IIE Privacy Statement
IIE is committed to the preservation of privacy and the integrity of personal data of people engaging with us. IIE strives to comply with applicable personal data protection laws, and we are continuously improving our data protection policies and procedures. We welcome your feedback through the Data Subject Request Portal.
In addition to the English language, this Statement is offered in Spanish, Portuguese, French, Arabic, Mandarin Chinese, and Japanese for global convenience.
IIE’s Privacy Statement is designed to provide transparency into our privacy practices and principles in a way that people can navigate, read, and understand.
Please read the IIE Privacy Statement carefully as it details the ways in which IIE may process your personal data. Please note that what data IIE processes and how that data is processed may vary by program and/or by your engagement with IIE. This statement does not apply to how third parties define personal data or how they process it. We encourage you to read their privacy statements and know your privacy rights before interacting with them.
Effective Date
May 23, 2023
Note on Changes to This Statement
We reserve the right to change this Statement and any other relevant policies or procedures at any time without notice to you. If you continue to engage with IIE including accessing or using IIE Websites after this Statement has changed, we consider you to have accepted any changes made. We will always keep this Statement up to date on this website, where it is available to the public and accessible at any time. We recommend revisiting and reviewing this Statement regularly to ensure that you understand how we may be processing your personal data.
Definitions
- People refers to identifiable natural persons.
- Personal Data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data Controller: The entity that determines the purposes and means of Processing Personal Data.
- Data Processor: The entity that Processes Personal Data on behalf of the Data Controller.
- To Process or Processing: Receiving, sending, storing, referencing, accessing, or otherwise using Personal Data in any way that falls under the scope of applicable data privacy laws and regulations, including any relevant international, state, or local laws.
- IIE Websites refers to websites managed by IIE on behalf of its own operations or sponsors.
Personal Data Categories
| Personal Data Category | Personal Data Category Examples/Description |
|---|---|
| Identifiers, Online Identifiers, Personally Identifiable Information (PII) | Name, Email Address, Contact Details, Passport Number, Government Issued Identification, Age, Bank Account Number, Credit Account Number |
| Protected Classifications, Special Categories of Personal Data, Sensitive Personal Information/Data, Health Data | Gender, Sexual Orientation, Racial/Ethnic Origin, Family Structure data, Health, Criminal Convictions or Offenses, Political, Religious or Philosophical Beliefs, Trade Union Membership, Preferences, Opinions, Intentions, Interests, Bank Account data, Income |
| Internet or Other Electronic Activity | Internet Browsing/Search History, Cookies, Application/Website Access Location and Interaction, Employee Time and Geolocation Related to use of Internet Website, Application or Physical Access to IIE Office |
| Sensory | Photographs, Audio, Electronic, Visual Recordings – usually during program engagement or employment |
| Professional, Employment, Education related information | Work History, Job Titles, Salary, Evaluations, References, Interviews, Certifications, Education Records, Transcripts, School Attended |
| Inferences | Any data drawn from the categories referenced above to create a profile about an employee reflecting the employee’s characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes |
Who are the Data Subjects and what personal data is processed by IIE?
Please note that these categories may overlap in some cases.
| Data Subject | Data Subject Description | Personal Data Category | Source of the Personal Data |
|---|---|---|---|
| People who visit IIE Websites | People who access or provide data to or engage in any way with IIE Websites |
| People who visit IIE Websites |
| People who receive marketing communications from IIE | People who have provided their data for the purposes of receiving promotional and marketing materials from IIE |
| People who visit IIE Websites, attend IIE events or provide their personal data to IIE in another way |
| People who represent Business Partners | IIE processes personal data of individuals and representatives of organizations who do business with IIE such as sponsors, donors, members, vendors, service providers, other partners and potential partners |
| People who represent Business Partners |
| People who engage with IIE Programs | People who engage with IIE programs funded either by sponsors or by IIE itself. Examples include: Fulbright, Gilman, Boren, Techwomen, Scholar Rescue Fund, Artist Protection Fund and the Student Emergency Initiatives |
| Refer to: With whom does IIE receive or share personal data associated with the program lifecycle? |
| Job Applicants and People who are Internal to IIE | Job applicants, employees, including temporary employees and interns, volunteers, members of the Board of Trustees, and Officers |
| Refer to: With whom does IIE receive or share personal data of Job Applicants and People Who are Internal to IIE? |
What is the basis upon which IIE processes personal data?
IIE processes personal data needed to pursue our legitimate interests or the legitimate interests of others. In most cases, IIE also processes personal data based upon contractual agreements. Provided that the legitimate interests below are not overridden by the interests or fundamental rights or freedoms of the people who are engaging with IIE, personal data may be processed:
- when entering or carrying out a contract with you and/or a program sponsor to administer a program;
- when entering or carrying out a contract with you to provide a service to IIE or for IIE to provide a service to you;
- when entering or carrying out an employment relationship with you;
- when investigating any complaints received from you or from others, about us, or our service providers; or
- in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation).
Confidentiality and Data Access Controls
Your personal data processed under this Statement is shared with respective personnel on a need-to-know basis and/or as necessary to provide the services you requested.
Data Security and Incident Response
IIE has security procedures regarding the processing of personal data.
We have designed our security procedures to ensure the security, integrity, and privacy of your personal data against unauthorized access or unauthorized alteration, disclosure, or destruction. We use reasonable security controls for handling all categories of personal data, including sensitive personal data. We update and test our systems and processes on a routine basis. These measures and requirements are compliant with the guidelines set forth under applicable laws.
If IIE discovers a security incident that impacts personal data, we have dedicated people, processes, and technology in place to investigate, analyze and execute appropriate response actions and remediation. We analyze these facts – in the context of applicable laws, regulations, contractual obligations, and IIE’s commitment to data privacy – to determine whether incident notification is required for affected individuals, or other relevant parties such as sponsors or regulators. IIE will comply with all applicable laws that require security incident notification without undue delay.
While we undertake reasonable efforts to prevent unauthorized access, alteration, disclosure or destruction to personal data, we cannot ensure or warrant the security of data you transmit to us, data provided online, or data stored by us or our service providers. Personal data is submitted at your own risk. We are not liable for disclosures of your personal data due to errors in transmission or the acts of our service providers or other third parties, which means that you accept all risks associated with any data transmission and Internet usage, including the risk that your personal data may be intercepted in-transit.
Data Storage and Retention
Your personal data is stored by IIE on its servers and on the servers of cloud-based, third-party hosting and service providers with whom IIE engages.
IIE retains personal data for as long as necessary for the purposes described in this Statement. The period for which we retain personal data is determined by the type of data, the data subject type to whom the data relates, and the purposes for which the data was processed.
The length for which IIE retains personal data is further determined by applicable legal and regulatory requirements, contractual obligations, purposes of safety, security, and fraud prevention, or by issues relating to an unresolved claim or dispute.
IIE will save your personal data under the following circumstances:
- for as long as it is necessary and relevant to perform the purposes for which the data was processed, depending on the legal basis for which that data was processed,
- until we have no further legitimate interest in the data and/or a claim may be made in relation to our professional relationship with you
- until you withdraw your consent OR
- where legal/regulatory obligations mandate that we retain your personal data.
We may retain some or all personal data for purposes of business analytics, record-keeping, contractual obligations or legal purposes, to enforce our Terms and Conditions, or as a result of such information being stored on our systems through routine backup or archival processes.
Please note that IIE is not responsible for removing your personal data from the lists or systems of any third-party not connected to us who has previously been provided your data in accordance with this Statement.
Note on International Transfers of Personal Data
IIE is a global organization and may transfer personal data across national borders to other countries, in compliance with the laws that apply to that data, to perform processing activities such as those described in this Statement. Where required by law, we have put in place appropriate mechanisms (such as standard contractual clauses) to adequately protect personal data that we transfer across borders. IIE complies with laws on the transfer of personal data between countries to help ensure your data is protected, wherever it may be.
Please refer to the appropriate data subject notice based on how you are engaging with IIE to understand the purposes and types of personal data we process, how we share your personal data and your privacy rights.
People Who Visit IIE Websites
IIE Websites includes this website and any other websites that IIE maintains on behalf of program sponsors. Please refer to our Terms and Conditions.
Personal Data and Its Purposes of Processing on IIE Websites
Website Interaction Logs
IIE Websites automatically collect certain information and store it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system, and other usage information about the use of the IIE Websites, including a history of the pages you view. We may use this information to help us design our site to better suit your needs. We may also use your IP address to help diagnose problems with our server and to administer our IIE Websites, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying your preferences.
IIE has a legitimate interest in understanding how people engage with IIE Websites. This assists IIE with providing more relevant content, communicating value to our participants, sponsors, and corporate members, and providing appropriate staffing to meet stakeholder needs.
Cookies
When you visit an IIE Website, the site may ask your browser to store a small piece of data (text file) called a cookie on your device to remember information about you, such as your login information or user preferences. IIE may also use cookies to determine the popularity of content and analyze site traffic and trends. Those cookies are set by IIE and called first-party cookies.
We may also use third-party cookies, which are cookies from a domain different than the domain of the website you are visiting, for advertising and marketing efforts, to deliver and measure the effectiveness of advertising campaigns, and generally understand the online behaviors and interests of people who demonstrate interest with IIE Websites. These entities may use cookies, web beacons, software development kits, and other technologies to identify the devices used by visitors to IIE Websites, as well as when they visit other online sites and services.
IIE has constructed the Cookie Policy that describes the cookies used on this website and provides information on how users can accept or reject them. Please refer to the cookie policy of any other IIE Website you are visiting for more information specific to that website.
How to Control and Delete Cookies
Consent Tool
You can access the cookie consent tool for this website anytime from the Cookie Settings link on the Cookie Policy page. Each of the IIE Websites provide this same capability.
Using Your Browser
Many of the cookies used on our IIE Websites can be enabled or disabled via our consent tool or by disabling the cookies through your browser. To disable cookies through your browser, follow the instructions usually located within the “Help,” “Tools” or “Edit” menus in your browser. Please note that disabling a cookie or category of cookies does not delete the cookie from your browser unless manually completed through your browser function.
Other Personal Data Processed
You may visit IIE Websites without being required to provide your name, email address or other personal data. Some features of IIE Websites may include features or services that permit you to enter personal data.
When you communicate your personal data to us through IIE Websites, we will inform you at each collection point what data is required and the purpose of its collection. You can choose not to enter some or all personal data, but if you do so, we may not be able to adequately respond to your inquiry, communicate further with you and/or provide requested services.
Depending on why and how you communicate with us via IIE Websites, we will use your personal data in the following way(s):
- To answer your questions and/or provide requested information if you inquire about IIE programs or services;
- To advise when we need your personal data to execute an agreement with you or your organization or to comply with a legal obligation if you inquire how your organization could support or work with IIE;
- To respond to your inquiry if you are a member of the public with questions about IIE employment and/or general inquiries;
- To verify your identity, organization and/or role if we are not yet familiar with you or your organization; or
- To share information about our programs, services, news and events if you opt-in to receive marketing communications. When you share your contact details for this reason, you will have consented that we may contact you for these purposes. We will only send you marketing communications based upon your consent.
Note on Public Forums
People who visit IIE Websites are solely responsible for the content they post online in public forums. Public forums may include, but are not limited to social media applications, chat rooms, bulletin boards, blogs or other publicly accessible forums that may be viewed and used by anyone with available access. Please be aware that when you voluntarily disclose and transmit personal data within a public forum, your personal data may be collected and used by others. We cannot control such uses of your personal data and by using such services, you assume the risk that whatever personal data you provide may be viewed and used by third parties.
You may withdraw your consent for IIE to use your personal data on Public Forums administered by IIE by amending or deleting your comment or by submitting a request via the Data Subject Request Portal. If you withdraw your consent, it will not change how we processed your personal data before you withdrew consent, but the comment will not be displayed in the future.
Note to Parents and Children
We comply with the Children’s Online Privacy Protection Act of the United States and similar laws around the world. IIE Websites are not specifically targeted to children, we do not actively solicit information from children, and we do not knowingly collect personal data from children without proper parental consent. Except in rare cases (such as an inquiry from a university student who is under the age of 18), IIE Websites are not intended for users under the age of 18. If you are under the age of 18, you may request that we remove any content you post to IIE Websites that can be accessed by another user. If you believe that we may have collected personal data from someone under the applicable age of consent without parental permission, please submit a request via the Data Subject Request Portal, and we will promptly address the issue.
With whom does IIE share your personal data?
We may share your personal data with:
- our IIE offices and affiliates
- our service providers and other third parties that make IIE Websites available, enhance its functionality or otherwise provide services to IIE or its service providers
- any other person or entity that we mention when you provide your personal data
- any other person or entity necessary for protecting the rights or safety of IIE or others
We will not share or otherwise distribute your personal data to others in ways different from what is disclosed in this Statement. We will not sell, market, or rent your personal data unless we receive your specific consent. Except as otherwise expressly stated in this Statement, we will release personal data to another person or company only with your consent or if required or permitted by law. If your personal data will be disclosed to any other recipients than are stated in this Statement, we will inform you at the time we collect your personal data and we will obtain your consent.
People Who Receive Marketing Communications from IIE
When you opt-in to receive marketing communications from us, you are granting consent for your personal data to be used to contact you by email, direct mail and/or phone to deliver personalized IIE Website experiences and to share information about relevant products, services, best practice information, industry news and events, funding needs, and/or send surveys or other information about products or services developed or provided by us or our business partners.
We will not give your personal data to another party to promote products or services directly to you without your specific consent.
If you opted-in to receive marketing emails, and you later decide you do not want to receive this correspondence from us, simply click the “Unsubscribe” link provided in that email message or reach out directly to the email sender and request that no more communications be sent to you.
Withdrawing your consent will not affect our use of the personal data prior to your withdrawal, but it signifies that we will not contact you in the future. There may be a brief delay between when you submit your request to “opt-out” and when it is processed and reflected in our systems, so you may continue to receive certain communications from us for a limited time after you unsubscribe. We apologize for any inconvenience and appreciate your patience.
Please note that we may continue sending non-marketing emails related to any account you have with us, any application you have submitted, or any transaction or agreement you have entered with us.
Except for personal data submitted as part of an application, purchase or donation, any communication or material you transmit to us by email or otherwise, including any data, questions, comments, suggestions, or the like, is, and will be treated as, non-confidential.
If you are not satisfied with the “Opt-Out” options, please submit a request via the Data Subject Request Portal, and we will promptly address the issue.
People who Represent Business Partners (Individuals & Representatives of Organizations)
IIE values its business relationships and processes personal data of Business Partners for contractual reasons. If any IIE business partner feels that this is not reflected in our business practices, please submit a request via the Data Subject Request Portal, and we will promptly address the issue.
We will not sell, market, or rent your personal data unless we receive your specific consent. We will not send you mailings on behalf of other organizations unless requested.
We may collect professional contact details, payment information, billing address and other information necessary to process a gift, event registration, send payment or receive payment. We may share reports about progress, activities, and other program-related information.
We may use your data to comply with the law or in the good faith belief that such action is necessary to conform to the requirements of law or comply with legal process served on us.
If you access IIE devices, systems, and networks throughout the business relationship with IIE, the IIE Acceptable Use Policy applies to you. IIE systems users should have no expectation of privacy on IIE-managed devices, systems, and networks. Non-business use of IIE assets is strongly discouraged to maximize data protection by separating business data from personal data that is not needed to carry out the business relationship.
People Who Engage with IIE Programs
IIE is contracted by sponsoring organizations to carry out the administration of programs. The sponsoring organization funds and sets the high-level directive, goals, and purpose of the program. IIE manages some or all administrative operations of the program under the general direction of the sponsoring organization. The sponsoring organization may also carry out its own data processing.
People who engage with IIE programs are classified as one of the following Data Subject Types due to different data retention requirements according to the level of program engagement:
- Program Applicants with an Unsubmitted Application
- Program Applicants with Submitted Application but Not Selected to a Program
- Program Participants and Alumni
If you have questions or concerns, please use our Data Subject Request Portal.
What are the purposes for processing personal data associated with the lifecycle of a program?
IIE will only process personal data when it is necessary and required for the purposes listed or if you choose to provide it to us voluntarily.
Please note that the most common scenarios for IIE processing special categories of personal data are when we collect medical data in order to review your medical history to determine eligibility to participate in a program; your criminal history when we are required to run a background check; and information concerning minors, if you are bringing dependents with you and we are required to process their data for visa sponsorship or other purposes. In most cases we only process other types of sensitive information if you voluntarily provide it to us, such as referring to religious or political views in an application essay.
| Process | Process Description |
|---|---|
| Academic Review and Placement | Reading, reviewing, submitting, and or/analyzing applications for the purpose of matching a participant with a host institution, employer, or other entity. |
| Alumni Management | Managing data of participants whose programs have ended, including the production of statistical reports, alumni correspondence and organizing alumni events. |
| Application/Selection | Collecting and reviewing applications for the purpose of selecting potential program participants and/or notification of their selection for a program. Please note that IIE programs do not use automatic data processing for this process. |
| Background Check | Automated screening of government watch lists and background information for regulatory compliance purposes. |
| Emergency Management | Automated screening of government watch lists and background information for regulatory compliance purposes. |
| Event Management | Planning and/or executing events including registration, scheduling of participants, or any other event-related activities for purposes including program enrichment or external engagements by IIE. |
| Financial Management | Processing payment transactions to or from participants, vendors or other payees using a bank transfer such as ACH, wire payments, checks or other methods. |
| Financial Verification | Verifying availability of funds or income to cover program-related costs/expenses, financial need, or other financial requirements of a program. |
| Insurance/Health Benefit Enrollment and or Management | Enrolling a participant in a health benefit plan to ensure coverage for medical issues or emergencies. |
| Medical Review | Reviewing medical data for the purpose of determining visa eligibility, identifying any issues that could affect participation in a program or activity, or would require additional accommodations to be arranged. |
| Participant Agreements | Drafting, sending, or receiving an agreement document such as Terms of Agreement, Terms of Appointment, Program Contracts, or any other type of agreement document with program participants. |
| Participant Progress Management | Collecting and analyzing any academic, employment or other data to ensure a participant is meeting the requirements of a program or on track for successful completion of an award. |
| Program Evaluation | Reporting, exporting, or compiling of data for the purposes of understanding or evaluating the state of the program/participants, impact, or any other legitimate interest related to administering the program. |
| Program Promotion and Outreach | Promoting IIE and/or IIE programs, including soliciting applications to programs or email marketing. |
| Program Reporting | Producing and sharing reports about progress, activities, and other program-related information. |
| Record Creation/Management | Creating and maintaining a record in IIE’s systems, electronic or otherwise, to carry out the administration of a program. |
| Tax Assistance | Preparation or filing tax returns on behalf of IIE participants. |
| Travel Management | Panning or booking of domestic or international travel by IIE or vendors on behalf of IIE. |
| Visa Sponsorship | Creating, monitoring and/or maintaining a SEVIS/Visa Sponsorship record. |
With whom does IIE receive or share personal data associated with the program lifecycle?
We may send your personal data to or receive it from third parties to carry out the processes listed above. These third parties may include:
- Academic credential evaluation companies
- Educational testing services
- Academic and research institutions
- Employers
- Insurance and health providers
- Program and award sponsors
- Commissions and posts
- External interview panelists and award selection committees
- Travel management companies
- Background check and watchlist providers
- Translation services
- Governmental agencies
Additional third parties may include legal counsel representing IIE, courts, tribunals, regulators, government authorities and law enforcement officials if required by law or for IIE’s legitimate interest in compliance with applicable laws/regulations.
How does IIE respond to requests for deletion of program lifecycle personal data?
| Data Subject Type | Data Retention Comments | Response to Request for Deletion |
|---|---|---|
| Program Applicants with an Unsubmitted Application | Delete | |
| Program Applicants with Submitted Application but Not Selected to a Program | The duration of processing is determined by the sponsor and follows the U.S. government guidelines on data retention. | Anonymized; demographic information retained for analytics and/or research purposes |
| Participants and Alumni | The duration of processing is determined by the sponsor and follows the U.S. government guidelines on data retention. Additionally, IIE must retain all records related to the Inbound participants’ exchange visitor program for at least three years per U.S. Federal regulations. | Retain according to retention period. |
Job Applicants and People Who are Internal to IIE
Job Applicants and people who are internal to IIE consent to personal data processing as a part of their application and/or employment agreement.
People who use IIE devices, systems and networks should have no expectation of privacy on IIE-managed assets. Non-business use of IIE assets is discouraged to maximize data protection. IIE strongly recommends that business data be segregated from personal data to further protect employee personal data.
Please reach out to your HR Business Partner or submit a request at our Data Subject Request Portal if you have any questions or concerns.
What are the purposes for processing personal data of People Who Are Job Applicants or Internal to IIE?
IIE will only process personal data when it is necessary and required for the purposes listed or if you choose to provide it voluntarily.
| HR Personal Data Type | Process | Process Description |
|---|---|---|
| Benefits |
|
|
| Compliance | Monitor Eligibility to Work | Monitoring and ensuring compliance of ability to work in a certain location. |
| Compliance Family, Medical |
|
|
| Personnel |
|
|
| Recruitment |
| Employment-related background screening and checks along with federally mandated Affirmative Action Program reporting. |
| Systems |
|
|
With whom does IIE receive or share personal data of Job Applicants and People Who are Internal to IIE?
We may send your personal data to or receive it from third parties to carry out the processes listed above. These third parties may include:
- Employers
- Insurance and health providers
- Travel management companies
- Background check and watchlist providers
- Governmental agencies
- Employee file hosting provider
- Payroll provider
- Retirement provider
- Compliance and reporting consultants
- Employee engagement providers
Additional third parties may include legal counsel representing IIE, courts, tribunals, regulators, government authorities and law enforcement officials if required by law or for IIE’s legitimate interest in compliance with applicable laws/regulations.
How does IIE respond to requests for deletion of data of Job Applicants and People Who are Internal to IIE?
Please note that acknowledgement of the Acceptable Use Policy and employment-related personal data processing is a condition of employment.
| Data Subject Type | Data Retention Comments | Response to Request for Deletion |
|---|---|---|
| Job Applicants | Recruitment data shall be retained in an electronic format by IIE for three years. If the person is hired by IIE, the applicable retention event is the date of termination of the employment relationship. For all other data, the applicable retention event is the date of the personnel action involved or the date that the data was created or received by IIE, whichever is later. | Retain according to retention period. |
| People Who are Internal to IIE | The applicable Retention Event is the date of termination of the employment relationship.
| Retain according to retention period. |
You may submit inquiries to IIE regarding the processing of your personal data; may withdraw consent where you have originally provided it for the processing of your personal data; address other concerns regarding personal data that IIE processes in relation to our engagement, including requesting that your personal data be deleted.
There are some limitations, for example, if fulfilling your request would reveal personal data about another person, or if you ask us to delete information that we are required by law to keep or have legitimate interests to maintain. IIE may retain a record of the existence of our professional relationship, to the extent that and for so long as we are required to do so by law. For example, IIE will retain a record of your personal data deletion request to ensure that we comply with the request.
Please note that restrictions you impose on the use, disclosure or processing of your personal data may result in losing eligibility for certain services where processing that personal data is needed for your participation.
How to Exercise Your Data Subject Rights
Please submit your request using IIE’s Data Subject Request Portal. Once you have confirmed your email address, IIE will verify your identity and then process your request as soon as possible.
If you are dissatisfied with any aspect of IIE’s handling of your personal data, please contact us using the Data Subject Request Portal so we can try to address your concern.
How IIE Processes Data Subject Requests
After you submit your Data Subject Request, you will receive an email to the email address provided asking you to confirm your email address. If your email is not confirmed, IIE will not process your Data Subject Request.
Once the email address is confirmed, IIE will route the request to the appropriate team to perform Identity Verification to confirm your identity and confirm that IIE is processing your personal data.
IIE will then address your request appropriately. You will receive all notifications and communication through the IIE Privacy Portal.
Contact Us
IIE Data Protection Officer/Grievance Officer
Institute of International Education, Inc.
One World Trade Center, 36th Floor
New York, NY 10007
Privacy@iie.org