General Data Protection Regulation (GDPR)
GDPR Overview
The General Data Protection Regulation is a privacy law that applies to personal information collected
So, how does this affect us at UNF?
Although this is an EU regulation, it has significant potential to impact U.S. systems. Three major categories of data are most likely to be affected: (1) data collected on students from the EU (e.g., international students), (2) human resources data (e.g., staff or faculty living or working overseas), and (3) marketing data (e.g., data collected from a potential student living in the EU who is interested in UNF).
Key Principles of GDPR
- LAWFULNESS, FAIRNESS & TRANSPARENCY
  Personal data must be processed lawfully, fairly and in a transparent manner.
- PURPOSE LIMITATION
  Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- DATA MINIMIZATION
  Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- ACCURACY
  Personal data must be accurate and, where necessary, kept up to date.
- STORAGE LIMITATION
  Personal data must be kept in a form which permits identification of data subjects no longer than is necessary for the purposes for which the personal data was processed.
- INTEGRITY & CONFIDENTIALITY
  Personal data must be processed in a manner that ensures appropriate security of the personal data.
- ACCOUNTABILITY
  Controllers (see Important Terms) are responsible for and must be able to demonstrate compliance with the GDPR principles.
GDPR Terminology
The following terms are essential components of the regulation:
Personal Data
‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Consent
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Controller / Data Controller
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Your Rights as a Data Subject
At any point while UNF is in possession of, or processing, your personal data, you, the Data Subject, have the following rights:
Right of Access
As the Data Subject, you have the right to request a copy of the information that we hold about you.
Right of Rectification
As the Data Subject, you have the right to correct data that we hold about you that is inaccurate or incomplete.
Right to be Forgotten
As the Data Subject, there are certain circumstances in which you can ask for the data we hold about you to be erased from our records.
Right to Restriction of Processing
Where certain conditions apply, you have the right to restrict the processing of your personal data.
Right of Portability
As the Data Subject, you have the right to have the data we hold on you transferred to another organization.
Right to Object
As the Data Subject, you have the right to object to certain types of processing such as direct marketing.
Right to Object to Automated Processing, Including Profiling
As the Data Subject, you have the right not to be subject to the legal effects of automated processing or profiling.
Right to Judicial Review
In the event that the University of North Florida refuses your request under any of the "rights of a data subject," we will provide you with a reason why.
UNF GDPR Privacy Notice
Review the standard UNF GDPR Privacy Notice. Please keep in mind that many departments have posted their own, unit-specific notices.