Privacy Policy

This Privacy Notice is intended to describe the practices EY follows in relation to the Ernst & Young Foundation's Academic Resource Center (EYARC) website (the "Site") and the EYARC Experience platform (the "Platform") with respect to the privacy of all individuals whose personal data is processed and stored in connection with the Site or the Platform.

This Privacy Notice should be read together with the ey.com Privacy Statement, and in case of any conflict with the ey.com Privacy Statement, the terms of this Privacy Notice will prevail. Please read this Privacy Notice carefully.

"EY" refers to one or more of the member firms of Ernst & Young Global Limited ("EYG"), each of which is a separate legal entity and can determine the purposes and means for data processing in its own right (i.e. act as a data controller or in a similar capacity). The entity that is acting as data controller (or similar capacity) by providing this Site or the Platform on which your personal data will be processed and stored is the Ernst & Young Foundation (US).

The personal data in either the Site or the Platform may be shared by the Ernst & Young Foundation with one or more member firms of EYG (see "Who can access your personal data" section 6 below).

The Site is hosted on Microsoft Azure servers located in the U.S. The Platform is hosted on Amazon.

The Site and the Platform both provide free educational resources for non-profit, higher education staff as part of the Ernst & Young Foundation's philanthropic mission to support higher education.

Your personal data processed in the Site or the Platform is used to provide you access to the Site or the Platform and to analyze usage.

EY relies on your consent to legitimize the processing of your personal data in the Site and the Platform. The provision of your personal data to EY is optional. However, if you do not provide all or part of your personal data, we may be unable to carry out the purposes for processing. You have the right to withdraw your consent at any time.

Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.

EY does not intentionally collect any sensitive personal data from you via the Site or from you or the student users via the Platform. Both the Site and Platform's intentions are not to collect or process such information.

Your personal data is accessed in the Site and the Platform by the following persons/teams:

• Members of the Ernst & Young Foundation team who manage the Site and Platform, including content and results.
• Members of EY Technology who provide technical support for the Site and the Platform.

The access rights detailed above may involve transferring personal data in various jurisdictions in which EY operates (EY office locations are listed at www.ey.com/ourlocations). EY will process your personal data in the Site in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY's Binding Corporate Rules.

We may also transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files.

It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.

To the extent that personal data has been deidentified, aggregated or otherwise rendered anonymous in such a way that you or your device are no longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Privacy Notice will not apply.

Our policy is to retain personal data only for as long as it is needed for the purposes described in the section "Why do we need your personal data". Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.

In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for archiving and historical purposes, we need to retain information for significant periods of time.

Depending on the applicable jurisdiction, you may have certain rights in relation to your personal data, such as:

• To request details of the personal data EY processes about you and to access the personal data that EY processes about you.
• To have your personal data corrected, for example, if it is incomplete or incorrect.
• To restrict or object to the processing of personal data or request the erasure of your personal data.
• To receive a copy of the personal data which you have provided to EY in a structured, commonly used and machine-readable format (known as "data portability").
• Where you have provided consent to the processing of your personal data, the right to withdraw your consent.
• The right to complain to a data protection authority (see section "Complaints").

If you have any questions about how EY processes your personal data or your rights related to your personal data, please send an e-mail to global.data.protection@ey.com.

If you are concerned about an alleged breach of privacy law or any other regulation, contact EY's Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at global.data.protection@ey.com or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.

If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country's data protection authority. You can also refer the matter to a court of competent jurisdiction.

Certain EY member firms in countries outside the European Union (EU) have appointed a representative in the EU to act on their behalf if, and when, they undertake data processing activities to which the EU General Data Protection Regulation (GDPR) applies.