The European Union General Data Protection Regulation (GDPR)

Grand Valley State University

Registrar’s Office

GDPR Privacy Notice and Request for Consent

The European Union General Data Protection Regulation, or GDPR (EU 2016/679), is a regulation concerning the collection, protection, and processing of personal data provided by an individual ("data subject") while in a European Union Member State, regardless of citizenship or residency.  Therefore, the terms and conditions contained in the Regulation and detailed in this Notice only apply while an individual is physically present in one of the EU Member States.  Complete information is available on the European Commission website.

Grand Valley State University continues to be committed to conducting the collection and processing of personal data with integrity and in compliance with applicable data protection laws.  This Privacy Notice, required under the GDPR, presents information about how the University collects, uses, and protects personal data you provide as an enrolled student.

General Data Protection Regulation (GDPR) Details

Grand Valley State University serves as the Data Controller and determines the purposes and means of processing your personal data.  The individual below serves as the primary contact for GDPR compliance related to the academic records for enrolled students and is responsible for responding to questions about this Notice and requests to exercise a data subject's rights.

Pam Wells, University Registrar
Registrar’s Office
150 Student Service Building
1 Campus Drive,
Allendale MI 49401
[email protected]
(616) 331-3327

The Registrar’s office collects your personal data for creating and maintaining records related to your academic progress at Grand Valley State University. 

Student data collected by the Registrar’s Office is shared in accordance with our Family Educational Rights and Privacy Act (FERPA) policies. Grand Valley State University shares academic education records without a student’s prior written consent under the FERPA exception for disclosure to university officials with legitimate educational interests. A University official typically includes a person employed by the University in an administrative, supervisory, academic, research, or support staff position (including law en­forcement unit personnel and health staff); a person serving on the board of trustees; or a student serving on an official committee, such as a disciplinary or grievance com­mittee. A University official also may include a volunteer or contractor outside of the University who performs an institutional service of function for which the University would otherwise use its own employees, and who is under the direct control of the school with respect to the use and maintenance of personally identifiable information from education records, such as an attorney, auditor, or collection agent, or a student volunteering to assist another school official in performing his or her tasks.  A University official typically has a legitimate educational interest if the official needs to review an educa­tion record in order to fulfill his or her professional responsibilities for the University.

FERPA Directory-level Information is information the University can release without the prior written consent of the student.  GVSU FERPA directory information includes name, local phone number and email address, dates of attendance, enrollment status, degrees and certificates and date earned, and major(s).  Full directory information is restricted to the National Student Clearinghouses DegreeVerify and EnrollmentVerify Services and other uses by the University and its contractors for carrying out the university’s mission. Otherwise only name and email address will be included. 

Students have the option to prohibit the release of your directory information under FERPA. To exercise this option, student must complete the Directory Information Release/Withhold Form.

Data is retained in accordance with University policy and as required under applicable U.S. laws and regulations. 

Sensitive data will be processed only as needed for University business purposes and in compliance with any applicable mandatory provision of the GDPR.

While in the EU, you will be able to exercise your rights as a data subject described in Article 15-22 of the GDPR:  right of access to your personal data, right to correct that data, right to have the data erased, right to restrict processing, right to data portability, right to object to processing, right to withdraw consent, the right not to be subject to automated decision-making, and the right to lodge a GDPR-related complaint with an EU Supervisory Authority. Please note that the University is subject to federal and state laws, including but not limited to the Family Educational Rights and Privacy Act, that may require that we request, process, retain, and report on certain types of data.  These legal obligations may also affect actions we would be permitted to take in response to a request to exercise your GDPR data rights, especially the right to have your data erased.

If the requested data is not provided, we cannot create or maintain accurate academic records which could affect your ability to enroll at Grand Valley State University.

The University has put in place reasonable physical, technical, and administrative safeguards designed to prevent unauthorized access to or use of information collected online. 

Page last modified March 17, 2021