
Policies, Standards, and Guidelines

European Union General Data Protection Regulation Compliance Policy

1.   Reason for Policy

The European Union has adopted a data privacy regulation that applies throughout the entire European Union (“EU”) and to those outside the EU who collect Personal Data about people in the EU. The European Union General Data Protection Regulation (“EU GDPR”) imposes obligations on entities, like the University of Georgia, that collect or process Personal Data about people in the EU. The EU GDPR applies to Personal Data collected or processed about anyone located in the EU, regardless of whether that person is a citizen or permanent resident of an EU country.[1]

The University is an institution of higher education involved in education, research, and community development. In order for the University to educate its students both in class and online, engage in world-class research, and provide community services, it is essential and necessary for the University to collect, process, use, and maintain data about its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs, and the University has lawful bases for doing so. The purposes for which the University relies on these lawful bases include, without limitation, admission, registration, delivery of classroom, online, and study abroad education, grades, communications, employment, research, development, program analysis for improvements, and records retention. Examples of data that the University may need to collect for these purposes are: name, email address, IP address, physical address or other location identifier, and photos, as well as some Sensitive Data obtained with prior consent.

The University of Georgia takes seriously its duty to protect the Personal Data it collects or processes. In addition to the University’s overall data protection program, the University of Georgia must make sure it complies with the requirements of the EU GDPR. Among other things, the EU GDPR requires the University to:

  1. be transparent about the Personal Data it collects or processes and the uses it makes of any Personal Data;
  2. keep track of all uses and disclosures it makes of Personal Data; and
  3. appropriately secure Personal Data.

This policy describes the University’s data protection strategy to comply with the EU GDPR.

2.   Policy Statement

2.1  Lawful Basis for Collecting or Processing Personal Data

The University of Georgia has a lawful basis to collect and process Personal Data.  Most of the University’s collection and processing of Personal Data will fall under the following categories:

a. Processing is necessary for the purposes of the legitimate interests pursued by the University of Georgia or by a third party.

b. Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.

c. Processing is necessary for compliance with a legal obligation to which the University of Georgia is subject.

d. The Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes.

There will be some instances where the collection and processing of Personal Data will be pursuant to other lawful bases.

2.2  Data Protection & Governance

The University of Georgia will protect all Personal Data and Sensitive Data that it collects or processes on a lawful basis. Any Personal Data and Sensitive Data collected or processed by the University of Georgia shall be:

a. Processed lawfully, fairly, and in a transparent manner;

b. Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;

c. Limited to what is necessary in relation to the purposes for which it is collected and processed;

d. Accurate and kept up to date;

e. Retained only as long as necessary; and

f. Secure.

2.3 Sensitive Data & Consent

Sensitive Data is a subset of Personal Data and is subject to stricter collection and processing standards. The University of Georgia must obtain consent from the Data Subject before it collects or processes Sensitive Data.

2.4 Information to be Provided to Data Subjects

Individual Data Subjects covered by this policy will be provided the following information at the time Personal Data is collected from the Data Subject:

a. information about the Controller collecting the Personal Data;

b. contact details for the data protection officer (if assigned);

c. the purposes and lawful basis of the data collection/processing, including the legitimate interest for the processing (if applicable);

d. who the recipients or categories of recipients of the Personal Data are;

e. whether the University intends to transfer Personal Data to another country or international organization;

f. the period for which the Personal Data will be stored;

g. the existence of the right to access, make corrections to, or erase Personal Data, the right to restrict or object to processing, and the right to data portability;

h. the existence of the right to withdraw consent at any time (if applicable);

i. the right to lodge a complaint with a supervisory authority (established in the EU);

j. justification for why the Personal Data are required, and possible consequences of the failure to provide the Personal Data;

k. the existence of automated decision-making, including profiling; and

l. if the collected Personal Data are going to be further processed for a purpose other than that for which it was collected.

2.5 Rights of Data Subjects

Individual Data Subjects covered by this policy will be provided the following rights (as applicable), provided that the University determines that the exercise of the right is permitted and/or required by the EU GDPR:

a. the right to receive confirmation from the University as to whether the Data Subject’s Personal Data is being processed by the University, and if so, the right to access such Personal Data and the right to receive information regarding, among other things, the categories of Personal Data collected and how such Personal Data is being used;

b. the right to correct inaccurate Personal Data concerning the Data Subject;

c. the right to obtain erasure of Personal Data concerning the Data Subject;

d. the right to restrict or object to the processing of the Data Subject’s Personal Data; and

e. the right to request a copy of Personal Data concerning the Data Subject.

3.   Scope

This policy applies to the Personal Data and Sensitive Data protected by the EU GDPR and all University of Georgia units who collect or process Personal Data and Sensitive Data protected by the EU GDPR.

4.   Definitions

Collect or Process Data

Collection, storage, recording, organizing, structuring, adaptation or alteration, consultation, use, retrieval, disclosure by transmission/dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction of Personal Data, whether or not by automated means.

Consent

Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

Under the EU GDPR:

a)     Consent must be a demonstrable, clear, affirmative action.

b)    Consent can be withdrawn by the Data Subject at any time, and it must be as easy to withdraw consent as it is to give consent.

c)     Consent cannot be silence, a pre-checked box or inaction. Consent must be “opt-in” rather than “opt-out.”

d)    Consent should not be regarded as freely given if the Data Subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

e)     A request for consent must be presented clearly and in plain language.

f)     The Controller must maintain a record of how and when consent was given, so that it can demonstrate that the Data Subject consented.

Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. When the University and its employees or agents are determining the purposes and means of the processing of Personal Data, the Controller is the University.

Data Subject

A Data Subject is an identified or identifiable natural person.

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Examples of identifiers include but are not limited to: name, photo, email address, identification number such as a MyID, social security number, physical address or other location data, IP address or other online identifier.

Lawful Basis

Processing of Personal Data shall be lawful only if and to the extent that at least one of the following applies:

a)     The Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;

b)    Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

c)     Processing is necessary for compliance with a legal obligation to which the Controller is subject;

d)    Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;

e)     Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

f)     Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party.

Legitimate Interest

Processing of Personal Data is lawful if such processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data. Before relying on this basis, the University Unit must weigh its interest against the Data Subject’s rights and document that balancing.

Located in the EU

A Data Subject is located in the EU if they are physically located in the EU at the time that Personal Data is collected about that Data Subject.

Personal Data

Any information relating to an identified or identifiable person (the Data Subject) and subject to the EU GDPR.

Processor

A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Sensitive Data

Special categories of Personal Data that require consent by the Data Subject before collecting or processing are:

a)     Racial or ethnic origin;

b)    Political opinions;

c)     Religious or philosophical beliefs;

d)    Trade union membership;

e)     Genetic data, and biometric data processed for the purpose of uniquely identifying a natural person;

f)     Health data; and

g)    Data concerning a person’s sex life or sexual orientation.

University Unit

A University of Georgia college, school, office or department.

5.   Procedures

5.1 Data Governance

Document Lawful Basis for Collection or Processing

All University of Georgia Units that collect or process Personal Data protected by the EU GDPR must document, using the online University of Georgia EU GDPR Lawful Basis Form, the lawful basis for the collection or processing of the Personal Data and Sensitive Data they collect or process, why they collect it, and how long they keep it.

All data at the University of Georgia shall be kept in compliance with the USG-BOR Records Retention Schedules.

 

5.2.  Privacy Notice

The University of Georgia’s Privacy Notice

The University of Georgia’s Privacy Notice to Data Subjects must specify the lawful basis for the University to collect or process Personal Data and include:

a)     whether their Personal Data are being collected or processed and for what purpose;

b)    the categories of Personal Data concerned;

c)     to whom Personal Data is disclosed;

d)    the storage period (records retention period);

e)     the existence of the individual’s rights to rectify incorrect data and to erase, restrict or object to processing;

f)     how to lodge a complaint;

g)    the source of the Personal Data (if not collected from the Data Subject); and

h)    the existence of automated decision-making, including profiling.

A link to the University of Georgia Privacy Notice is available on the footer of all University of Georgia websites – “Privacy Notice”: https://eits.uga.edu/access_and_security/infosec/pols_regs/policies/privacy/

[NOTE:  The University of Georgia Privacy Notice will be in final form by May 25, 2018]

University of Georgia Units Privacy Notice

Each University of Georgia Unit that collects or processes Personal Data protected by the EU GDPR must create and publicly post a privacy notice that meets the requirements (a) through (h) set forth above.

 

5.3 Consent

Documentation of Consent

University of Georgia Units must obtain explicit, affirmative consent before they collect or process Sensitive Data, and must retain a record of how and when that consent was given.

Units may use the University of Georgia EU GDPR Model Consent Form (see Section 6, Forms) for this purpose.

Withdrawal of Consent

The University of Georgia must have a process for individuals who request to withdraw their consent.

 

5.4 Individual Rights

Exercise of Rights

Any individual wishing to exercise their rights under this policy should contact EITS Office of Information Security at: infosec@uga.edu. The individual may be requested to provide additional information to facilitate the exercise of such individual’s rights.

 

5.5 Data Protection

Security of Personal Data

All Personal Data and Sensitive Data collected or processed by any University of Georgia Unit under the scope of this policy must be protected in accordance with the security controls and the systems and process requirements and standards set forth in the University of Georgia Data Classification and Protection Policy found at: https://eits.uga.edu/access_and_security/infosec/pols_regs/policies/dcps/

Breach Notification

Any University of Georgia Unit that suspects that a breach or unauthorized disclosure of Personal Data has occurred must immediately notify the Information Security Office at: infosec@uga.edu. Prompt internal reporting matters because the EU GDPR requires the Controller to notify the competent supervisory authority of a qualifying breach without undue delay and, where feasible, within 72 hours of becoming aware of it.

6.   Forms

EU GDPR Lawful Basis Form: Click here to download GDPR Lawful Basis Form

EU GDPR Model Consent Form: Click here to download EU GDPR Model Consent Form

7.   Responsibilities

7.1. Responsible Party:

University of Georgia Units

To document the lawful basis for Personal Data or Sensitive Data collected or processed pursuant to this policy.

To cooperate with Enterprise Information Technology Services when individuals inquire about their Personal Data or Sensitive Data collected or processed pursuant to this policy (See Sections 2.4 and 2.5).

To immediately notify (24/7) and cooperate with the University of Georgia Information Security Office relating to any data breach: infosec@uga.edu

7.2. Responsible Party:

Enterprise Information Technology Services

To field inquiries about Personal Data or Sensitive Data collected from individuals while in the EU (See Sections 2.4 and 2.5).

To coordinate with University of Georgia Unit responding to inquiries about Personal Data or Sensitive Data collected from individuals while in the EU.

7.3. Responsible Party:

Information Security Office

To answer questions about and review data security measures.

To handle data breach notification for the University.

8.   Enforcement

Violations of the policy may result in loss of system, network, and data access privileges, administrative sanctions (up to and including termination or expulsion) as outlined in applicable University of Georgia disciplinary procedures, as well as personal civil and/or criminal liability.  

To report suspected instances of noncompliance with this policy, please contact the Office of Information Security at infosec@uga.edu.

Enforcement of the EU GDPR shall be carried out by the appropriate Data Protection Authority within the European Union.

9.   Related Information

EU General Data Protection Regulation (EU GDPR): https://www.eugdpr.org

UGA Privacy Notice: https://eits.uga.edu/access_and_security/infosec/pols_regs/policies/privacy/

UGA Data Classification and Protection Policy: https://eits.uga.edu/access_and_security/infosec/pols_regs/policies/dcps/

UGA Data Management and Governance: https://datamanagement.uga.edu/

USG-BOR Records Retention Schedules: http://www.usg.edu/records_management/schedules

10.   Policy History

Revision Date: May 10, 2018; Author: GDPR Compliance Committee; Description: New Policy

[1]The European Union currently consists of 28 Member States, listed here: https://europa.eu/european-union/about-eu/countries_en. While the United Kingdom has taken initial steps to depart the EU (“Brexit”), the formal separation will not occur prior to May 25, 2018. As a result, for at least some period of time the University’s operations in the United Kingdom and with respect to individuals located in the United Kingdom will need to be conducted in compliance with the GDPR. It is also likely that the post-Brexit United Kingdom will adopt some form of data protection and privacy approach similar to the GDPR.