GDPR Frequently Asked Questions

What is the GDPR?

The General Data Protection Regulation (GDPR) represents a significant change in data privacy regulation. It replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, provide rights to European Union (EU) citizens regarding data privacy, and reshape the way organizations across the region approach data privacy.

Whose data does the GDPR protect?

The GDPR covers personal information of all natural persons—that is, people, but not legal entities like corporations or nonprofits—physically within the EU ("EU data subjects"). The GDPR makes no distinctions based on individuals' permanent places of residence or nationality. The GDPR applies to all such individuals' personal data.

What constitutes personal data?

Personal data in the context of GDPR means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to, among other things, an identifier such as a name, an identification number, location data, or an online identifier. Examples of personal data include, but are not limited to, name and surname, home address, a photograph, email address (such as [email protected]), identification card numbers, personal phone numbers, location data (for example, the location data function on a mobile phone), Internet Protocol (IP) addresses, cookie IDs, the advertising identifier of a phone, data held by a hospital or doctor that uniquely identifies a person (for example, a unique patient number), and the content of exam papers.

Who does the GDPR affect?

The GDPR applies to organizations located within the EU, and it also states that it applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. Put another way, it will attempt to apply to all companies processing and holding the personal data of EU data subjects, regardless of the company’s location.

Do the rules only apply to EU citizens or residents?

Citizenship or residence is not a condition that triggers the application of the GDPR rules, requirements, and rights. GDPR may apply whether you are a EU citizen or not, depending on the circumstances.

What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover for breaching the GDPR or €20 Million, whichever is more. This is the maximum fine that can be imposed for the most serious infringements—for example, not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, however, and a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors—meaning "clouds" will not be exempt from GDPR enforcement.

What does GDPR mean to the University of Michigan?

The University of Michigan has developed a GDPR compliance program to assist in complying with the requirements of GDPR. The program was developed by the University Privacy Officer and the Office of General Counsel, in collaboration with representatives from Office of General Counsel, Office of Research, International Center, Global Engagement, Academic Innovation, Michigan Medicine Corporate Compliance, Procurement, University Development, Enrollment Management, University HR, and Alumni Association.

Understanding of how GDPR is defined, interpreted, and enforced by the EU and national data protection authorities of its member states continues to evolve. The University of Michigan is paying close attention to the evolution of the law's compliance requirements and responding as needed.

Why does GDPR apply to the University of Michigan?

GDPR may apply to certain personal data collected by the University of Michigan because, in certain limited circumstances, we engage in business activities that collect or process the personal data of individuals residing in the EU.

What are examples of where GDPR applies and does not apply at U-M?

Examples of when the GDPR may apply at U-M:

  • A cohort of non-EU students is participating in a semester-long study abroad in Italy, Belgium, and UK.
  • Office of Development is engaged in a fundraising campaign and is collecting donor information from alumni residing in the EU.
  • A research consortium in the EU provides the University of Michigan with the personal data of EU citizens for research analysis.

Examples of when the GDPR does not apply at U-M:

  • Expatriate research group formed on campus, that is, groups at the university made up of EU citizens who are students at U-M.
  • EU faculty are recruited at an academic conference held in Orlando, Florida. In contrast, GDPR would apply if these faculty members were recruited at a conference in Barcelona, Spain.

How does the University of Michigan comply with GDPR?

We have identified and assessed data flows that may be impacted by GDPR and developed a risk-based GDPR compliance strategy in support of GDPR requirements. We have implemented prioritized GDPR requirements, established a sustainable GDPR compliance program, and made GDPR compliance resources available to the University community.

What do I need to do if I receive a pop-up or other notification from a software application or a service provider regarding GDPR compliance?

Pursuant to Delegation of Authority to Bind the University to External Agreements on (SPG 601.24), most University of Michigan employees are not authorized to accept agreements or certify compliance on behalf of the university. Please refer third party notifications related to GDPR compliance to [email protected].

Does GDPR apply to data collected prior to May 25, 2018 (when the regulation took effect)?

Requirements around the process of collecting data protected by GDPR are not enforced retroactively. For example, if data subject to GDPR were collected using an old consent form, or without consent, prior to May 25, 2018, the University of Michigan will not seek consent for this existing data. However, if that data continued to be stored and/or processed by the university after May 25, 2018, the university is required to meet its obligations as a data controller under GDPR.

Does the GDPR apply to de-identified data?

The GDPR does not apply to anonymous information.

Can or does U-M certify to Privacy Shield?

No. The Privacy Shield framework does not apply to U-M, and therefore the unversity cannot certify to it. Furthermore, in July 2020, the EU Court of Justice invalidated the Privacy Shield mechanism.

Disclaimer: The information contained in this FAQ is for informational purposes and does not constitute legal advice. Each individual case is different, and advice may vary depending on the situation. Further, the law and policy considerations may change as GDPR is implemented and analyzed a legal setting, and the information contained herein may not be updated as needed to maintain accuracy in a changing legal landscape. If you have questions about this or any other legal issue, you are advised to seek the advice of a qualified attorney.