Skip to main content
Privacy Resources at Cornell University

GDPR FAQ

Skip to a question:

What is the GDPR?
Which countries are included in the the scope of the GDPR?
Who does the GDPR apply to?
What is considered “personal data”?
What is considered “data processing”?
What is Cornell doing in response to the GDPR?
How will my unit, department, or program be affected by the GDPR?
Who do I contact if I have questions about data protection or the GDPR?

 

 

What is the GDPR?

Please see our overview statement on the General Data Protection Regulation (“GDPR”) here.

 

Which countries are included in the the scope of the GDPR?

Countries within the European Economic Area (EEA) are within the scope of the GDPR. This currently includes:

Austria Finland Latvia Portugal
Belgium France Liechtenstein Romania
Bulgaria Germany Lithuania Slovakia
Croatia Greece Luxembourg Slovenia
Cyprus Hungary Malta Spain
Czech Republic Iceland Netherlands Sweden
Denmark Ireland Norway United Kingdom
Estonia Italy Poland

 

Who does the GDPR apply to?

Any individual, regardless of their residency status or citizenship, who is physically present within the EEA countries listed above is within the scope of the GDPR. This means that any data these individuals submit, create, or is used which pertains to them is within the scope of the regulation.

 

What is considered “personal data”?

Under Article 4 of the regulation, “any information relating to an identified or identifiable natural person…directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” — in short, any data about an identifiable individual.

 

What is considered “data processing”?

The full life cycle of data: collection, processing, sharing, storage, retention/archiving, and disposal.

 

What is Cornell doing in response to the GDPR?

Cornell has taken the following steps to help the campus community prepare and demonstrate its data protection activities:

  1. assembled a Data Protection Committee, with a focus on the GDPR and including several key campus functions;
  2. initiated a compliance plan to review current campus policies, processes, and procedures;
  3. compiled GDPR survey results to assist academic and administrative units with their record of processing activities;
  4. crafted and updated privacy notices of Cornell and other Cornell affiliated websites;
  5. posted additional notices specific to prospective and current Cornell community members;
  6. improved existing processes to support timely breach reporting requirements;
  7. defined and standardized a campus GDPR rights request process;
  8. began a campus contract review process to confirm our processors and other campus partners are aware of our data protection requirements.

 

How will my unit, department, or program be affected by the GDPR?

Due to the complexity of both the regulation and the Cornell campus, a review of your business function and data processing activities is necessary to ensure you are in compliance with the regulation. Technologies and business processes are also also constantly evolving, and collaborative reviews of these changes may help you proactively spot sensitive areas requiring GDPR compliance.

If you feel that your unit, division, department, program, or event may have a global or GDPR footprint, please contact gdpr@cornell.edu for consultation.

 

Who do I contact if I have questions about data protection or the GDPR?

Please contact us for guidance and assistance: gdpr@cornell.edu.