STUDENT DATA PROTECTION PRIVACY NOTICE
The University of Limerick (the University) must process the personal data of its students (you) in order to carry out its functions and manage its operations. The processing of this data is carried out in accordance with the General Data Protection Regulation (GDPR) / Data Protection Acts 1988-2018 and with the University's Data Protection Policy. The University is the Data Controller for personal data we process about you.
The purpose of this Data Protection Privacy Notice is to explain how the University uses personal data we collect and hold about prospective, current and graduated students of the University. This notice should be read in conjunction with the University’s Data Protection Policy and Compliance Regulations (available at www.ul.ie/dataprotection).
This notice extends to all your personal data as defined under Article 2(1) of the General Data Protection Regulation (EU) 2016/679.
The full, printable version of the University's Student Privacy Notice can be viewed here.
1. Why the University Holds Your Personal Data
1.1 The University must process your personal data in order to provide educational services through its teaching, research and associated academic and administrative activities, for example, recruitment of students, provision of programmes of study, examinations, engaging with accrediting bodies and Government agencies such as the Higher Education Authority and Department of Education & Skills.
1.2 As part of its administrative activities and in order to ensure a safe and secure campus for you and your fellow students, the University processes personal information through the use of CCTV to monitor and collect images for the purposes of security, the prevention and detection of crime and, where necessary, to assist with serious disciplinary matters.
1.3 Other circumstances in which the University processes your personal data include the sharing of only the required level of data with the UL Students’ Union/Postgraduate Students’ Union and the UL Alumni Association in order to facilitate your membership of these bodies.
1.4 In addition, the University will process your personal data in order to promote University programmes of study; extracurricular services; circulation of UL Links Magazine; the undertaking of research, fundraising etc. and in these circumstances your explicit consent will be sought to enable such processing.
2. Student Personal Data Held by the University
2.1 Student data is mainly obtained from the details you provide through the CAO (Central Applications Office), PAC (Postgraduate Applications Centre), or directly through the application/enrolment/registration process. Student academic performance data will be collected during the course of your studies and held by the University on its records systems. Additional data is collected/recorded by a number of services/offices within the University to meet specific needs (e.g. Faculty/Department, Student Affairs Division, Library, Fees Office, Student Health Centre, Student Counselling Service etc).
2.2 The University provides this Privacy Notice, which in broad terms explains how and why we typically process and share your personal data.
2.3 Categories of personal data collected/recorded include:
3. Lawful Basis for University Processing Personal Data
3.1 Data Protection law requires that the University must have a valid lawful basis in order to process personal data. The University relies on a number of such bases as follows:
3.1.1 The provision of a contract - much of the personal information the University processes is necessary to meet its commitments to you, for example, processing your data in relation to teaching, assessment and associated administration. The following sets out the main purposes of which we process your personal data in the provision of a contract:
3.1.2 The fulfilment a legal obligation – the University must process your personal data when required to do so under Irish/EU law, for instance:
3.1.3 To protect the vital interest of you or another person - under extreme circumstances the University would share your personal data with third parties to protect your interests or those of another person, for example,
3.1.4 The performance of a public task - the University may process your personal data where necessary and expedient in accordance its functions and objects, for example,
.3.1.5 Consent - under certain circumstances, the University will only process your personal data with your explicit consent. Explicit consent requires you to make a positive, affirmative action and be fully informed about the matter to which you are consenting, for example:
4. Protecting Your Personal Data
4.1 Your personal data may be shared between members of staff within the University in order for the University to fulfil its functions and objects.
4.2 In addition to the foregoing principle, the University will employ reasonable and appropriate administrative, technical, personnel, procedural and physical measures to safeguard your information against loss, theft and unauthorised users’ access, uses or modifications.
4.3 The following principles apply:
5. Sharing Your Personal Data with Third Parties
5.1 The University may disclose certain personal data to third parties. These external organisations, and the purpose for sharing the information, are set out below (This list will be updated periodically as required). The University will only share your personal data with external third parties where we are required to do so under a statutory or legal obligation, or we are required to do so under a contractual obligation or we have your consent, or we are otherwise permitted to do so in accordance with data protection legislation. The disclosure of your data to third parties includes:
5.2 Parents, guardians and other relatives The University will not disclose your personal data to parents or relatives without your consent, other than in exceptional circumstances.
6. Transfer of personal data to other countries
6.1 In some instances your personal data will be shared with third parties outside of the European Economic Area (EEA) for example North America and Australia. When required, the University will transfer your personal data outside of the EEA when one of the following conditions have been met:
7. Retention of Data After You Graduate
7.1 The University retains all personal data in accordance with its Records Management and Retention Policy. The University will need to maintain some records relating to you after you graduate in order to provide services to you as a graduate of the University. This includes: verifying your award, providing transcripts of your marks, opportunities for further study, academic references, careers support, alumni and networking services
7.2 Alumni: When you graduate/complete your course, you will automatically be included as a member of the University’s Alumni Association, UL Alumni. You will receive emails from Alumni about the benefits of staying in touch. The UL Alumni webpage provides further information as to how your personal data will be used and how you can opt out from communications.
7.3 Data that is not required to fulfil the services the University will provide to you after you graduate will be securely deleted in accordance with the University’s Records Management & Retention Policy.
8. Your Rights
8.1 Your rights relating to your personal data include:
8.2 Requests for any of the above should be addressed by email to firstname.lastname@example.org or in writing setting out your specific request to the University’s Data Protection Officer, Office of the Corporate Secretary, University of Limerick, Limerick. Your request will be processed within 30 days of receipt. Please note, however, it may not be possible to facilitate all requests, for example, where the University is required by law to collect and process certain personal data including that personal information that is required of any student of the University.
8.3 Additionally, you can update your personal data on the SI system or alternatively by contacting the Student Academic Administration Office at email@example.com.
9. Your Responsibilities
9.1 Updating your details: The GDPR requires that personal data is accurate. Please let the University know if your contact details change. If we do not have the correct contact details, we cannot take responsibility if we are unable to provide you with any information you require, for example, missing an exam or deadline resulting in serious consequences.
9.2 Processing Personal Data: You must comply with the University’s Data Protection Policy and the GDPR if, as a student, you have access to the personal data of others; or if you wish to collect or process any personal data as part of your studies or research. You must ensure that you notify and seek approval from your supervisor and the relevant University Research Ethics Committee if required, before any processing occurs. If you are processing personal data other than as part of your studies, you should contact the Office of the Data Protection Commissioner (Supervisory Authority) as you will not be covered under the University’s registration. You can contact that Office at firstname.lastname@example.org or by writing to the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois.
10. Queries, Contacts, Right of Complaint
10.1 Further information on Data Protection at the University of Limerick may be viewed at www.ul.ie/dataprotection. You can contact the University’s Data Protection Officer at email@example.com or by writing to Data Protection Officer, Room A1-073, University of Limerick, Limerick.
10.2 You have a right to lodge a complaint with the Office of the Data Protection Commissioner (Supervisory Authority). While we recommend that you raise any concerns or queries with us first, you may contact that Office at firstname.lastname@example.org or by writing to the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois.