
Trinity Data Security and Privacy Protection Exhibit A

Trinity College European Union General Data Protection Regulation (EU GDPR) Policy

APPLICATION: This policy applies to all individuals who collect, use, or share college information. Those individuals include, but are not limited to, staff, faculty, those working on behalf of the college, and individuals authorized by affiliated institutions and organizations.

DATA PROTECTION OFFICER: Chief Information Security Officer


Trinity College seeks to ensure appropriate treatment and use of personal data in adherence with EU data protection laws.

Policy Statement


EU GDPR applies to personal data collected from or shared with individuals or organizations in the EU. EU GDPR does not apply to data shared or collected from EU citizens outside of the EU by non-EU entities; however, it does apply, for example, to non-EU citizens while they are in the EU. College employees are required to be cognizant of data collected and maintained in order to comply with EU GDPR. The College’s policy is to rigorously maintain the privacy of all personal data collected, mindful of the additional requirements of the EU GDPR.

For the sake of this policy, personal data is any information that can identify or provide information about an individual that the college or authorized agents collect, use electronically or physically, or share with others.

The collection, use, and release of some of this information may be covered by other laws or regulations, including but not limited to the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act (“HIPAA”).

Data Classifications

Personal data should be classified per Trinity College’s Data Security & Privacy Protection Policy and minimized or anonymized as much as possible.

Data Collection

Personal data should only be collected by authorized personnel where it is specifically needed for a legitimate college business requirement or to meet a statutory or regulatory requirement. The college strongly discourages the collection or retention of this information except where absolutely necessary and no other alternative exists.

For all personal data being collected, individuals must provide informed and affirmative consent to its collection, use, and sharing, and may revoke it at any time. The data being collected cannot be required or compelled, and consent must be tracked and maintained (e.g., who, when, how, to what).

Data Transparency, Integrity & Control

EU data subjects have the right to receive copies of their data, correct inaccuracies, and request that the data be deleted. As an organization, Trinity can deny requests if it has a contractual or legal basis to maintain the data, or if the data is anonymized.

Data Sharing

Personal data can only be shared if it is legally required or explicitly approved by the data subject. As a condition to receiving such information, all recipients must agree to comply with the EU GDPR.

Protection of Personal Data

* All personal data must be protected per Trinity’s Data Security & Privacy Protection Policy.

* All third-party contracts involving personal data must contain clauses requiring the third parties to comply with GDPR where appropriate.

* Personal data breach notifications are handled per the security incident response procedure.

More information about the EU GDPR is available on the EU Data Protection website.

Policy Enforcement

Staff, faculty, or students found in violation of this policy may be adjudicated per their respective handbooks.

Questions, comments, or concerns regarding this policy or the protection of data should be directed to the Data Protection Officer at