UW Privacy Office

EU GDPR

(This webpage was updated on 12-2-2019, and again on 1-22-2020)

Overview

The European Union’s General Data Protection Regulation (EU GDPR) broadly applies to information relating to persons residing in the European Economic Area (EEA). EU GDPR limits when and how organizations worldwide can collect, store, use, or otherwise process personal data. It also provides individuals with certain rights related to their personal data, including the right to be informed, to make choices about personal data processing, to access personal data, and in some cases, to delete personal data, among other rights.

Applicability:

EU GDPR applies to areas of the UW that process personal data (e.g., collecting, analyzing, storing, deleting, disclosing, etc.) about persons who reside in the EEA. This may include, but is not limited to: students, distance learners, athletes, employees, patients, research subjects, alumni, donors, etc.

Personal data is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is a natural person (not a corporation or other legal entity) who can be identified, directly or indirectly, by reference to:

  • Any identifiers, such as name, ID, location data, online identifier; or
  • Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Effective Date:

May 25, 2018

Fines:

Up to 4% of global annual turnover (revenue) or 20 million euro

UW’s Approach to EU GDPR

UW adopted a multi-phase approach to address EU GDPR based on existing funding and resources available through the UW Privacy Office.

[Diagram: Phases 1, 2 and 3 of EU GDPR implementation]

Phase 1 Initial Efforts:

Members of the UW developed a risk management approach to help units better understand and address EU GDPR requirements. Based on recommendations from the UW Division of the Attorney General’s Office, the UW initially focused on the high priority foundational elements of compliance for:

Collaborative Committee/Work Groups:

Phase 1 work included representatives from the UW Privacy Office, Academic and Student Affairs, Advancement, the Attorney General’s Office, Compliance and Risk Services, Enrollment Management, Financial Management, Global Affairs, Global Health, the Graduate School, Office of Research, UW Continuum College, UW Medicine Compliance, and UW Medicine IT Services.

Timeline:

October 2017 – May 2018: Convene workgroups, conduct training, and publish initial deliverables.

Ongoing efforts after May 2018: The UW Privacy Office will lead ongoing efforts to finalize additional deliverables and further interpret the areas of the EU GDPR that were not included in the initial effort.

Resources:

The EU GDPR resources posted to the UW Privacy website apply to all personal data processing activities except those limited to processing of protected health information (PHI). Further information is contained in the Privacy Policy for EU GDPR linked below.


Privacy Policy for EU GDPR

Initially published as the “UW Standard for European Union General Data Regulation (EU GDPR),” this document was updated and reviewed by many process partners in the fall of 2019, and has been renamed the “Privacy Policy for EU GDPR”.


Data Protection Impact Assessment (DPIA)

Under EU GDPR, controllers must conduct a data protection impact assessment (“DPIA”) for certain types of processing that more heavily impact the rights and freedoms of individuals, including when there is:

  • a systematic and extensive evaluation of personal aspects relating to [individuals] which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning [an individual] or similarly significantly affect [an individual];
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions and offenses; or
  • a systematic monitoring of a publicly accessible area on a large scale.

(Above excerpted from EU GDPR Article 35)

Before a UW department or unit engages in processing that renders the UW a controller and requires a DPIA, that UW department or unit must complete a DPIA using the UW Privacy Office’s Privacy Impact Assessment (PIA) for Processing Activities, available on the Privacy Assessments webpage.

UW departments and units must err on the side of completing a DPIA when it is unclear whether a DPIA is required. If a UW department or unit evaluates an activity for high-risk processing and determines that the activity is not in fact high-risk and a DPIA is not required, the rationale for that determination must be documented.

See Frequently Asked Questions below for examples of and factors relating to high-risk processing.


Agreements

When the UW is making decisions about the purpose and means of data processing (i.e. when the UW is the controller) and a third-party is processing data at the UW’s direction, refer to the Agreements webpage to review the workflow and identify appropriate agreements to use, including possible use of the Personal Data Processing Agreement (PDPA).

When a third-party is making decisions about the purpose and means of data processing (i.e. when the third-party is the controller) and the UW is processing data at the third-party’s direction, please refer to the EU Checklist for Third-party Controller-supplied Agreements (click to download in .docx format). This checklist helps UW departments and units inventory the terms and conditions in a third-party controller-supplied agreement. Please note that this checklist is not designed for evaluating:

  • The sufficiency of terms and conditions when UW is a processor (i.e., whether the precise terms and conditions in your agreement are legally sufficient or are favorable to the UW); or
  • Terms and conditions when UW is a controller and the Personal Data Processing Agreement is required.

This checklist does not constitute legal advice.


EU GDPR FAQs

What processing activities at the UW may be in scope for EU GDPR?

  1. When countries in the EEA are referred to by name;
  2. UW specifically directs advertising toward the EEA (such as by paying for advertising or obtaining an EEA domain);
  3. The nature of the activity is such that it can only be carried out in the EEA (such as study abroad or research programs directed at the EEA);
  4. The provision of travel instructions from countries in the EEA to UW;
  5. The mention of prior participants from the EEA in a particular UW program;
  6. The use of languages or currencies of countries in the EEA;
  7. Collecting job applicant or other human resources related information from individuals in the EEA;
  8. Recruiting students or student athletes who reside in the EEA;
  9. Recruiting employees who reside in the EEA;
  10. Maintaining alumni groups in or soliciting donations from people in the EEA;
  11. Soliciting and/or collecting donations from people in the EEA; and
  12. Providing online education programs to people in the EEA.

A holistic analysis of the processing activities may be required to determine whether the above example activities relate to personal data about individuals who are physically in the EEA at the time the data are initially collected, and whether the processing is in connection with the UW offering goods or services (even if free) to individuals in the EEA.

What are some examples of and factors relating to high-risk processing activities?

Examples of and factors relating to high-risk processing activities may include:

  1. Financial institutions screening customers against databases containing information about creditworthiness, particularly when such screening is the basis for lending decisions;
  2. Commercialized genetic testing for customers to evaluate or predict health conditions or risks;
  3. Developing behavioral or marketing profiles based on individuals’ website activity (such as the mining of social media profiles to develop directories of prospective customers);
  4. Automated processing that leads to exclusion or discrimination against individuals;
  5. Hospitals maintaining patient health records;
  6. Private investigators maintaining information about offenders;
  7. Combining or matching datasets that were originally processed for different purposes and/or by different controllers that individuals would not reasonably expect;
  8. Processing relating to vulnerable populations where there is an imbalance of power (such as employees with a diminished capacity to avoid or refuse processing by an employer);
  9. New and novel technologies (such as certain internet-of-things solutions that leverage personal data in innovative ways that may impact individuals’ privacy);
  10. Transferring personal data from the EEA to other jurisdictions, particularly when such jurisdictions do not have adequate data protection laws;
  11. Processing that prevents individuals from exercising privacy-related rights (such as processing carried out in public areas that individuals are unable to avoid);
  12. Processing that results in individuals being unable to access a service or enter into a contract;
  13. Use of a camera system to monitor driving patterns on public roads through which specific vehicles can be identified and license plates are recognizable; or
  14. Monitoring employees’ communications, devices, or workspace use.[i]

[i] Article 29 Working Party (WP) guidance on DPIAs, at 7-9