Why does the U of I System care about an EU regulation?

The U of I System takes privacy seriously and is committed to protecting the privacy of students and employees consistent with its obligations under the law. In that regard, the GDPR applies not only to entities located in the European Economic Area (EEA), but also to entities outside the EEA when they engage in certain activities. Put simply, the GDPR states that if you want to conduct business in the EEA, you have to play by EU rules. Violating those rules could result in fines of up to €20 million or 4% of worldwide revenues, whichever is greater.

The GDPR applies to controllers (someone who determines the purposes and means of processing personal data) and processors (someone who processes data on behalf of a controller) in three circumstances:

  • When they are established in the EEA; or,
  • When they are not established in the EEA but they:
    • Offer goods or services to persons in the EEA; or,
    • Monitor the behavior of persons in the EEA.

Because the majority of our universities' activities do not take place in the EEA (although individual researchers might collect data while in the EEA), generally the types of university activities that trigger GDPR requirements are those involving the offering of goods or services to persons in the EEA or where the university is monitoring their behavior. Examples of such activities could include undergraduate and graduate admissions programs, distance learning courses, study abroad, international programs (especially where participating students are from the EEA), collecting data using cookies on university websites, and research involving persons or entities in the EEA.