General Data Protection Regulation (GDPR)


At Rutgers, we value the privacy of our students, our patients, our employees and partners, and all members of our community. We are aware of recent changes to privacy requirements implemented by the European Union in its General Data Protection Regulation (GDPR), and are analyzing our systems and business practices to identify potential enhancements that would support the principles of the GDPR in conjunction with relevant privacy and data security frameworks established under our own US laws, regulations, and policies. While some enhancements have already been implemented by different units within the University, we will continue to assess our ongoing needs to enrich, maintain, and improve the Rutgers privacy program.

GDPR FAQs

What is the GDPR?

The General Data Protection Regulation (“GDPR”) is a regulation in the European Economic Area (“EEA”) on data protection and privacy for individuals within the EEA which became effective on May 25, 2018. The GDPR is designed to harmonize data privacy laws across the EEA and its purpose is to protect the personal data of natural persons while they are living in or traveling to the EEA.[1]

[1] The European Economic Area (EEA) includes EU countries and Iceland, Liechtenstein, Switzerland and Norway.

Why does this affect me in the United States?

The GDPR also addresses the export of data outside the European Economic Area (“EEA”). Personal data collected in, or transferred from, any of the EEA countries is subject to the GDPR. Failure to follow these regulations, if they apply, puts the University at risk of noncompliance, monetary fines, and reputational harm.

If I am an EEA citizen but live in the US, will the GDPR apply to my personal data?

The GDPR will only apply to personal data collected about you from EEA sources (e.g., data collected about you in the EEA and transmitted to the US would be covered by the GDPR); data collected about you that originates from United States sources is generally not subject to the GDPR, though US privacy laws would apply where applicable.

I am a US citizen and I will be in the EEA (e.g., study abroad, business travel, research, etc.). Will the GDPR apply to me?

Yes. Any personal data collected about you while you are in the EEA will be subject to the GDPR, both in the EEA and also in the US if that data is transmitted to the US.

What Rutgers-related data does the GDPR protect?

The GDPR applies to personal data[1] that are collected, stored, or processed in the EEA by Rutgers, or by Rutgers' agents or contractors, as well as personal data Rutgers receives from EEA sources. This includes, for instance, the personal data of students, faculty, staff, visiting scholars, alumni, applicants, patients, and website visitors who are:

  • Permanently residing in the EEA, including EEA students taking on-line classes;
  • Temporarily located in the EEA and accessing RU services, including services relating to employment, academic studies and research; or,
  • EEA data subjects whose data Rutgers collects as part of a research project.

[1] For more information on personal data under the GDPR, see: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data/.


What should I be doing to address the new GDPR requirements?

You do not need to do anything immediately. We are implementing prioritized GDPR requirements and developing recommendations for a sustainable GDPR compliance program. As the Task Force makes progress on the compliance plan, we will update the university’s GDPR web presence and share GDPR compliance resources with the University community as they become available. If you believe you have an immediate GDPR issue to be addressed or have additional questions, please contact Rutgers University Ethics and Compliance at privacy@uec.rutgers.edu.