General Data Protection Regulation

The European Union’s (EU) General Data Protection Regulation (GDPR) is a new privacy law that went into effect on May 25, 2018.  It governs the use of personally identifiable information obtained in the EEA (European Economic Area - the EU and certain other member countries). The GDPR provides legal rights to people who are in the EEA when their personal data is collected and processed.  GDPR imposes legal obligations on entities that control or process personal data collected in the EEA.

Note: GDPR only applies to data collected after the effective date (May 25, 2018).

GDPR expands privacy rights for individuals whose personal data has been obtained in the EEA, regardless of the citizenship of the individuals.  It provides certain rights, depending on how the data is used and who is using it. Subject to exceptions, the basic GDPR rights are:

• The right to be informed about data collection, the specific intended use of the data, and the right to be informed if the intended use changes;
• The right to make informed decisions regarding the use and disclosure of the data;
• The right to access the data; and
• The right to have the data returned or deleted

The EEA intends for GDPR to govern data obtained in the EEA, even when that data is transferred to, or used in countries outside the EEA.  The basic GDPR framework for safeguarding use of personal data is as follows:

• Ensuring the data is collected, transferred, processed, stored and disposed using appropriate technical safeguards;
• Limiting the use of data for purposes that comply with GDPR requirements for lawful processing. (e.g., by consent, by public authority, in the organization’s legitimate interest).
• Requiring third parties that are not directly subject to EEA law to adopt GDPR protections and safeguards for protection of data originating from the EEA. This will generally be done through contract language or other agreements.  Third parties outside the EEA must ensure they accept only those GDPR provisions that are applicable to the specific circumstances and that can reasonably be implemented by the entity.

GDPR protects personal data obtained from individuals when they are located in the European Economic Area (EEA).  EEA includes the EU countries and Iceland, Norway and Lichtenstein.  When GDPR is discussed, “EU” is sometimes used as shorthand for all countries in the EEA.

See the list of EEA countries below

In general, GDPR covers recording, storage, internal use, external disclosure, and transfer of personal data obtained in the EEA, from individuals, when that data is identifiable and used for functions or activities that:

(1) take place in the EEA (e.g., a clinical trial conducted in France);

(2) involve specific intent to reach people in the EEA with an offer of goods or services (e.g., a solicitation from UMB to enroll students in a program conducted in Baltimore, where the solicitation is made in Italian, directed to Italian mailing addresses or e-mail addresses and, applicants respond by providing individually identifiable data to a UMB Italian language website while they are located in Italy);

(3) monitor the identifiable behavior of individuals who are located in the EEA while online or that involve the control or processing of identifiable data relating to people in the EEA (e.g., research that studies behavior data of identifiable individuals recorded on security cameras located in the EEA).

GDPR covers personal data of people physically within the EEA:

• GDPR makes no distinction based on a person’s permanent residence or nationality. GDPR applies to personal data if the data is collected while the person is physically in the EEA.
• Personal data in the context of GDPR means information relating to an identified or identifiable person. An “identifiable person” is one who can be identified by reference to other information such as an identification number, demographics, biometrics or location
• Examples of personal data include name, address, date of birth, photograph, email address, phone number, location data (e.g., from a cellphone), Internet Protocol (IP) address, internet cookie file, or medical record number. 

GDPR generally does not apply to the following areas/types of data:

• Data about legal entities, like corporations or non-profit organizations.
• Data on clinical care conducted in the United States including treatment, payment and health care operations in the U.S.;
• Data on clinical research conducted in the United States, where study participants are not specifically targeted for recruitment from the EEA;
• General marketing, where goods or services are not specifically targeted to individuals in the EEA
• Fully de-identified data that cannot be re-identified.

*Information will be updated as the process of research, analysis and review continues.   

Note: GDPR only applies to data collected after the effective date (May 25, 2018).

There is a GDPR working group under the direction of Dr. Peter Murray, UMB Chief Information Officer and Vice President.  The group is working to survey, analyze and work with schools and administrative units to address issues related to the applicability of GDPR at UMB.

Considerable uncertainty remains regarding GDPR’s application to activities conducted in the U.S. and the scope and nature of compliance activities that must be undertaken. Certain conflicts or inconsistencies may exist between GDPR and U.S. and State laws.    

UMB’s GDPR working group activities include:

• Assessing how GDPR will affect UMB programs and activities
• Developing tools and templates to assist UMB schools and units with GDPR preparedness
• Maintaining communication with UMB schools and units to support appropriate levels of education and transparency regarding the collection and use of personal data subject to GDPR
• Ensuring units responsible for physical and technical safeguards are engaged in GDPR activities to protect the personal data of individuals
• Working with collaborators, affiliates and vendors to ensure that GDPR data protections are maintained for GDPR-protected personal data that is disclosed outside of UMB.

Familiarize yourself with GDPR:

• Full text of the regulation: https://gdpr-info.eu/
• Guidelines from the European Commission’s Article 29 Working Party: http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360

Austria

Azores (EU dependent territory/country)

Belgium

Bulgaria

Canary Islands (EU dependent territory/country)

Croatia,

Cyprus,

Czech Republic,

Denmark,

Estonia,

Finland,

France

French Guiana (EU dependent territory/country)

Germany,

Greece

Guadeloupe (EU dependent territory/country)

Hungary

Iceland (EEA)

Ireland,

Italy,

Latvia

Lichtenstein (EEA)

Lithuania,

Luxembourg

Madeira (EU dependent territory/country)

Malta

Martinique (EU dependent territory/country)

Mayotte (EU dependent territory/country)

Netherlands

Norway (EEA)

Poland,

Portugal

Reunion (EU dependent territory/country)

Romania

Saint Martin (EU dependent territory/country)

Slovakia,

Slovenia,

Spain,

United Kingdom (still part of the EU but plans to leave (Brexit). UK includes: Channel Isles,    England, Northern Ireland, Scotland, and Wales.

*Be aware of countries exiting and entering the EU and which are governed by GDPR.  The United Kingdom plans to leave (Brexit).  Potential Member States trying to enter are Albania, Bosnia & Herzegovina, Kosovo, Macedonia, Montenegro, Serbia, and Turkey.

• University of Pittsburgh: https://www.irb.pitt.edu/european-union-eu-general-data-protection-regulation-gdpr
• University of Michigan:  https://www.safecomputing.umich.edu/protect-the-u/compliance/general-data-protection-regulation-compliance
• The Ohio State University:  https://www.osu.edu/privacy/gdpr-faq.html
• University of Cincinnati:  https://www.uc.edu/about/policies/privacy.html

• Do you have a Privacy Policy that is specific to your system, portal or place?
• Where is the policy made available to your audiences?
• Does it describe the personally identifiable data elements you collect?
• Does it describe each purpose for which personally identifiable data may be used?
• Does it describe units, persons and officials internally at UMB who may see or use personally-identifiable data?
• Does it describe entities, persons and officials external to UMB who may see or use personally identifiable data?
• Is there contact information for questions and requests?
• Is your policy compliant with all law applicable to your system, portal or location, your audiences and your activities? Consider, e.g.,:  FERPA, HIPAA, GDPR, Maryland Code, General Provisions § 4 – 501 - Personal Records; § 4-502 - Corrections of Public Record, USM and UMB policies.

This form is only for use by a person who was physically located in the European Union when that person’s identifiable data was collected.
GDPR Erasure Request Form