General Data Protection Regulation (GDPR) Frequently Asked Questions

Version: 2.1 OGC Approved 

Q1: What is the GDPR?

The General Data Protection Regulation (GDPR) is a new, European-wide law on data protection and privacy for all EU citizens and residents. The GDPR replaces the previous 1995 Data Protection Directive (DPA) and expands significantly the protection of personal data. The GDPR lays down rules for collecting, processing, and transferring personal data, regardless of whether such activities take place within or outside the EU. The GDPR came into effect on 25 May 2018.

Q2: Key GDPR terms to know?

Data controller
The entity determines the purposes and means of the processing of personal data.

Data processor
The entity that processes personal data on behalf of the data controller.

Data subject
An identified or identifiable natural person, based on personal data related to that person.

Personal data
Any information relating to a data subject, that can be used to identify the person, directly or indirectly.

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, broadly defined to include collecting, organizing, structuring, storing, altering, retrieving, using, disclosing, transmitting, erasing or destroying that data.

Automated individual decision-making
The process of making decisions about an individual solely by automated means without any human involvement.

Automated processing of personal data to evaluate certain things about an individual. Profiling can be part of an automated decision-making process.

Q3: Who does the GDPR affect?

The GDPR not only applies to organizations located within the EU but also to those located outside of the EU if they offer goods or services to, process personal data or monitor behaviour of, EU data subjects. The GDPR applies to all organizations that process and hold personal data of data subjects residing in the European Union and collected within the EU, regardless of the organizations’ location.

Q4: What rights will individuals have under the GDPR?

  1. The right to be informed
    A key transparency requirement under the GDPR, which states that Individuals have the right to be informed about the collection and use of their personal data.
  2. The right of access 
    Commonly referred to as subject access. The right for individuals to obtain confirmation from the data controller on whether their personal data is being processed, the purpose of it, and how the personal data is stored, disclosed and transferred.
  3. The right to rectification
    The right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
  4. The right to erasure (right to be forgotten)
    The right for individuals to have personal data erased and further disseminated in certain circumstances.
  5. The right to restrict processing
    The right for Individuals to request the restriction or suppression of their personal data in certain circumstances.
  6. The right to data portability
    The right that allows individuals to obtain and reuse their personal data for their own purposes across different services, in a safe and secure way, without affecting its usability. The right only applies to information an individual has provided to a data controller.
  7. The right to object
    The right for individuals to object to the processing of their personal data in certain circumstances, including an absolute right to stop their data being used for direct marketing.
  8. Rights in relation to automated decision making and profiling
    The right for individuals not to be subject to a decision based solely on automated processing, including profiling, which has legal or similarly significant effects on them.

Q5: What constitutes personal data?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Examples of personal data include name, address, phone number, email address, date of birth, passport number, IP address (static or dynamic), MAC address, cookies, GPS data, financial & bank account information, license plate number.

Q6: What is the impact of the GDPR on Notre Dame?

GDPR applies to the processing of data subjects’ personal data collected within the EU, even if the processor has no establishment in the EU, when that processing relates to the offering of goods or services to the data subjects, including free goods and services, or the monitoring of data subjects’ behavior. The University is similar to many US-based universities that offer programs for their students to travel and study abroad, while welcoming international students to study and connect with the US academic community. Because we maintain locations within the European Union and offer educational and academic services to students located in the EU, the University is nominally subject to GDPR.

Q7: What is Notre Dame Doing to respond to GDPR requirements?

Notre Dame takes its obligations under the GDPR seriously. The Notre Dame Office of General Counsel and the Office of Information Technologies have carried out a campus-wide assessment with the goal of evaluating and understanding the impact of the GDPR on the University and to provide guidance on interpreting the University’s obligations and responsibilities under the new regulation in all of our locations. This FAQ is one of the documents developed by the assessment project, intended to provide Departments with general information about the GDPR. A key result of the assessment project is for each Department to identify a dedicated contact person who will be responsible for coordinating, and if necessary, escalating any incoming GDPR inquiries made of the University through its various Departments.

Q8: What should I do if my department receives a GDPR related inquiry?

When receiving a GDPR related inquiry, the departmental GDPR contact person should refer the inquiry to the central administration by completing an inquiry form in ServiceNow (General Data Protection Regulation Inquiry) and providing the relevant details. University central administration will coordinate and help the departments with responding to the inquiry.

Q9: Who should I contact if I have questions about GDPR?

Please direct all questions or queries related to the GDPR to the Office of Information Security and Compliance at infosec@nd.edu.

Q10: What about inquiries related to data privacy from jurisdictions other than the EU?

The University is certainly subject to US data privacy and security laws, and may be subject to data privacy obligations in other jurisdictions in which the University operates. If you should receive a request or demand related to someone’s personal information, feel free to contact THE GENERAL ADDRESS FROM ABOVE or the Office of General of Counsel (gencoun@nd.edu).