EU General Data Protection Regulation

What is the GDPR?

The European Union (EU) General Data Protection Regulation (GDPR) is a consumer-protection privacy law that applies to organizations that process the personal data of individuals physically located in the EU. The GDPR is far-reaching and expansive in its scope, requiring organizations to put significant safeguards in place regarding the collection, use, and processing of personal data of EU data subjects.

What is “personal data”?

Personal data is information that can directly or indirectly identify an individual. This may include a name, email address, date of birth, phone number, or any other identifying factors. Other sensitive personal information, such as religion, medical information, or sexual orientation, can also be personal data. Pseudonymous or anonymized data is typically not subject to the GDPR, but it can be considered personal data if, due to its nature, it makes identifying someone “relatively easy.”

Who does the GDPR apply to?

The physical location of the data subject triggers the GDPR, rather than the citizenship of the person or the physical location of the organization. When an organization processes or collects data on a person physically located in the EU, the GDPR applies. This includes any organization offering goods or services to or monitoring people in the EU. 

Some examples of the University’s interaction with the EU may include:

  • Study abroad activities
  • Operation of campuses and programs in the EU
  • Admissions and financial aid
  • Online learning and distance education
  • Online sales of University merchandise
  • Research activities
  • Procurement and contracting with entities in the EU
  • Development
  • Alumni relations

What is the purpose of the GDPR?

The GDPR is designed to allow individuals to take control of their personal data and ensure that organizations process and control individuals’ data lawfully. The GDPR lists seven key principles for processing personal data:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

What is the “lawful basis” for processing data under the GDPR?

The GDPR requires that all personal data is processed according to a “lawful basis.” The processor can establish a lawful basis in various ways, but there are three bases that the University will likely use most frequently:

  1. Contract: Data processing is required for the data subject to enter into a contract.
  2. Consent: The data subject willfully provides their “specific, unambiguous” consent for data processing.
  3. Necessity: Processing is necessary to carry out a task in the public interest, to meet a legal obligation or official function, or to serve a legitimate interest of the University in the data. (These interests cannot override the fundamental rights afforded to the data subject.)

I’m a data subject under the GDPR. What are my rights?

If you are physically located in the EU and the University is processing, collecting, or holding your personal data, you have multiple rights you can exercise under the GDPR. They include:

  • Right to be informed: the right to know about the processing and collection of your personal data.
  • Right of access: the right to request a copy of any of your personal data that the University collects.
  • Right of rectification: the right to correct or complete any personal data that you suspect may be inaccurate or incomplete.
  • Right to erasure: the right to request to have your data deleted (as long as the data is not necessary).
  • Right to restrict processing: the right to request that your data is not processed.
  • Right to data portability: the right to request a copy of your data in an accessible format. “Accessible” means that you can reuse and transfer your data across organizations.
  • Right to object: the right to object to the processing of your data in certain circumstances.

UT Data Protection Officers

UT has Data Protection Officers for each campus and institute and its system administration. These Data Protection Officers can be contacted at privacy@tennessee.edu.

Key Terms

The European Union (EU) is a political and economic group of 27 European countries. They are listed below:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czechia
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

The United Kingdom (UK) left the EU in 2016. However, the UK has its own privacy law (known as the UK GDPR) that is almost identical to the EU GDPR.

The European Economic Area (EEA) is an agreement that extends the EU’s single market economy to European Free Trade Area (EFTA) countries. The GDPR applies to all of the countries in the EU, as well as each of the countries in the EEA: Norway, Iceland, and Liechtenstein.

A data subject is any EU-residing person whose data is processed.

A processor is any entity that processes data on behalf of the controller.

A controller is any entity that decides how data will be used and processed.

Processing is any operation or action performed on data. Examples include, though are not limited to, collecting, organizing, storing, erasing, using, altering, disseminating, and recording.