GDPR Privacy Notice

This Privacy Notice applies to all Rochester University departments and is intended to comply with the European Union’s (“EU”) General Data Protection Regulation (“GDPR”). This Privacy Notice applies to personal data that Rochester University collects or processes about an individual (“Data Subject”) while the Data Subject is located in the EU, regardless of whether the Data Subject is a citizen or permanent resident of an EU country. “Personal Data” means any information relating to an identified or identifiable Data Subject.

Lawful Basis or Bases for Collecting and Processing Personal Data

Rochester University is an institution of higher education that offers courses to undergraduate, graduate and continuing education students, conducts academic and sponsored research, and participates in various community engagement activities. Rochester University collects, processes and uses Personal Data for the purposes of recruitment, graduate and undergraduate admissions applications, Student Financial Services, international students, online learning, Career Services, Development, the School of Nursing, Human Resources, Legal Affairs, Business Affairs, Professional and Continuing Education, and other purposes on behalf of Rochester University.

Rochester University’s lawful basis or bases for collecting and processing personal data include the following:

  • Processing is necessary for the legitimate interests pursued by Rochester University in providing critical recruitment, enrollment, and education information for programs provided by Rochester University, and in providing admission to the University.
  • The Data Subject has given consent for the processing of his or her Personal Data for one or more specific purposes.

Types of Personal Data Collected/Processed and Purpose

Rochester University collects the following categories of Personal Data in order to fulfill various purposes for the University:

  • Name
  • Contact information including, without limitation, email address, physical address, phone number, and other location data
  • Unique personal identifiers and biographical information (e.g. date of birth)
  • Details of your education and/or employment qualifications
  • Information related to visa requirements, copies of passports and other documents to ensure compliance with U.S. laws
  • Financial information gathered for the purposes of verifying eligibility for study in the United States
  • Information related to the prevention and detection of crime and the safety of employees, students and visitors of Rochester University

The Personal Data that Rochester University collects may be shared with University offices and academic departments for the purpose of academic planning, financial aid processing and student billing, scholarship awarding, visa processing and enrollment reporting/verification.

If you have specific questions regarding the collection and use of your Personal Data, please contact the Office of the Registrar at or (248) 218-2096.

If a Data Subject refuses to provide Personal Data that Rochester University requires in connection with one of Rochester University’s lawful basis or bases for collecting such Personal Data, such refusal may make it impossible for Rochester University to provide education, employment, research or other requested services.

Where Rochester University gets Personal and Sensitive Personal Data

Rochester University receives personal and sensitive Personal Data from multiple sources. Most often, Rochester University gets this data directly from the Data Subject or under the direction of the Data Subject who has provided it to a third party. In addition to data collected from the Data Subject, Undergraduate Admissions collects data from educational institutions (secondary and postsecondary schools), test administration firms (e.g., ACT, College Board), credential evaluation services (e.g., World Education Services, Educational Credential Evaluators) and prospective student data collection companies (e.g., CollegeFish).

Individual Rights of the Data Subject under the GDPR

In addition to the right to receive the information provided in this Privacy Notice, Data Subjects covered by this Privacy Notice have the right to:

  • Request from Rochester University access to and rectification or erasure of Personal Data or restriction of processing concerning the Data Subject, the right to object to processing and the right to portability of Personal Data;
  • Where processing is based upon consent, to withdraw consent at any time, without affecting Rochester University’s right to process Personal Data based upon consent before its withdrawal;
  • The right to file a complaint with a supervisory authority appointed by an EU member state for the purpose of receiving complaints;
  • Additional notice of the existence of automated decision-making, including profiling;
  • If the Personal Data is going to be further processed for a purpose other than that for which it was collected, then notice of the purpose and basis or bases for the further processing;
  • If Personal Data is collected for Rochester University’s legitimate interests or for a task carried out in the public interest, then the Data Subject has the right to object, on the grounds of his or her particular situation, to the processing of Personal Data concerning him or her (including profiling);
  • Where Personal Data are processed for direct marketing purposes, the right to object at any time to processing Personal Data concerning him or her for such marketing; and
  • Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her; provided, however, that this right does not apply if the decision is (a) necessary for entering into, or performance of, a contract between the Data Subject and Rochester University; or (b) is based upon the Data Subject’s consent.

Note: Exercising these rights guarantees access to a process but does not guarantee any particular outcome.

Any Data Subject who wishes to exercise any of the above-mentioned rights may do so by filing such request with the Office of the Registrar at or (248) 218-2096.


Cookies are files that many websites transfer to users’ web browsers to enable the site to deliver personalized services or to provide persistent authentication. The information contained in a cookie typically includes information collected automatically by the web server and/or information provided voluntarily by the user. Rochester University’s website uses persistent cookies in conjunction with a third-party technology partner to analyze search engine usage and web traffic patterns. This information is used in the aggregate to monitor and enhance our web pages. It is not used to track the usage patterns of individual users.

Security of Personal Data subject to the EU GDPR

All Personal Data and sensitive Personal Data collected or processed by Rochester University under the scope of the GDPR must comply with the security controls and systems and process requirements and standards set forth in Rochester University’s Rochester College Policy Manual, dated May 2019, as they are amended from time-to-time, including without limitation:

  • Chapter 3, Section 3.7 Personal Information;
  • Chapter 7, Information Technology
    • Section 7.1 Telecommunications;
    • Section 7.2 College Equipment;
    • Section 7.3 All Employee Email Distribution; and
    • Section 7.4 Software and Network Information.

Rochester University will not share your Personal Data with third parties except:

  • as necessary to meet one of its lawful purposes, including, but not limited to, its legitimate interest, contract compliance, pursuant to consent provided by the Data Subject, or as required by law;
  • as necessary to protect Rochester University’s interests;
  • with service providers acting on Rochester University’s behalf who have agreed to protect the confidentiality of the Personal Data.

Data Retention

Rochester University maintains records for the time periods specified in its Document Retention and Destruction Policy, Rochester College Policy Manual, Chapter 19, Section 19.2 dated May 2019.