The General Data Protection Regulation (GDPR) is a new, European-wide law on data protection and privacy for all EU citizens and residents. The GDPR replaces the previous 1995 Data Protection Directive (DPA) and significantly expands the protection of personal data. The GDPR lays down rules for collecting, processing, and transferring personal data, regardless of whether such activities take place within or outside the EU. The GDPR came into effect on 25 May 2018.
Processing is any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. It is broadly defined to include collecting, organizing, structuring, storing, altering, retrieving, using, disclosing, transmitting, erasing or destroying that data.
The GDPR applies not only to organizations located within the EU but also to those located outside the EU if they offer goods or services to EU data subjects, process their personal data, or monitor their behaviour. The GDPR applies to all organizations that process and hold personal data of data subjects residing in the European Union and collected within the EU, regardless of the organizations’ location.
- The right to be informed
A key transparency requirement under the GDPR, which states that individuals have the right to be informed about the collection and use of their personal data.
- The right of access
Commonly referred to as subject access. The right for individuals to obtain confirmation from the data controller on whether their personal data is being processed, the purpose of it, and how the personal data is stored, disclosed and transferred.
- The right to rectification
The right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
- The right to erasure (right to be forgotten)
The right for individuals to have personal data erased, and its further dissemination stopped, in certain circumstances.
- The right to restrict processing
The right for individuals to request the restriction or suppression of their personal data in certain circumstances.
- The right to data portability
The right that allows individuals to obtain and reuse their personal data for their own purposes across different services, in a safe and secure way, without affecting its usability. The right only applies to information an individual has provided to a data controller.
- The right to object
The right for individuals to object to the processing of their personal data in certain circumstances, including an absolute right to stop their data being used for direct marketing.
- Rights in relation to automated decision making and profiling
The right for individuals not to be subject to a decision based solely on automated processing, including profiling, which has legal or similarly significant effects on them.
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data. Examples of personal data include name, address, phone number, email address, date of birth, passport number, IP address (static or dynamic), MAC address, cookies, GPS data, financial and bank account information, and license plate number.
GDPR applies to the processing of data subjects’ personal data collected within the EU, even if the processor has no establishment in the EU, when that processing relates to the offering of goods or services to the data subjects, including free goods and services, or the monitoring of data subjects’ behavior. The University is similar to many US-based universities that offer programs for their students to travel and study abroad, while welcoming international students to study and connect with the US academic community. Because we maintain locations within the European Union and offer educational and academic services to students located in the EU, the University is nominally subject to GDPR.
Notre Dame takes its obligations under the GDPR seriously. The Notre Dame Office of General Counsel and the Office of Information Technologies have carried out a campus-wide assessment with the goal of evaluating and understanding the impact of the GDPR on the University and providing guidance on interpreting the University’s obligations and responsibilities under the new regulation in all of our locations. This FAQ is one of the documents developed by the assessment project, intended to provide Departments with general information about the GDPR. A key result of the assessment project is for each Department to identify a dedicated contact person who will be responsible for coordinating and, if necessary, escalating any incoming GDPR inquiries made of the University through its various Departments.
When receiving a GDPR-related inquiry, the departmental GDPR contact person should refer the inquiry to the central administration by completing an inquiry form in ServiceNow (General Data Protection Regulation Inquiry) and providing the relevant details. University central administration will coordinate with the departments and help them respond to the inquiry.
Q9: Who should I contact if I have questions about GDPR?
Please direct all questions or queries related to the GDPR to the Office of Information Security and Compliance at firstname.lastname@example.org.
Q10: What about inquiries related to data privacy from jurisdictions other than the EU?
The University is certainly subject to US data privacy and security laws, and may be subject to data privacy obligations in other jurisdictions in which the University operates. If you should receive a request or demand related to someone’s personal information, feel free to contact THE GENERAL ADDRESS FROM ABOVE or the Office of General Counsel (email@example.com).