Data Privacy Notice for Vendors in the E.U.
This Notice describes New York University’s practices with respect to the collection, use, storage, and disclosure (“processing”) of Personal Information covered by the European Union’s General Data Protection Regulation for purposes of evaluating prospective vendors and managing our vendor relationships. This Notice applies to NYU, with global headquarters at 70 Washington Square South, New York, NY 10012, as well as to its affiliated legal entities and branches (collectively “NYU,” “us” or “our”) with respect to processing of personal information of vendors in the context of NYU’s Global Sites in the European Union. All such vendors or prospective vendors (referred to below as “you” or “your”) should carefully read the provisions of this Privacy Notice.
“Personal Information,” as used in this Notice, means any information that can be used to identify you, whether directly or indirectly, including by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.
This Notice has the following sections:
- The Information We Process About You
- Purposes and Legal Basis for Processing Your Data
- Recipients of Your Personal Information
- Transfers to Third Countries
- Data Retention
- Your Rights
- Annex A: NYU Data Protection Officers
- Annex B: National Data Protection Authorities
You can contact NYU’s Data Protection Officer with any questions about this notice, our data collection practices, or your rights. You can reach NYU’s Data Protection Officer, Peter Christensen, at:
c/o Data Protection Officer’s Office
70 Washington Square South
New York, NY 10012
+1 212 992 7256
Contact information for NYU’s designated Data Protection Officers for NYU’s EU Global Sites is provided in Annex A.
The Data Protection Officers are collectively referred to throughout this Privacy Notice as the “DPO.” This general notice may be supplemented by additional notices at the point of any data collection. If you have specific questions about any of the data processing activities described in this or any other notice, please contact the DPO.
We process the information we collect from you directly, either during our communications with you about NYU, as part of the vendor selection and contracting process, or as part of your response to our request for information about your goods or services.
Throughout our relationship with you, certain information may be required in order for us to fulfill the terms of our contract with you or take an action you request. Failure to provide required information may result in the termination of your relationship with NYU or inability to take an action you request.
We use automated decision-making processes to screen vendors according to predetermined criteria. For example, we may use an automated process to review your response to a request for proposals for key terms associated with the request or your qualifications. You can find out more about the logic we use in our automated decision-making processes by contacting the DPO.
In addition, we collect the following kinds of information about you from third parties:
- Your contact, demographic information, references, and other publicly available information, which we collect from third parties who provide us information about prospective vendors who may be interested in working with NYU.
- Any criminal convictions or offenses, required governmental screening (e.g., Specially Designated National status), information about your credit, and other information about your previous employment and education, which we collect as part of a background check process (where permitted by applicable law) from government records, credit reporting companies, your previous employers, and other academic institutions.
NYU maintains video surveillance and card swipe systems for the security of our premises. NYU or our contracted service operator may process images and video of you, and information about your use of and access to our premises, in connection with the operation of these systems.
We process your Personal Information to recruit prospective vendors, evaluate vendors interested in working with NYU, communicate with you about NYU and your contract status with us, and, if we decide to work with you, to manage the procurement process, onboard you as a new vendor, and manage your business dealings with NYU. We also use data about you to make strategic decisions about NYU programs, administer those programs, file required reports with applicable governmental authorities, and engage in financial planning. We also use your data for purposes required by law, including complying with application retention requirements, and for the enforcement of NYU policies and applicable laws.
We combine the data that we collect in order to provide these functions.
We have the following legal basis for processing the information you provide us in your application or that we collect about you during the application process.
We have a legitimate interest in recruiting and retaining qualified vendors, complying with laws and regulations that govern our conduct in the countries where we operate, and administering NYU and its programs in an efficient, ethical, and appropriate manner. We process all the information we collect from or about you to meet these purposes. You can obtain additional information about the legitimate interests we have in processing your information by contacting the DPO.
We may also be required to process your Personal Information to complete a contract that you have entered into with us, including to provide you with contracted-for payments, fulfill our contractual obligations to you, or to ensure your compliance with contractual obligations. You can obtain additional information regarding processing we do to enter into contracts with you by contacting the DPO.
We may also be required to process your Personal Information to comply with laws applicable in the European Union or its member states. You can obtain additional information about the processing we do to comply with applicable laws by contacting the DPO.
In the case of Sensitive Personal Information (which includes (i) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) genetic and biometric data; and (iii) data concerning health, sex life, or sexual orientation), we process information either (i) because we have your consent to do so or (ii) because we are required to process the information to comply with applicable laws.
You can obtain more information about these laws by contacting the DPO. When we process your Sensitive Personal Information on the basis of your consent, you may withdraw that consent at any time by contacting the DPO. If you withdraw your consent, we may still be required to process your Sensitive Personal Information to comply with applicable law, but we will explain to you at the time your consent is withdrawn what processing activities will continue for legal compliance purposes.
Finally, we process your Personal Information for additional purposes that are compatible with those already described, including for the purposes of conducting scientific, statistical, or historical research or for the purpose of creating archives in the public interest. Where possible, we do not use identifiable information for these purposes, or we take steps, including making use of pseudonymous data, to limit the amount of Personal Information we use in our research or archives.
Your Personal Information will be received and processed by NYU employees and personnel, including third parties who provide services to NYU in connection with the purposes of processing described above. We share your Personal Information with our service providers only when they have agreed to process your Personal Information only to provide services to us and have agreed to protect your Personal Information from unauthorized use, access, or disclosure. You may contact the DPO to learn more about the categories of service providers to whom your data is disclosed.
We also disclose your information to government authorities as required by laws that regulate higher education, immigration, tax, national security, and criminal activity.
NYU is a global university headquartered in the United States. NYU offers study abroad programs at the following Global Sites outside of the EU: Accra, Ghana; Buenos Aires, Argentina; Sydney, Australia; and Tel Aviv, Israel. NYU operates degree-granting Portal Campuses in New York, NY, Abu Dhabi, United Arab Emirates, and in Shanghai, People’s Republic of China. If you are seeking a vendor relationship with or are chosen as a vendor of one of our Global Sites, your data will be transferred to our global headquarters in the United States and may be shared with other Global Sites or Portal Campuses in order to facilitate central management of NYU’s programs and administer NYU’s global operations.
NYU has executed Standard Contractual Clauses, as approved by the European Commission. These clauses permit NYU to transfer data from the EU to third countries, including the United States. If you would like to receive a copy of NYU’s Standard Contractual Clauses, you can contact the DPO.
You can find more information about how long we retain personal data by consulting our Retention and Destruction of Records Policy. Certain of our EU Global Sites may retain data for shorter or longer periods to meet local legal requirements or business practices. You can obtain additional information about any of these retention periods by contacting the DPO.
You have the right to the following information regarding NYU’s processing of your Personal Information:
- the purposes of the processing,
- the categories of Personal Information concerned,
- the recipients or categories of recipients to whom the Personal Information have been or will be disclosed,
- where possible, the envisaged period for which the Personal Information will be stored, or, if not possible, the criteria used to determine that period.
This Privacy Statement is intended to provide this information. Any questions about these details may be directed to the DPO.
You also have the following additional rights with respect to your Personal Information:
- The right to request access to the Personal Information that NYU has about you, as well as the right to request rectification of any data that is inaccurate or incomplete.
- The right to request a copy of your Personal Information in electronic format so that you can transmit the data to third parties, or to request that NYU directly transfer your Personal Information to one or more third parties.
- The right to object to the processing of your Personal Information for marketing and other purposes.
- The right to erasure of your Personal Information when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Information to certain limited purposes where erasure is not possible.
- The right to lodge a complaint with the supervisory authority for the country where you live or work or where you believe that your rights have been violated. See Annex B for a list of supervisory authority contacts for NYU Global Sites in the EU.
Czech Republic (NYU Prague)
Jiri Pehe, Site Director
Male Namesti #2
Prague, CZ 1100 00
+420 2 2422 6874
France (NYU Paris)
Valerie Michelin, Associate Director
57 Boulevard St. Germain
Paris, FR 75005
+33 1 5373 21812
Germany (NYU Berlin)
Gabriella Ekmektsoglou, Site Director
Schönhauser Allee 3
Berlin DE 10435
+49 30 290291006
Greece (NYU Athens)
34 Tsakalof Str., Kolonaki 106 73, Athens
Italy (NYU Florence)
Lorenzo Ricci, Site Director
Villa La Pietra
120 Via Bolognese
Florence IT 50139
+39 055 5007 205
120 Via Bolognese
Florence IT 50139
+39 055 5007 201
The Office for Personal Data Protection
Urad pro ochranu osobnich udaju Pplk. Sochora 27 170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30 53117 Bonn
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
Jurisdiction for complaints is split among different data protection supervisory authorities in Germany. Competent authorities can be identified according to this list.
Agencia de Protección de Datos
C/Jorge Juan, 6 28001 Madrid
Tel. +34 91399 6200
Fax +34 91455 5699
Commission Nationale de l'Informatique et des Libertés - CNIL
8 rue Vivienne, CS 30223 F-75002 Paris, Cedex 02
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121 00186 Roma
Tel. +39 06 69677 1
Fax +39 06 69677 785
The Information Commissioner’s Office
Water Lane, Wycliffe House Wilmslow - Cheshire SK9 5AF
Tel. +44 1625 545 745
This list is provided for your reference, but you may file a complaint with the data protection authority in any Member State where you habitually work, live, or believe an infringement of EU data protection law occurred. You may consult a list of data protection authorities.