Learn About the GDPR

At Cornell University, data privacy is everyone’s concern and responsibility. New privacy regulations are coming into effect around the world and have implications for our global and Ithaca campus-based operations.

Among those new regulations is the General Data Protection Regulation (“GDPR”). This European data protection law took effect on May 25th, 2018. It imposes stricter requirements on the use of personal data, increases penalties for non-compliance, and provides more uniform data privacy laws across European states.

Specifically, this regulation enhances data privacy for individuals located within the European Economic Area (“EEA,” which includes all 28 EU member states, as well as Iceland, Liechtenstein, and Norway). A person’s physical presence in the EEA, rather than citizenship or residency, typically determines whether the GDPR applies.


Data protection principles of the GDPR require that Cornell:

  • process data in a lawful and transparent manner
  • limit data processing activities to what is necessary (“data minimization”)
  • ensure the accuracy of data collected and created
  • retain data only for as long as it’s needed
  • provide reasonable technical and organizational security measures to protect data


Additionally, the GDPR requires the following data protection measures:

  • any business process making use of consent (e.g., web forms with consent check boxes, signed paper documents, etc.) for the collection or use of personal data must provide an easy means for an individual to withdraw their consent to have their information used/processed
  • transparent privacy notices are posted in easily accessible and relevant areas (e.g. websites, consent forms, web forms, signed paper documents, etc.) informing individuals of their data protection rights and how their information is processed or used
  • a timely response by Cornell University to individuals wishing to exercise their rights under the GDPR (30 days for standard requests, and up to 90 days for more complex requests)
  • contracts with our vendors, research partners, and other external campus relationships must include language defining the roles and responsibilities under the GDPR
  • an inventory of all business workflows involving personal data or “record of processing activities” must be maintained to document how data is managed and the lawful basis for processing it
  • immediate data breach reports must be made to the relevant data protection authority (72 hours)


For any questions or concerns related to the GDPR or campus activities that might be in scope of the regulation, please contact Support. Please consult these pages for additional information: