Statement of Privacy Practices: GDPR - Research

1. Transparency Regarding the Use of Your Personal Data

As part of our commitment to protecting your privacy, this statement is designed to provide you with information regarding how UC Riverside (UCR) researchers, research administrators and research departments of may collect, receive, use and share information about you when you agree to participate as a research subject, when existing information about you is used, or when you agree to be a researcher at UC, as a fellow or student. This statement is applicable to any individuals who are located in the European Economic Area (EEA).

For purposes of the General Data Protection Regulation (GDPR), the data controller is the Regents of the University of California, with a location at 900 University Ave. Riverside, CA 92521.

2. Your Personal Data We Use

Information you provide directly to UC:

UC Riverside researchers and research staff collect personal information about you called Personal Data. Most often, before any Personal Data are collected for research purposes, you will be provided a consent and/or authorization form relating to the specific research project that explains the types of data collected and for the purposes for which such data are processed and shared. In such a case, the description of the collection and use of your Personal Data provided in the consent and/or authorization form will replace the information provided here. The Personal Data collected by our researchers is collected for the primary purpose of furthering research and understanding in various fields of academic study. Examples of Personal Data that may be collected for research purposes are listed below. Not every research study will collect each of these types of data. If you have questions about the processing of your data in connection with a research study, you should contact the UC personnel who are conducting the research or the contact persons named in any consent form you signed when you joined the study.

Information from Other Sources:

UC Riverside researchers and research staff may also receive information about you from other sources and may combine that information with information we collect from you directly. Examples of Personal Data that may be collected from research organizations or other third parties are listed below. Not every research study will use each of these types of data.

Examples of Personal Data:

Examples of Personal Data that we or third-party vendors may collect and use for research purposes include the following. Please note that in most cases these data, if identifiable, would initially be provided voluntarily by you:

  • Contact Information: for example, your name, home address, email address and phone number;
  • Tax Information: for example, government identification number if you are being paid in connection with the research;
  • Demographic Information: for example, race, ethnicity, gender, age, education, profession, occupation, income level and marital status;
  • Personal Information and History: for example, personal interests, profession, and other information about your background;
  • Family Information: for example, family members, ages, occupations and health;
  • Employment History: for example, prior employers, titles, wages, work experience, trade union membership and disciplinary record;
  • Education History: for example, prior schools, transcripts, awards, honors and disciplinary records;
  • Health and Dietary Information: for example, doctor’s records, surgical records, immunizations and medications, allergies and dietary preferences;
  • Biometric Data: for example, facial measurements, finger prints and retinal scans;
  • Genetic Data: for example, genetic information obtained from your biological samples;
  • Course Engagement and Assessment Data: for example, assignment responses, test scores and course interactions (including, for example, the ways in which you move through and interact with the course materials);
  • Log Files: for example, IP address, browser type, internet service provider, pages visited (including referring/exit pages), operating system, date/time stamp and/or clickstream data;
  • Cookies and Similar Technologies: Information collected automatically through cookies and similar technologies. For more information regarding our use of cookies and similar technologies, consult the UC Privacy Official identified below; and
  • Location Information: for example, latitude, longitude, date and time (the precision of these data varies greatly and is determined by factors controlled by your device or mobile service provider); and
  • Mobile Device Sensor Information: for example, health-related information that may be available through an application using a sensor or component of your mobile device.

3. How We Use Your Personal Data and the Lawful Basis for Such Processing

UC Riverside researchers and research staff process your Personal Data for the following purposes and bases:

  • To further research and understanding in fields of academic study. It is in our legitimate interests as a research institution to conduct such research;
  • To enroll you in a particular research study as a research subject or to administer the study if you are a researcher. This is generally required to process a transaction requested by you;
  • To satisfy legal, regulatory, and contractual obligations for conducting research. It is in our legitimate interests as a research institution to conduct such research in a compliant manner;
  • Processing and addressing any complaints or inquiries made by you or legally on your behalf. We do this because it is in our legitimate interest as part of the services UC offers to you; or
  • Utilizing sensitive Personal Data in connection with research, with your consent.

In certain instances, UC may be required to obtain your consent to collect and process your Personal Data for a research study. This depends on the specific category of data collected and the intended use of the data, as well as when automated processing was used to assign you to receive a certain treatment that may be required by the research study. For more information on automated decisions, please see below. In these instances, we will ask for your consent to the intended collection of your Personal Data, prior to collecting the data.

4. Recipients of Your Personal Data

UC Riverside researchers and research staff may share your Personal Data with the following recipients:

  • Other UC locations or departments: Other UC locations or departments in order to provide you with a UC service requested by you or where it is in UC’s legitimate interests.
  • Service Providers: Vendors that need access to your Personal Data in order to assist in UC in conducting and administering research.
  • UC Partners and Collaborators: When permitted by law, UC may share Personal Data with researchers at other institutions or research sponsors in order to support UC’s research mission.
  • Public and Governmental Authorities: Entities that regulate or have jurisdiction over UC’s research program including for example federal agencies involved in the oversight of research, such as the Office of Human Research Protection and the Food and Drug Administration, and state agencies, such as the California Department of Public Health.

If your Personal Data is shared with a third party, UC will require that the third party use appropriate measures to protect the confidentiality and security of your Personal Data.

We may also need to share your Personal Data as required to respond to lawful requests and legal process; to protect our rights and property and those of our agents, customers and others, including to enforce our agreements and policies; and in an emergency, to protect UC and the safety of our students, faculty and staff or any third party.

5. Security

UC is committed to protecting your Personal Data that are consistent with applicable privacy and data security laws and regulations. For more information about how UC protects data, refer to Systemwide Information Security Polices and Standards.

6. Retaining and Deleting Your Personal Data

Where UC is processing your Personal Data based on our legitimate interests, UC generally will retain the data for the time needed for those interests. Where UC is processing your Personal Data based on your consent, UC generally will retain the information for the period of time necessary to carry out the processing activities to which you consented unless there is a legal requirement to maintain it for a longer period.

International Transfer of Your Personal Data

In order to fulfill the intended processing purposes described above, your Personal Data will be transferred outside of the European Economic Area (EEA), specifically to the United States, which does not protect Personal Data in the same way that it is protected in the EEA. UC will undertake appropriate measures to ensure adequate protection of Personal Data, including utilizing appropriate physical, administrative, and technical safeguards to protect Personal Data, as well as executing Standard Contractual Clauses approved by the European Commission or a supervisory authority under GDPR, or obtaining your consent, where appropriate. If your Personal Data is affected, you may contact the UC Privacy Official below to obtain a copy of the Standard Contractual Clauses.

7. Automated Decision-Making

Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that may produce legal effects that could significantly affect the individuals involved or that have similarly significant impact. For example, assigning clinical trial subjects to receive an intervention or placebo based solely upon each subject’s diagnostic data, where the assignment is done without any meaningful input from a physician or the research team, could be regulated by GDPR. Depending upon the type of research study you consent to, UC researchers may make automated decisions in conducting the specific research study.

In these instances, UC will inform you of the automated decision-making and will request that you affirmatively indicate that you consent to the intended use of your Personal Data for that purpose, prior to the automated decision-making. Where automated decisions are made, research subjects may contact the UC research team with any questions. In most cases, because the research study requires the use of automated decisions, if the person objects to, or opts out of such processing, the person will not be able to participate in the research study.

8. Your Rights

As required by the General Data Protection Regulation and applicable EU Member State and EEA state law, if you are located in the European Economic Area, you have a right to:

  • Access your Personal Data, as well as information relating to the recipients of your Personal Data, the purposes of processing your Personal Data, the duration for which the Personal Data will be stored, and the source of Personal Data that has not been provided by you;
  • Rectify or correct inaccurate or incomplete Personal Data concerning you, taking into account the purposes of the processing, and the right to have incomplete Personal Data completed;
  • Move your Personal Data to another controller or processor. UC will facilitate the lawful transfer of your data to the extent possible;
  • Have your Personal Data erased in certain circumstances;
  • Restrict the processing of your Personal Data in certain circumstances;
  • Object to the processing of Personal Data in certain circumstances;
  • Withdraw your consent to the processing of your Personal Data, should UC ask for your consent for the processing of your Personal Data. The withdrawal does not affect the lawfulness of processing based on your consent before its withdrawal.
  • Know whether your Personal Data is being used for automated decision-making in a research study. In those cases, UC will give you meaningful information about the decision, the significance and the envisaged consequences of such processing of your data, and the right to withdraw from the research study; and
  • Lodge a complaint with a supervisory authority.

UC may be obligated to retain your Personal Data as required by U.S. federal or state law.

If you wish to exercise your rights, you can contact the UC Privacy Official identified below.

You may choose not to share your Personal Data with UC or UC-approved third parties for UC’s research activities. If you choose not to share your Personal Data with UC for research purposes, you will not be able to participate in UC research.

9. Questions and Complaints; UC Privacy Official

If you have questions or complaints about our treatment of your Personal Data, or about our privacy practices more generally, please feel free to contact the UCR Compliance Analyst & Privacy Officer: Mr. Ian Hazrduk at or the UC Office of the President interim Privacy Official: Ms. Nicole Delange, Healthcare Compliance Manager, at

Effective Date: This statement is effective as of June, 2020.