The Foundation has updated its policies regarding the recording and use of personal data for individuals residing in the U.K. and the European Union, in compliance with the General Data Protection Regulation 2016/679 (“GDPR”).
If you are an individual residing in the U.K. or the EEA, please visit our Privacy Form to provide us with your communications preferences, or email or write to us at the addresses listed above.
Our privacy policy (the “Policy”) explains the categories of personal data we collect when you visit https://www.fororegonstate.org/ or any other online platforms owned and operated by the Foundation (detailed in our Policy as the “Sites”), or when you otherwise interact at all with the Foundation (collectively with the Sites, the “Services”). The Policy informs you about our practices for collecting, using, retaining and protecting your personal data and your rights to ensure proper management of this information.
For our users located in the EEA and the U.K., we must have a valid legal basis in order to process your personal data. Generally speaking, the main legal bases under the GDPR that justify our collection and use of your personal data are:
- Performance of a contract: when your personal data is necessary to enter into or perform our contract with you
- Consent: when you have consented to our use of your personal data via a consent form (online or offline)
- Legal obligation: when we need to use your personal data to comply with our legal obligations
- Legal claims: when your personal data is necessary for us to defend, prosecute or make a claim
- Legitimate interests: when we use your personal data to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights
Below are the general purposes and corresponding legal bases (in italics) for which we may use your personal data:
Personal Data Category | Purpose | Legal Basis |
Identifiers. (e.g., name, email address, phone number, address, official identification information, employment information, relationship to OSU, birth date, marital status and other personal background information) | To process donations and issue tax receipts | Performance of a contract |
Community Services/Events | Legitimate interest: to host, organize and/or sponsor fundraising events and community programming, based on legitimate interests in supporting OSU and fostering effective donor engagement. | |
To engage potential donors | Legitimate interest: to understand donor interests, manage relationships and tailor services based on legitimate interests in supporting OSU and fostering effective donor engagement. | |
To develop and maintain donor profiles | Performance of contract | |
Tax, compliance, employment, litigation and other legal rights and obligations | Legal obligation | |
To feature donors, alumni, staff, faculty, students and community members in promotional materials. | Consent | |
Financial Information (e.g., financial background information, including estimated expenses, total revenue and parental financial information) | To process donations | Performance of a contract |
To develop and maintain donor profile | Performance of a contract | |
Tax, compliance, employment, litigation and other legal rights and obligations | Legal obligation | |
Data Subject Submitted Content (e.g., interactions with the Foundation through social media and/or survey responses) | To provide or improve Services | Legitimate interest: to process user-submitted content, based on legitimate interests in enhancing community engagement, improving Services and advancing organizational goals through feedback and public contributions in accordance with the Foundation’s mission. |
Tax, compliance, employment, litigation and other legal rights and obligations | Legal obligation | |
Photo and Video (e.g., identifiers and/or sensitive data) >/em> | Community Services/Events | Legitimate interest: to document and promote community services and events through photography and videography, based on legitimate interests in fostering community engagement, preserving such activities and enhancing public awareness of the Foundation’s initiatives in accordance with the Foundation’s mission. |
To feature donors, alumni, staff, faculty, students and community members in promotional materials | Consent | |
Security | Legitimate interest: (1) fraud prevention; (2) for the proper functioning of our Services and (3) to protect stored personal information from unlawful, accidental and/or malicious actions or events. | |
Location Data (e.g., region, state/province and/or zip code) | Analytics | Consent |
Marketing | Consent | |
Security | Legitimate interest: (1) fraud prevention; (2) for the proper functioning of our Services and (3) to protect stored personal information from unlawful, accidental and/or malicious actions or events. | |
Online Identifiers (e.g., mobile types, mobile device type, browser type, IP address, unique identifiers, domain names, access times and geolocation information) | Analytics | Consent |
Marketing | Consent | |
Security | Legitimate interest: (1) fraud prevention; (2) for the proper functioning of our services and (3) to protect stored personal information from unlawful, accidental and/or malicious actions or events. | |
Internet Activity (e.g., time of website access, browsing activity and traffic data, including setting of non-essential cookies) | Analytics | Consent |
Marketing | Consent | |
Security | Legitimate interest: (1) fraud prevention; (2) for the proper functioning of our services and (3) to protect stored personal information from unlawful, accidental and/or malicious actions or events. | |
Special Category Data (e.g., racial, ethnic, religious, health-related information, sexual orientation and gender identity) | To accommodate disabilities at donor/community events | Explicit consent |
To develop and maintain donor profiles | Explicit consent | |
Review of applications for program or financial opportunities | Explicit consent |
Staying In Control of Your Personal Data: Your Rights
If you are in the EEA or the U.K., you have certain rights in relation to your personal data:
- The right to be informed: our obligation to inform you that we process your personal data
- The right of access: your right to request a copy of the personal data we hold about you (also known as a ‘data subject access request’)
- The right to rectification: your right to request that we correct personal data about you if it is incomplete or inaccurate
- The right to erasure (also known as the ‘right to be forgotten’): under certain circumstances, you may ask us to delete the personal data we have about you (unless it remains necessary for us to continue processing your personal data for a legitimate business need or to comply with a legal obligation as permitted under the GDPR, in which case we will inform you)
- The right to restrict processing: your right, under certain circumstances, to ask us to suspend our processing of your personal data
- The right to data portability: your right to ask us for a copy of your personal data in a common format (for example, a .csv file)
- The right to object: your right to object to us processing your personal data (for example, if you object to us processing your data for direct marketing)
- Rights in relation to automated decision-making and profiling: our obligation to be transparent about any profiling we do, or any automated decision-making
- The right to lodge a complaint at any time to the supervisory authority for data protection issues in your country of residence – however, we ask that you please contact us first so that we can first address your concerns.
These rights are subject to certain rules around when you can exercise them.
If you are located in the EEA or the U.K. and wish to exercise any of the rights set out above, you may contact us at privacy@osufoundation.org. You will not have to pay a fee to access your personal data (or to exercise any of the other rights) unless your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request under those circumstances.
We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. If we cannot reasonably verify your identity, we will not be able to comply with your request(s).
Personal Data Transfers
Service Provider | Personal Data Category | Geographic Specificity | Adequacy Decision | Functional Description | Safeguards | Data Processing Role |
Identifiers, online identifier and internet activity | Ireland | Yes | Social Media Platform | Joint controller addendum: https://legal.linkedin.com/pages-joint-controller-addendum | Joint Controller | |
Meta | Identifiers, online identifier and internet activity | Ireland | Yes | Social Media Platform | Joint controller addendum: https://www.facebook.com/legal/controller_addendum | Joint Controller |
X | Identifiers, online identifier and internet activity | Ireland | Yes | Social Media Platform | Joint controller addendum: https://gdpr.x.com/en/controller-to-controller-transfers.html | Joint Controller |
YouTube | Identifiers, online identifier, and internet activity | Ireland | Yes | Social Media Platform | Joint controller addendum: https://business.safety.google/controllerterms/ | Joint Controller |
Act-On | Identifiers, professional information, online identifiers, interaction data and user generated data | United States | No | Marketing automation platform | Data Processing Addendum: https://act-on.com/data-processing-addendum/ | Processor |
AHI-Travel | Identifiers, travel information | United States | No | Tour operator, specializing in alumni travel | Processor | |
CaringCent | Identifiers | United States | No | Microdonation platform | Processor | |
Double the Donation | Identifiers | United States | No | Matching gift platform | Processor | |
Ellucian | Identifiers | United States | No | SaaS provider | Processor | |
Eventbrite | Identifiers, purchasing history | United States | No | Event management platform | Data Processing Addendum: https://www.eventbrite.com/help/en-us/articles/429030/data-processing-addendum-for-organizers/ | Processor |
EverTrue | Identifiers, employment information, social media | United States | No | Fundraising software | Processor | |
HundredX | Identifiers | United States | No | Feedback platform |
| Processor |
Fundmetric | Identifiers | United States | No | Fundraising platform |
| Processor |
Bonterra | Identifiers | United States | No | Fundraising platform | Data Processing Addendum: bonterra-data-processing-addendum-dpa-2.pdf | Processor |
Graduway | Identifiers, event registration information | United States | No | Alumni relations platform |
| Processor |
Ascent 360 | Identifiers, travel information | United States | No | Tour operator |
| Processor |
Gohagan Travel | Identifiers, travel information | United States | No | Tour operator |
| Processor |
Lindblad Expeditions | Identifiers, travel information | United States | No | Travel company |
| Processor |
Nasdaq | Identifiers | United States | No | Financial services |
| Processor |
Odysseys Unlimited | Identifiers | United States | No | Tour group operator |
| Processor |
Paciolan | Identifiers, purchase history | United States | No | CRM solution for athletics |
| Processor |
PG Calc | Identifiers, financial information | United States | No | Planned giving software |
| Processor |
Premier World Discovery | Identifiers, travel information | United States | No | Tour operator |
| Processor |
Progress | Identifiers, online identifiers, internet activity | United States | No | Software development |
| Processor |
SmartSoft / Data Tech | Identifiers | United States | No | Data verification |
| Processor |
Sports & Entertainment Travel, LLC | Identifiers, travel information | United States | No | Travel provider |
| Processor |
Salesloft | Identifiers, communication data | United States | No | Sales engagement platform | Data Processing Addendum: https://www.salesloft.com/legal/data-processing-addendum | Processor |
VoterVoice | Identifiers, legislative district information | United States | No | Digital advocacy platform | Data Processing Addendum: https://fiscalnote.com/fiscalnote-customer-data-eu-uk | Processor |
AudienceView | Identifiers, attendance history | United States | No | Software for live entertainment | Data Processing Addendum: https://audienceview.com/legal/data-processing-addendum/ | Processor |
Personal Data Retention
For personal data retention information, please see our Personal Data Retention Practices section.
Automated Decision-Making
The Foundation does not use automated decision-making without human intervention, including profiling, in a way that produces legal effects concerning you or that otherwise significantly affects you.
Our Contact Information
Should you have other questions or concerns about our EEA and U.K. Privacy Addendum or our Policy, please contact us at the information provided in our Who We Are and How to Contact Us section.