General Data Protection Regulation Compliance Policy


Section:
Governance, Ethics, and General Policies
Policy Name: General Data Protection Regulation Compliance Policy
Policy Owner: Vice President and General Counsel
Responsible University Office: Office of General Counsel
Origination Date: May 24, 2018; February 2019
  1. SCOPE OF POLICY

     This General Data Protection Regulation Compliance Policy (“GDPR Policy”) explains the policies and procedures that apply to the collection, handling and Processing of Personal Data that the University of Delaware (collectively, the “University” or “we,” as applicable) Processes about students and others who are in the European Union.
  2. POLICY STATEMENT

     This Policy reflects the commitment of the University to protect the privacy of Personal Data that the University Processes relating to people in the European Union. Capitalized terms used in this GDPR Policy (including above) have the meanings assigned to them in Section IV or where used within this GDPR Policy. Please note the following general rules:
    1. When Processing Personal Data of Data Subjects who are located in the European Union, every Data User must follow this GDPR Policy, as well as all other University policies specifically related to the Processing of Personal Data, including the Data Governance Policy, Information Security Policy and Incident Response Policy (together with this GDPR Policy, the “Relevant Policies”). If this GDPR Policy and any other Relevant Policy are inconsistent, then this GDPR Policy governs to the extent of the inconsistency.
    2. Please notify the Office of General Counsel (“OGC”) if you believe this GDPR Policy was violated.  The University takes all violations of this GDPR Policy very seriously.  Violations may result in disciplinary action, up to and including termination.
    3. The OGC evaluates, monitors, and documents the University’s compliance with this GDPR Policy; and implements, supervises and maintains this GDPR Policy.
    4. If you have questions or concerns about this GDPR Policy, please contact the OGC.
  3. POLICY STANDARDS AND PROCEDURES
    1. What Is “Personal Data” And Who Is The “Data Controller”?
      1. Personal Data means Data relating to a Data Subject from which that individual can be directly or indirectly identified, either from that Data alone or from other information that is or is reasonably likely to come into the University’s possession. Examples of Personal Data include names, dates of birth, identity card or driver license numbers, contact details held on other University systems, medical data, financial data, and Data collected relating to the time, place and manner of use by individuals of any of the University’s systems and websites.
      2. Data Controllers are the people or organizations that determine the purposes for which and the manner in which any Personal Data are Processed.
      3. Data Processors include any person or organization that Processes Personal Data on behalf of a Data Controller.
      4. The scope of the University’s obligations with respect to Processing Personal Data is determined by whether the University is a Data Controller or Data Processor. The first step to determine whether the University is a Data Controller is to determine from where the control over the Personal Data arises. Control may arise from:
        1. explicit legal competence: an explicit appointment/requirement of the University by law to perform a certain function, e.g., credit checks;
        2. implicit competence: when traditional roles imply a certain responsibility, e.g., students’ Personal Data;
        3. factual influence: an assessment of the factual circumstances, such as by examining contractual relations between the parties involved (although not decisive) or the impression given to Data Subjects as to which party has control over the Processing of their Personal Data and the Data Subjects’ consequent reasonable expectations.
      5. If a person or organization does not have explicit legal authority, implicit competence or factual influence to determine how Personal Data are Processed, it is not a Data Controller.
      6. Please consult with the OGC if you need assistance determining whether the University is a Data Controller or a Data Processor in any particular situation.
    2. What Personal Data Does the University Collect? We collect Personal Data relating to the following categories of EU Data Subjects:
      1. Donors and other individual contributors of money, goods and/or services to the University, including volunteers (Donor Personal Data);
      2. Faculty, instructors and other scholars who visit or the University for a semester or other time period to conduct research, teach or otherwise engage with the University (Scholar Personal Data);
      3. University employees and applicants for employment (Employee Personal Data);
      4. Students and applicants for admission, including academic records, next of kin contact details and employment records (Student Personal Data);
      5. Vendor contacts, industry professionals and other individuals who provide goods and/or services to the University (Supplier Personal Data); and
      6. Users of the University’s websites or other online or offline services, such as symposia (User Personal Data).
    3. Why do we collect Personal Data from Data Subjects? We use Personal Data to manage the University and provide educational and other services, including for legal, personnel, administrative and management purposes. The following explains the specific purposes for which the University holds and Processes different types of Personal Data.
      1. Donor Personal Data
        1. administration and management of our relationships with our contributors and volunteers;
        2. responding to inquiries from our contributors and volunteers;
        3. marketing and promotion of the University; and
        4. compliance with applicable law.
      2. Scholar Personal Data
        1. administration and management of our relationships with faculty, instructors and other scholars who are engaged with the University;
        2. responding to inquiries from our faculty, instructors and other scholars about the University;
        3. promotion of opportunities with the University; and
        4. compliance with applicable law.
      3. Employee Personal Data
        1. administration and management of our relationships with employees and applicants;
        2. responding to inquiries from employees or applicants; and
        3. compliance with applicable law.
      4. Student Personal Data
        1. administration and management of our relationships with our students and applicants;
        2. responding to student and applicant inquiries;
        3. marketing and promotion of the University; and
        4. compliance with applicable law.
      5. Supplier Personal Data
        1. administration of the receipt of goods and services from suppliers;
        2. administration and management of relationships with suppliers; and
        3. compliance with applicable law.
      6. User Personal Data
        1. supply of marketing and promotional materials;
        2. tracking website usage and administration and management of the University’s other electronic systems;
        3. administration and management of the University’s offline services, such as symposia; and
        4. compliance with applicable law.

        The University may share the Personal Data it collects with third parties Processing on the University’s behalf. The University only shares Personal Data with third parties that are required to protect Personal Data in accordance with applicable law and subject to appropriate security measures and directions from the University. The University must satisfy additional requirements if Personal Data are transferred to third parties located outside of the EU. If you are not sure about whether these necessary transfer requirements are met by a third party, do not share any Personal Data until receiving authorization from the OGC.

    4. How do we Process Personal Data? The University Processes all Personal Data in accordance with the data protection principles below. Data Users who Process Personal Data must follow these principles.
      1. Processing must be fair, lawful and transparent. For Personal Data to be Processed fairly and transparently, when the University collects Personal Data directly from Data Subjects, the University (as a Data Controller) must inform Data Subjects of the following:
        1. That the University is the Data Controller in regard to their Personal Data and the University’s contact details;
        2. The contact details for exercising or making requests about their privacy rights;
        3. Each purpose for which the University intends to Process their Personal Data and the legal basis;
        4. If the Processing is based on the grounds of legitimate interests, the legitimate interests pursued by the University or by a third party and an explanation of those interests; “Legitimate interest” is defined in GDPR Article 6f and requires a case-by-case balancing test.  The legitimate interest must be consistent with the data protection principles and not be overridden by personal privacy interests.
        5. If the Processing is based on consent, their right to withdraw consent at any time using any reasonable means;
        6. The third parties or categories of third parties, if any, to whom the University will disclose their Personal Data;
        7. Details of any transfers of their Personal Data out of the EU, the safeguards the University has in place and the means by which to obtain information about the safeguards (where relevant);
        8. The Personal Data retention period or criteria used to determine retention periods;
        9. The existence of their rights: to request access to their Personal Data; to request rectification or erasure of their Personal Data; to restrict or object to Processing; to request data portability; and to complain to the relevant regulator if they are unhappy with how the University is Processing their Personal Data;
        10. Details of any automated decision-making, including profiling and the logic involved, as well as the significance and consequences for the Data Subject of the Processing; and
        11. Whether providing Personal Data is a statutory or contractual requirement and the consequences of failing to provide the Personal Data.
      2. Processing must be for a limited and specific purpose. In general, Personal Data must only be Processed for the specific purposes notified to the Data Subject when the Personal Data was first collected or for any other purposes specifically permitted by applicable law. That is, Personal Data should not be collected for one purpose and then used for another unless and until the Data Subject is informed. In some cases, the Data Subject’s consent also may be required. When the University intends to Process Personal Data for a purpose other than the specific purpose for which the Personal Data was first collected, the University will provide the Data Subject with information on the new purpose prior to the further Processing.
      3. Processing must be adequate, relevant and limited to what is necessary for the purposes. Personal Data must only be collected to the extent that it is required for the specific purpose notified to the Data Subject.  Do not collect any Personal Data that is not necessary for that purpose in the first place.
      4. Personal Data must be accurate and kept up to date. Steps should be taken to check the accuracy of Personal Data at the point of collection and at regular intervals afterward. Correct, destroy or erase inaccurate or out-of-date Personal Data, as appropriate.
      5. Personal Data must not be kept longer than necessary for the purpose for which it was Processed. Personal Data must be destroyed or erased from our systems when it is no longer required for the specified purpose for which it was collected, provided that the University may retain Personal Data in order to comply with applicable laws, rules, and regulations. For guidance on how long certain Data (including Personal Data) may be kept before being destroyed, please see Section III.H.
      6. Personal Data must be Processed in line with the rights of Data Subject.  Data Subjects whose Personal Data are Processed by the University may have a number of rights under applicable law, as further set forth in Section III.E below.
      7. Personal Data must be kept secure. Appropriate security measures must be taken against unlawful or unauthorized Processing of Personal Data, and the accidental loss or unavailability of, or damage to, Personal Data. Applicable law requires us to put in place procedures, technologies and other measures to maintain the security of all Personal Data from the point of collection to the point of destruction.  Please refer to the University Information Security Policies (available at http://www1.udel.edu/security/policies/) for guidance and standards designed to protect the University’s information and IT assets. The University has and will maintain in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.  Any Data security incidents that involve or may involve Personal Data must be immediately reported to the Office of General Counsel.  An assessment will then be carried out to determine whether a personal data breach (as defined by applicable law) has occurred.
      8. Personal Data must not be transferred to people or organizations situated outside the EU unless it will be adequately protected. The University follows certain restrictions when transferring Personal Data outside the EU, including to the USA.  The University may transfer Personal Data to a third party outside the EU, provided that one of the following conditions applies:
        1. The non-EU country to which the Personal Data is transferred ensures an adequate level of protection for the Data Subjects’ rights and freedoms. The European Commission deems certain countries to have an adequate level of data protection. The list of these countries is available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.
        2. The transfer is lawful pursuant to one of the derogations in the GDPR, such as the Data Subject has given his or her explicit consent; the transfer is necessary for the performance of a contract; for public interest reasons; authorized by law; necessary for the defense of legal claims, or to protect the vital interests of the Data Subject.
        3. Where none of the above safeguards or derogations apply, a transfer to a non-EU country may take place if the transfer is not repetitive, concerns only a limited number of Data Subjects and is necessary for the legitimate interest of the University which is not overridden by the rights of Data Subjects. The University must inform the applicable EU data protection regulator and the Data Subject of the transfer and the legitimate interests pursued.

        When required by applicable law, the University will inform Data Subjects of any Data transfers to third parties outside the EU, the safeguards we have in place and the means by which to obtain a copy of them, where relevant.

      9. Personal Data from Other Sources: If the University receives Personal Data about a Data Subject from other sources, the University will provide the Data Subject with the information described in this Section III.D.1, as well as the categories of Personal Data concerned, the source from which the Personal Data originated and, if applicable, whether the Personal Data came from publicly accessible sources. The University will provide this information to the Data Subject within one month of obtaining the Personal Data, at the time of the first communication to the Data Subject (where applicable), or if a disclosure to another recipient is anticipated, when the Personal Data is first disclosed.
      10. Legal Grounds for Processing: Personal Data are Processed lawfully only when Processed on the basis of one of the legal grounds set out below:
        1. The Data Subject has given his/her free, informed, specific and unambiguous consent;
        2. It is necessary for the performance of a contract with the Data Subject or to take steps at the request of the Data Subject prior to entering into a contract;
        3. Compliance with a legal obligation to which the Data Controller is subject;
        4. It is necessary to protect the vital interests of the Data Subject or another person; or
        5. It is necessary for the legitimate interests of the Data Controller or a third party to whom or which the Personal Data are lawfully disclosed, unless those interests are overridden by the interests of the Data Subject.
      11. Processing Special Personal Data: Processing of Special Personal Data is prohibited unless one of the following separate legal grounds applies:
        1. The Data Subject has given his/her explicit consent;
        2. The Special Personal Data were made public by the Data Subject;
        3. It is necessary for the establishment or defense of the University’s legal claims; or
        4. It is necessary to protect the vital interests of the Data Subject when the Data Subject is physically or legally incapable of giving his/her consent.

        In most cases, the Data Subject’s explicit consent to the Processing of Special Personal Data is required. Please contact the OGC for further guidance in relation to Special Personal Data.
    5. Rights of Data Subjects and Data Subject Access Requests
      1. Data Subjects may have the following rights regarding the Processing of their Personal Data.  Notify the OGC immediately if a Data Subject contacts you to:
        1. request access to or certain information about any Personal Data held by the University about the applicable Data Subject (including the purposes for which the Personal Data is Processed, how long it will be stored, details of any automated decision making, and the Data Subject’s right to lodge a complaint with a supervisory authority). This is known as a “Subject Access Request” (as further described in Section III.E.2 below);
        2. ask to have inaccurate Personal Data amended or erased;
        3. request the erasure of their Personal Data;
        4. object to or restrict the Processing of their Personal Data;
        5. request that their Personal Data be transferred to another Data Controller or provided in a format that will permit this transfer;
        6. request that the University cease Processing of his or her Personal Data when the Processing is likely to cause unwarranted substantial damage or distress to themselves or anyone else; and/or
        7. object to decision making based solely on automated Processing, including profiling, when the decision-making produces a legal effect or another significant effect on the Data Subject, except where the decision is necessary for the performance of a contract, authorized by law or based on the Data Subject’s consent.
      2. Subject Access Requests: Subject Access Requests may be made in writing or orally. Before responding to an oral request (such as via telephone), the caller’s identity must be verified. If his or her identity cannot be verified, you must request the caller to put his or her request in writing. Establishing the identity of the Data Subject making the Subject Access Request should be done by carrying out standard checks on the date of birth and address details, e.g., ask for a driver’s license or another form of identification. If you receive a Subject Access Request from a Data Subject for his or her Personal Data, please contact the OGC immediately because the University must respond to the request within mandatory time limits.
      3. A Data Subject has a right of access to a copy of the Personal Data that the University holds about him/her, as well as the following information:
        1. The purposes of the Processing;
        2. The categories of the Personal Data concerned;
        3. The recipient to whom the Personal Data have been or will be disclosed;
        4. The data retention period or criteria used to determine same;
        5. The existence of the right to request rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning that Data Subject or to object to such Processing;
        6. The right to lodge a complaint with the relevant data protection regulator;
        7. When Personal Data is not collected from the Data Subject, any available information as to the Personal Data’s source;
        8. The existence of automated decision-making, including profiling, the logic involved, and the anticipated consequences of such Processing for the Data Subject; and
        9. If Personal Data of a Data Subject is transferred out of the EU, the Data Subject must be informed of the appropriate safeguards in place.
      4. The University will provide a copy of the Personal Data (i) free of charge but may charge a reasonable fee, based on administrative costs, for any further copy the Data Subject requests and (ii) without undue delay, and at the latest within one month of receipt of the Data Subject’s request. This period may be extended by two more months where requests are numerous or complex. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information will be provided in a commonly used electronic form.
      5. The University is required to provide the Data Subject with information on actions taken in response to the exercise of any of these rights without undue delay, and at the latest within one month of receipt of the Data Subject’s request. This period may be extended by two further months where requests are numerous or complex.
      6. Dealing with requests for any inaccurate or incomplete Personal Data to be rectified: When a Data Subject has requested the rectification of his or her Personal Data, the University must inform recipients to whom that Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort. The University must also inform the Data Subject about the recipients to whom his or her Personal Data has been disclosed if he/she requests it.
      7. Dealing with objections to or requests for erasure or restriction of processing in specified circumstances: When a Data Subject has requested the erasure or restriction of his or her Personal Data, the University must inform recipients to whom that Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort. The University must also inform the Data Subject about the recipients to whom his or her Personal Data has been disclosed if he/she requests it. The following methods may be used to restrict Processing the Personal Data:
        1. temporarily moving the selected Personal Data to another processing system;
        2. making the selected Personal Data unavailable to other users; or
        3. anonymizing or encrypting Personal Data.
      8. In automated filing systems, the restriction of Processing should be achieved by technical means so that the Personal Data is not subject to further Processing operations and cannot be changed. The fact that the Processing of Personal Data is restricted should be clearly indicated in the system.
      9. When a Data Subject has exercised his/her right to restrict Processing of his/her Personal Data, the University is permitted to store the Personal Data but not further Process the Personal Data. The University can only continue to Process the Personal Data where:
        1. The Data Subject consents;
        2. The Processing is necessary for the exercise or defense of legal claims;
        3. The Processing is necessary for the protection of the rights of other individuals or legal persons; or
        4. The Processing is necessary for public interest reasons.

        The University must notify the Data Subject before lifting the restriction.
      10. Dealing with requests for data portability: When a Data Subject has requested to port his or her Personal Data provided to the University, the University must provide the Personal Data in a structured, commonly used and machine-readable (i.e., electronic) format and have the Personal Data transmitted to another Data Controller without hindrance. This right does not extend to Personal Data generated by the University.
      11. Dealing with requests not to be subject to a decision based solely on automated processing, including profiling: the University may use automated processing of Personal Data if it is:
        1. necessary to enter into, or to perform, a contract between a Data Subject and the University;
        2. authorized by EU law; or
        3. based on the Data Subject’s explicit consent.

        In the case of contract performance and explicit consent, the University must implement suitable measures to safeguard the Data Subject. At a minimum, the safeguards must include a means for the Data Subject to obtain human intervention in order to express their point of view and to contest the decision.
      12. Dealing with objections to Processing: When a Data Subject has objected to the University’s Processing of his/her Personal Data for one of the following purposes:
        1. public interest or legitimate interest grounds (including profiling based on those grounds);
        2. direct marketing (including profiling to the extent that it is related to such marketing); or
        3. scientific, historical research or statistical purposes (unless the Processing is necessary for the performance of a public interest task),

        the University must stop Processing the Personal Data unless the University can demonstrate either compelling legitimate interests for the Processing which do not override the rights of the Data Subject or that the Processing is necessary for the defense of legal claims. The University cannot refuse to comply with a Data Subject’s objection to Processing for direct marketing purposes.
    6. Providing information to third parties
      1. Personal Data only may be transferred to a third-party Data Processor if that Data Processor can provide the University with sufficient guarantees that it can meet the requirements of applicable law and this GDPR Policy. As a Data Controller, the University will enter into a written contract (known as a “data processing addendum”) with the Data Processor that describes the subject-matter and duration of the Processing, the nature, and purpose of the Processing, the type of Personal Data and the categories of Data Subjects.  The contract shall set out the specific mandatory obligations of Data Processors, including to:
        1. Process the Personal Data only on documented instructions from the University, including with regard to non-EU transfers;
        2. Confirm the Data Processor’s employees are committed to confidentiality;
        3. Take all appropriate technical and organizational security measures;
        4. Sub-contract only with prior written authorization of the University;
        5. Assist the University in complying with the rights of Data Subjects;
        6. Assist the University in complying with its security, data breach notification, and Data Protection Impact Assessment;
        7. Delete or return all Personal Data to the University, if requested, after providing Processing services; and
        8. Make available to the University all information necessary to demonstrate compliance with its Processing obligations, allow audits, including inspections, to be conducted by the University, and immediately inform the University if an instruction infringes applicable law.
      2. Please take care when disclosing any Personal Data held by the University to any third party. In particular, all University employees should:
        1. check the identity of the person making the inquiry and whether he/she is legally entitled to receive the information he/she has requested;
        2. suggest that the third party put its request in writing so the third party’s identity and entitlement to the information may be verified;
        3. provide information only in accordance with the eight data protection principles (see above Section III.D) and use reasonable due diligence to check the other party’s security systems and processes;
        4. check whether the University has a contract in place with the third party and, if Personal Data are involved, confirm that the contract contains the obligations listed in Section III.F;
        5. consider whether the third party really needs to have the Personal Data;
        6. assess the potential benefits and risks to both the University and the Data Subjects involved of sharing/not sharing the Personal Data;
        7. consider whether the objective could be achieved without sharing Personal Data (e.g., can the Personal Data be anonymized?); and
        8. refer to the OGC for assistance in difficult situations.
    7. Record keeping
      1. The University shall demonstrate its compliance with this GDPR Policy by maintaining accurate and detailed records of:
        1. all Processing activities carried out by the University involving Personal Data, including details of (i) the Data Controller; (ii) purposes of the Processing; (iii) categories of Personal Data and Data Subjects; (iv) categories of recipients of the Personal Data; (v) transfers of the Personal Data to countries or organizations outside the EU and the appropriate safeguards put in place; (vi) anticipated time limits for retention of the Personal Data; and (vii) a description of the technical and organizational security measures in place to protect the Personal Data;
        2. any consents provided by Data Subjects to the Processing of their Personal Data; and
        3. all GDPR-related policies and procedures.

        Employees who Process Personal Data on behalf of the University shall retain adequate notes and records of all of the above in relation to such Processing activities.
    8. Document Retention
      1. As described in Section III.D.5, Personal Data should be destroyed and/or erased from our systems when it is no longer required for the relevant specified purpose for which it was collected. Please note that the University still must retain Personal Data in order to comply with applicable laws, rules, and regulations but may not Process the Personal Data in the records when that Personal Data is no longer needed for the purposes for which it was originally Processed.
      2. As soon as the University becomes aware of any contemplated litigation, all documents potentially relating to that litigation must be preserved and routine document destruction procedures for those documents must be placed on hold. Any employee who receives notice of any contemplated litigation should refer the matter to the OGC.
      3. For further guidance on document retention and destruction, please consult the Office of General Counsel.
    9. Periodic Privacy Risk Assessments
      1. The Office of General Counsel, in collaboration with the University’s Information Technology department, shall conduct a Data Protection Impact Assessment (DPIA) as needed for any new type of Processing of Personal Data that is likely to result in a high risk to privacy rights of students, scholars, and others. The University is responsible for determining what is “high risk” based on the facts and circumstances of the University’s Personal Data Processing.  The purpose of the DPIA is to enable the University to assess the nature and severity of the “high risks” in advance of starting the new type of processing so that the University can adopt appropriate measures to mitigate the risks.  Please contact the OGC for more information.
      2. The OGC, in collaboration with the University’s Information Technology department, also shall be responsible for overseeing the preparation of periodic privacy risk self-assessments for current Personal Data Processing. Such self-assessments shall be conducted no less than once every two (2) years or more often if a significant organizational change indicates that a re-evaluation of any risk identified in a prior self-assessment is needed to ensure that the University is complying with the data protection principles or applicable law. The risk assessment process shall include evaluation of the reasonably foreseeable internal and external risks to the University’s technical infrastructure and Personal Data, as well as the safeguards in place to manage those risks in each relevant area of operations, including:
        1. Employee management and training;
        2. Information Technology;
        3. Information processing, storage, and transmission;
        4. Vendor management;
        5. Disposal of paper and electronic records; and
        6. Security management, including the prevention of, detection of, and response to attacks, intrusions or other systems failures.
    10. Policy Against Retaliation
      1. The University strictly prohibits threatening, intimidating, harassing or any other retaliatory action against any individual for the good-faith exercise of any right established by this GDPR Policy or applicable law, including the right to:
        1. File a good-faith complaint;
        2. Testify, assist or participate in good faith in an investigation, compliance review, proceeding or hearing involving a Personal Data compliance issue; or
        3. Oppose any act or practice made unlawful by applicable law, provided that the individual or person has a good-faith belief that the practice opposed is unlawful and the manner of opposition is reasonable and does not involve disclosing Personal Data in violation of applicable law.
      2. If any employee witnesses or has reason to believe or suspect that another employee has engaged in any retaliatory act prohibited under this GDPR Policy, the employee must immediately report the matter to the OGC.
    11. The OGC should be notified immediately of any actual violations or any suspected violations of this GDPR Policy.
    12. Monitoring and review of this GDPR policy
      1. This GDPR Policy is reviewed at least annually by the Office of General Counsel. The OGC will continue to review the effectiveness of this policy to confirm it is achieving its stated objectives in accordance with GDPR.
      2. The University reserves the right to change this GDPR Policy at any time and, where appropriate, we will notify Data Users of the changes by mail, email or posting.
  4. DEFINITIONS
    As used in this GDPR Policy, the following terms shall have the meanings indicated.
    1. “Criminal Data” includes Data relating to criminal convictions and offenses. Criminal Data may only be Processed where permitted by law. If you expect to Process Criminal Data, you must receive written approval from the OGC before doing so.
    2. “Data” is information which is stored electronically on a computer or in certain paper-based filing systems.
    3. “Data Controller and Data Processor” are as defined in Section III.
    4. “Data Subject” includes students, scholars and other living individuals who reside in the European Union about whom the University holds Personal Data. An individual is treated as a Data Subject if he or she is located in the EU when he or she first engages with the University or if he or she subsequently provides to the University a residential address located in the EU.
    5. “Data Users” include employees or others whose work involves any Processing of Personal Data. Data Users who Process Personal Data on behalf of the University must follow this GDPR Policy at all times.
    6. “European Union” or “EU” means the political and economic union of member states located primarily in Europe and listed here: https://europa.eu/european-union/about-eu/countries_en, together with the EFTA States of Norway, Iceland and Liechtenstein.
    7. “Personal Data” is as defined in Section III.
    8. “Processing” (and its variants (Process, Processed, Processes)) is any activity that involves use or retention of Personal Data. Processing includes obtaining, recording or holding the Personal Data, or carrying out any operation or set of operations on the Personal Data including organizing, amending, retrieving, using, disclosing, erasing, or destroying the Personal Data.  Processing also includes transferring Personal Data to third parties.
    9. “Special Personal Data” is a subset of Personal Data and it includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life or orientation, or genetic or biometric identifiers. Special Personal Data can only be Processed under strict conditions and will usually require the explicit consent of the Data Subject. If you expect to Process Special Personal Data about Data Subjects, you must notify the OGC before doing so. If you unexpectedly receive Special Personal Data from or about Data Subjects, please inform the OGC as soon as practicable.