Lawful Bases for Collecting and Processing of Personal Data
Stony Brook University (SBU) is an institution of higher education involved in education,
research, patient care, and outreach services. In order for SBU to educate its students
both in class and online, engage in world-class research, provide high-quality health
care, and provide outreach services, it is essential, necessary, and SBU has lawful
bases to collect, process, use, and maintain data of its students, employees, applicants,
research subjects, patients, and others involved in its educational, research, patient
care, and outreach programs. The lawful bases include, without limitation, admission,
registration, delivery of classroom, online, and study abroad education, grades, communications,
employment, applied research, health care, development, program analysis for improvements,
and records retention. Examples of data that SBU may need to collect in connection
with the lawful bases are: name, email address, IP address, physical address or other
location identifier, photos, as well as some sensitive personal data provided voluntarily.
Most of SBU’s collection and processing of personal data will fall under the following
Processing is necessary for the purposes of the legitimate interests pursued by SBU
or third parties in providing education, employment, research and development, health
care, outreach programs, IT infrastructure.
Processing is necessary for the performance of a contract to which the data subject
is party or in order to take steps at the request of the data subject prior to entering
into a contract. This lawful basis pertains primarily but not exclusively to research
Processing is necessary for compliance with a legal obligation to which SBU is subject.
The data subject has given consent to the processing of his or her personal data for
one or more specific purposes. This lawful basis pertains primarily but not exclusively
to the protection of research subjects, providing medical and mental health services.
There will be some instances where the collection and processing of personal data
will be pursuant to other lawful bases.
Types of Personal Data collected and why
SBU collects a variety of personal and sensitive data to meet the lawful bases referenced
above. Most often the data are used for academic admissions, enrollment, educational
programs, job hiring, provision of health services, participation in research, development
and community outreach. Data typically include name, address, academic records, work
history, information for payroll, research subject information, medical and health
information (for student health services, or travel), demographics, and donations.
If you have specific questions regarding the collection and use of your personal data,
please contact firstname.lastname@example.org.
If a data subject refuses to provide personal data that is required by SBU in connection
with one of SBU’s lawful bases to collect such personal data, such refusal may make
it impossible for SBU to provide education, employment, research or other requested
Where SBU gets Personal Data
SBU receives personal data from multiple sources. Most often, SBU gets this data directly
from the data subject or under the direction of the data subject who has provided
it to a third party (for example, application for admission to SBU through use of
the Common App).