General Data Protection Regulation (GDPR)
The GDPR is a data protection law that applies broadly to the processing of personal information about European Union (EU) residents. (Note that, in addition to EU Member States, the GDPR also applies to Iceland, Norway, Liechtenstein, the United Kingdom and Switzerland.) Generally speaking, the regulation applies to all personally identifiable data that is collected, used, stored or otherwise processed about individuals in the EU under certain circumstances, by any method, including electronic and paper records. For more information about how the GDPR applies to NYU, please see the section below entitled “What areas of NYU may be impacted?”
The aims of the regulation include strengthening individuals' rights in the protection of their personal data while at the same time harmonizing rules across EU member states and facilitating the free flow of personal data.
GDPR replaces and expands upon the existing EU Data Protection Directive by adding new substantive requirements and extending the scope of the law to cover certain activities of organizations located outside of the EU.
The GDPR requires institutions to process data according to a set of fundamental principles including that the data is:
- processed fairly and in a transparent manner;
- collected for specific and legitimate purposes;
- limited to what is necessary for the specified purposes;
- kept accurate and up-to-date;
- only retained for as long as is necessary; and
- appropriately secured.
The GDPR also requires institutions to:
- Ensure that all processing meets one of the legal bases specified under the GDPR;
- Provide data subjects with certain individual rights, including the right to receive detailed notices about the collection and use of their data and to access and amend personal data collected about them;
- Carry out data protection impact assessments for activities that pose a high risk of harm to individuals, and incorporate “privacy by design and default” into all of its processing activities;
- Notify the applicable regulatory authority and affected individuals in the event of certain data breaches; and
- Maintain detailed records of its data processing activities and appoint a Data Protection Officer under certain circumstances.
The GDPR applies to the processing of personal data in the context of organizations established in the EU, which includes NYU’s EU Global Sites. The GDPR also applies to the processing of data by organizations outside the EU, where those activities are related to offering of goods or services to individuals in the EU, or monitoring of behavior of individuals that takes place in the EU. For example, this may include processing of data by NYU in the context of recruiting prospective students who are located in the EU or offering services to alumni who are located in the EU.
Any department or school that collects, uses, or otherwise processes personal information about people while they are in the EU may be impacted by the GDPR. Please consult NYU’s GDPR Data Protection Officer to discuss how GDPR may affect your operations.
- NYU has named Peter Christensen as its Data Protection Officer (DPO).
- NYU has created a GDPR Steering Committee and a Core Team that are leading NYU’s review and implementation work. The Core Team will provide guidance to process owners, departments, and other stakeholders across the University on implementation.
- Training will be provided to staff who have a role in GDPR procedures.
- GDPR compliance resources are currently located in a shared Google drive that will be made available to relevant process owners as applicable.
- New/Updated Policy: IT Security Information Breach Notification
If individuals in the EU (including students, alumni, and employees) wish to exercise their rights under GDPR please download the NYU Data Request Form (Google Doc), fill it out, and send it to GDPR Data Request.
NYU will implement additional notices from time to time as necessary; they will be published here.
- Students studying in the E.U.
- Prospective students in the E.U.
- Online students in the E.U.
- Employees in the E.U.
- Prospective employees in the E.U.
- Alumni and Friends of NYU in the E.U.
- Vendors in the E.U.
- Supplement to Data Privacy Notice for Daily COVID-19 Screener for Campus Access
- Supplement to Data Privacy Notice for COVID-19 Testing - NYU Florence, London, Prague
Under the GDPR, NYU has an obligation to have agreements with organizations that are processing personal data covered by the GDPR on NYU’s behalf. These agreements must include provisions to ensure that personal data is being appropriately protected. NYU has updated its Purchasing Terms and Conditions to reflect this requirement and has also developed standard contract templates that can be used where NYU is engaging a third party to process data or is entering into contracts that may involve collection or use of personal data covered by the GDPR. For assistance in this area please contact the NYU Procurement Department or the Data Protection Officer.