about their rights and privileges under the CCPA: 833-610-1259.
Web pages may collect PII through forms, as well as by recording IP addresses or recognizing cookies from the end user. All such PII that we collect is extremely well protected, and CSU Global desires to be transparent about how we secure and protect such data. Therefore, all University web pages offering services to individuals which process PII shall include a URL (Uniform Resource Locator) reference to this document on the home web page offering such a service.
A list of commonly used abbreviations and acronyms is provided at the end of this document.
Provisions of the GDPR and the CCPA
The GDPR and the CCPA include three areas involving individuals’ personal data, each provided in a subsection below.
General Principles for Processing Data
Personal Data shall be:
- Processed (i.e. collected, handled, stored, backed up, made accessible, disclosed and destroyed) fairly, lawfully and transparently. An organization must have a ‘legal basis’ for processing an individual’s personal data (e.g. the individual has consented to the processing, or the processing is necessary to operate a contract with them, or the processing is necessary to fulfill a legal obligation).
- Processed only for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to only what is necessary or for which consent has been given.
- Accurate (and corrected if it becomes inaccurate).
- Not retained for longer than necessary – data retention periods.
- Processed securely.
An Individual’s Rights
- The right to be informed of how their personal data are being used.
- The right of access to their personal data.
- The right to have their inaccurate personal data corrected.
- The right to have their personal data erased (right to be forgotten).
- The right to restrict the processing of their personal data pending its verification or correction.
- The right to receive copies of their personal data in a machine-readable and commonly-used format.
- The right to object: to processing (including profiling) of their data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest.
- The right not to be subject to a decision based solely on automated decision-making using their personal data.
- The right not to have their personal information sold to external entities.
Responsibilities of CSU Global
The legislations introduce a range of accountability requirements to encourage a proactive and documented approach to compliance. These accountability requirements include:
- Implementing policies, procedures, processes and training to promote ‘data protection by design and by default’.
- Having appropriate contracts in place when outsourcing functions that involve the processing of personal data.
- Maintaining records of the data processing that is carried out across the organization.
- Documenting and reporting personal data breaches.
- Defining Controller(s) as the points of contact for questions regarding the GDPR and the CCPA for data and services from the units covered.
- Identifying data retention periods for its data and acting upon them (i.e. purging data) when the retention period is exhausted.
There are various exemptions from compliance, two of which are pertinent to institutions of higher education, namely:
- Personal data processed for journalistic, artistic, literary or ‘academic purposes’ are exempt from the principles and almost all of the rights, though not the accountability requirements.
- Personal data processed for ‘scientific or historical research purposes’, ‘statistical purposes’ or ‘archiving purposes in the public interest’ are exempt from two of the principles (those stating that personal data shall be processed solely for specified purposes and not kept for longer than necessary) and most of the rights, though not the other principles, the right to be informed (unless providing the privacy notice would be impossible or would involve ‘disproportionate effort’), or the accountability requirements.
An individual’s consent is not required to process personal information for legitimate business purposes. Indeed, virtually all of the data we collect falls into this category, and direct, affirmative consent is not required. However, activities which are peripheral to the University’s learning environment, research environment, and outreach environment are not exempt from having to obtain affirmative consent.
Finally, it is noted that CSU Global is required to collect, secure, keep, and maintain PII data under a wide variety of mandatory rules, regulations, and policies, including:
- State of Colorado records retention policy, which mandates keeping various types of documents and information for various time periods, as required by the State of Colorado Records Retention Manual (http://www.colorado.gov/pacific/archives/state-agency-records-management). Section 8 of that manual pertains to higher education in Colorado. CSU Global has its own complementary policies on records retention, as well.
- CALEA – the federal Communications Assistance for Law Enforcement Act of 1994 (47 USC §1002) requires CSU Global to collect and maintain information about individuals’ uses of our network and communication systems, for possible needs by law enforcement.
- GLBA – the federal Gramm-Leach-Bliley Act of 1999 (12 USC §1811) is like the GDPR and the CCPA, and requires certain protections to be put into place regarding IT Security and privacy of an individual’s financial records.
- SOX – the federal Sarbanes-Oxley Act of 2002 (116 USC §745) mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud, specifying reporting and retention clauses for financial data.
- Statewide reporting of student unit records into the Colorado Department of Higher Education’s SURDS (Statewide Unit Record Data System) is required by state law.
General IT Security and Privacy Environment, and CSU Global’s Privacy Environment
We are committed to maintaining the accuracy, confidentiality, and security of your personally identifiable information (“Personal Information”). As part of this commitment, our privacy policy governs our actions as they relate to the collection, use and disclosure of Personally Identifiable Information (PII). Specifically, in response to the requirements of these two legislative bills,
- CSU Global follows the State of Colorado State Agency Records Management.
- We have reviewed all of the PII we collect, and verified a business need to collect it.
- We have reviewed, revised and put into place contractual terms for all of our external vendors who hold our PII to comply with the GDPR and the CCPA. We have also included an affirmative acknowledgment that all users must accept to participate as a CSU stakeholder in compliance with our Acceptable Use Policy.
How to Use the Information in This Document
Californians, or individuals residing in the EU who are covered under the GDPR, with questions regarding the processing of their personal data may contact the points of contact listed below:
Students: Registrar@csuglobal.edu
Employees: hr@csuglobal.edu
Right to Petition for Redress
Californians, or individuals residing in the EU who are covered under the GDPR, who have submitted a question to the Student or Employee point of contact and received an answer with which they are unsatisfied, or have not received an answer within a reasonable time period, may petition for redress to the University’s Provost for Students, or Vice President of Finance and Administration (VPFA) for Employees. The Provost or VPFA will collaborate with the Director of Information Technology and respond to the request, normally within one week of receipt of the request. Should the individual be unsatisfied with that answer, or not have received an answer within two weeks of submitting the request, the individual may contact the University President, whose determination shall be final.
General Approaches to Special Circumstances
Several areas involving services of a general nature merit special treatment, as described below.
- General data collection – CSU Global collects very little information of a personal nature, except as needed to fulfill a required business function. In most cases, we will not be able to accommodate “right to be forgotten” requests, as we must maintain complete and comprehensive information in order to facilitate efficient and effective operations in our environment. We do not sell your personal information to any provider for a fee.
- Cookies – Cookies are small files stored on your personal device (computer, laptop, tablet, smart phone, etc.) that are particular to specific web pages you visit. Cookies are processed by the web page to maintain your connection and your identity as you browse across web pages (the web is stateless, meaning that the web by itself will not remember who you are as you browse through pages; cookies are required for this purpose). You have complete control of cookies on your device and you can choose to disable them. However, if you do so, you may then be unable to receive services from CSU Global.
- System and network logs – CSU Global is required by several laws (referenced above) to maintain system and network logs for specified periods of time. In most cases the retention period for the data is determined by the software/application, and we have little or no say in that. As these logs are a legal requirement, we cannot support the “right to be forgotten” in these logs.