Explanation and effective date
The European Union’s General Data Protection Regulation (EU GDPR) is a general privacy law that applies to personally identifiable information:
- collected in the European Union (EU);
- from individuals in EU countries that are related to either goods or services offered in the EU; or
- that involves the monitoring of individuals in the EU.
This regulation applies both inside and outside the EU and applies to data about anyone in the EU, regardless of whether they are a citizen or permanent resident of an EU country.
The regulation went into effect May 25, 2018.
Any department or unit of the University that collects, processes, discloses, or stores personally identifiable information related to any individual who is located in the EU may be impacted by this regulation.
Specific areas of impact include:
- Office of International Education and Development (OIED),
- Office of Admissions,
- Distance Education,
- Office of Research, and
- Human Resources.
Information subject to the EU GDPR
The EU GDPR applies to the collection, use or storage of personally identifiable information or data, which is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to a particular identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person.
Examples of personally identifiable information or data include, but are not limited to, the following:
- Name
- Photograph
- Email address
- Identification number (i.e. Banner ID #)
- Social Security number
- App State Account (User ID)
- Physical address or other location data
- IP address or another online identifier
Individual rights under EU GDPR
Generally, the EU GDPR provides identifiable natural persons with:
- the right to request access to or transfer of an individual’s personally identifiable information;
- the right to request information about the methods used to collect, store or process an individual’s personally identifiable information;
- the right to request information about any third parties that receive an individual’s personally identifiable information;
- the right to request restrictions on the use or disclosure of an individual’s personally identifiable information if the individual believes any data is processed unlawfully;
- the right to request corrections to any personally identifiable information that appears incomplete or inaccurate;
- the right to object to the collection, retention, and use of any personally identifiable information if there are legitimate grounds for such objection;
- the right to full and transparent information and communication about personal data practices, including the right to be notified about unauthorized access;
- the right to file a complaint with the appropriate authorities in the United States or European Union; and
- the right to withdraw consent at any time for the collection, storage or processing of personally identifiable information.
App State’s data security standards & requirements for EU GDPR Data
All personally identifiable data collected or processed by any Appalachian State University unit must comply with the security controls and process requirements designated under the University’s Information Security Policy and Associated Standards.
More about EU GDPR, including the text of the regulation, can be found at gdpr-info.eu.
App State’s EU GDPR privacy notice
Access App State's EU GDPR privacy notice at: https://data.appstate.edu/governance/regulations/privacy
Contact App State's Office of Information Security at 828-262-6946 or via email at security@appstate.edu.