The European Union General Data Protection Regulation (GDPR)
The European Union (EU) General Data Protection Regulation (GDPR) is a privacy regulation adopted by the European Council and Parliament. Intended to harmonize the data privacy laws across Europe, the GDPR establishes broad privacy and security protections for the personal information of individuals residing in the EU or the European Economic Area (EEA). The breadth of the regulation means that it may apply to organizations located outside the EU or EEA, including universities. The GDPR formally took effect on May 25, 2018.
Put simply, the GDPR expands privacy protections for residents of the EU or EEA and imposes obligations on any organization that collects, uses, shares, or otherwise processes those residents’ personal information.
GDPR Information Processing Principles
As part of its framework to provide privacy protections, the GDPR establishes principles to guide organizations’ collection, use, sharing, and processing of EU or EEA residents’ personal information. Briefly, those principles state that organizations must:
- process personal information lawfully, fairly, and in a transparent manner;
- process personal information for a specified, explicit, and legitimate purpose and not process that information further in a manner that is incompatible with that purpose;
- ensure that any personal information processed is relevant and limited to what is necessary in order to achieve the purpose for which the information is being processed;
- keep personal information for no longer than is necessary;
- process personal information in a manner that ensures appropriate security of that information.
Legal Basis for Processing
Under its information processing principles, the GDPR requires that organizations collect, use, share, or otherwise process EU or EEA residents’ personal information according to a legal basis. Ohio State relies on different legal bases to process your personal information, depending on the circumstances. The following are the legal bases that Ohio State typically relies on to process your personal information under the GDPR:
- Contract (for online applications you submit; for the information provided when enrolling; or for the payment information we process for tuition);
- Necessity for Ohio State’s legitimate interests or those of third parties (our legitimate interest to maintain a community for alumni);
- Consent (for the research projects you may participate in; for processing of special categories of personal data).
Your Rights under the GDPR
The GDPR grants additional rights to individuals residing in the EU or EEA regarding the processing of their personal information. In the context of Ohio State’s information processing activities that are subject to the GDPR, you have the following rights regarding your personal information:
- Right to be Informed: You have the right to be informed about Ohio State's processing of your personal information.
- Right of Access: You may inquire whether Ohio State holds personal information about you. Additionally, you may ask for Ohio State to provide you with a copy of this information.
- Right to Rectification: If you suspect that the personal information that Ohio State holds about you is incomplete or inaccurate, you may request the completion or correction of this personal data.
- Right to Erasure: You may request that Ohio State delete the personal information about you that we hold. Ohio State will comply with this request, unless the data is necessary:
  - For providing a service you have requested or for implementing or responding to another request you made;
  - For exercising our right of freedom of expression and information;
  - For compliance with a legal obligation that binds us;
  - For archiving purposes, scientific or historical research purposes, or statistical purposes; or
  - For the establishment, exercise of, or defense of legal claims.
- Right to Restrict Processing: You may request that Ohio State restrict the processing of your personal information in certain situations.
- Right to Information Portability: You may request that Ohio State provide you with a copy of your personal information in a commonly used, machine-readable format.
- Right to Object: You may object to receiving marketing materials from Ohio State by following the opt-out instructions in our marketing emails. Additionally, you may object to any processing of your personal information in certain situations.
- Right to Withdraw Consent: For processing activities based on your consent, you may withdraw consent, and Ohio State will stop those processing activities as allowed by law.
Ohio State is committed to facilitating your exercise of these rights in a timely manner.
Ohio State retains your personal information in accordance with our Records Retention Schedule. View the General Records Retention Schedule on the University Libraries website.
If your personal information is taken outside of the European Union and into the United States of America, it will be processed by The Ohio State University as explained above. In addition, your personal information may also be processed in other countries by agents or vendors of The Ohio State University, who must commit as part of their contracts to follow the same protections as described in this statement.
GDPR Compliance Program
Ohio State has developed a GDPR compliance program to assist in complying with the requirements of the GDPR. A cross-departmental Privacy Governance Council collaborates to implement privacy requirements, including the GDPR, and includes representatives from University Compliance and Integrity, the Office of Academic Affairs, Enterprise Security, the Wexner Medical Center, the Office of Research, the Office of Legal Affairs, and other relevant units.
GDPR and Research Consent Form
This guidance can be used by researchers to determine whether the General Data Protection Regulation (GDPR) applies to their research, and if so, whether their informed consent document(s) meet the GDPR’s information requirements. This checklist is consistent with The Ohio State University’s current knowledge of the GDPR, which came into effect on May 25, 2018.
For general information, review the European Commission's EU Data Protection website.
If you are an EU or EEA resident, or if you are calling from the EU or EEA in regard to the GDPR, call the IT Service Desk at +1 (614) 688-4357 (HELP) or email firstname.lastname@example.org. Please mention the GDPR in your call or email request.
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is a legal framework that sets guidelines for data privacy in the European Union (“EU”) and European Economic Area (“EEA”). The GDPR’s guidelines are intended to replace and enhance previous legislation that regulated data privacy.
Is the GDPR another security regulation?
No. The GDPR is not a data security regulation, since it does not set requirements for how companies and organizations protect stored data. The GDPR focuses on data privacy, specifically on individual rights related to how companies and organizations collect, use, and share the personal data of European residents.
Why is the GDPR important?
The GDPR represents a significant change in data privacy regulations by replacing the Data Protection Directive 95/46/EC. Through these changes, the GDPR clarifies what companies and organizations must do to ensure that the rights of European data subjects are protected.
When did the GDPR take effect?
The GDPR took effect on May 25, 2018.
Whose data does the GDPR protect?
The GDPR protects the personal data of data subjects. Data subjects are natural persons—that is, people, not legal entities like corporations—who are residing, either permanently or temporarily, in the EU (“Data Subject”).
A Data Subject’s citizenship is not a condition that triggers the applicability of the GDPR. The GDPR may apply regardless of whether a Data Subject is an EU/EEA citizen.
What constitutes personal data?
The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person. An identifiable natural person is an individual who can be identified, directly or indirectly, by reference to an identifier, such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual.
Examples of personal data elements include, but are not limited to, names, photographs, email addresses, social media posts, Internet Protocol (IP) addresses, cookie IDs, location data, and medical records.
Does the GDPR only apply to personal data collected after May 25, 2018?
No. The GDPR applies to all personal data collected about a Data Subject, even if that data was collected prior to May 25, 2018.
Does the GDPR apply to filing systems consisting of data recorded on hard copy documents?
Yes. The GDPR applies to data recorded physically on paper, as well as to data recorded digitally.
Does the GDPR apply to de-identified personal data?
No. The GDPR does not apply to anonymous information.
Does the GDPR apply to personal data stored and managed through automation?
Yes. Personal data that is stored and managed through automation is within the scope of the GDPR.
What organizations are subject to the GDPR’s requirements?
The GDPR not only applies to companies and organizations located within the EU/EEA, but also to companies and organizations located outside the EU/EEA if they offer goods or services to, or monitor the behavior of, Data Subjects. The law applies to all companies and organizations that process or possess the personal data of Data Subjects residing in the EU/EEA, regardless of the company’s or organization’s location.
Will the GDPR still apply to the United Kingdom (UK) after Brexit?
Yes, the GDPR applies to UK residents now and will continue to apply after Brexit. We are watching this issue, as it may be subject to change.
What’s the difference between a Data Controller and a Data Processor?
A Data Controller is the entity that determines the purposes and means of the processing of personal data. A Data Processor is the entity that processes personal data on behalf of the data controller.
Does GDPR apply to The Ohio State University?
No. The university is not subject to the requirements of the GDPR. However, the university may engage in specific, limited activities that collect or process the personal data of individuals residing in the EU. In these limited circumstances, Ohio State applies the GDPR requirements.
How does The Ohio State University apply GDPR requirements?
Ohio State has developed a GDPR compliance program to assist in applying the requirements of the GDPR in limited circumstances when necessary. This program consists of a cross-departmental working group that is collaborating to develop and implement GDPR compliance efforts.
Last Update: November 1, 2021
Ohio State Privacy Team