The GDPR is the European Union (EU) General Data Protection Regulation, which was approved by the EU Parliament in April 2016, with expected application and enforcement beginning on May 25, 2018. The GDPR replaces a previous data protection regulation created in 1995 that did not automatically apply to EU Member States, so data protection requirements varied throughout the EU. The GDPR addresses the protection of people physically within the EU with regard to the processing of personal data and rules relating to the free movement of such data. There is no distinction based upon individuals’ permanent place of residence or citizenship. The scope of the EU GDPR extends to foreign entities that are processing the ‘personal data’ of EU residents. The information on this page is intended to assist UTA departments in their efforts to comply with the GDPR.
The GDPR requires the following principles for processing personal data. Personal data shall be:
Personal data is defined very broadly and consists of any information relating to an identified or identifiable person. It includes name, identification number, location data, online identifier, or one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person. Examples of personal data collected and processed at UTA include, without limitation: name, photo, email address, identification number (such as UTA ID), physical address or other location data, IP address or other online identifier. The GDPR also provides additional protections for sensitive personal data, which includes: racial and ethnic origin, health, genetic/biometric, religion, sexual orientation, political views.
Yes. The GDPR directly applies to UTA when it controls or processes the personal data of any individual located in the EU (applies to data created/originated while that individual is in the EU). Examples include information from applicants located in the EU, students on study abroad in the EU, faculty and employee applicants in the EU, etc. Under the GDPR, “controller” is defined as the entity that determines the purposes, conditions, and means of the processing of personal data. “Processor” is defined as the entity which processes the personal data on behalf of the controller.
“Processing” is defined as “any operation or set of operations which is performed on personal data,” including but not limited to: collection, recording, storage, use, disclosure by transmission.
In order to collect and process personal data from the EU, one of the following requirements must be met:
As an institute of higher education, UTA is a comprehensive research, teaching, and public service institution. In order for UTA to educate its foreign and domestic students both in person and on-line, engage in world-class research, and provide public service, it is essential that UTA collect, process, use, and maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs, and UTA has a lawful basis to do so. These activities include, without limitation, admission; registration; delivery of classroom, on-line, and study abroad education; grades; communications; employment; applied research; development; program analysis for improvements; and records retention.
Complete the Lawful Basis Form.
Consent is required whenever UTA collects any of the following information.
Use the Model Consent Form as a template to collect this information or add the language to your existing form(s). Electronic consent is also permissible (including click acceptance), but the consent must be: 1) freely given; 2) specific, informed and unambiguous; and 3) given by a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.
Yes. Each website should have a link to the UTA Legal and Privacy Notice at the bottom of the page.
All personal data and sensitive personal data collected or processed by any UTA unit must comply with the security controls and systems and process requirements of UTA’s Data Classification Standard.
The GDPR provides data subjects the right to request access to their data, a copy of their data, restriction of the use of their data, and/or erasure of their data. Refer to UTA’s Legal Standard and Privacy Notice for more information.
UTA’s GDPR policy is forthcoming.
Questions regarding GDPR requirements should be addressed to University Attorney, Shelby Boseman, at firstname.lastname@example.org. Data security requirements should be addressed to UTA’s interim CISO, Cheryl Nifong, at email@example.com.