This Notice establishes Kennesaw State University’s (“KSU”) privacy notices for its website located at kennesaw.edu (“Site”), in compliance with any applicable data privacy standards and legal requirements regarding the data collected, including compliance with the European Union General Data Protection Regulation (“EU GDPR”). This Notice describes the type of information KSU collects from visitors to this Site, what we do with that information, and how visitors can update and control the use of information collected by this Site.
Type of Information Collected and Why
Kennesaw State University (KSU) is committed to ensuring the privacy of your information. KSU collects two kinds of information on this site: 1) Information that is voluntarily supplied by visiting the site and enrolling in programs and 2) Information that is automatically collected as you navigate the site.
Information voluntarily supplied by visitors seeking to access various features and information includes, among other things, name, address, and phone number. Any personal information that you choose to provide through the Site will be protected in accordance with the provisions of this Notice. If you refuse to provide personal data that is required by KSU in connection with one of KSU’s lawful bases to collect such personal data, such refusal may make it impossible for KSU to provide education, employment, or other requested services.
Information automatically collected includes the user’s IP address, date and time of the website access along with the web page(s) visited. In addition, KSU may also collect any information that it receives from your web browser, including browser type and version, and operating system. This information helps us understand aggregate uses of our site, track usage trends and improve our services. Additionally, university web sites use cookies to collect certain information. Cookies are small pieces of data that are sent by our Website to your Web browser. They are stored on your computer and are used to improve your web experience and improve the availability of web content. We may also use cookies to pre-fill forms so that you do not need to re-enter data. Accepting a cookie does not give us access to your computer or any personal information about you.
Links to Other Websites
Links within the university website may direct you to other websites not affiliated with KSU. KSU is not responsible for the privacy practices, policies, actions, web content, services, or products of non-KSU sites to which we link. These links are not intended to, nor do they constitute, an endorsement by KSU of the linked materials. We encourage you to read the privacy statements of other sites for assurance that their practices safeguard your privacy.
Security and Accuracy of Confidential Information
KSU does its best to reasonably ensure that the personal information obtained from you is accurate. Visitors may review the information saved or submitted via the Site at any time up to the point when it is purged. If there is an error in your personal information, we will correct the information upon your request, which may be submitted to dataprivacy@kennesaw.edu.
We have put in place reasonable physical, technical, and administrative safeguards designed to prevent unauthorized access to the online information we collect and use. While we strive to protect visitors’ personal information by encryption and other means, we cannot guarantee or warrant the security of the information you transmit to us, and if you choose to use the Site, you do so at your own risk.
If you post any data within a public forum on any KSU website, that data is now public.
Sharing of Information
KSU is committed to maintaining the privacy of your personal information. Any information submitted via the website will only be used for the purposes stated on the submission page. KSU does not actively share personal information gathered from the Site, except:
- as required by law (including but not limited to the Georgia Open Records Act);
- as necessary to protect KSU interests;
- as necessary to further research efforts pursuant to approvals from the appropriate data stewards and the Institutional Review Board;
- and/or with contracted service providers acting on behalf of the university who have agreed to protect the confidentiality of the data.
KSU also complies with the Family Educational Rights and Privacy Act (“FERPA”), which generally prohibits (with some exceptions) the release of education records without student permission. Please visit KSU’s FERPA website for more information.
European Union General Data Protection Regulation (EU GDPR) Privacy Notice
Lawful Basis for Collecting and Processing of Personal Data
Kennesaw State University is an institution of higher education involved in education, research, and community engagement. For KSU to educate its students both in class and on-line, engage in world-class research, and provide community services, it is essential, necessary, and KSU has lawful bases to collect, process, use, and maintain data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. The lawful bases include, without limitation, admission, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention. Examples of data that KSU may need to collect in connection with the lawful bases are: name, email address, IP address, physical address or other location identifier, photos, as well as some sensitive personal data obtained with prior consent.
For more information regarding the EU GDPR, please review Kennesaw State’s EU General Data Protection Regulation Compliance Policy. All personal data and sensitive personal data collected or processed by KSU under the scope of the KSU EU General Data Protection Regulation Compliance Policy must comply with the security controls and systems and process requirements and standards of KSU policies.
The majority of KSU’s collection and processing of personal data will fall under the following categories:
- Processing is necessary for the purposes of the legitimate interests pursued by KSU or third parties in providing education, employment, research and development, and community programs.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This lawful basis pertains primarily but not exclusively to research contracts.
- Processing is necessary for compliance with a legal obligation to which KSU is subject.
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes. This lawful basis pertains primarily, but not exclusively, to the protection of research subjects.
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases.
Where KSU Obtains Personal Data and Special Categories of Sensitive Personal Data
KSU receives personal data and special categories of sensitive personal data from multiple sources. Most often, this data comes directly from the data subject or under the direction of the data subject who has provided it to a third party (for example, application for admission to KSU through use of the Common App).
Individual Rights of the Data Subject under the EU GDPR
Individual data subjects covered by KSU’s EU General Data Protection Regulation Compliance Policy will be afforded the following rights:
- information about the controller collecting the data
- the data protection officer contact information
- the purposes and legal basis/legitimate interests of the data collection/processing
- recipients of the personal data
- if KSU intends to transfer personal data to another country or international organization
- the period the personal data will be stored
- the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability
- the existence of the right to withdraw consent at any time
- the right to lodge a complaint with a supervisory authority (established in the EU)
- why the personal data are required, and possible consequences of the failure to provide the data
- the existence of automated decision-making, including profiling
- if the collected data are going to be further processed for a purpose other than that for which it was collected
Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.
Any data subject who wishes to exercise any of the above-mentioned rights under the EU GDPR may do so by submitting a Service Request with the Office of Cybersecurity at dataprivacy@kennesaw.edu.
Website Data Collected and Why; Cookies
Please see the “Type of Information Collected and Why” section above for details regarding information collected from KSU websites and cookies.
Security of Personal Data subject to the EU GDPR
All personal data collected or processed by KSU under the scope of the KSU EU General Data Protection Regulation Compliance Policy must comply with organizational security controls, standards, processes and policies. If you have questions about this Notice or believe that your personal information has been released without your consent or if you wish to correct information held by KSU, please contact us at dataprivacy@usg.edu.
KSU will not share your information with third parties except as necessary to meet one of KSU’s lawful purposes.
Georgia Open Records Act
As an entity of the government of the State of Georgia, KSU is subject to the provisions of the Georgia Open Records Act (ORA). Except for those records that are exempt from disclosure under the ORA, the ORA provides that all citizens are entitled to view the records of state agencies on request and to make copies for a fee. For more information on KSU’s ORA compliance, please visit the Open Records Requests page on the Division of Legal Affairs website.
Data Retention
KSU keeps the data it collects for the time periods specified in the University System of Georgia Records Retention Schedules.
For examples of Student Records Retention Schedules, see: https://www.usg.edu/records_management/schedules/934
For examples of Human Resources (Employment) Records Retention Schedules, see: https://www.usg.edu/records_management/schedules/930
Who we are
Our website address is: https://xrlab.kennesaw.edu.
Comments
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
Media
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Cookies
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Who we share your data with
If you request a password reset, your IP address will be included in the reset email.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.
What Personal Data We Collect and Why We Collect It
Event, Venue, and Organizer Information
If you create, submit, import, save, or publish Event, Venue, or Organizer information, such information is retained in the local database:
- Venue information: name, address, city, country, state, postal code, phone, website, geographical coordinates (latitude and longitude)
- Organizer information: name, phone, website, email
- Event information: website, cost, description, date, time, image
Importing Events, Venues, and Organizers
- All data present within a CSV or ICS file and external URLs (for events, venues, organizers, and tickets)
- Import origin data (URL from where events are being imported—such as Eventbrite, MeetUp, other compatible URL sources, and more, which can include similar or same data as listed above)
- Eventbrite Ticket information: name, description, cost, type, quantity
Please note that to create new events through the Community Events submission form, a user must hold a website account on this domain. This information is retained in the local database. It is also possible to create events anonymously, if the site owner has this option enabled.
When purchasing Eventbrite Tickets, attendee, purchaser, and order information are stored and managed by Eventbrite.
API Keys
We make use of certain APIs, in order to provide specific features.
These APIs may include the following third party services: Google Maps (API key), Meetup (OAuth token), PayPal (email, Client ID, Client Secret), Eventbrite (API key, auth URL, Client Secret), and Zoom (email, Client ID, Client Secret).