General Data Protection Regulation

On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data. The GDPR replaces the Data Privacy Directive 95/46/EC and is designed to harmonize data privacy laws across the EU and to protect the data privacy of all EU residents. It affects U.S. higher education institutions that process the personal information of EU residents both as to bringing in employees or students from the EU or sending students abroad to an EU country and monitoring their behavior in some way while there.

Scope of the GDPR

The GDPR applies to any entity, including a university, inside or outside of the EU that is offering goods or services (including educational services) to individuals physically located in the EU (even temporarily), and that is “controlling” or “processing” the personal data of those individuals.

As Andrew Cormack, Chief Regulatory Advisor for JISC in Great Britain stated during an Educause presentation, a great rule of thumb is: “If their feet are on the ground in Europe, the GDPR applies to them. As soon as they board a plane and the plane leaves the ground, GDPR no longer applies to them.” GDPR-covered individuals may therefore include EU citizens, EU residents, U.S. faculty teaching or leading travel study trips in Europe, U.S. students studying in Europe, an individual located in the EU taking a U.S. university’s course online, a U.S. university’s alumni who have relocated to the EU, prospective students or employees of a U.S. university, etc. To the extent your university is collecting, receiving, transmitting, or otherwise using the personal data of any such individuals, you are subject to the GDPR. However, once a GDPR-covered individual physically leaves the EU, the GDPR no longer applies to them.

Examples of individuals covered by the GDPR

1. A citizen of Germany who is currently in Germany is taking an online course from East Stroudsburg University of Pennsylvania. The GDPR is applicable to that student.
2. A Studio Art major (U.S. citizen or permanent resident) from East Stroudsburg University is doing a semester-long internship at the Louvre Museum in France.
3. During the time the ESU student is in France (or any EU country), the GDPR applies to the student.
4. Someone in Milan, Italy, submits a request to from East Stroudsburg University for more information about the University and academic programs offered. The GDPR applies to this person.
5. An alumna from East Stroudsburg University is located in Greece working for an American corporation. While the alumna is in Greece or any EU country, the GDPR applies to her.
6. A Belgium citizen is currently IN THE U.S. on a F-1 Academic Student visa studying at from East Stroudsburg University. The GDPR may have applied to data the University controlled or processed during the time the student was still in Belgium, the GPDR NO LONGER applies to that individual while physically present in the U.S.

Examples of Activities that are Subject to GDPR

• Data collected on student during the admission and matriculation process
• Data collected on students studying aboard
• Data collected on athlete during the recruitment process
• Data collected on faculty and staff during the recruitment process
• Data collected by ESU faculty during research[Data collected in the EU and sold to researcher]
• Data collected through cookies
• Data collected in meta data and logs [library records]

Key Resources

• ESU's GDPR Frequently Asked Questions (FAQ)
• Georgia Institute of Technology
• University of Michigan

Articles About the GDPR

• American Association of Collegiate Registrars and Admissions Officers (AACRAO)
• College and University Professional Association for Human Resources (CUPA-HR)
• EDUCAUSE
• National Association of Student Financial Aid Administrators (NASFAA)
• WICHE Cooperative for Educational Technologies (WCET)