
European Union General Data Protection Regulation

To: Executive Vice Presidents, Chancellors, Vice Presidents, Vice Chancellors, Vice Provosts, Deans, Directors and Heads of Schools, Divisions, Departments and Offices

From: Greg Hedrick, Chief Information Security Officer & Trent Klingerman, Chief Privacy Officer

Date: June 12, 2018

Re: European Union General Data Protection Regulation

As previously reported, some of Purdue’s activities will be subject to the new European Union General Data Protection Regulation (“GDPR”), which governs the use of personal data collected from people in the 28 member countries of the European Union (“EU”). GDPR’s requirements apply to entities located outside of the EU that control or process the personal data of anyone who is in the EU. GDPR protects anyone in the EU whose data is being collected or processed, regardless of whether that person is a citizen or permanent resident of an EU member country. This includes Purdue students studying abroad and faculty on sabbatical in the EU.

GDPR’s basic data protection principle provides that personal data must be “processed” fairly, lawfully and transparently. “Processing” means collecting, handling, storing, disclosing and destroying data. The principle requires the university to have a legal basis for processing an individual’s information. A legal basis is generally satisfied if the university can point to a legal obligation to process the information or can otherwise establish that the information is necessary in order to fulfill an obligation the university has to the individual. In circumstances where no other legal basis applies, an individual may consent to the data processing; consent is itself a legal basis for processing that individual’s personal data.

The GDPR working group continues its analysis of GDPR’s impact on the university, focusing its efforts on the priority areas of recruitment and admission of students in the EU. We have learned that the majority of processing in this space is performed by partners (e.g., Slate and the Common App) that are complying with GDPR and with whom the university is entering into Data Processing Agreements (“DPAs”). DPAs outline the method of data processing, the legal bases of the processing and the obligations of the university and our partner with respect to the collected data. In June, the Office of Legal Counsel will sponsor a GDPR information session for offices that are likely to receive and analyze these agreements.

There are circumstances in which the university directly processes personal data in the EU. In those circumstances, we must provide individuals with an adequate notice describing the basis for processing the data and disclosing how the university will use and share the data. In general, the notice should adhere to the following basic template:

Purdue University [Department Name] uses your personal data to [why collected – application, registration – for what purpose do we collect the data]. If you [ask us to/consent to], we share your information with [if we share, with whom do we share and why].

If you would like assistance in creating a notice for your specific purpose, please contact Trent Klingerman in the Office of Legal Counsel (klingert@purdue.edu or 6-6846).

The working group is also working on integrating GDPR compliance into the university’s existing information security and privacy program. For the near term, we will direct individuals to the university’s current policies that describe the legal bases for possessing the personal data and the manner in which we handle the data at the university (e.g., the Registrar’s FERPA page). As GDPR matures and its impact on the university begins to take shape, Purdue may update its policies to more directly respond to its requirements.