​​General Data Protection Regulation (GDPR)

​​​​​​​​​​​​​​​​​​​​​​​​​General Data Protection Regulation (GDPR)

What is th​​​​​​​​e GDPR?​

The GDPR is a European data privacy law that establishes a fundamental right to data protection for any person who is physically present in the European Economic Area (EEA), regardless of nationality. Personal data protected by the GDPR includes any information related to an identifiable person in the EEA. The rights and protections provided by the GDPR claim to extend to personal data collected or processed by any organization, even those located outside of the EEA, when the organization's activities are related to the offering of goods or services to data subjects in the EEA or monitoring of data subjects' behavior within the EEA.

How Does the GDPR Impact DePaul?

The vast majority of data collected and retained by DePaul University is not subject to the GDPR. However, the GDPR may protect certain personal data collected or processed by DePaul from individuals who are present in the EEA, such as students participating in stu​dy abroad programs, and foreign applicants for admission or employment. With this in mind, it is important for university employees to be aware of the rights and protections offered by the GDPR, along with the various other privacy laws that protect university data.

Exercising Data Subject Rights Pursuant to the GDPR

Faculty, Staff, and Students who have questions or concerns related to data retained by the university are strongly encouraged to contact the department that collected the data and/or refer to one of the policies listed below. Requests to erase data that is subject to the GDPR should be directed to the DePaul University's Chief Information Officer via email at security@depaul.edu. Erasure requests will be processed within thirty (30) days, when possible. Extensions will be requested, when necessary. Please note that DePaul will not respond to erasure requests that, based on the information available to the university, relate to a data subject we are unable to identify, or appear to be related to data that is not subject to the GDPR.

Links to Related Policies and Resources​

• FERPA Compliance Policy
  
• Health Information Security & Privacy​ Policy
  
• Access to and Responsible Use of Data​ Policy
  
• Records Management​ Policy and Records Retention Schedule​

 Please contact the Office of the General Counsel with any questions or concerns.