For GDPR, who is covered is as important as what information is covered. For all University System of New Hampshire (USNH) institutions, GDPR applies to entities that “control” or “process” covered personal information of individuals who are physically located in the European Union (EU) and the United Kingdom (UK), regardless of the individuals’ citizenship or permanent residency.
Scope of GDPR as applicable to UNH
Processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behavior within the EU.
Personal data: any information relating to an identified or identifiable natural person (e.g., name, identification number, location data, online identifiers such as IP addresses, images)
- Controllers: the principal entities and the main counterparties to transactions with individuals. They are the entities that determine the purposes, uses, and methods related to the "processing" of personal data.
- Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction, etc.
- Data Subjects:
- Students, including:
- U.S. students going to study abroad programs in the EU
- International students, located in the EU, applying to/enrolling at UNH
- International students, located in the EU, applying to/enrolling in online courses
- Faculty (hired locally in the EU or working in the EU, even temporarily)
- Staff and other personnel (hired locally in the EU or working in the EU)
- Third parties (EU contractors, vendors, donors, research partners/subjects)
- Students, including:
Any UNH department or organization that collects, stores, processes, or otherwise utilize information about EU data subjects may be required to comply with the regulations.
The collection of personal information protected by GDPR requires explicit consent from the person whose information is being collected. Consent must be given to collect information each time additional information is collected about an individual and for each additional use of that information. For example, if personal information is collected for the purposes of registering for an open house, that information cannot be re-used to send marketing materials unless consent was given for both purposes. Consent to collect and process/use information protected by GDPR must be tracked and individuals must have the ability to revoke consent at any time.
There are other lawful bases for processing personal data when consent has not explicitly been obtained:
- Necessary for the performance of a contract
- Necessary for compliance with a legal obligation (EU and member states’ laws
- Necessary for legitimate interests, except where overridden by interests or fundamental rights and freedoms of data subjects (balancing test; legitimate interests broadly defined but must be specified and must use least invasive means to achieve interest; recommend opt-out)