Skip to a question:
Please see our overview statement on the General Data Protection Regulation (“GDPR”) here.
Countries within the European Economic Area (EEA) are within the scope of the GDPR. This currently includes:
Any individual, regardless of their residency status or citizenship, who is physically present within the EEA countries listed above is within the scope of the GDPR. This means that any data these individuals submit, create, or is used which pertains to them is within the scope of the regulation.
Under Article 4 of the regulation, “any information relating to an identified or identifiable natural person…directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” — in short, any data about an identifiable individual.
The full life cycle of data: collection, processing, sharing, storage, retention/archiving, and disposal.
Cornell has taken the following steps to help the campus community prepare and demonstrate its data protection activities:
- assembled a Data Protection Committee, with a focus on the GDPR and including several key campus functions;
- initiated a compliance plan to review current campus policies, processes, and procedures;
- compiled GDPR survey results to assist academic and administrative units with their record of processing activities;
- crafted and updated privacy notices of Cornell and other Cornell affiliated websites;
- posted additional notices specific to prospective and current Cornell community members;
- improved existing processes to support timely breach reporting requirements;
- defined and standardized a campus GDPR rights request process;
- began a campus contract review process to confirm our processors and other campus partners are aware of our data protection requirements.
Due to the complexity of both the regulation and the Cornell campus, a review of your business function and data processing activities is necessary to ensure you are in compliance with the regulation. Technologies and business processes are also also constantly evolving, and collaborative reviews of these changes may help you proactively spot sensitive areas requiring GDPR compliance.
If you feel that your unit, division, department, program, or event may have a global or GDPR footprint, please contact email@example.com for consultation.
Please contact us for guidance and assistance: firstname.lastname@example.org.