The European Union has passed a data privacy regulation that is applicable throughout the entire European Union ("EU") and to those who collect personal data about people while they are located in the EU. The EU General Data Protection Regulation ("GDPR") imposes obligations on entities, like Georgia Tech, that collect or process personal data about people while they are located in the EU. The EU GDPR applies to personal data collected or processed about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country.


General Principles

The general principles of the EU GDPR provide that personal data shall be:

  • Processed lawfully, fairly, and in a transparent manner
  • Collected for specific, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes
  • Limited to what is necessary in relation to the purposes for which they are processed
  • Accurate and kept up to date
  • Retained only as long as necessary
  • Secure


Personal Data

Personal data is any information relating to a person who is identified or identifiable, either directly or indirectly. Examples of how a person may be identified include, but are not limited to: name, photo, email address, identification number such as GT ID#, GT Account (User ID), physical address or other location data, and IP address or other online identifier. The EU GDPR also provides additional protections for special categories of sensitive personal data, which include: racial and ethnic origin, data concerning health, genetic/biometric data for the purpose of uniquely identifying a person, religious or philosophical beliefs, data concerning a person's sex life or sexual orientation, political opinions, or trade union membership.


Georgia Tech Lawful Basis

In order for Georgia Tech to educate its foreign and domestic students both in class and on-line, engage in world-class research, and provide community services, it is essential and necessary, and Georgia Tech has a lawful basis, to collect, process, use, and/or maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention.

Georgia Tech takes seriously its duty to protect the personal data it collects or processes. In addition to Georgia Tech's overall data protection program, the EU GDPR requires Georgia Tech to:

  • be transparent about the personal data it collects or processes and the uses it makes of any personal data
  • keep track of all uses and disclosures it makes of personal data
  • appropriately secure personal data


How Do I Comply?

Are you receiving personal data from the EU?

Are you collecting special categories of sensitive personal data from the EU?

The EU General Data Protection Regulation Compliance Policy describes Georgia Tech's data protection strategy to comply with the EU GDPR.

Start here.