General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) at Clemson University

WARNING: This webpage has been created for reference purposes only. It is a work in progress and not the official position of Clemson University or any of its departments or affiliates.  The webpage does not create any legal rights and should not be relied on with regard to the applicability of the GDPR to Clemson.

What is GDPR?

GDPR is a general privacy law that applies to the processing of personal data collected in or from the European Union (EU). It applies to: (A) the “processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (GDPR Article 3(1)) and (B) “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the Union” or the monitoring of individuals in the EU. “Data subjects” are identified or identifiable natural persons, regardless of whether they are citizens or residents of the EU. A U.S. organization (with or without an establishment in the EU) can be a controller or processor subject to the GDPR for all or part of its data.

The application of the Regulation started on May 25, 2018.

What are key terms under the GDPR? 

Data Subjects. A data subject is the identified or identifiable person to whom the personal data relates. A person is identifiable if he or she can be identified, directly or indirectly, by reference to a name, identification number, location or other physical, physiological, genetic, mental, economic, cultural or social identifier. GDPR Article 4(1). Only individuals are data subjects and hence protected; however, processing data about entities sometimes yields data about individuals, and that data is protected by the GDPR.

Data Controllers. A data controller, alone or jointly with others, determines the purposes and means of processing (see definition below) of personal data. GDPR Article 4(7). Universities can be controllers, co-controllers, or, rarely, processors.

Data Processors. A data processor processes personal data on behalf of a data controller, and can be a natural person, public authority, agency or other body. Unless a university uses a third party to process its data, the university is also the data processor. GDPR Article 4(8).

Personal Data. Personal data is any information relating to the data subject, including information about the data subject’s family and lifestyle, education and training, medical history, employment, finances, static (and sometimes dynamic) IP addresses, etc. GDPR Article 4(1). It is worth noting that “personal data” includes, but is a broader concept than, personally identifiable information (PII). The GDPR does not apply to anonymous information, i.e. “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” GDPR Recital 26.

Special Categories of Personal Data. Special categories of personal data (formerly known as “sensitive data”) are a subset of personal data that includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sexual orientation, genetic information and biometric information. GDPR Article 9.

Processing. Processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” GDPR Article 4(2). Because this list is only illustrative, essentially everything done with personal data is processing.

What rights does GDPR convey to protected individuals (data subjects)? 

Among others, the data subject may have the following rights:

  • Right to Be Informed. A data subject has the right to receive certain information about the processing including, but not limited to, the nature of the data processing, the purpose of the processing, recipients or categories of recipients of the personal data, whether or not the data subject’s data is being processed, and the existence of any data breaches that create a high risk to the data subject’s rights and freedoms.
  • Right to Access. A data subject has the right to confirm whether his or her personal data is being processed and if that is the case, the right to obtain access to the data along with other detailed information about the use of the data.
  • Right to Rectification. A data subject has the right to request that the controller rectify any inaccurate personal data or complete any incomplete data.
  • Right to Erasure (aka the Right to be Forgotten). In certain cases (listed in GDPR Article 17), a data subject has the right to request that the controller erase the data subject’s personal data (e.g., when the data is no longer necessary for the purposes for which it was collected, when the data subject withdraws consent or when the data subject objects – having the right to do so – to data processing.) If the controller has already made the data public, it must take reasonable steps to inform anyone currently processing the data of the erasure request.
  • Right to Data Portability. In certain circumstances (listed in GDPR Article 20) a data subject has the right to request a copy of all personal data concerning him or her (e.g., when the processing is based on consent or a contract, and the processing is carried out by automated means.)
  • Right to Restrict Processing. A data subject has the right to object to the processing of his or her personal data in certain circumstances.
  • Right to Object. A data subject may have the right to object to processing based on legitimate interests, the performance of a task in the public interest/exercise of official authority or processing for purposes of scientific/historical research and statistics. A data subject always has the right to object to direct marketing. (See details in GDPR Article 21).
  • Rights related to automated decision-making and automated profiling.

What are controllers’ obligations under GDPR? 

  • Protect rights of data subjects.
  • Appoint a Data Protection Officer (when required by GDPR Article 37).
  • Review contracts with third parties.
  • Protect personal data as provided in GDPR Article 25.
  • Ensure lawful processing, i.e. process data only when one of the legal bases of GDPR Article 6 exists.
  • Institute and comply with purpose limitations.
  • Comply with documentation requirements.
  • Conduct data protection impact assessments when processing is likely to result in high risk to data subjects’ rights.
  • If a data breach occurs, notify the supervisory authority within 72 hours from discovery and, when the breach is likely to result in a risk to data subjects’ rights, also notify the affected data subjects.
  • Observe restrictions and rules on international data transfer (GDPR Articles 44 to 50).

Preliminary steps that Clemson has taken to prepare for the implementation of GDPR:

  • Clemson has established a GDPR working group to understand the impact of the GDPR on Clemson.
  • Clemson is updating policies and procedures.
  • Without reaching a final determination on whether it has a duty to do so, Clemson has appointed a Data Protection Officer (DPO).
  • This webpage, which is a work in progress, will be maintained as a central resource for GDPR and will provide stakeholders with information on the topic.

Additional Resources: 

EU’s GDPR information site: https://www.eugdpr.org/

UK GDPR information site: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

EDUCAUSE GDPR resource list: https://library.educause.edu/topics/policy-and-law/eu-general-data-protection-regulation-gdpr

List of EU Countries: https://europa.eu/european-union/about-eu/countries_en

Who can I contact at Clemson for more information?

  • Data Protection Officer:  dpo@clemson.edu