The European Union General Data Protection Regulations (the “EU GDPR”) is a regulation that was adopted by the European Parliament in April 2016 and becomes enforceable throughout the European Union (the “EU”) on May 25, 2018. It replaces a 1995 data protection directive that did not automatically apply to EU Member States and therefore the data protection requirements throughout the EU varied. The EU GDPR is a binding legislative act that must be applied in its entirety, whose goal is to address the protection of people physically within the EU with regard to the processing of personal data and rules relating to the free movement of such data. There is no distinction based upon individuals’ permanent place of residence or citizenship. The scope of the EU GDPR extends to foreign entities that are processing the ‘personal data’ of EU residents.
The general principles of the EU GDPR provide that personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Limited to what is necessary in relation to the purposes for which they are processed
- Accurate and kept up to date
- Retained only as long as necessary
Personal data is defined very broadly and consists of any information relating to an identified or identifiable person and includes name, identification number, location data, online identifier, or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person. Examples of personal data collected and processed at Georgia State include, without limitation: name, photo, email address, identification number (such as Panther ID), Campus ID (User ID), physical address or other location data, IP address or other online identifier. Additionally, the EU GDPR provides additional protections for sensitive personal data that includes: racial and ethnic origin, health, genetic/biometric, religion, sexual orientation, political views.
In order to collect and process personal data from the EU, a lawful basis is required. As an institute of higher education, Georgia State is involved in education, research and community development. In order for Georgia State to educate its foreign and domestic students both in person and on-line, engage in world-class research, and provide community services, it is essential, and Georgia State has a lawful basis to, collect, process, use, and maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission; registration; delivery of classroom, on-line, and study abroad education; grades; communications; employment; applied research; development; program analysis for improvements; and records retention.
- Processing is necessary for the purposes of the legitimate interests pursued by Georgia State or by a third party.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which Georgia State is subject.
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases under the EU GDPR.