
General Data Protection Regulation (GDPR)



GDPR Overview

The General Data Protection Regulation is a privacy law that applies to the personal information collected in or from the European Union (EU), or that is related to goods or services offered in the EU, or that involves the monitoring of individuals in the EU.


So, how does this affect us at UWF?

Although this is an EU regulation, it has significant potential to impact U.S. systems. There are three major categories of data that are most likely to be affected. These are: (1) data collected on students from the EU (e.g., international students), (2) human resources data (e.g., staff or faculty living or working overseas), and (3) marketing data (e.g., data collected from a potential student living in the EU who is interested in UWF).


Key Principles of GDPR

The GDPR establishes seven key principles:

Personal data must be processed lawfully, fairly and in a transparent manner

Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Personal data must be accurate and, where necessary, kept up to date

Personal data must be kept in a form which permits identification of data subjects no longer than is necessary for the purposes for which the personal data was processed

Personal data must be processed in a manner that ensures appropriate security of the personal data

Controllers (see Important Terms) are responsible for, and must be able to demonstrate compliance with the GDPR principles


GDPR Terms

The following terms are essential components of the regulation.

Personal Data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Processing

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Consent

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

Controller/Data Controller

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data


Your Rights as a Data Subject

At any point while UWF is in possession of, or processing, your personal data, you, the data subject, have the following rights:

Right of Access

As a data subject, you have the right to request a copy of the information that we hold about you.

Right of Rectification

As a data subject, you have the right to correct data that we hold about you that is inaccurate or incomplete.

Right to Be Forgotten

As a data subject, there are certain circumstances in which you can ask for the data we hold about you to be erased from our records.

Right to Restriction of Processing

Where certain conditions apply, you have the right to restrict the processing of your personal data.

Right of Portability

As a data subject, you have the right to have the data we hold on you transferred to another organization.

Right to Object

As a data subject, you have the right to object to certain types of processing such as direct marketing.

Right to Object to Automated Processing, Including Profiling

As a data subject, you have the right to be subject to the legal effects of automated processing or profiling.

Right to Judicial Review

In the event that the 火博体育 refuses your request under any of the "rights of a data subject," we will provide you with a reason why.


UWF GDPR Privacy Notice

The following site contains the standard UWF GDPR Privacy Notice. Please keep in mind that many departments have posted their own, unit-specific notices.

http://dctdsj.com/go/legal-and-consumer-info / eu-gdpr -隐私-请注意/

 


 

FAQ

Answers to Frequently Asked Questions (FAQ)

  • Any collection of personal data must have a clearly defined purpose, which is prominently publicized, and the data cannot be used for any other purpose
  • Do not collect any more data than absolutely necessary
  • Consumers must be informed when personal data is being collected
  • Personal data is kept for only as long as necessary
  • Delete data where it is no longer necessary
  • Effectively secure all personal data being collected
  • Maintain documentation on your data processing activities
  • Ensure all sub-contractors and vendors adhere to GDPR rules

Any department, office, system, and/or function that collects, uses, or stores information in or from the EU or relating to individuals in the EU falls under the scope of the regulation and may be impacted.

First and foremost, you need to determine how exposed your area or function is to GDPR. In order to get the ball rolling, you should start by reflecting on the following questions and statements:

  • Conduct an analysis of how your department/office/function/research interacts with the EU.
    • Is there any personal data involved?
    • Do you monitor individuals in any way?
    • Are there any financial transactions with individuals in the EU?
    • What is your legal basis for collecting information?
    • Do your procedures need to be updated?
  • What are the ways someone in the EU could access you?
    • What are the touchpoints?
  • Think about our vendors, services, and internal and external websites that are used to reach into the EU.
  • Review your contracts.
  • Ask vendors and 3rd parties if they are GDPR compliant (or how they plan to become compliant)

The penalty for violations can range anywhere from a warning to a fine of 20 million Euros, or up to 4% of UWF's annual revenue.

GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict certain aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”.

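  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom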


Possible Impacts and Solutions

The following table describes how certain areas might be impacted by GDPR and provides possible GDPR solutions. Please take note that these "solutions" do not represent legal guidance. This resource and web page are only meant to inform and should be seen as tools to help aid in your understanding of the regulation.

GDPR Possible Impacts and Solutions
Business Process & Potential Impacts | Possible Solutions (suggestions to be discussed internally)

Research/Technology Transfer:

     • Collaborations and agreements with EU professors or universities that involve collecting or sharing personal information
     • Studies on EU individuals that involve personal information
     • Human subject research that involves personal information collected in the EU

     • Additional grant/contract clauses, expanded consent documents, specific consideration in IRB review
     • Internal process to handle withdrawn consent
     • Limit receipt of identifiable data

Note that de-identified data is not GDPR, but if it can be re-identified (i.e., there is a key) then it is GDPR

Faculty, Staff, and Students in or from the EU/Human Resources:

     • Correspondence containing personal information with individuals in the EU, or faculty/staff/students that will reside in the EU
     • Exchanging salary or tax information
     • Conducting background checks on individuals in the EU

     • Notification, signed consents, specific coverage of GDPR in University policy
     • Coordination with third party vendors who process data

火博体育, Financial Aid, Registrar, Online Education:

     • Correspondence containing student personal information, transcripts or financial information being sent from EU students or parents
     • Program Application monitoring

     • Notification, signed consents, specific coverage of GDPR in University policy
     • Coordination with third party vendors who process data
     • General GDPR notice in the General Announcements

Study Abroad (including exchange programs and students doing research in EU):

     • Correspondence containing student personal information regarding individuals who are on programs in the EU
     • SOS insurance

     • Notification, signed consents, specific coverage of GDPR in University policy
     • Coordination with third party vendors who process data
     • General GDPR notice in the General Announcements

Title IX/Notes:

     • Tracking and reporting incidents in the EU (particularly where one party is not a student)

     • Signed consent where possible. Notification, signed consents, specific coverage of GDPR in University policy
     • Document approach to potential conflicts up front
     • General GDPR notice in the General Announcements

University Advancement/Development/Alumni:

     • Collecting, storing, and sharing personal and financial information in or from the EU, or relating to individuals in the EU

     • Signed consent where practical, internal process to respond to requests. GDPR in privacy policy
     • Coordination with third party vendors who process data

Risk Management:

     • Sharing and receiving personal information, including with International SOS

     • Signed consent, privacy notices. Coordination with third party vendors who process data

International Students:

     • Discussions with students or parents who are in the EU regarding personal information or visa information

     • Notification, signed consents, specific coverage of GDPR in University policy
     • Coordination with third party vendors who process data
     • General GDPR notice in the General Announcements

Institutional Communications:

     • Publicly available stories or pictures of faculty, staff or students in the EU

     • Consent where practical
     • Internal process to review and respond to take down requests

Information Technology:

     • Designated individual as POC for GDPR.
     • Data loss/breach may require notice to individual within 72 hours

     • Specific scan/procedure for EU individuals following breach
     • Internal process to review and respond to take down requests

 

Additional GDPR Resources

The following are resources that should help provide you with a better understanding of the regulation; specifically, how it relates to U.S. higher education institutions.