Effective Date: 04/10/2020
CMU is the controller of the personal data collected through the Research Study. Any questions or concerns regarding CMU’s privacy and data protection practices can be directed to our Data Protection Officer, Melanie Lucht, Associate Vice President and Chief Risk Officer, at GDPRfirstname.lastname@example.org.
Our goal is to develop a voice-based testing system for COVID-19.
Please note that this Research Study is gathering information for research purposes only. We are not providing you with any health advice or diagnosing if you have COVID-19.
CMU collects data to provide the Research Study in which you have agreed to participate, ease your navigation on our websites, and communicate with you. You provide some of this information directly, such as when you register for the Research Study. Some of the information is collected through your interactions with the Research Study. We collect such data using technologies like cookies and other tracking technologies, error reports, and usage data collected when you interact with CMU services running on your device.
The data we collect depends on the degree to which you participate in the Research Study and includes the following:
Identifiers. Such as Internet Protocol address, email address, account user name, or other similar identifiers.
Protected classification characteristics. Such as age (40 years or older), race, color, ancestry, national origin, medical condition, physical or mental disability, sex, and medical conditions.
Health information. Such as health status, medical conditions, smoking status, symptoms, diagnoses (including COVID-19 diagnosis), and other similar information.
Internet or other similar network activity. Such as browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
Sensory data. Such as audio (including voice recordings), electronic, visual, thermal, olfactory, or similar information.
Inferences drawn from other personal information. Such as profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, and aptitudes.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data for the following lawful purposes:
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where it is required or permitted by law.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
|Purpose/Activity||Categories of Data||Lawful Basis for Processing|
|To manage our relationship with you, which will include:|| ||Performance of an applicable contract|
|To maintain your user account information and authenticate you.|| ||Performance of an applicable contract|
|To conduct scientific research.|| ||Necessary for our legitimate interests (to conduct scientific research under the Research Study)|
|To administer and protect our services and the Research Study (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data, preventing fraud and abuse)|| ||Necessary for our legitimate interests (for running the Research Study, provision of administration and IT services, network security, and to prevent fraud and abuse)|
|To use data analytics to improve our services, user relationships and experiences|| ||Necessary for our legitimate interests (to keep our services updated and relevant, and to promote adoption and use of our services)|
We may provide your personal data to:
We will access, disclose and preserve personal data, when we have a good faith belief that doing so is necessary to:
Please note that the Research Study may direct you to services of third parties whose privacy practices differ from CMU’s. If you provide personal data to any of those services, your data is governed by their privacy statements or policies. Carnegie Mellon University is not responsible for the privacy practices of these other websites. Please review the privacy policies for these websites to understand how they process your information.
Security of Personal Data
CMU is committed to protecting the security of your personal data. Depending on the circumstances, we may hold your information in hard copy and/or electronic form. For each medium, we use technologies and procedures to protect personal data. We review our strategies and update as necessary to meet our business needs, changes in technology, and regulatory requirements.
These measures include, but are not limited to, technical and organizational security policies and procedures, security controls and employee training.
We may suspend your participation in all or part of the Research Study without notice if we suspect or detect any breach of security, abuse, or illegal or questionable activity. If you believe that information you provided to us is no longer secure, please notify us immediately using the contact information provided below.
If we become aware of a breach that affects the security of your personal data, we will provide you with notice as required by applicable law. To the extent permitted by applicable law, CMU will provide any such notice that CMU must provide to you at your account’s email address. By participating in the Research Study, you agree to accept notice electronically.
Storage and Transfer of Personal Data
CMU also collaborates with third parties such as cloud-hosting services and suppliers located around the world to serve the needs of our business, workforce, and users. In some cases, we may need to disclose or transfer your personal data within CMU or to third parties in areas outside of your home country. When we do so, we take steps to ensure that personal data is processed, secured, and transferred according to applicable law.
If you would like to know more about our data transfer practices, please contact our Data Protection Officer at GDPRemail@example.com.
Retention of Personal Data
CMU retains personal data in a form which permits identification of data subjects for as long as necessary to conduct the Research Study and fulfill the transactions you have requested, or for other business purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. We are required by law to keep some types of information for certain periods of time (e.g., statute of limitations).
CMU respects your right to access and control your personal data. You have choices about the data we collect. When you are asked to provide personal data that is not necessary for the purposes of the Research Study, you may decline. However, if you choose not to provide data that is necessary to conduct the Research Study, you may not be able to participate in the Research Study.
We aim to keep all personal data that we hold accurate, complete and up-to-date. While we will use our best efforts to do so, we encourage you to tell us if you change your contact details. If you believe that the information we hold about you is incorrect, incomplete or out-of-date, please contact GDPRfirstname.lastname@example.org.
Access to personal data. In some jurisdictions, you have the right to request access to your personal data. In these cases, we will comply, subject to any relevant legal requirements and exemptions, including identity verification procedures. Before providing data to you, we will ask for proof of identity and sufficient information about your interaction with us so that we can locate any relevant data. We may also charge you a fee for providing you with a copy of your data (except where this is not permissible under local law). Our account system also currently enables you to download a copy of the data we currently have collected from you through the Research Study.
Correction and deletion. In some jurisdictions, you have the right to correct or amend your personal data if it is inaccurate or requires updating. You may also have the right to request deletion of your personal data. Our account system may enable you to directly delete information you have provided.
Portability. If you reside within the EU, you have the right to ask for a copy of your personal data and/or ask for it to be ported to another provider of your choice. Please note that such a request could be limited to only personal data you provided us with or that we hold at that given time and subject to any relevant legal requirements and exemptions, including identity verification procedures.
California Shine the Light Law: California Civil Code Section 1798.83 permits users who are California residents to obtain from us once a year, free of charge, a list of third parties to whom we have disclosed personal information (if any) for direct marketing purposes in the preceding calendar year. If you are a California resident and you wish to make such a request, please send an e-mail with “California Privacy Rights” in the subject line to GDPRemail@example.com or write us at: Carnegie Mellon University, Attention: Data Protection Officer.
While this information on its own may not constitute your “personal data”, we may combine the information we collect via Cookies with personal data that we have collected from you to learn more about how you use the Services to improve them.
Types of Cookies
We use session Cookies that expire once you log out or following a period of inactivity. To make it easier for you to understand why we need them, the Cookies we use on the Services can be grouped into the following categories:
Here is a representative list of the Cookies we use.
|CVD||session, session.sig||Strictly Necessary||1 day||Used for authentication|
|CVD||_csrf||Strictly Necessary||1 day||Used for authentication|
How to Control and Delete Cookies
Cookies can be controlled, blocked or restricted through your web browser settings. Information on how to do this can be found within the Help section of your browser. All Cookies are browser specific. Therefore, if you use multiple browsers or devices to access websites, you will need to manage your cookie preferences across these environments.
If you are using a mobile device to access the Services, you will need to refer to your instruction manual or other help/settings resource to find out how you can control Cookies on your device.
Please note: If you restrict, disable or block any or all Cookies from your web browser or mobile or other device, the Services may not operate properly, and you may not have access to the Services. CMU shall not be liable for any impossibility to use the Services or degraded functioning thereof, where such are caused by your settings and choices regarding Cookies.
To learn more about Cookies, visit www.allaboutCookies.org
Do Not Track
Some web browsers (including Safari, Internet Explorer, Firefox and Chrome) incorporate a “Do Not Track” (“DNT”) or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many website operators, including CMU, do not respond to DNT signals.
IF YOU ARE UNDER THE AGE OF 18, DO NOT USE THE SERVICES.
The Research Study is intended for individuals who are at least 18 years old. Consistent with the requirements of the U.S. Children’s Online Privacy Protection Act, if we learn that we received any information directly from a child under age 13 without his or her parent’s verified consent, we will use that information only to inform the child (or his or her parent or legal guardian) that he or she cannot participate in the Research Study.
California Minors: If you are a California resident who is under age 18 and you are unable to remove publicly-available content that you have submitted to us, you may request removal by contacting us at: GDPRfirstname.lastname@example.org. When requesting removal, you must be specific about the information you want removed and provide us with specific information, such as the URL for each page where the information was entered, so that we can find it. We are not required to remove any content or information that: (1) federal or state law requires us or a third party to maintain; (2) was not posted by you; (3) is anonymized so that you cannot be identified; (4) you don’t follow our instructions for removing or requesting removal; or (5) you received compensation or other consideration for providing the Content or information. Removal of your content or information from the Research Study does not ensure complete or comprehensive removal of that content or information from our systems or the systems of our service providers. We are not required to delete the content or information posted by you; our obligations under California law are satisfied so long as we anonymize the content or information or render it invisible to other users and the public.
If you reside within the EU you may be entitled to other rights under the GDPR. These rights are summarized below. We may require you to verify your identity before we respond to your requests to exercise your rights. If you are entitled to these rights, you may exercise these rights with respect to your personal data that we collect and store:
You may exercise these rights free of charge. These rights will be exercisable subject to limitations as provided for by the GDPR. Any requests to exercise the above-listed rights may be made to: GDPRemail@example.com.
If you reside within the EU, you have the right to lodge a complaint with a Data Protection Authority about how we process your personal data at the following website: https://edpb.europa.eu/about-edpb/board/members_en.
Processing EU Personal Data
In the event that your personal data is subject to the GDPR, we will only use your personal data for the original purpose for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your EU personal data for an unrelated purpose, we will notify you and we will explain the legal basis, which allows us to do so. We require third parties to only use your EU personal data for the specific purpose for which it was given to us and to protect the privacy of your personal data. If your personal data is no longer necessary for the legal or business purposes for which it is processed, we will generally destroy or anonymize that data.
International Transfers of Personal Data
Whenever we transfer your personal data out of the EU, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
|Mail:||Attention: Legal Department, Carnegie Mellon University, Data Protection Officer, 5000 Forbes Ave., Pittsburgh, PA 15213|
If you are not satisfied with our answer or how CMU manages your personal data, you may also have the right to make a complaint to a data protection regulator. If you reside within the EU, a list of National Data Protection Authorities can be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.