General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a regulation in European Union law on data protection and privacy concerning the processing by an individual, a company or an organization (including universities like Rutgers) of personal data relating to individuals in the EU and EEA zone.
At Rutgers, we value the privacy of our students, our patients, our employees, our research subjects and partners, and all members of our community. At Rutgers, we are analyzing our systems and business practices to identify potential enhancements that would support the principles of the GDPR in conjunction with relevant privacy and data security frameworks established under our own US laws, regulations, and policies. While some enhancements have already been implemented by different units within the University, we will continue to assess our ongoing needs to enrich, maintain, and improve the Rutgers privacy program.
GDPR FAQs
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is a regulation in the European Economic Area (“EEA”) on data protection and privacy for individuals within the EEA which became effective on May 25, 2018. The GDPR is designed to harmonize data privacy laws across the EEA and its purpose is to protect the personal data of natural persons while they are living in or traveling to the EEA.[1]
[1] The European Economic Area (EEA) includes EU countries and Iceland, Liechtenstein, Switzerland and Norway.
Why does this affect me in the United States?
The GDPR also addresses the export of data outside the European Economic Area (“EEA”). Personal data collected in, or transferred from, any of the EEA countries is subject to the GDPR. Failure to follow these regulations, if they apply, puts the University at risk of noncompliance, monetary fines, and reputational harm.
If I am an EEA citizen but live in the US, will the GDPR apply to my personal data?
The GDPR will only apply to personal data collected about you from EEA sources (e.g. data collected about you in the EEA and transmitted to the US would be covered by the GDPR); data collected about you that originates from United States sources is generally not subject to the GDPR, though US privacy laws would apply where applicable.
I am a US citizen and I will be visiting the EEA (e.g. study abroad, business travel, research, etc.). Will the GDPR apply to me?
Yes. Any personal data collected about you while you are in the EEA will be subject to the GDPR, both in the EEA and also in the US if that data is transmitted to the US.
What Rutgers-related data does the GDPR protect?
GDPR applies to personal data[1] that are collected, stored or processed in the EEA by Rutgers, or Rutgers’ agents or contractors as well as personal data Rutgers receives from EEA sources. This includes, for instance, the personal data of students, faculty, staff, visiting scholars, alumni, applicants, patients, and web site visitors, who are:
- Permanently residing in the EEA, including EEA students taking on-line classes;
- Taking classes online is not a correct example of Permanent Residence;
- Temporarily located in the EEA and accessing RU services, including services relating to employment, academic studies and research; or,
- EEA data subjects whose data Rutgers collects as part of a research project.
[1] For more information on personal data under the GDPR, see: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data/.
When is the GDPR request form used?
For any GDPR-related requests from data subjects as described in the GDPR (Chapter 3, Articles 12-23), please complete a GDPR request form.
GDPR will greatly impact researchers conducting research and/or collecting data from the European Union and EEA. To learn more about these new responsibilities, visit GDPR For Researchers.
What should I be doing to address the new GDPR requirements?
Learn more about GDPR while we set up our program. Doing nothing is not the best advice, but it would be very popular. Also note that those with current activities in the EEA should contact UEC for assistance ASAP.
You do not need to do anything immediately. We are implementing prioritized GDPR requirements and developing recommendations for a sustainable GDPR compliance program. As the Task Force makes progress on the compliance plan, we will update the university’s GDPR web presence and share GDPR compliance resources with the University community as they become available. If you believe you have an immediate GDPR issue to be addressed or have additional questions, please contact Rutgers University Ethics and Compliance at privacy@uec.rutgers.edu.