Home > V. Administrative, Financial, and Facilities Policies > Ch.46 - European Union General Data Protection Regulation

46.1 General Policy

Effective May 25, 2018, the European Union General Data Protection Regulation (GDPR) began to regulate the processing of personal data, including special category data, in any format, of a living individual residing within the European Union (EU). “Processing” is any activity involving personal data, including holding and storing it. “Special category data” is defined below in II-46.2. To the extent that the GDPR applies to the University of Iowa, which is an instrumentality of the State of Iowa and which holds the sovereign immunities and defenses of a state entity, this policy describes how the university treats data that the GDPR claims it controls.

The University is the data controller for all personal data that it processes, except where it acts as a data processor on behalf of another data controller. The University’s Data Protection Officer is the Chief Information Security Officer.

The GDPR applies only to the processing of personal data of certain individuals in the University community, and this policy refers to these individuals as “EU residents.” EU residents include: 

  1. Applicants for admission to any of the University’s academic programs or activities, with respect to personal data and special category data pertaining to them, processed by the University while the applicant resides in an EU member state.
  2. University students studying abroad in a country that is a member state of the European Union, with respect to personal data and special category data pertaining to them, processed by the University while they reside in an EU member state.  
  3. Applicants for employment by the University or any of its units or affiliated entities, with respect to personal data and special category data pertaining to them, processed by the University while the applicant resides in an EU member state.
  4. Employees of the University with respect to personal data and special category data pertaining to them, processed by the University while the employee resides in an EU member state.
  5. Individuals who are subjects of human research with respect to personal data and special category data pertaining to them, processed by the University while they reside in an EU member state.
  6. Patients in the University’s health care enterprise with respect to personal data and special category data pertaining to them, processed by the University while they reside in an EU member state.