International Data Privacy Policy and Notice

Vanderbilt University Medical Center (VUMC) is committed to upholding the privacy of everyone we interact with and appropriately safeguarding the information collected, used, and maintained in support of VUMC’s academic, research, and clinical missions in compliance with applicable data protection laws. This Privacy Notice describes how VUMC, its programs, centers, and affiliated entities (collectively, “we”, “our”, or “VUMC”) collect and process Personal Information on international data subjects.

Recognizing that privacy rights vary from country to country, VUMC bases its international data privacy practices on the European Union’s General Data Protection Regulation (GDPR), a globally recognized benchmark for protecting personal data. We apply this standard as a minimum to safeguard your personal data, though your specific rights may depend on the laws of your country or region. 

Foreign nationals’ personal data is subject to and processed in accordance with applicable U.S. state and federal laws and VUMC policies and procedures. 

This policy specifically excludes information collected to facilitate the process of your becoming a patient for treatment at Vanderbilt University Medical Center. Please see our HIPAA Notice of Privacy Practices that explains how VUMC may use or share your medical information and your rights regarding your medical information.

 

About This Privacy Notice

This notice explains:

  • What data we collect from you and how we use it.
  • With whom we may share your data and why.
  • How long we retain your information and how we keep it secure.
  • Your rights to access, correct, or control your personal data.
  • How to reach us if you have questions, concerns, or wish to exercise your rights.
     

Data We Collect and How We Use It

The type of personal data VUMC collects and how we use it (sometimes referred to as the purpose for the processing) depends on your role and the nature of your engagement with VUMC. In most instances, VUMC acts as a controller of personal data. In some research instances, VUMC acts as a processor of personal data on behalf of another organization. 

“Personal Information” means information that can be used to identify you as a person. We collect several categories of personal information through our activities, including information you provide. We generally use the Personal Information we collect to operate the various functions of VUMC and provide services that may be available to you.

We rely on separate and overlapping lawful bases to collect and process your Personal Information depending on the activity. These lawful bases include processing that is necessary to fulfill a contract, processing to comply with a legal obligation, processing you have consented to, protection of an individual’s vital interests, or to further VUMC’s legitimate interests. 

The ways in which we collect and process your information vary depending on the relationship between you and VUMC, as well as the specific VUMC function with which you interact.

 

Sharing Your Data

We may share your data, consistent with this Privacy Notice, within our programs, as well as with service partners and trusted third parties who complete transactions or perform or administer Activities on our behalf or for your benefit, such as:

  • Joint research arrangements with sponsors, other hospitals, and universities.
  • Training Activities, including registration, evaluation, program travel, and student engagement.
  • Online education offerings through an online platform.
  • Employment activities, including human resources.
  • U.S. government agencies or law enforcement as required by law.
  • Payment and donation processing.

We only share data that is necessary for each specific purpose and ensure all third parties comply with our strict privacy and security standards when applicable.

 

Cross-border Transfers

VUMC processes all personal data in the United States, subject to the laws of the United States. The privacy laws of the United States may significantly differ from your home jurisdiction, and you may not enjoy the same rights under U.S. law. VUMC carefully considers the security of cross-border transfers, given the sensitivity of personal data.

 

Your Rights Regarding Your Data

Under applicable law, you may have the right to:

  • Access your data.
  • Correct inaccuracies or complete missing information.
  • Erase your data under certain conditions.
  • Restrict processing in specific circumstances.
  • Object to certain types of data processing.
  • Request data portability to transfer your data to another organization.

To submit a request to exercise these rights, please contact us as set forth in the Contact Us section below. We will respond to all valid requests within a reasonable time and in accordance with any deadlines required by law.

If you have any complaints regarding our privacy practices, we ask that you contact VUMC's International Privacy Office as set forth in the Contact Us section below. You also have the right to file a complaint with your national data protection authority.

 

Use of Personal Information

As a general matter, we use your data to:

  • Contact you to respond to your requests or inquiries;
  • Conduct VUMC operations, including research and educational activities;
  • Provide you with newsletters, articles, service updates or announcements, event invitations, and other information we believe may be of interest to you;
  • Process and complete transactions including, as applicable, employment applications, course registration, enrollment in research, training programs, or other activities offered by VUMC, processing payments for online purchases, processing donations, and use of software and other IT services provided by VUMC;
  • Enforce our Terms of Use and other agreements.

Additional categories of Personal Information collected and the purposes for processing the information are available below.

 

Security Measures

VUMC maintains reasonable technical and organizational measures to protect your data. Our International Privacy Office and Vanderbilt Enterprise Cybersecurity teams oversee these measures to maintain data security, avoid unauthorized access, and protect your rights.

 

Data Retention

We retain your data only as long as necessary for:

  • Legitimate business purposes.
  • Contractual or legal requirements.
  • Dispute resolution, audits, or compliance needs.
  • Compliance with research grant obligations and good clinical practices.
  • Compliance with research publication requirements.

The retention period is determined based on the data type, sensitivity, risk, and applicable legal obligations.

 

Contact Us

For any questions or concerns about this privacy policy or to file a complaint, please contact our Data Protection Officer.

Email address: International.PrivacyOffice@vumc.org

Physical address: 
VUMC Privacy Office
Medical Center North, T-3317
Nashville, TN 37203

VUMC maintains a UK and EU representative as required under Article 27 of the GDPR. VUMC has appointed DataRep as its Data Protection Representative for the purposes of GDPR in the EU/EEA and the Data Protection Act 2018/UK GDPR in the UK, and FADP in Switzerland. You may contact our representative at vumc@datarep.com or www.datarep.com/data-request. Please refer clearly to Vanderbilt University Medical Center in your correspondence.

 

ADDITIONAL CATEGORIES OF PERSONAL INFORMATION COLLECTED

Website Use

We may collect the following information through your visits to our website:

  • Contact information
  • IP address, browser type, internet service provider, date/time stamp
  • Location information
  • Payment information

The purposes of processing the information collected through our website use include responding to requests for information, conducting analytics on page visits to improve the services, and tracking interactions with our website.
 

Donors

VUMC collects and maintains donor information to process donations and respond to comments and questions. We may also use donor information to keep you informed about VUMC activities that may interest you.

The main way we collect donor information is when you provide it to us. We may also collect information from publicly available sources or third-party sources. Personal information collected about donors includes:

  • Contact information
  • Donation information
  • Payment information

The purposes of processing the information collected include communicating with and providing information to you regarding donations and to process and confirm your donation.

 

Human Resources

VUMC collects information when you apply for employment and throughout your employment with VUMC for the primary purpose of providing employment, responding to employment-related questions and comments, or enabling authorized persons to utilize VUMC's services, activities, and facilities. Personal information collected by VUMC Human Resources includes:

  • Contact information
  • Demographic information
  • Payment information
  • Immigration documents
  • Education and Employment history
  • Background records
  • Licensure information

The purposes for processing this information include providing you with employment-related notices, forms, insurance, and payments, and evaluating your application for employment.

 

Online Continuing Education

VUMC collects information when you apply for online continuing education offerings. Information is collected for the primary purpose of providing online continuing education courses, and if applicable, evaluating qualification for online certificates and credit. Personal information collected includes:

  • Contact information
  • Demographic information
  • Payment information
  • Education and Employment history
  • Licensure information
  • Learner Interaction Data
  • Course Assessment Data
  • Log files
  • Location Information

The purposes for processing this information include communicating with you regarding your online program, responding to requests for information, processing payments, evaluating your completion of online courses, and providing secure, online education platforms.

 

Research

VUMC researchers and affiliates may collect, use, and share your Personal Information as part of a research study in which you have consented to participate as a research subject or research, or in which your existing personal data are used.

Examples of data that may be collected for research purposes are listed below. These data are provided as examples only; not every research study will collect each of these categories of data. Often, when personal data are collected for research purposes, you will be provided with a consent form that explains the type of data collected and the purpose for which such data are processed and shared. If you have any questions about the processing of your data in connection with a research study, you should contact the VUMC personnel who are conducting the research or the contact person named in any informed consent form you signed when you joined the study. Examples of personal data collected through research include:

  • Contact information
  • Demographic information
  • Education and Employment history
  • Family Information
  • Financial Information
  • Medical Information (Health Records)
  • Genetic Data
  • Biometric Data

The purposes of processing each category of Personal Information include enrolling you in a research study and conducting research.

 

Students and Trainees

VUMC collects information from students and other trainees participating in VUMC training programs for the primary purpose of facilitating your training at VUMC, responding to training program related questions and comments, facilitating international travel to VUMC, or enabling authorized persons to utilize VUMC's services, activities, and facilities. Personal information collected by VUMC includes:

  • Contact information
  • Demographic information
  • Health records
  • Payment information
  • Education and/or Employment history
  • Background, including criminal, records
  • Licensure information
  • Visa and other travel document information

The purposes for processing this information include providing you with training-related information, facilitating travel to and from VUMC, and providing academic guidance or mentorship.