Student Privacy Rights under Federal Law (FERPA)
The Family Educational Rights and Privacy Act (FERPA), commonly known as the "Buckley Amendment," affords students certain rights with respect to their education records. Learn more about Student Privacy Rights under Federal Law (FERPA).
General Data Protection Regulation
PRINCETON UNIVERSITY – PRIVACY NOTICE FOR STUDENTS
Princeton University (“Princeton”) respects and protects the privacy of your personal data. In general, student privacy rights are governed by the Family Educational Rights and Privacy Act (“FERPA”), as described in Section 2.7 of Rights, Rules, Responsibilities. This notice, which is pursuant to the European Union’s (“EU’s”) General Data Protection Regulation (“GDPR”), contains additional information about how and why Princeton collects your personal data and what we do with that information. The GDPR may apply to the processing of personal information that you provide Princeton while you are in the EU, but it does not apply to information that you provide while you are in the U.S. (for example, on campus).
1. What Constitutes “Personal Data” Under the GDPR?
Personal data is information that Princeton holds about you and which identifies you. This includes information such as your date of birth and address, as well as information like exam results and grades, scholarship and funding information, admissions records, and disciplinary records.
Under the GDPR, special categories of personal data are afforded an extra level of security and confidentiality. This includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, data concerning health, or data concerning sex life or sexual orientation.
2. How We Collect Personal Data
The personal data that Princeton holds about you is obtained from a number of sources and may include the following types of information:
- Admission information, including information identifying potential candidates for admission from third-party sources; information you have provided on your application through application platforms and via a third party, such as testing organizations; information from references; and information from educational institutions attended previously;
- Personal information that you provide pre-matriculation, including through the “Your Path to Princeton” website (https://path.princeton.edu/) or pre-matriculation questionnaires, or as part of your orientation registration and placement;
- Personal information that you provide after matriculation, including demographic information, parent and emergency contact information, housing requests;
- Information about your education, including information that you provide to us during the course of your education and information related to your education, such as your grades and courses taken (including research experience and resume information); internship, fellowship and student leadership applications; and enrollment status changes or disciplinary actions, if any;
- Information about your participation in athletics, including through student-athlete forms;
- Funding information, such as information from the Free Application for Federal Student Aid (FAFSA) or from external fellowship or scholarship providers; and billing information, such as home address and billing contact;
- Information from partner organizations, such as professional bodies, employers, and other educational establishments for the purposes of study or research abroad or exchange programs;
- Career outcomes information, such as the type and location of employment you pursue after graduating;
- Passport information;
- Religious preference, but only if you choose to provide it, and for the sole purpose of connecting you to the religious community of your interest;
- Medical information, such as information about any disabilities that you disclose or pertinent medical conditions; special accommodations for any learning or physical disabilities; health insurance information; and information that you supply to University Health Services (UHS) as part of matriculation, including your health history and immunization records; and
- Criminal history information, such as previous convictions for any European visa processing purposes
3. Why We Process Your Personal Data
Our primary reason for collecting and using your personal data is to provide you with an education. When you apply and accept an offer to attend Princeton, you agree that we can process your personal data for administrative and educational purposes. The purposes of processing include, but are not limited to:
- Administering and providing education and training;
- Administering and providing housing;
- Managing and administering our services, including accommodation services;
- Administering financial aid or support;
- Providing advice and support to you, including health care services, health and safety, attendance monitoring, and academic and career information and guidance;
- Managing behavioral or disciplinary issues and complaints;
- Recruitment, admission and enrollment;
- Providing you with information about educational programs and services;
- Analyzing and improving our educational programs;
- Maintaining your student record and managing academic processes;
- Administering financial matters including payment of fees;
- Managing Princeton facilities including libraries and athletic facilities;
- Managing your immigration-related information and records, if any;
- Institutional research and studies to support University decision making and planning;
- Graduation and confirmation of awards;
- Alumni membership;
- Statistical and archival purposes;
- Regulatory reporting;
- Complying with applicable laws and regulations, including NCAA regulations; and
- Verifying your enrollment and your degrees.
4. Sending Personal Data to Other Countries
For these purposes, personal data may also be transferred to countries outside of the United States, to countries which may not have data protection laws that offer the same protections as your home country. Examples of circumstances when personal data may be transferred outside the U.S. include:
- Managing collaborations with overseas educational institutions including study and research abroad and exchange programs;
- If you experience a health emergency in another country;
- Working with overseas recruitment agencies;
- Providing external providers of student financial support verification of enrollment and progress;
- Information posted on our website which is accessible outside the U.S.;
- Verifying your enrollment and your degrees; and
- Some of the systems and services the University uses to store data in the cloud which may include storage facilities based outside the U.S.
The European Commission has produced a list of countries which, according to the Commission, have adequate data protection rules. The list can be found here: http://ec.europa.eu/justice/data-protection/international- transfers/adequacy/index_en.htm.
If the country that we are sending your information to is not on the list, or is not a country within the EEA (which means the EU, Liechtenstein, Norway and Iceland), then it might not have the same level of protection for personal data as the EU provides.
Upon request, we will provide you with additional information about the safeguards which Princeton has in place outside of this privacy notice. If you have any questions about the safeguards that are in place, please contact Princeton’s Information Security Office at email@example.com.
5. How We Share Your Personal Data
We may share your personal data with the following third parties or for the following purposes:
- With our service providers: We may share your personal data with third parties that help us provide services to you. For example, we may share some information with our insurance company to make sure that we have the insurance coverage that we need, or with vendors who provide or support the online or electronic tools that you use.
- To improve our services: For example, we may occasionally use consultants, experts, or other advisors to assist Princeton in fulfilling its obligations and to help run the university properly. We might need to share your information with them if this is relevant to their work. For example, we may share your personal data with the National Student Clearinghouse to help meet Princeton’s compliance, administrative, student access, accountability, and analytical needs.
- With government entities: In response to a valid government request, we may share your personal data with a government agency or law enforcement. We may also be required to report certain personal data, for example, to the Department of Education, to comply with our obligations under U.S. law or to protect our rights or the rights of others, or prevent fraud or other criminal activity.
- With parents or legal guardians: If you are a minor, we may be required by law to share certain personal data with your parents or legal guardians.
- With other educational institutions: If you choose to continue your education at another institution, we may share information about your education at Princeton with such institution.
- With external providers of financial support: So that they may verify enrollment and progress.
- With the public: After obtaining your consent, we may share information about you on our website, such as information about your achievements or photographs of attendees at university events.
Third parties that receive your personal information from us are required to abide by applicable law in their use of your information.
6. Our Legal Basis for Processing Your Personal Data Under GDPR
This section contains information about the legal bases that we are relying on, for purposes of the GDPR, when processing your personal data.
Absent overriding, countervailing interests, Princeton may process your personal data for its legitimate interests. Specifically, Princeton has a legitimate interest in:
- Providing you with an education;
- Safeguarding and promoting your health and welfare and the health and welfare of other students;
- Promoting the objectives and interests of the university, including fundraising and marketing;
- Facilitating the efficient operation of the university; and
- Ensuring that all relevant legal obligations of the university are complied with.
In addition your personal data may be processed for the legitimate interests of others. For example, we may process your personal data when investigating a complaint made by another student.
If you object to Princeton using your personal data in a particular situation, please contact
- The Office of the Registrar, Helm Building, 330 Alexander Street, 4th floor, or via email to firstname.lastname@example.org, if your inquiry pertains to general student records; or
- Francesca Schenker, email@example.com, if you are an undergraduate and your inquiry pertains to international programs, including study abroad.
Princeton may process your personal data in order to comply with a legal obligation, for example, to report a concern about your wellbeing to the appropriate government agency. We may also have to disclose your information to third parties such as the courts, local authorities, or law enforcement where legally obliged to do so.
Princeton may need to process your personal data to protect your vital interests, or someone else’s, for example to prevent someone from being seriously harmed or injured.
Princeton is acting in the public interest when providing students with an education, and we may process your personal data in connection with that public interest.
7. Processing Special Categories of Personal Data
Special categories of personal data are treated with extra sensitivity. These special categories include: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, health information, and information about sex life or orientation. Princeton may process special categories of personal data under the following legal bases:
Substantial public interest
The processing is necessary for reasons of substantial public interest.
To protect the vital interests of any person where that person cannot give consent, for example, if they are seriously hurt and are unconscious.
The processing is necessary for the establishment, exercise or defense of legal claims. This allows us to share information with our legal advisors and insurers.
Emergency circumstances and medical purposes
This includes medical treatment and the management of healthcare services.
We may ask for your consent to use your personal data in certain ways. If we ask for your consent to use your personal data, you can revoke this consent at any time. Any use of your personal data before you withdraw your consent remains valid. If you would like to revoke any consent given, please contact
- The Office of the Registrar, Helm Building, 330 Alexander Street, 4th floor, or via email to firstname.lastname@example.org, with respect to general student records, or
- Francesca Schenker, email@example.com, with respect to undergraduate international programs, including study abroad
8. How Long We Retain Your Personal Data
We keep your personal data for as long as we need to in order for you to complete your education. If you stop attending Princeton prior to completing your education, or apply and do not attend, we will retain your personal data as required for operational and regulatory needs, or in case you want to apply again. We will keep certain personal data after you are no longer attending Princeton, for example, so that we can confirm your completion of your degree, share your personal data with another educational institution should you choose to apply for admission elsewhere, or invite you to participate in alumni events.
We may keep certain personal data indefinitely for historical, research, or statistical purposes.
We will also keep your personal data for as long as necessary to comply with applicable record retention laws and obligations.
For additional information about Princeton’s record retention practices, please see Princeton’s “University-wide Records Management Principles” (https://records.princeton.edu/policies-procedures).
9. Your Rights Under GDPR With Regards to Your Personal Data
Subject to certain limitations and conditions, you have the following rights with regards to the processing of your personal data:
- Right of access: You have the right to request access to the personal data that we hold about you.
- Right of rectification: You have the right to correct personal data that we hold about you that is inaccurate or incomplete.
- Right to erasure: In certain circumstances, you have the right to request that certain personal data we hold about you be erased from our records.
- Right to restriction of processing: In certain circumstances, you have the right to restrict certain processing of your personal data.
- Right of portability: You have the right to request that personal data we hold about you be transferred to another organization.
- Right to object: You have the right to object to certain types of processing of your personal data, such as direct marketing (to the extent applicable).
- Right to judicial review: In the event that we refuse a request under rights of access, we will provide you with a reason. Individuals in the EU have the right to object as outlined in the “Further Information and Guidance” section below.
10. Further Information and Guidance
Please contact us using the information below should you have any questions or concerns.
Please contact The Office of the Registrar, Helm Building, 330 Alexander Street, 4th floor, or via email firstname.lastname@example.org if:
- You object to us using your personal data for marketing purposes, e.g., to send you information about University events.
- You would like us to update the personal data we hold about you.
- You would prefer that certain information about you is kept confidential.
If you believe that we have not acted properly when using your personal data you can file a complaint with the appropriate supervisory authority in the EU (http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm).