Frequently Asked Questions
The European Union General Data Protection Regulation ("EU GDPR") is a new and more stringent regulation governing the use of personal data. It imposes new obligations on entities that control or process personal data about people who are located in the European Union ("EU"). This regulation applies both inside the EU and outside of the EU, and applies to data about anyone in the EU, regardless of whether they are a citizen or permanent resident of an EU country.
The regulation went into effect on May 25, 2018.
The EU GDPR applies to the control or processing of 'personal data,' which is defined as:
Any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of identifiers include, but are not limited to: name, photo, email address, identification number such as GT ID#, GT Account (User ID), physical address or other location data, and IP address or other online identifier.
Georgia Tech's EU General Data Protection Regulation Compliance Policy can be found in the Georgia Tech Policy Library.
How do I document my Georgia Tech unit’s lawful basis for the collection and processing of personal data?
All personal data and special categories of sensitive personal data collected or processed by any Georgia Tech Unit under the scope of the EU General Data Protection Regulation Compliance Policy must comply with the security controls and systems and process requirements and standards of NIST Special Publication 800-171 as set forth in the Georgia Tech Controlled Unclassified Information Policy.
If you have any questions or concerns about steps required to achieve compliance with NIST Special Publication 800-171, please contact the GT Cyber Security Compliance Team at firstname.lastname@example.org.
Special categories of sensitive personal data are:
- Data revealing racial or ethnic origin
- Data revealing political opinions
- Data revealing religious or philosophical beliefs
- Data revealing trade union membership
- The processing of genetic, biometric data for the purposes of uniquely identifying a natural person
- Data concerning health
- Data concerning a person's sex life or sexual orientation
Yes. If the Cooperative Organizations collect and process personal data of persons located in the EU, the EU GDPR applies to those collection and processing activities. The Cooperative Organizations should follow their compliance policies with regard to this data.
For more information on Georgia Tech's Cooperative Organizations, visit the Legal Affairs & Risk Management Affiliated Organizations page.