Office of University Compliance and Ethics

European Union General Data Protection Regulation (GDPR)

Effective May 25, 2018, the European Union (EU) passed the EU General Data Protection Regulation (GDPR). The law is intended to

  • harmonize data privacy laws across the EU;
  • protect and empower the data privacy rights of all persons regardless of nationality or residence; and
  • reshape the way organizations across the EU approach data privacy.

Terms to Know

Personal Data: Personal Data is any information that relates to an individual who can be directly or indirectly identified. Examples include names, email addresses, location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions. Pseudonymous data (data in which any information that could be used to identify an individual has been replaced with a pseudonym, that is, a value that does not allow the individual to be directly identified) can also fall under the definition if it is relatively easy to identify someone from it.

Data processing: Any action performed on data, whether automated or manual. Examples include collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, and erasure or destruction.

Data subject: The person whose data is processed.

Controller: The person or organization that decides why and how Personal Data will be processed.

Processor: The person or organization that processes Personal Data on behalf of a Controller.

Special categories: Categories of Personal Data designated as requiring special protections, specifically:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data or biometric data for the purpose of uniquely identifying a person
  • Data concerning health
  • Data concerning a person’s sex life or sexual orientation
  • Criminal convictions or offenses

Resource: GDPR.EU

Who Must Comply

GDPR applies to the processing of Personal Data by a Controller or a Processor based in the EU, regardless of whether the processing itself takes place in the EU.

GDPR applies to

  • organizations based in the EU that process the Personal Data of persons physically located in the EU; and
  • organizations not based in the EU that offer products or services (even if free) to persons physically located in the EU, or that monitor their behavior.

Principles

The GDPR is based on seven (7) principles related to processing Personal Data.

  • Lawfulness, fairness and transparency: Processing must be lawful, fair, and transparent to the data subject.
  • Purpose limitation: Process data only for the legitimate purposes specified explicitly to the data subject when the data was collected.
  • Data minimization: Collect and process only as much data as is absolutely necessary for the purposes specified.
  • Accuracy: Keep personal data accurate and up to date.
  • Storage limitation: Store personally identifying data only for as long as necessary for the specified purpose.
  • Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality.
  • Accountability: The Controller is responsible for being able to demonstrate GDPR compliance with all principles, and for ensuring that all contractors and their sub-contractors, as well as commodity and service vendors, adhere to GDPR requirements.

Resource: GDPR.EU

Understanding GDPR: Key Questions and Concepts

What are the general GDPR requirements?

  • Understand and document data flows: Identify processes where Personal Data is received from persons physically located in the EU, and formally document how that data flows through and outside of the organization.
  • Ensure a legal basis for processing and transferring Personal Data.
  • Respond to data subject requests: Promptly review and respond to requests from data subjects exercising their rights under GDPR.
  • Assess and revise contracts and agreements.
  • Provide notice of breaches of Personal Data.

What are Controller and Processor responsibilities?

Many responsibilities of Controllers and Processors are standard data protection best practices; however, some responsibilities are unique to the GDPR.  Review a checklist of responsibilities here.

What rights do data subjects have under GDPR?

In general, data subjects have certain rights related to their personal data.

  • The right to be informed about the collection and use of their personal data.
  • The right to access the information collected about them.
  • The right to rectification (correction or update of their information).
  • The right to erasure/right to be forgotten.
  • The right to restrict processing.
  • The right to data portability (obtaining their data in a usable format).
  • The right to object to the processing of their information.
  • The right to object to automated decision making.

What are examples of scenarios requiring GDPR compliance?

  • Data collected from faculty and students recruited from a conference in an EU country.
  • Research studies involving the collection of data from individuals located in the EU.
  • Data collected from alumni or students located in the EU.
  • The University sends student resumes to a recruitment firm and the firm wants to send the resume to a prospective employer in the EU.
  • A prospective student living in the EU completes a form on the University website.
  • Online courses offered by the University to people living in the EU.
  • The University provides newsletters or networking opportunities to alumni located in the EU.

Have more questions or need assistance?

  • Staff and faculty: Request a consult by sending a communication to privacyconsult@clemson.edu.
  • All other inquiries: Contact the Data Protection Officer at dpo@clemson.edu.