The GDPR is a data protection law that applies broadly to the processing of personal information about European Union (EU) residents (Note that, in addition to EU Member States, the GDPR also applies to Iceland, Norway, Liechtenstein, United Kingdom and Switzerland.) Generally speaking, the regulation applies to all personally identifiable data that is collected, used, stored or otherwise processed about individuals in the EU under certain circumstances, by any method including electronic and paper records. For more information about how the GDPR applies to NYU, please see the section below entitled “What areas of NYU may be impacted?”
The aims of the regulation include strengthening individuals' rights in the protection of their personal data while at the same time harmonizing rules across EU member states and facilitating the free flow of personal data.
GDPR replaces and expands upon the existing EU Data Protection Directive by adding new substantive requirements and extending the scope of the law to cover certain activities of organizations located outside of the EU.
The GDPR requires institutions to process data according to a set of fundamental principles including that the data is:
The GDPR also requires institutions to:
The GDPR applies to the processing of personal data in the context of organizations established in the EU, which includes NYU’s EU Global Sites. The GDPR also applies to the processing of data by organizations outside the EU, where those activities are related to offering of goods or services to individuals in the EU, or monitoring of behavior of individuals that takes place in the EU. For example, this may include processing of data by NYU in the context of recruiting prospective students who are located in the EU or offering services to alumni who are located in the EU.
Any department or school that collects, uses, or otherwise processes personal information about people while they are in the EU may be impacted by the GDPR. Please consult NYU’s GDPR Data Protection Officer to discuss how GDPR may affect your operations.
If individuals in the EU (including students, alumni, and employees) wish to exercise their rights under GDPR please download the NYU Data Request Form (Google Doc), fill it out, and send it to GDPR Data Request.
NYU will implement additional notices from time to time as necessary; they will be published here.
Under the GDPR, NYU has an obligation to have agreements with organizations that are processing personal data covered by the GDPR on NYU’s behalf. These agreements must include provisions to ensure that personal data is being appropriately protected. NYU has updated its Purchasing Terms and Conditions to reflect this requirement and has also developed standard contract templates that can be used where NYU is engaging a third party to process data or is entering into contracts that may involve collection or use of personal data covered by the GDPR. For assistance in this area please contact the NYU Procurement Department or the Data Protection Officer.