The European Union General Data Protection Regulation (“GDPR”) was adopted in 2016 and becomes effective on May 25, 2018. Information concerning the GDPR can be found here. Guidance issued by authorities within the EU to aid in the interpretation of the GDPR can be found here. Penalties for non-compliance can be up to €20 million or 4% of an organization's total worldwide annual turnover for the preceding financial year, whichever is higher.
The GDPR replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across the European Union (“EU”). The GDPR is designed to protect the privacy of data concerning a natural person that is collected or processed in, or transferred out of, the EU, and to regulate entities that offer goods or services in the EU. The GDPR defines personal data to include any information related to an identified or identifiable person, which may include but is not limited to a name, reference number, identification number, location data, online identifier, email address, IP address, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. Therefore, the GDPR has broader protections than U.S. and Rhode Island laws.
The GDPR requires personal data to be processed lawfully, fairly and in a transparent manner, limited only to that data which is necessary, maintained for accuracy, stored only for the length of time required or needed, and safeguarded from unauthorized disclosure.
The legal bases under the GDPR (Article 6(1)) which permit the University of Rhode Island to collect and process personal data are the following: 1) the data subject has given consent to the processing for a specific purpose; 2) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; 3) the processing is necessary for compliance with a legal obligation to which the University, as controller of the data, is subject; 4) the processing is necessary in order to protect the vital interests of the data subject or another natural person; 5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University; or 6) processing is necessary for the legitimate interests pursued by the University or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of the personal data.
The GDPR prohibits the processing of special categories of personal data, namely data revealing race, ethnic origin, political opinions, religion or philosophical beliefs, or trade union membership, and genetic data, biometric data, health data, and data concerning sex life or sexual orientation (“Sensitive Data”), unless one of the exceptions in Article 9(2) applies. The most common exception is the data subject's explicit consent to the processing for a specified purpose; where consent is the basis, the data subject must also be able to withdraw that consent at any time. Explicit consent must therefore be obtained unless the GDPR permits the Sensitive Data to be collected and processed under another Article 9(2) exception.
The University may be subject to the GDPR if it recruits students or employees in the EU, conducts marketing in the EU, participates in student or faculty exchange programs within the EU, conducts fundraising targeted to the EU, conducts research with human subjects in the EU, or engages in other activities within the EU. Therefore, Privacy Notices have been adopted by each affected unit of the University to describe the personal data collected, the applicable legal basis, the purposes for which data is used, safeguards imposed, the retention period, and a point of contact for an individual to exercise his/her rights under the GDPR.
The following departments and offices at the University of Rhode Island collect personal data from individuals as part of their permitted business functions and activities:
- Academic Affairs and Office of the Provost
- Research and Economic Development
- Undergraduate Admission
- Division of Administration and Finance
- The Graduate School
- Human Resources
- Office of International Education
Individuals who wish to exercise their rights under the GDPR should review the University's Privacy Notice found here.
In those cases where the individual's affirmative written consent is required for the University's collection or processing of personal data (i.e., when the collection or processing is not permitted under one of the other legal bases described in the GDPR and referenced in the URI departmental notices listed above), the consent form template available here may be used. In all such cases, individuals must also be provided the ability to withdraw their consent in as easy a manner as their consent was given.
The University shall take all required actions to properly protect the privacy and security of personal data covered by the GDPR, as required by the GDPR, including entering into appropriate data processing agreements, when required, with third parties that process personal data on the University's behalf (e.g., data storage providers) and that are not members of the U.S. Privacy Shield.