European Union General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation went into effect on May 25, 2018.

The GDPR applies to the European Economic Area (EEA), which includes all EU countries plus Iceland, Liechtenstein and Norway.

The GDPR applies to:

  1. A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. A company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behavior of individuals in the EU.

Thus, the GDPR applies to entities located outside of the EU who control or process personal data of natural persons physically located in an EU member state, regardless of the person’s citizenship and the reason for their presence.

Personal data is any information related to a natural person or “data subject” that can be used to directly or indirectly identify the person.

Data Subject Rights Under the GDPR

The GDPR gives EU data subjects’ rights over how their personal data is collected, processed, and transferred. They have the right to, among other things:

  • request information about the processing of their personal data
  • ·obtain access to data collected about them
  • ask for incorrect, inaccurate, or incomplete personal data be corrected
  • request that their personal data be erased (i.e. right to be forgotten)
  • ·object to the processing of their personal data for marketing purposes or on grounds relating to their personal situation
  • request that their personal data be delivered to themselves or a third-party
  • request restriction on the use of their personal data and/or withdraw their consent for processing
  • request that decisions significantly affecting them, including profiling, are not based solely on automated processing (i.e. computers)
  • know how long their personal data will be stored
  • withdraw consent in those circumstances where the University’s processing of personal data is based on the consent of the person whose data is at issue.

The above rights are not absolute. The University may decline requests where exceptions apply.

Questions:

Please contact the University’s Vice President and General Counsel