European Union General Data Protection Regulation (EU GDPR)
The European Union General Data Protection Regulation (the “EU GDPR”) is a regulation that was adopted by the European Parliament in April 2016 and becomes enforceable throughout the European Union (the “EU”) on May 25, 2018. It replaces a 1995 data protection directive that did not apply automatically in EU Member States, so data protection requirements varied across the EU. The EU GDPR is a binding legislative act that must be applied in its entirety. Its goal is to protect people physically within the EU with regard to the processing of their personal data and to set rules relating to the free movement of such data. No distinction is made based on an individual’s permanent place of residence or citizenship. The scope of the EU GDPR extends to foreign entities that process the ‘personal data’ of EU residents.
The general principles of the EU GDPR provide that personal data shall be:
• Processed lawfully, fairly and in a transparent manner
• Collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Limited to what is necessary in relation to the purposes for which they are processed
• Accurate and kept up to date
• Retained only as long as necessary
Personal data is defined very broadly and consists of any information relating to an identified or identifiable person, including name, identification number, location data, online identifier, or one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person.
Examples of personal data collected and processed at Georgia Tech-Lorraine include, without limitation: name, photo, email address, identification number (such as GT ID), GT Account (User ID), physical address or other location data, IP address or other online identifier. Additionally, the EU GDPR provides extra protections for sensitive personal data, which includes: racial and ethnic origin, health, genetic/biometric data, religion, sexual orientation, and political views.
EU General Data Protection Regulation Compliance Policy
In order to collect and process personal data from the EU, a lawful basis is required. As an institute of higher education, Georgia Tech-Lorraine is involved in education, research and innovation. In order for Georgia Tech-Lorraine to educate its foreign and domestic students and to engage in research projects, it is essential and necessary, and Georgia Tech-Lorraine has a lawful basis, to collect, process, use, and maintain the personal data of its students, teachers, employees and others involved in education, research and innovation. These activities include, without limitation: admission; registration; teaching; grades; communications; employment; research; development; and records retention.
Lawful Basis for Collecting or Processing Personal Data
Georgia Tech-Lorraine has a lawful basis to collect and process personal data. Most of Georgia Tech’s collection and processing of personal data will fall under the following categories:
1. Processing personal data is necessary for the purposes of the legitimate interests pursued by Georgia Tech-Lorraine or by a third party in providing education and research.
2. Processing personal data is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This lawful basis pertains primarily but not exclusively to research contracts.
3. Processing is necessary for compliance with a legal obligation to which Georgia Tech-Lorraine is subject.
4. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases under the EU GDPR.
Data Protection & Governance
Georgia Tech-Lorraine will protect all personal data and sensitive personal data that it collects or processes on a lawful basis. Any personal data and sensitive personal data collected or processed by Georgia Tech-Lorraine shall be:
1. Processed lawfully, fairly, and in a transparent manner
2. Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes
3. Limited to what is necessary in relation to the purposes for which they are collected and processed
4. Accurate and kept up to date
5. Retained only as long as necessary
Types of Personal Data collected and why
Georgia Tech-Lorraine collects a variety of personal and sensitive data to meet one of its lawful bases, as referenced above. Most often, the data is used for academic admissions, enrollment, educational programs, job hiring and research projects. Data typically includes name, address, transcripts, work history, information for payroll, research subject information, medical and health information (for student health services, or travel), and donations. If you have specific questions regarding the collection and use of your personal data, please contact the Data Protection Officer at firstname.lastname@example.org.
If a data subject refuses to provide personal data that is required by Georgia Tech-Lorraine in connection with one of its lawful bases to collect such personal data, such refusal may make it impossible for Georgia Tech-Lorraine to provide education, employment, research or other requested services.
Where Georgia Tech-Lorraine gets Personal and Sensitive Personal Data From
Georgia Tech-Lorraine receives personal data from multiple sources. Most often, Georgia Tech-Lorraine gets this data directly from the data subject, or under the direction of the data subject who has provided it to a third party (for example, an application for admission to Georgia Tech through the Common App). Georgia Tech Atlanta provides some potentially sensitive data directly to Georgia Tech-Lorraine after the consent procedure has been followed with the data subject.
Sensitive Personal Data & Consent
Georgia Tech-Lorraine ensures that the consent procedure has been followed before it processes sensitive personal data.
Individual Rights of the Data Subject under the EU GDPR
Individual data subjects covered by this policy will be afforded the following rights and information:
1. information about the controller collecting the data
2. the data protection officer contact information
3. the purposes and lawful basis of the data collection/processing
4. recipients of the personal data
5. if Georgia Tech-Lorraine intends to transfer personal data to another country or international organization
6. the period the personal data will be stored
7. the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability
8. the existence of the right to withdraw consent at any time
9. the right to lodge a complaint with a supervisory authority (established in the EU)
10. why the personal data are required, and possible consequences of the failure to provide the data
11. the existence of automated decision-making, including profiling
12. if the collected data are going to be further processed for a purpose other than that for which they were collected
Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.
Any data subject who wishes to exercise any of the above-mentioned rights may do so by filing such a request with the Data Protection Officer at email@example.com.
Security of Personal Data subject to the EU GDPR
All personal data and sensitive personal data collected or processed by Georgia Tech under the scope of the Georgia Tech EU General Data Protection Regulation Compliance Policy must comply with the security controls, system and process requirements, and standards of NIST Special Publication 800-171, as set forth in the Georgia Tech Controlled Unclassified Information Policy.
We will not share your information with third parties except:
- as necessary to meet one of our lawful purposes, including but not limited to:
  - our legitimate interest;
  - contract compliance;
  - consent provided by you;
- as required by law;
- as necessary to protect Georgia Tech-Lorraine’s interests;
- with service providers acting on our behalf who have agreed to protect the confidentiality of the data.
This policy applies to the personal data and sensitive personal data protected by the EU GDPR, and to those at Georgia Tech-Lorraine who collect or process personal data and sensitive personal data protected by the EU GDPR.