EU General Data Protection Regulation Compliance Policy
EU General Data Protection Regulation Compliance PolicyThe European Union has passed a data privacy regulation that is applicable throughout the entire European Union (“EU”), and to those who collect personal data about people in the EU. The European Union General Data Protection Regulation (“EU GDPR”) imposes obligations on entities, like Georgia Tech, that collect or process personal data about people in the EU. The EU GDPR applies to personal data collected or processed about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country.
Georgia Institute of Technology (“Georgia Tech” or the “Institute”) is an institute of higher education involved in education, research and community development. In order for Georgia Tech to educate its foreign and domestic students both in class and on-line, engage in world-class research, and provide community services, it is essential and necessary, and Georgia Tech has a lawful basis, to collect, process, use, and/or maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention.
Georgia Tech takes seriously its duty to protect the personal data it collects or processes. In addition to Georgia Tech’s overall data protection program, Georgia Tech must make sure it complies with the dictates of the EU GDPR. Among other things, the EU GDPR requires Georgia Tech to:
- be transparent about the personal data it collects or processes and the uses it makes of any personal data
- keep track of all uses and disclosures it makes of personal data
- appropriately secure personal data
This policy describes Georgia Tech’s data protection strategy to comply with the EU GDPR.
2.1 Lawful Basis for Collecting or Processing Personal Data
Georgia Tech has a lawful basis to collect and process personal data. Most of Georgia Tech’s collection and processing of personal data will fall under the following categories:
- Processing is necessary for the purposes of the legitimate interests pursued by Georgia Tech or by a third party.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which Georgia Tech is subject.
- The data subject has given consent to the processing of his or her special categories of sensitive personal data for one or more specific purposes.
There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases
2.2 Data Protection & Governance
Georgia Tech will protect all personal data and special categories of sensitive personal data that it collects or processes for a lawful basis. Any personal data and special categories of sensitive personal data collected or processed by Georgia Tech shall be:
- Processed lawfully, fairly, and in a transparent manner
- Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes
- Limited to what is necessary in relation to the purposes for which they are collected and processed
- Accurate and kept up to date
- Retained only as long as necessary
- Secure
2.3 Sensitive Personal Data & Consent
Georgia Tech must obtain consent before it collects or processes special categories of sensitive personal data.
2.4 Individual Rights
Individual data subjects covered by this policy will be afforded the following rights:
- information about the controller collecting the data
- the data protection officer contact information (if assigned)
- the purposes and lawful basis of the data collection/processing
- recipients of the personal data
- if Georgia Tech intends to transfer personal data to another country or international organization
- the period the personal data will be stored
- the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability
- the existence of the right to withdraw consent at any time
- the right to lodge a complaint with a supervisory authority (established in the EU)
- why the personal data are required, and possible consequences of the failure to provide the data
- the existence of automated decision-making, including profiling
- if the collected data are going to be further processed for a purpose other than that for which it was collected
Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.
This policy applies to the personal data and special categories of sensitive personal data protected by the EU GDPR and all Georgia Tech Units who collect or process personal data and special categories of sensitive personal data protected by the EU GDPR.
Definitions:
Collect or Process Data |
Collection, storage, recording, organizing, structuring, adaptation or alteration, consultation, use, retrieval, disclosure by transmission/dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction of personal data, whether or not by automated means. |
Consent
|
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Under the EU GDPR:
|
Controller
|
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
Georgia Tech Unit |
A Georgia Tech college, school, office or department. |
Identified or Identifiable Person
|
An identified or identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person. Examples of identifiers include but are not limited to: name, photo, email address, identification number such as GT ID#, GT Account (User ID), physical address or other location data, IP address or other online identifier |
Lawful Basis
|
Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
|
Legitimate Interest
|
Processing of personal data is lawful if such processing is necessary for the legitimate business purposes of the data controller/processor, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. |
Personal Data |
Any information relating to an identified or identifiable person (the data subject). |
Processor
|
A natural or legal person, public authority, agency or other body who processes personal data on behalf of the controller. |
Special Categories of Sensitive Personal Data |
Special categories of sensitive personal data that require consent by the data subject before collecting or processing are:
|
5.1 Data Governance | |
---|---|
Document Lawful Basis for Collection or Processing |
All Georgia Tech Units who collect or process personal data protected by the EU GDPR must document the lawful basis for the collection or processing of personal data and special categories of sensitive personal data they collect or process, why they collect it, and how long they keep it using the online Georgia Tech EU GDPR Lawful Basis Form: http://eugdpr.gatech.edu/georgia-tech-compliance All data at Georgia Tech shall be kept in compliance with the USG-BOR Records Retention Schedules. |
5.2. Privacy Notice | |
---|---|
Georgia Tech’s Privacy Notice |
Georgia Tech’s Privacy Notice to data subjects must specify the lawful basis for Georgia Tech to collect or process personal data and include:
A link to the Georgia Tech Privacy Notice is available on the footer of all Georgia Tech websites – “Legal & Privacy Information”: http://www.gatech.edu/privacy |
Georgia Tech Units Privacy Notice | Each Georgia Tech Unit that collects or processes personal data protected by the EU GDPR must create and publicly post a privacy notice that meets the requirements (a) through (h) set forth above. A link to the Georgia Tech Unit Privacy template is available at: http://eugdpr.gatech.edu/georgia-tech-compliance |
5.3 Consent | |
---|---|
Documentation of Consent |
Georgia Tech Units must obtain affirmative consent before it collects or processes sensitive personal data. |
Withdrawal of Consent | Georgia Tech must have a process for individuals who request to withdraw their consent. |
5.4 Individual Rights | |
---|---|
Exercise of Rights |
Any individual wishing to exercise their rights under this policy should contact: privacy@gatech.edu |
5.5 Data Protection | |
---|---|
Security of Personal Data |
All personal data and special categories of sensitive personal data collected or processed by any Georgia Tech Units under the scope of this policy must comply with the security controls and systems and process requirements and standards of NIST Special Publication 800-171 as set forth in the Georgia Tech Controlled Unclassified Information Policy found here: https://policylibrary.gatech.edu/information-technology/controlled-unclassified-information |
Breach Notification |
Any Georgia Tech Unit that suspects that a breach or disclosure of personal data has occurred must immediately notify Georgia Tech Cyber Security here: https://security.gatech.edu/report-incident |
8.1 Responsible Party:
Georgia Tech Units:
To document the lawful basis for personal data or special categories of sensitive personal data collected or processed pursuant to this policy.
To cooperate with the Privacy Program within the Office of Ethics and Compliance when individuals inquire about their personal data or special categories of sensitive personal data collected or processed pursuant to this policy (See Section 2.3).
To immediately notify (24/7) and cooperate with Georgia Tech Cyber Security relating to any data breach: https://security.gatech.edu/report-incident
8.2 Responsible Party:
Privacy Program within the Office of Ethics and Compliance:
To field inquiries about personal data or special categories of sensitive personal data collected from individuals while in the EU (See Section 2.4).
To coordinate with Georgia Tech Units responding to inquiries about personal data or special categories of sensitive personal data collected from individuals while in the EU.
8.3 Responsible Party:
Cyber Security:
To answer questions about and review data security measures.
To handle data breach notification for the Institute.
Violations of the policy may result in loss of system, network, and data access privileges, administrative sanctions (up to and including termination or expulsion) as outlined in applicable Georgia Tech disciplinary procedures, as well as personal civil and/or criminal liability.
To report suspected instances of noncompliance with this policy, please contact: privacy@gatech.edu, or visit Georgia Tech’s EthicsPoint, a secure and confidential reporting system, at: https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7508
Enforcement of the EU GDPR shall be carried out by the appropriate Data Protection Authority within the European Union.
Revision Date | Author | Description |
---|---|---|
01-25-2022 | Office of Ethics and Compliance | Editorial Updates |
05-03-2018 | Institutional Research & Enterprise Data Management | New Policy |