Lawful Bases for Collecting and Processing of Personal Data

Stony Brook University (SBU) is an institution of higher education involved in education, research, patient care, and outreach services.  In order for SBU to educate its students both in class and online, engage in world-class research, provide high-quality health care, and provide outreach services, it is essential, necessary, and SBU has lawful bases to collect, process, use, and maintain data of its students, employees, applicants, research subjects, patients, and others involved in its educational, research, patient care, and outreach programs. The lawful bases include, without limitation, admission, registration, delivery of classroom, online, and study abroad education, grades, communications, employment, applied research, health care, development, program analysis for improvements, and records retention. Examples of data that SBU may need to collect in connection with the lawful bases are: name, email address, IP address, physical address or other location identifier, photos, as well as some sensitive personal data provided voluntarily.

Most of SBU’s collection and processing of personal data will fall under the following categories:

  1. Processing is necessary for the purposes of the legitimate interests pursued by SBU or third parties in providing education, employment, research and development, health care, outreach programs, IT infrastructure.
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This lawful basis pertains primarily but not exclusively to research contracts.
  3. Processing is necessary for compliance with a legal obligation to which SBU is subject.
  4. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.  This lawful basis pertains primarily but not exclusively to the protection of research subjects, providing medical and mental health services.

There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.

Types of Personal Data collected and why

SBU collects a variety of personal and sensitive data to meet the lawful bases referenced above. Most often the data are used for academic admissions, enrollment, educational programs, job hiring, provision of health services, participation in research, development and community outreach. Data typically include name, address, academic records, work history, information for payroll, research subject information, medical and health information (for student health services, or travel), demographics, and donations. If you have specific questions regarding the collection and use of your personal data, please contact

If a data subject refuses to provide personal data that is required by SBU in connection with one of SBU’s lawful bases to collect such personal data, such refusal may make it impossible for SBU to provide education, employment, research or other requested services.

Where SBU gets Personal Data

SBU receives personal data from multiple sources. Most often, SBU gets this data directly from the data subject or under the direction of the data subject who has provided it to a third party (for example, application for admission to SBU through use of the Common App).

Questions should be directed to

Revised 21 May 2018

Far Beyond Giving Your support changes lives. Give Now