Additional Privacy Disclosures
1. Introduction
These Additional Privacy Disclosures (“Disclosures”) provide information on collection and use of personal data about individuals located in a Relevant Region (as defined below) and supplement the Harvard Business School Online Privacy Notice (“Privacy Notice”). Any capitalized terms not defined in these Disclosures are defined in the Privacy Notice.
In these Disclosures,
- “Harvard Entity” means a Harvard University school, center, or other Harvard unit or Harvard-controlled entity.
- “In-scope Processing” means the collection, use, handling, processing or sharing of Personal Data by a Harvard Entity when those activities are within the scope of any Relevant Law.
- “Relevant Law” means any personal data protection law applicable to individuals located outside the U.S. that applies to the processing of Personal Data by a Harvard Entity.
- “Relevant Region” means a country or U.S. state which has enacted a Relevant Law.
These Disclosures apply only to In-scope Processing. Please note that, depending on the situation, some processing of personal data described below may, in a given case, not constitute In-scope Processing as that term is used in these Disclosures.
These Disclosures concern In-scope Processing by any means, including hardcopy (such as paper applications or forms) and electronic means (such as websites and mobile applications).
What Personal Data Do We Collect?
Please see our Privacy Notice for details on the personal data we collect.
What is the Purpose of Processing?
Please see our Privacy Notice for details on our purposes of processing personal data.
What is Our Legal Basis of Processing?
Where a Relevant Law requires a legal basis to process your Personal Data, we have adopted the following legal bases as recognized by the Relevant Laws:
- to pursue our legitimate interests (for example, providing educational offerings and evaluating your performance; responding to your inquiries; conducting advertising and promotions; research and development; and security and optimization of our Services and Websites);
- to process transactions requested by you and meet our contractual obligations (for example, registering you for an online education course; processing your payments; delivering our Services; and evaluating your performance);
- as necessary for compliance with a legal obligation (for example, responding to a subpoena or government information request; maintaining legally-required financial records; maintaining legally-required education records; and instituting litigation holds in response to threatened or actual claims); or
- on the basis of your consent, where applicable (for example, to provide you with certain marketing communications or to process certain special categories of personal data).
We may apply more than one legal basis to the processing activities described under the Purposes of Processing and the types of Personal Data identified above. For example, in our processing of payment information, we may rely on the legal bases of “performance of contract” in order to fulfill our contract with you to provide Services and on “compliance with legal obligation” in order to comply with tax laws in the maintenance of financial records related to the transactions.
2. Personal Data We Obtain from Third Party Sources
Please see our Privacy Notice for details on personal data we may collect from third party sources.
3. Data Retention
We will retain your Personal Data for as long as is necessary for the purposes set out in these Disclosures, in accordance with Relevant Law and the legal bases for acquiring the data.
For example, we may generally retain Personal Data as follows:
- For as long as may be required under applicable law;
- As needed to resolve disputes or protect our legal rights;
- Where processing is based on your consent, for the period of time necessary to carry out the processing activities to which you consented;
- Where processing is based on contract, for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from the contractual relationship; or
- Where processing is based on our legitimate interests, for a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.
Consistent with the foregoing guidance, some data may be retained indefinitely. Additionally, where we have applied more than one legal basis to a certain processing activity, we may retain data for so long as permitted by one or more of the applicable legal bases that remain valid.
4. How We Share and Disclose Personal Data
Please see our Privacy Notice for details on how we share and disclose personal data.
5. International Data Transfers
Much of our Personal Data processing takes place in the United States, though sometimes we or third parties with whom we share data may process data in other countries. The data protection laws in the United States and other countries may provide different protections than such laws in your Relevant Region. In the event we transfer your Personal Data outside your Relevant Region as part of our In-scope Processing, we rely where required on appropriate or suitable safeguards or specific legal provisions permitting such transfers under the Relevant Law.
When transferring Personal Data from a country in the European Economic Area (EEA) or from the United Kingdom (UK) to a country outside the EEA and the UK, we may base such transfers on contracts containing legally authorized data protection clauses referred to as Standard Contractual Clauses. To learn more about any such transfer of your Personal Data, you may contact us as set forth in the “Contact Us” section below.
6. Cookies and Similar Technologies
Please see our Cookies Notice for details on our Website’s use of cookies.
7. Rights You May Have
To the extent required by Relevant Law, upon your request, we will inform you whether we hold any of your Personal Data as part of our In-scope Processing. With respect to your Personal Data collected and used in our In-scope Processing, under the Relevant Law you may also be able to:
- obtain a copy of your Personal Data in an easily accessible format;
- request that we correct or update any of your Personal Data that is inaccurate;
- restrict or limit the ways in which we use your Personal Data;
- object to the processing of your Personal Data;
- request the deletion of your Personal Data;
- request that we transmit your Personal Data to another party; or
- object to automated decision-making (if any) in certain circumstances. HBS Online does not generally engage in such automated decision-making on its Websites or in its Services, and if it does, HBS Online complies with Relevant Laws in connection with such data processing.
If you have any questions about how we process your data under Relevant Laws, please reach out via our Support Portal. Because we want to avoid taking action regarding your Personal Data at the direction of someone other than you, we may need to ask you for information verifying your identity. We will respond to your request within a reasonable timeframe.
If our In-scope Processing of your Personal Data is based on your consent, in certain cases you may also have the right under a Relevant Law to withdraw your consent to our processing. If you withdraw your consent to the use or sharing of your Personal Data for the purposes set out in these Disclosures, or otherwise limit our use of your Personal Data or request its deletion, we may no longer be able to provide you some or all of the related services.
Please note that, in certain cases, we may continue to process your Personal Data after you have withdrawn consent or requested that we delete your Personal Data, or we may not be able to fulfill all or parts of other requests, if we have a legal basis to continue the processing or decline all or part of the request. For example, we may need to retain certain data to comply with an independent legal obligation, for achieving the lawful purposes for which we obtained the data, or for such reasons as keeping our services and operations safe and secure or safeguarding our rights or the rights or safety of others.
If you have any complaints regarding our privacy practices, you may be able to make a complaint to your national data protection authority, supervisory authority, or other legal authority.
8. Updates to the Disclosures
We may update these Disclosures from time to time without prior notice by posting revised Disclosures. You can determine when these Disclosures were last revised by checking the Last Updated date at the beginning of these Disclosures.
9. Representatives
Representatives in the European Union:
Harvard Global Research Support Centre Ireland DAC
10 Earlsfort Terrace
Dublin 2 D02 T380 Ireland
Attention: GDPR Representative
Email: GDPRrepresentative@harvard.edu
Representative in the UK:
Harvard Global UK
71 Queen Victoria Street
London, United Kingdom EC4V 4BE
Attention: GDPR Representative
Email: GDPRrepresentative@harvard.edu
10. Contact Us
If you have any questions, comments, requests or concerns about these Disclosures or other privacy-related matters, you may contact us in the following ways:
Harvard University
1033 Massachusetts Avenue, Suite 370
Cambridge, MA 02138 USA
Attention: International Privacy Disclosures Coordinator
Contact Us Through Our Support Portal
Last Updated: March 31, 2023