GDPR is a data protection and privacy law in the European Union (EU) and the European Economic Area (EEA).
Overview
The General Data Protection Regulation (GDPR) is a set of rules that establishes broad protections for the personal data of individuals in the European Union (EU) and the European Economic Area (EEA), regardless of their citizenship or residence status.[1] The GDPR applies to organizations, including non-profit corporations, that are established in the EU and process personal data, as well as to organizations outside the EU that process the personal data of individuals in the EU in connection with offering goods or services to them or monitoring their behaviour.
Key Definitions
As defined by GDPR:
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
- “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Processing of Personal Data
Under the GDPR, processing of personal data is lawful only if at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Does academic research fall under the GDPR?
Research that includes the collection of personal data from participants in the EU may fall under the GDPR, as there is no general exemption for research. However, organizations that implement appropriate safeguards, such as data minimization, may be exempt from certain requirements, such as the GDPR's "right to be forgotten" (i.e., the right of a data subject to request that an organization delete their personal data), where honouring them would seriously impair the research objectives.
[1] The European Union includes the following countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. The European Economic Area includes all EU member states plus Iceland, Liechtenstein, and Norway. For convenience, we will refer to all the countries above as the "EU."