Governance, Ethics and General

General Data Protection Regulation Compliance Policy

Section:	Governance, Ethics, and General Policies
Policy Name:	General Data Protection Regulation Compliance Policy
Policy Owner:	Vice President and General Counsel
Responsible University Office:	Office of  General Counsel
Origination Date:	May 24, 2018
Revisions:	February 2019; February 2, 2022
Legacy Policy Number::	New

1. SCOPE OF POLICYThis Policy addresses the University’s compliance with the European Union’s General Data Protection Regulation (“GDPR”)[1] which sets standards applicable to the Processing of Personal Data about Data Subjects (as these terms are defined below) located in the European Economic Area (“EEA”), as well as the rights of Data Subjects with regard to their Personal Data. This Policy applies to all University personnel but imposes additional obligations on the GDPR Components, defined below, that Process Personal Data.
2. DEFINITIONS
   1. “Personal Data” means any information related to an identified or identifiable natural person a “Data Subject”). Personal Data includes name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of such natural person. Personal Data becomes “Sensitive Personal Data” when it reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation.
   2. “Processing” means doing anything to Personal Data, including any collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, erasure, or destruction.
   3. “GDPR Component” means those University offices or units that collect, store, or use the Personal Data of applicants, students, faculty, or staff or any other person while they are in the EU to the extent that the University’s activities with respect to such persons (i) intentionally target goods or services to persons within the EEA when making the offer and regardless of whether payment is required; or (ii) purposefully monitor the behavior of Data Subjects while in the EEA. The GDPR Components include:
      1. Office of the University Registrar
      2. Student Financial Services
      3. Center for Global Programs and Services
      4. Office of Development and Alumni Relations
      5. Information Technologies
      6. Human Resources
3. POLICY STATEMENTThe University will Process Personal Data in accordance with the GDPR, and as further specified in this Policy, when University activities (i) intentionally target goods or services to persons within the EEA when making the offer and regardless of whether payment is required, or (ii) purposefully monitor the behavior of persons located in the EEA (collectively, “University GDPR Activities”).
4. POLICY STANDARDS AND PROCEDURES
   1. University GDPR Obligations. When engaging in University GDPR Activities, the University will comply with the GDPR and will Process the Personal Data by:
      1. Limiting its collection of Personal Data from Data Subjects to that required to (i) provide services to students, faculty, staff and others associated with the University, (ii) administer University programs, and (iii) perform contractual obligations.
      2. Processing the Personal Data lawfully, fairly, and in a transparent manner, limited only to the Personal Data which is (i) necessary, (ii) maintained for accuracy, (iii) stored only for the length of time required or needed, and (iv) safeguarded from unauthorized disclosure.
      3. Processing the Personal Data for a legal basis such as when:
         1. The Data Subject has consented to the Processing for a specific purpose;
         2. The Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
         3. The Processing is necessary for compliance with a legal obligation to which the University is subject;
         4. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University; or
         5. Processing is necessary for the legitimate interests pursued by the University or by a third party, except where such interests are overridden by the interest of the fundamental rights and freedoms of the Data Subject which requires the protection of the Personal Data.
      4. Limiting the request for Sensitive Personal Data and Processing it only with the express consent of the Data Subjects. Notwithstanding the foregoing, in some circumstances, health information may be required under state or federal law in order for the University to provide services or in the interest of public health and safety.
      5. Allowing Data Subjects to exercise their rights under the GDPR, including the right to:
         1. Access their Personal Data that the University Processes;
         2. Rectify inaccuracies in Personal Data that the University holds about them;
         3. Have their Personal Data removed from systems that the University uses to Process their Personal Data;
         4. Restrict the Processing of their Personal Data in certain ways;
         5. Obtain a copy of their Personal Data in a commonly used electronic form;
         6. Object to certain Processing of their Personal Data by the University; and
         7. Request that the University stop sending them direct marketing communications, if any.
      6. Maintaining and implementing policies designed to protect the confidentiality and security of Personal Data.
      7. Ensuring that appropriate safeguards are in place to protect the Personal Data when it is necessary for the University to transfer Personal Data to third parties within and outside of the EEA in order to conduct University functions. Such safeguards include but are not limited to requiring third parties to execute contractual clauses to secure the Personal Data or to anonymize the Personal Data.
      8. Retain Personal Data in accordance with applicable state and federal laws, regulations, and accreditation guidelines as well as other University policies; and securely destroy Personal Data when no longer required for University services and programs, upon the request, or after the expiration of any applicable retention period, whichever is later.
      9. In the event of a breach of Personal Data, notify the affected Data Subjects and other regulatory authorities as required by the GDPR as well as state and federal laws.
   2. Responsibilities
      1. The Chief Privacy Officer coordinates the University’s compliance with the GDPR by:
         1. Analyzing University activities to determine whether they are subject to the GDPR;
         2. Ensuring education regarding the GDPR and its limited application to the University is available to GDPR Components and other University personnel, as appropriate;
         3. Identifying, periodically validating, and documenting the University’s GDPR Components and updating this Policy as appropriate;
         4. Notifying GDPR Components of their compliance obligations and assisting them in meeting the obligations as requested;
         5. Obtaining assurances from GDPR Components of material compliance with the obligations as specified in this Policy;
         6. Responding to requests from Data Subjects to exercise their GDPR rights;
         7. Proposing appropriate safeguards in the form of standard contractual clauses for transfers of Personal Data to third parties;
         8. Responding to inquiries from individuals or entities regarding the University’s compliance with the GDPR;
         9. Notifying Data Subjects and other persons or entities in the event of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data to the extent required by the GDPR; and
         10. Informing University leadership regarding compliance with this Policy.
      2. GDPR Components must:
         1. Comply with the University’s GDPR obligations as set forth in this Policy with respect to the Processing of Personal Data;
         2. Comply with other pertinent University polices regarding privacy and security of data;
         3. Notify the Chief Privacy Officer of any request from a Data Subject to enforce a GDPR right or an inquiry by a regulatory authority regarding the University’s compliance with its GDPR obligations;
         4. Report any Processing of Personal Data they determine or reasonably suspect to be contrary to the GDPR or this Policy to the information security professional in their department or college or to the Security Operations Center by calling 302-831-6000 or completing the Reporting Form as set forth in the Information Security Event Reporting policy.[2] The University will not retaliate against anyone who makes a report in good faith; and
         5. Responding to inquiries from the Chief Privacy Officer regarding their compliance with this Policy.
      3. Other University Personnel must consult with the Chief Privacy Officer if they are considering, directly or indirectly engaging in University GDPR Activities.
   3. Compliance
      Violations of this Policy may result in disciplinary action.

[1] The GDPR applies to the countries located in the European Economic Area (“EEA”) which includes Iceland, Liechtenstein, and Norway and the countries in the European Union (“EU”). The EU countries are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

[2] The Information Security Event Reporting Policy and the Report Form are available at https://sites.udel.edu/generalcounsel/policies/information-security-event-reporting.