GDPR

The GDPR requires the following principles for processing personal data. Personal data shall be:

• Processed lawfully, fairly, and in a transparent manner in relation to the data subject;
• Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with the purpose;
• Adequate, relevant, and limited to what is necessary in relation to the purpose for which the data is processed;
• Accurate and necessary, kept up to date, and ensuring any inaccurate data is destroyed or rectified;
• Kept in a form which allows for identification of data subjects for no longer than is necessary for the purpose for which the data is processed (note that personal data may be stored for periods longer than the intended purpose for archival/record retention purposes provided appropriate safeguard measures are in place);
• Processed in a manner that ensures appropriate security of the personal data, including against loss, destruction or damage, or unauthorized disclosure.

Personal data is defined very broadly and consists of any information relating to an identified or identifiable person and includes name, identification number, location data, online identifier, or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person. Examples of personal data collected and processed at UTA include, without limitation: name, photo, email address, identification number (such as UTA ID), physical address or other location data, IP address or other online identifier. Additionally, the GDPR provides additional protections for sensitive personal data that includes: racial and ethnic origin, health, genetic/biometric, religion, sexual orientation, political views.

Yes. The GDPR directly applies to UTA when it controls or processes the personal data of any individual located in the EU (applies to data created/originated while that individual is in the EU). Examples include information from applicants located in the EU, students on study abroad in the EU, faculty and employee applicants in the EU, etc. Under the GDPR, “controller” is defined as the entity that determines the purposes, conditions, and means of the processing of personal data. “Processor” is defined as the entity which processes the personal data on behalf of the controller.

“Processing” is defined as “any operation or set of operations which is performed on personal data,” including but not limited to: collection, recording, storage, use, disclosure by transmission.

In order to collect and process personal data from the EU it must meet one of the following requirements:

1. Processing is necessary for the purposes of the legitimate interests pursued by UTA or by a third party.
2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
3. Processing is necessary for compliance with a legal obligation to which UTA is subject.
4. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

As an institute of higher education, UTA is a comprehensive research, teaching, and public service institution. In order for UTA to educate its foreign and domestic students both in person and on-line, engage in world-class research, and provide public service, it is essential, and UTA has a lawful basis to, collect, process, use, and maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission; registration; delivery of classroom, on-line, and study abroad education; grades; communications; employment; applied research; development; program analysis for improvements; and records retention.

Complete the GDPR - Lawful Basis Form.

Consent is required whenever UTA collects any of the following information.

• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• genetic data
• biometric data
• sexual orientation

Use the GDPR Model Consent Form as a template to collect this information or add the language to your existing form(s). Electronic consent is also permissible (including click acceptance), but the consent must be: 1) Freely given; 2) specific, informed and unambiguous; and clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent.

Yes. Each website should have a link to the UTA Legal and Privacy Notice at the bottom of the page.

All personal data and sensitive personal data collected or processed by any UTA unit must comply with the security controls and systems and process requirements of UTA’s Data Classification Standard.

The GDPR provides data subjects the right to requests access to their data, a copy of their data, restriction if the use of their data, and/or erasure of their data. Refer to UTA’s Legal Standard and Privacy Notice for more information.

UTA’s GDPR policy is forthcoming.

Questions regarding GDPR requirements should be addressed to University Attorney, Shelby Boseman, at sboseman@uta.edu. Data security requirements should be addressed to UTA’s interim CISO, Cheryl Nifong, at cheryl.nifong@uta.edu.