The Catholic University of America


Miscellaneous  Laws

European Union General Data Protection Regulation (GDPR)

Text of the Regulation Approved on April 6, 2016 (actual articles start on page 109)

The GDPR replaces the Data Privacy Directive 95/46/EC and is designed to harmonize data privacy laws across the European Union (EU) and to protect the data privacy of all EU residents.  It affects U.S. institutions that process the personal information of EU residents, which would include many IHEs, both as to bringing in employees or students from the E.U or sending students abroad to an EU country and monitoring their behavior in some way while there, which would include receiving back data on the student while physically abroad in the EU Seven Areas of Requirements: Consent, Breach Notification, Right to Access, Right to be Forgotten, Data Portability, Privacy by Design, Data Protection Officers. 

Compliance is expected by May 25, 2018. For the purpose of this law, Britain would be covered until it has fully exited the EU UK has its own Data Protection Act, which we should already be following.

Citizenship is not the guardrail, it is location, i.e. EU residence.

If a University holds a conference in the EU, both the creator of the conference and the vendor hold liability.

Note this is umbrella legislation and there may be country specific regulations on privacy in Europe. 

GDPR requires entities that hold personal data from EU residents to demonstrate procedures that comply with the GDPR principles. 

Article 3  Territorial Scope NB This is important and a key piece to understand. The term is data subject, not EU citizens. 

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

b. the monitoring of their behavior as far as their behavior takes place within the Union.

So per Article 3, the GDPR applies to organization outside the EU that offer goods and services to EU residents, and to organizations outside the EU that offer goods and services to EU residents provided from a location in the EU. 

Key Definitions: 

From Article 4 

Personal Data means any information relating to an identified or identifiable natural person
('data subject'); an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that natural

Consent of the data subject means any freely given, specific, informed and unambiguous
indication of the data subject's wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of personal data relating to him or

From Article 9 

Sensitive Personal Data are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. See Sensitive data and lawful processing by Byrd and Byrd. This resources has excellent commentary. For example, the processing of photos will not necessarily be considered sensitive processing, but will be covered only to the extent they allow the unique identification or authentication of an individual as a biometric, such as when used as part of an electronic passport.

From Article 5  Principles Relating to Processing of Personal Data 

Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject
('lawfulness, fairness and transparency');

(b) collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes shall, in accordance with Article 89(1), not be considered to be
incompatible with the initial purposes ('purpose limitation');

(c) adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed ('data minimization');

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken
to ensure that personal data that are inaccurate, having regard to the purposes for
which they are processed, are erased or rectified without delay ('accuracy');

(e) kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal data
may be stored for longer periods insofar as the personal data will be processed solely
for archiving purposes in the public interest, scientific or historical research purposes
or statistical purposes in accordance with Article 89(1) subject to implementation of
the appropriate technical and organisational measures required by this Regulation in
order to safeguard the rights and freedoms of the data subject ('storage limitation'); 

(f) processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorized or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organizational
measures ('integrity and confidentiality').

Article 6 Lawful reasons for processing data 

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Consent by the EU resident is a lawful basis for processing data, but not necessarily the ideal basis as consent may be revoked at any time. Also, if you use legitimate interest rather than consent you can also not deal with the right to erasure and the right to data portability.

However, consent would be required for processing of sensitive personal data. See also Gaining Explicit Consent Under the GDPR on when *explicit consent* would be required and how to document such consent. 

Consent can be given orally but needs to be recorded, and consent cannot be a condition of performance of the contract. 

Admissions: The Common App: Collects data, but some questions can be suppressed if not consistent with GDPR. See Four Things Campus needs to Know about EU's GDPR

Global Education: What health forms if any are collected? Any biometric data? What language is in exchange templates?

Research Data: If you comply with the Common Rule and EU equivalent is that enough? Generally yes, at least in the context of surveys. See The Impact of the EU general data protection regulation on scientific research

Policies: Need policies to respond to data erasure requests and data breach notification. Update data breach protection plan and Data Protection Policy.  Also web page Privacy Notices and Subject access Request Procedure. See How to Write a GDPR Compliant Data Subject Access Request Procedure

Human Resources: HR accessing a server that holds data on EU employees would be a cross border transfer of data. For institutions with employees in the EU, see General Data Protection Legislation and Everything every HR Leader Needs to Know and also Lawful Processing of HR Data under the GDPR.

IT: Have policies in place for reporting data breaches. See PWC Technology's Role in Data Protection. Under the GDPR regulation, any data breach will need to be reported to the DPA within 72 hours, unless the data is encrypted or doesn’t identify individuals.

Fines for non-compliance could lead up to 20 million euros. 



Q. Do we need a Data Protection Officer (DPO)? 

A. If the core function of the entity is not systematic monitoring on a large scale of data, then probably not.  

 Q. Is citizenship, country and city of birth the same as racial or ethnic origin? 

A. No. 

Q. Would collection of immunization records by a third party on behalf of the University (e.g. outsourced student health center) equate with collection of health records by the University. 

A. Arguably yes. 

Q. Does offering a website that might attract data subjects in the EU bring a U.S. entity within the scope of the law?

A. The GDPR may also apply to activities of a U.S. institution when it offers “goods or services” to data subjects in the EU. While operating a generally available website that is not targeted to EU residents is insufficient to bring an entity within the scope of the law,10 institutions often offer admissions, fundraising, and alumni engagement opportunities for EU residents or with the understanding that EU residents will participate. The law may also apply to a U.S. institution when it conducts research activities in the EU or with the personal data of individuals in the EU. (from NACUA outline 2018 by Stefan Quick pages 18, 20.

Stefan’s footnote 10 cites Recital 23  ( ):


In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. 3Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

See also Educause article on GDPR: The General Data Protection Explained by Barmak Nassirian.  

The tier of US institutions newly affected by the extraterritorial reach of GDPR are those that target distance education programs to EU residents who are physically located in one of the member states. Such programs were generally not subject to EU privacy law under the Data Protection Directive if they did not have infrastructure within the EU, but will be covered under the black letter of the GDPR, even if they have no physical presence within the EU at all. However, Article 3 of the GDPR strongly suggests that incidental transactions, such as the mere availability of goods or services via a website, are not automatic grounds for subjecting non-EU entities to the GDPR.

It is tempting to believe that American institutions that enroll EU residents in the US are entirely exempt from compliance with the GDPR. This would certainly be true for EU residents who initiate their admission application process from outside the EU, but most EU applicants start the admissions process from their home countries and obtain visas to enter the US after gaining admission to eligible programs. In theory, active student recruitment campaigns targeting EU residents could subject the data collected from such students, whether via automated or non-automated means, to compliance requirements under the GDPR.3

It will take a few years for a more precise understanding of how the GDPR will be further defined, interpreted, and enforced by the EU and national data protection authorities of its member states. It seems unlikely that the most expansive interpretation of the regulation's extraterritorial application would be immediately enforced against non-EU entities. Clearly, institutions with significant engagement with the EU, either in the form of physical presence or of distance-delivered services, should take immediate steps to engage in good-faith compliance. Others should be paying close attention to the evolution of the law's compliance requirements over the coming years….



Wolters Kluwer: The Best of GDPR Questions (June 2018)

Example Data Protection Addendum: DLA Piper (addressing Article 28 GDPR)* excellent resource-linked at bottom of page

Daniel Solove: Why I Love the GDPR (blog)

Intersoft Consulting: General Data Protection Regulation GDPR

Amazing Resource with commentary and link ins on the articles

Inside Higher Ed *European Rules (and Big Fines) for American Colleges *(March 13, 2018)

 Bird and Bird GDP Guide

Article 29: Working Party Guidelines

The GDPR: How Blackboard's GDPR Implementation Supports our Clients

White and Case GDPR Handbook: Unlocking the EU General Data Protection Regulation

AACRAO Resource Page 

Implications of the General Data Protection Regulation: AACRAO An Interassociation Guide, May 2018. 

UK Guide to the General Data Protection Regulation

Mayer Brown: EU General Data Protection Regulation

 WCET: EU Regulations that are Enforceable Against U.S. Higher Education Institutions (November 2017)

 E.U. Data Protection Law Looms  Inside Higher Ed article (Nov. 6, 2017)

EDUCAUSE Presentation by William Hoye and Gian Franco Borio on the new regulations, Nov. 2, 2017 (includes slides on What IT Specialists need to Know

The General Data Protection Regulation Explained: Key Takeaways By Barmak Nassirian

Does GDPR Apply to American Companies?

 Thomson Reuters, Getting up to Speed on GDPR*(has webinar)

 Hogan Lovells, Future-proofing privacy, May 1, 2016 (42 page booklet-how to)

Gian Franco Borio: Preparing for the EU Data Protection Regulations, NACUA, Nov. 2017

Resources on the European Union General Data Protection Regulation -NACUA password protected



updated 8-21-18