European Union General Data Protection Regulations

The GDPR is the European Union (EU) General Data Protection Regulation, which was approved by the EU Parliament in April 2016, with expected application and enforcement beginning on May 25, 2018. The GDPR replaces a previous data protection regulation created in 1995 that did not automatically apply to EU Member States; as a result, data protection requirements varied throughout the EU. The GDPR addresses the protection of people physically within the EU with regard to the processing of personal data, and rules relating to the free movement of such data. There is no distinction based upon individuals’ permanent place of residence or citizenship. The scope of the EU GDPR extends to foreign entities that are processing the ‘personal data’ of EU residents. The information on this page is intended to assist UTA departments in their efforts to comply with the GDPR.

1. What does the GDPR require?

The GDPR requires the following principles for processing personal data. Personal data shall be:

  • Processed lawfully, fairly, and in a transparent manner in relation to the data subject;
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with the purpose;
  • Adequate, relevant, and limited to what is necessary in relation to the purpose for which the data is processed;
  • Accurate and necessary, kept up to date, with any inaccurate data destroyed or rectified;
  • Kept in a form which allows for identification of data subjects for no longer than is necessary for the purpose for which the data is processed (note that personal data may be stored for periods longer than the intended purpose for archival/record retention purposes provided appropriate safeguard measures are in place);
  • Processed in a manner that ensures appropriate security of the personal data, including against loss, destruction or damage, or unauthorized disclosure.

2. What information is considered personal data?

Personal data is defined very broadly and consists of any information relating to an identified or identifiable person. It includes name, identification number, location data, online identifier, or one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person. Examples of personal data collected and processed at UTA include, without limitation: name, photo, email address, identification number (such as UTA ID), physical address or other location data, IP address or other online identifier. The GDPR also provides additional protections for sensitive personal data, which includes: racial and ethnic origin, health, genetic/biometric, religion, sexual orientation, political views.

3. Does the GDPR apply to UTA?

Yes. The GDPR directly applies to UTA when it controls or processes the personal data of any individual located in the EU (applies to data created/originated while that individual is in the EU). Examples include information from applicants located in the EU, students on study abroad in the EU, faculty and employee applicants in the EU, etc. Under the GDPR, “controller” is defined as the entity that determines the purposes, conditions, and means of the processing of personal data. “Processor” is defined as the entity which processes the personal data on behalf of the controller.

“Processing” is defined as “any operation or set of operations which is performed on personal data,” including but not limited to: collection, recording, storage, use, disclosure by transmission.

4. Can UTA collect/process data under the GDPR?

UTA may collect and process personal data from the EU only if one of the following requirements is met:

  1. Processing is necessary for the purposes of the legitimate interests pursued by UTA or by a third party.
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which UTA is subject.
  4. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

As an institute of higher education, UTA is a comprehensive research, teaching, and public service institution. In order for UTA to educate its foreign and domestic students both in person and on-line, engage in world-class research, and provide public service, it is essential that UTA collect, process, use, and maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs, and UTA has a lawful basis to do so. These activities include, without limitation, admission; registration; delivery of classroom, on-line, and study abroad education; grades; communications; employment; applied research; development; program analysis for improvements; and records retention.

5. How do I know the data my department collects and processes is performed under a lawful basis?

Complete the Lawful Basis Form.

6. When do I need consent of the data subject to collect personal data?

Consent is required whenever UTA collects any of the following information.

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • genetic data
  • biometric data
  • sexual orientation

Use the Model Consent Form as a template to collect this information or add the language to your existing form(s). Electronic consent is also permissible (including click acceptance), but the consent must be: 1) freely given; 2) specific, informed, and unambiguous; and 3) given by a clear affirmative action. Silence, pre-ticked boxes, or inactivity do not constitute consent.

7. Do I need to add any information to my department’s website?

Yes. Each website should have a link to the UTA Legal and Privacy Notice at the bottom of the page.

8. What are the UTA security standards and requirements for data?

All personal data and sensitive personal data collected or processed by any UTA unit must comply with the security controls and systems and process requirements of UTA’s Data Classification Standard.

9. What rights do individuals have under the GDPR?

The GDPR provides data subjects the right to request access to their data, a copy of their data, restriction of the use of their data, and/or erasure of their data. Refer to UTA’s Legal Standard and Privacy Notice for more information.

10. Does UTA have a policy regarding the GDPR?

UTA’s GDPR policy is forthcoming.

11. If I have questions about the GDPR who do I contact?

Questions regarding GDPR requirements should be addressed to University Attorney, Shelby Boseman, at sboseman@uta.edu. Data security requirements should be addressed to UTA’s CISO, Bobby Edamala, at edamala@uta.edu.