General Data Protection Regulation
The General Data Protection Regulation (“GDPR”) is a general privacy law that applies to personal data collected in or from the European Economic Area (“EEA”), related to goods or services offered in the EEA or involving the monitoring of individuals in the EEA. Any UHS university (“University”) department or division that collects, uses, or stores “personal data” in or from the EEA or relating to individuals in the EEA may be impacted. For example, receipt of personal data from an individual in the EEA (even one temporarily living in the EEA) who is -- applying for admission, responding to a donation solicitation, collaborating on research activities, or participating in a study abroad program could trigger application of GDPR rules.
“Personal Data” is any information related to an individual that can be used to directly or indirectly identify the person, such as name, a photo, an email address, bank account, or a computer IP address. Personal Data also includes special categories of sensitive data identified as racial or ethnic origin, political opinions, genetics or biometrics, health, sexual orientation and criminal records, all of which require a higher level of protection.
In order for the University to process Personal Data from an individual in the EEA (“EEA Data Subject”), the University should have a lawful basis for such processing. The University’s privacy notice details the types of Personal Data processed, the purposes of the processing, and the lawful bases for each processing activity.
Additional Guidelines for Faculty and Staff:
EEA Data Subjects have the following rights with regard to their Personal Data:
- Right of access. An EEA Data Subject may request details of the Personal Data held by the University. The University will confirm whether it is processing the EEA Data Subject’s Personal Data and information regarding the categories of Personal Data, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards implemented for transfers to non-EEA countries, subject to the limitations set out in applicable statutes, regulations and other laws.
- Right of correction. An EEA Data Subject may request that any inaccurate information of their Personal Data be corrected.
- Right to be forgotten. Personal Data may be deleted upon the written request of an EEA Data Subject if:
- it is no longer necessary to retain the EEA Data Subject’s Personal Data;
- consent has been withdrawn and it is the sole basis for processing;
- the EEA Data Subject withdraws consent or objects to the processing of their Personal Data and there are no overriding legitimate grounds or other legal basis for such processing;
- the Personal Data was processed illegally; or
- the Personal Data must be deleted for the University to comply with its legal obligations.
A request for deletion will be denied if processing of the Personal Data is necessary:
- to comply with the University’s legal obligations;
- to defend or pursue legal action;
- to detect and monitor fraud; or
- for the performance of a task in the public interest.
Right to restrict processing of Personal Information. At the request of an EEA Data Subject, the University will limit the processing of their Personal Data if:
- the accuracy of the Personal Data is disputed;
- Personal Data was processed unlawfully and the Data Subject requests a limitation on processing, rather than deletion;
- there is no longer the need to process the Personal Data, but the EEA Data Subject requires the Personal Data in connection with a legal claim; or
- the EEA Data Subject objects to the processing pending verification as to whether an overriding legitimate ground or other legal basis for such processing exists.
Right to notice related to correction, deletion, and limitation on processing. In so far as it is practicable, the University will notify the EEA Data Subject of any correction, deletion, and/or limitation on processing of Personal Data.
Right to data portability. The EEA Data Subject will be provided their Personal Data, free of charge, in a structured, commonly used and machine readable format, if: (i) the Personal Data was provided to the University; (ii) the processing is based on the EEA Data Subject’s consent or required for the performance of a contract; or (iii) the processing is carried out by automated means.
Right to object. Where the University processes Personal Data based upon legitimate interest then the EEA Data Subject has the right to object to this processing; provided, however, the University may decline the request if another legal basis for such processing exists.
Right not to be subject to decisions based solely on automated processing. An EEA Data Subject has the right to request to not be subject to decisions that are based solely on the automated processing of their Personal Data.
Right to withdraw consent. An EEA Data Subject has the right to withdraw any consent previously given at any time. If such consent is withdrawn, it will not affect the lawfulness of the University collecting, using and sharing of any Personal Data up to the point in time that consent was withdrawn. Even if consent is withdrawn, the University may still use Personal Data that has been fully anonymized and does not personally identify the EEA Data Subject or if another legal basis is applicable.
Right to complain to a supervisory authority. An EEA Data Subject has the right to complain to or seek advice from a supervisory authority and/or bring a claim against the University in any court of competent jurisdiction. EEA Data Subjects may contact the University regarding the exercise of their rights under the GDPR by email at firstname.lastname@example.org and the University will respond without unreasonable delay and in accordance with any deadlines imposed by law.
Any faculty or staff who receives communication from an EEA Data Subject regarding rights under the GDPR or who has questions concerning the handling of Personal Data from an EEA Data Subject must immediately contact the Privacy Officer or the Office of the General Counsel for guidance.
When processing Personal Data of an EEA Data Subject, appropriate technical and organizational safeguards should be implemented by the University. In accordance with the GDPR, University officials are required to notify the appropriate EEA authority within 72 hours (unless a longer notice period is justified by law) in the event of a data breach affecting Personal Data of an EEA Data Subject.