Chapter 46 – European Union General Data Protection Regulation

(President 5/25/18; amended 4/17/20)

46.1 General Policy

Effective May 25, 2018, the European Union General Data Protection Regulation (GDPR) began to regulate the processing of personal data, including special category data, in any format, of a living individual residing within the European Union (EU). “Processing” is any activity involving personal data, including holding and storing it. “Special category data” is defined below in II-46.2. To the extent that the GDPR applies to the University of Iowa, which is an instrumentality of the State of Iowa and which holds the sovereign immunities and defenses of a state entity, this policy describes how the university treats data that the GDPR claims it controls.

The University is the data controller for all personal data that it processes, except where it acts as a data processor on behalf of another data controller. The University’s Data Protection Officer is the Chief Information Security Officer.

The GDPR applies only to the processing of personal data of certain individuals in the University community, and this policy refers to these individuals as “EU residents.” EU residents include: 

  1. Applicants for admission to any of the University’s academic programs or activities, with respect to personal data and special category data pertaining to them, processed by the University while the applicant resides in an EU member state.
  2. University students studying abroad in a country that is a member state of the European Union, with respect to personal data and special category data pertaining to them, processed by the University while they reside in an EU member state.  
  3. Applicants for employment by the University or any of its units or affiliated entities, with respect to personal data and special category data pertaining to them, processed by the University while the applicant resides in an EU member state.
  4. Employees of the University with respect to personal data and special category data pertaining to them, processed by the University while the employee resides in an EU member state.
  5. Individuals who are subjects of human research with respect to personal data and special category data pertaining to them, processed by the University while they reside in an EU member state.
  6. Patients in the University’s health care enterprise with respect to personal data and special category data pertaining to them, processed by the University while they reside in an EU member state. 

46.2 What the University Does with Data Regulated by the General Data Protection Regulation

  1. Personal data. The University may obtain, hold, and process the personal data of EU residents, including personal details, family and social circumstances, education and training records, technological identifiers, and information regarding employment, finances, and research. 
  2. Special category data.
    1. The University may obtain, hold, and process special category data from EU residents, which is data revealing:
      1. racial or ethnic origin;
      2. political opinions;
      3. religious or philosophical beliefs;
      4. trade union membership; 
      5. physical or mental health;
      6. data concerning a natural person’s sex life or sexual orientation; or 
      7. genetic data or biometric data processed for the purpose of uniquely identifying a natural person.
      The University may obtain special category data from the EU resident directly or, in some cases, from a third party involved in the services provided.
    2. In those cases where the University processes EU residents’ special category data, and where the EU resident has not made the information public, the University will seek and obtain explicit consent of the EU resident unless it requires the data for:
      1. protection of the vital interests of the student or another person;
      2. exercise or defense of a legal claim;
      3. substantial public interest; or
      4. purposes of medical or health care.
    3. Any University processing of special category data will be consistent with this policy and will relate to the University’s provision of services. Where possible, the University will anonymize the special category data used for monitoring and reporting purposes.  
  3. Personal data of students/applicants. The University holds the personal data and special category data of EU residents who are applicants or enrolled students in order to implement and manage all services and processes relating to students, including student recruitment, admission, registration, teaching and learning, examination, graduation, extracurricular programs and activities, and other services such as accommodation, student support, counseling, health care, and career guidance. Information facilitating these purposes is maintained and processed, and, without it, the University might not be able to provide its services to these individuals or to others. Information is transmitted between and among various University units for operational reasons as is necessary and appropriate for intended purposes.

    Personal data of EU residents who are applicants or enrolled students at the University is collected and processed by the University as it is necessary for the performance of the contract under which the University provides services to students. Some processing activities also may be performed under a legal obligation, where necessary to protect the vital interests of the student or another party (for example, disclosures to external parties to ensure safety and well-being); where it is necessary for performing a task in the public interest or in the exercise of official authority (for example, disclosing information for the benefit of public health concerns); or where it is necessary for legitimate interests pursued by the University or a third party (in such case, the legitimate interests will relate to the efficient, lawful, and appropriate delivery of services, and will not operate to the detriment of the interests or rights of individuals). In the event any of these lawful bases do not apply to University processing of student data, the University will seek the consent of the EU resident whose personal data is at issue. 

    The University may disclose students’ personal data and special category data to external agencies to which it has obligations. It may also disclose EU residents’ personal data to examining bodies, legal representatives, police or law enforcement agencies, suppliers or service providers, research institutions, sponsoring organizations, or regulatory authorities. The University may disclose information regarding students’ University debt to collection agencies in order to pursue the debt. 
  4. Personal data of employees/applicants. The University holds the personal data and special category data of EU residents who are job applicants and employees in order to implement and manage all services and processes relating to employees, including recruitment, hiring and/or appointment, training and professional development, testing, certification, programs and activities, and other services such as accommodation, employee support, counseling, health care, and career guidance. Information facilitating these purposes is obtained and processed, and, without it, the University might not be able to provide its services to these individuals or to others. Information is transmitted between and among various University units for operational reasons as is necessary and appropriate for intended purposes.

    Personal data of EU residents who are University employees or job applicants is collected and processed by the University as it is necessary for the performance of the contractual relationship under which the University provides services to employees. Some processing activities also may be performed under a legal obligation, where necessary to protect the vital interests of the employee or another party (for example, disclosures to external parties to ensure safety and well-being); where it is necessary for performing a task in the public interest or in the exercise of official authority (for example, disclosing information for the benefit of public health concerns); or where it is necessary for legitimate interests pursued by the University or a third party (in such case, the legitimate interests will relate to the efficient, lawful, and appropriate delivery of services, and will not operate to the detriment of the interests or rights of individuals). In the event any of these lawful bases do not apply to University processing of employee data, the University will seek the consent of the EU resident whose data is at issue. 

    The University may disclose personal data and special category data of EU residents who are employees or job applicants to external agencies to which it has obligations. It may also disclose such EU residents’ personal data to examining, licensing or certification bodies, legal representatives, police or law enforcement agencies, suppliers or service providers, research institutions, sponsoring organizations, or regulatory authorities. 
  5. Personal data of research subjects. The University holds the personal data and special category data of EU residents who are subjects of human research in order to implement and manage all services and processes relating to research, including research subject enrollment, intervention or interaction with research subjects, publishing of research data, and other services. Information facilitating these purposes is obtained and processed, and, without it, the University might not be able to provide its services to these individuals or to others.  

    All personal data and special category data of EU residents who are human research subjects that is processed by the University is governed by this policy and by II-27.4 General Policy and Procedures for Review of Research Projects Involving Use of Human Subjects, and the University will process it with the consent of the EU resident whose personal data or special category data is at issue. Some processing activities also may be performed under a legal obligation, where necessary to protect the vital interests of the research subject (for example, disclosures to external parties to ensure safety and well-being); where it is necessary for performing a task in the public interest or in the exercise of official authority (for example, disclosing information for the benefit of public health concerns); or where it is necessary for legitimate interests pursued by the University or a third party (in such case, the legitimate interests will relate to the efficient, lawful, and appropriate delivery of services, and will not operate to the detriment of the interests or rights of individuals). 

    Personal data of EU residents who are subjects of human research is collected and processed by the University as it is necessary for the performance of the contract under which the University receives research funding. 

    The University may disclose personal data and special category data of EU residents who are research subjects to external agencies to which the University has obligations. It may also disclose such EU residents’ personal data or special category data to examining bodies, legal representatives, police or law enforcement agencies, suppliers or service providers, research institutions, sponsoring organizations, or regulatory authorities. 
  6. Personal data of health care patients. The University holds the personal data and special category data of EU residents who are patients of the University’s health care enterprise. Information facilitating diagnosis, evaluation and treatment, billing for services, and services related to the provision of health care to these patients is obtained and processed, and, without it, the University might not be able to provide its services to these individuals or to others. All personal data and special category data of EU residents who are University patients is processed by the University on the basis of the consent of the EU resident whose personal data or special category data is at issue unless another lawful basis applies. 

    Some processing activities may be performed under a legal obligation, where necessary to protect the vital interests of the health care patient (for example, disclosures to external parties to ensure safety and well-being); where it is necessary for performing a task in the public interest or in the exercise of official authority (for example, disclosing information for the benefit of public health concerns); or where it is necessary for legitimate interests pursued by the University or a third party (in such case, the legitimate interests will relate to the efficient, lawful and appropriate delivery of services, and will not operate to the detriment of the interests or rights of individuals). 

    Personal data of some EU residents who are patients is collected and processed by the University as it is necessary for the performance of a contract under which the University provides care to these patients. 

    The University may disclose personal data and special category data of EU residents who are University patients to external agencies to which the University has obligations. It may also disclose such EU residents’ personal data to examining bodies, legal representatives, police or law enforcement agencies, suppliers or service providers, research institutions, sponsoring organizations, or regulatory authorities. 

46.3 Asserted Rights and Obligations of EU Residents with Respect to the University’s Processing of Personal Data

  1. Individual rights. Subject to the University’s immunities and defenses as an instrumentality of the State of Iowa, EU residents whose personal data or special category data the University processes have the following rights with respect to this data:
    1. The right to request access to their personal data held by the University.
    2. The right to have inaccurate or incomplete personal data rectified.
    3. The right to erasure of personal data, provided, however, that this may occur only in those very rare circumstances where the University has no legitimate reason to continue to hold/process that data, including legitimate reasons such as defense of legal claims. The University generally must maintain basic student records and some employment records indefinitely.
    4. The right to restrict processing of their personal data in certain situations.
    5. The right to data portability: EU residents may request in digital form those portions of the University’s personal data regarding them that pertain to their role at the University. For example, students may request data regarding their academic progress in order to provide it to other institutions or potential employers; and employees may request their respective personnel files.  
    6. The right to object to:
      1. the University’s processing of their personal data in certain circumstances such as the sending and receipt of direct marketing material; or 
      2. automated decision making without human intervention in certain circumstances.
    7. The right to withdraw consent in those circumstances where the University’s processing of personal data or special category data is based on the consent of the person whose data is at issue. To withdraw consent, the EU resident must contact the unit that obtained the consent or the University’s Data Protection Officer and follow the instructions provided.
    8. The right to report a concern regarding the University’s processing of the EU resident’s personal data or special category data by contacting the Data Protection Officer with information describing the concern. 
  2. Individual responsibilities. Individuals have responsibilities with respect to personal data held/processed by the University, as described in the University’s policies on the various types of personal data it processes, listed below. All members of the University community must familiarize themselves with these policies and are responsible for complying with them. 
    1. Information technology resources are subject to the University’s security and privacy protections in II-19.3 of the Policy on Acceptable Use of Information Technology Resources;
    2. Research subject data is subject to II-27.4 General Policy and Procedures for Review of Research Projects Involving Use of Human Subjects;
    3. Data from surveys and questionnaires is subject to II-27.5 Policy on Administrative Surveys and Questionnaires;
    4. Use of social security numbers in University records is subject to II-36 Social Security Numbers;
    5. Student records are subject to IV-6 Treatment of Student Education Records;
    6. Data regarding employees is subject to V-18 Personnel Records; and 
    7. Personal data and special category data regarding EU residents is subject to this policy, V-46 Compliance with EU General Data Protection Regulation (GDPR).
  3. Individuals who fail to comply with the University’s policies may be subject to University discipline and/or other legal recourse, including, without limitation, personal liability under the European Union General Data Protection Regulation, subject to the immunities and defenses available to the individual resulting from a relationship with the University of Iowa as an instrumentality of the State of Iowa.