EU General Data Protection Regulation (EU GDPR) Toolkit

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation designed to protect and empower the data privacy of people in the EU. 

If your department/unit collects, uses, or shares personal data, use this toolkit to determine if the EU GDPR applies to that data and start the work to address the EU GDPR requirements. (This document is a work-in-progress, so please check back regularly for updated information.) 

Determine if GDPR Applies 
Answer these questions to help determine whether the EU GDPR applies to the data that you collect, use, or share: 
1.  Is the data about individuals physically in the European Union (EU) at the time of collection or sharing? (yes or no)
2.  Does the data include personal data? (yes or no)
Personal data is defined by the EU as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

If you answered no to either Question 1 or 2, GDPR likely does not apply. No further action is required at this time. 

If you answered yes to both Questions 1 and 2, GDPR likely applies. Continue to Question 3. 

3.  Is the data related to offering goods or services to data subjects in the EU? (yes or no)

4.  Is the data being used to monitor the behavior of individuals physically located in the EU? (yes or no) [e.g., website usage tracking, physical location tracking, etc.] 

If you answered no to both Questions 3 and 4, GDPR likely does not apply. No further action is required at this time. 

If you answered yes to either Question 3 or 4, GDPR likely applies. 

If GDPR Likely Applies
 
1. Complete the GDPR Data Survey (Trinity login required)

2. Ensure that appropriate contracts are in place 

Where Trinity is contracting for services involving the processing of EU GDPR data or sharing EU GDPR data with third parties, Trinity should ensure that a contract/agreement is in place for the protection of data, with a requirement/provision similar to the following to comply with GDPR. (Please consult the General Counsel for the latest information.) 

Third Party acknowledges and agrees that, through its services hereunder, it will or may process personal data as defined by the General Data Protection Regulations of the European Union (“EUGDPR”). The subject matter and duration of that data processing is defined in Exhibit A to this Agreement. Third Party hereby commits to the confidentiality obligations of the EUGDPR and to take all security measures required pursuant to Article 32 thereof. Third Party warrants and agrees not to use a vendor or subcontractor without Trinity’s express written consent and agrees to assist Trinity with its EUGDPR obligations related to security, data breach notification and data protection impact assessments pursuant to the EUGDPR. At Trinity’s request, Third Party will return to Trinity all EUGDPR personal data unless otherwise required by applicable law. Third Party will, upon request by Trinity, make information available to Trinity evidencing Third Party’s compliance with Article 28 of the EUGDPR. 

3. Acquire consent to collect and use GDPR related data 

The EU GDPR requires an informed affirmative action to provide consent for Trinity to process GDPR related data. An example of an appropriate consent for data processing is as follows: 


Please review Trinity College's data security and privacy protection policy, which is available on our website here. We are requesting your consent to collect and process the following information of yours: [list data points here] by checking off each line and signing below.

___ I acknowledge that I received and read this privacy notice and associated links. 

___ I consent to the collection and processing of my data as listed above. 

___ I consent to the sharing of my information in accordance with Trinity's Data Collection, Usage, and Sharing 

_________________________ 
Print Name 

_________________________                 ____________ 
Signature                                                         Date 

You have the right to withdraw this consent at any time. The withdrawal of your consent will not affect the lawfulness of processing that occurred prior to the withdrawal. In order to withdraw your consent, please contact DPO@trincoll.edu. If you withdraw your consent to this processing activity, we will continue to process your personal data for other purposes consistent with this notice. 


Related Policies or Notices 
Data Security and Privacy Protection Policy (a general statement on how the College uses and protects data) 
Website Privacy Policy (a general statement about data collection by the Trinity website) 

Additional Information 
More information about the EU GDPR is available on the EU Data Protection Website 

Questions, Comments, or Concerns? 

Please email Trinity’s Data Protection Officer at DPO@trincoll.edu.