European Union General Data Protection Regulation (EU GDPR) Toolkit
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation designed to protect and empower the data privacy of people in the EU.
If your department or unit collects, uses, or shares personal data, use this toolkit to determine whether the EU GDPR applies to that data and to begin addressing the EU GDPR requirements. (This document is a work in progress, so please check back regularly for updated information.)
Determine if GDPR Applies
Answer these questions to help determine whether the EU GDPR applies to the data that you collect, use, or share:
1. Is the data about individuals physically in the European Union (EU) at the time of collection or sharing? (yes or no)
2. Does the data include personal data? (yes or no)
Personal data is defined by the EU as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
If you answered no to either Question 1 or 2, GDPR likely does not apply. No further action is required at this time.
If you answered yes to both Questions 1 and 2, GDPR likely applies. Continue to Question 3.
3. Is the data related to offering goods or services to data subjects in the EU? (yes or no)
4. Is the data being used to monitor the behavior of individuals physically located in the EU (e.g., website usage tracking or physical location tracking)? (yes or no)
If you answered no to both Questions 3 and 4, GDPR likely does not apply. No further action is required at this time.
If you answered yes to either Question 3 or 4, GDPR likely applies.
If GDPR Likely Applies
Complete the GDPR Data Survey (Wesleyan login required)
Ensure that appropriate contracts are in place
Where Wesleyan contracts for services involving the processing of EU GDPR data, or shares EU GDPR data with third parties, Wesleyan should ensure that a contract or agreement for the protection of that data is in place, containing a requirement or provision similar to the following in order to comply with GDPR. (Please consult the General Counsel's website for the latest information.)
"Third Party acknowledges and agrees that, through its services hereunder, it will or may process personal data as defined by the General Data Protection Regulations of the European Union (“EUGDPR”). The subject matter and duration of that data processing is defined in Exhibit A to this Agreement. Third Party hereby commits to the confidentiality obligations of the EUGDPR and to take all security measures required pursuant to Article 32 thereof. Third Party warrants and agrees not to use a vendor or subcontractor without Wesleyan’s express written consent and agrees to assist Wesleyan with its EUGDPR obligations related to security, data breach notification and data protection impact assessments pursuant to the EUGDPR. At Wesleyan’s request, Third Party will return to Wesleyan all EUGDPR personal data unless otherwise required by applicable law. Third Party will, upon request by Wesleyan, make information available to Wesleyan evidencing Third Party’s compliance with Article 28 of the EUGDPR."
Acquire consent to collect and use GDPR-related data
The EU GDPR requires that consent be given through an informed, affirmative action before Wesleyan processes GDPR-related data. An example of an appropriate consent for data processing is as follows:
Please review Wesleyan University's data security and privacy protection policy, which is available on our website here. We are requesting your consent to collect and process the following information of yours: [list data points here] by checking off each line and signing below.
___ I acknowledge that I received and read this privacy notice and associated links.
___ I consent to the collection and processing of my data as listed above.
___ I consent to the sharing of my information in accordance with Wesleyan's Data Collection, Usage, and Sharing
_________________________
Print Name
_________________________ ____________
Signature Date
You have the right to withdraw this consent at any time. The withdrawal of your consent will not affect the lawfulness of processing that occurred prior to the withdrawal. In order to withdraw your consent, please contact DPO@wesleyan.edu. If you withdraw your consent to this processing activity, we will continue to process your personal data for other purposes consistent with this notice.
Related Policies or Notices
- Data Security and Privacy Protection Policy (a general statement on how the university uses and protects data)
- Website Privacy Notice (a general statement about data collection by the Wesleyan website)
Additional Information
More information about the EU GDPR is available on the EU Data Protection Website.
Questions, Comments, or Concerns?
Please email Wesleyan's Data Protection Officer at DPO@wesleyan.edu.