一般资料保护规例(GDPR)
.jpg)
GDPR概述
The General Data Protection Regulation is a 隐私 law that applies to the personal information collected in or from the European Union (EU), 或与欧盟提供的商品或服务有关, 或者涉及到对欧盟个人的监控.
那么,这对UWF有什么影响呢?
尽管这是一项欧盟法规,但它有可能对美国经济产生重大影响.S. 系统. There are three major categories of data that are most likely to be affected. These are; (1) data collected on students from the EU (e.g.(2)人力资源数据(如留学生).g.在海外生活或工作的员工或教员),以及(3)营销数据(e.g., data collected from a potential student living in the EU who is interested in UWF).
GDPR的主要原则
GDPR确立了七个关键原则:
Personal data must be processed lawfully, fairly and in a transparent manner
个人资料必须收集作指定用途, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
个人资料必须足够, relevant and limited to what is necessary in relation to the purposes for which they are processed
个人资料必须准确,如有需要,亦须保持最新
Personal data must be kept in a form which permits identification of data subjects no longer than is necessary for the purposes for which the personal data was processed
Personal data must be processed in a manner that ensures appropriate security of the personal data
控制器(见重要术语)负责, 并且必须能够证明符合GDPR原则
GDPR术语
以下条款是该规例的重要组成部分
个人资料
‘个人资料’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, 直接或间接, 特别是通过对标识符(如名称)的引用, 识别号码, 位置数据, 一个在线标识符或一个或多个特定于物理的因素, 生理, 遗传, 精神, 经济, 该自然人的文化或社会身份
处理
‘处理’ means any operation or set of operations which is performed on personal data or on sets of personal data, 无论是否通过自动化手段, 比如收藏, 记录, 组织, 构建, 存储, 适应或改变, 检索, 咨询, 使用, 通过传播披露, 传播或以其他方式提供, 对齐或组合, 限制, 擦除或销毁
同意
数据主体的“同意”是指任何自由给予的, 具体的, informed and unambiguous indication of the data subject’s wishes by which he or she, 通过声明或明确的肯定行动, signifies agreement to the processing of personal data relating to him or her
控制器/数据控制器
“控制人”指自然人或法人, 公共权力, 机构或其他组织, 单独的或与他人一起的, 确定处理个人资料的目的和方法
您作为数据主体的权利
At any point, while UWF is in possession of, or processing your personal data, you, 资料当事人,拥有以下权利:
进入权
作为资料当事人, you have the right to request a copy of the information that we hold about you.
改正权
作为资料当事人, you have the right to correct data that we hold about you that is inaccurate or incomplete.
被遗忘的权利
作为资料当事人, there are certain circumstances in which you can ask for the data we hold about you to be erased from our records.
限制加工的权利
Where certain conditions apply, you have the right to restrict the processing of your personal data.
可携性权
作为资料当事人, you have the right to have the data we hold on you transferred to another 组织.
反对权
作为资料当事人, you have the right to object to certain types of processing such as direct marketing.
反对自动处理的权利,包括分析
作为资料当事人, you have the right to be subject to the legal effects of automated processing or profiling.
司法覆核权
In the event that the 火博体育 ref使用 your request under any of the "rights of a data subject,“我们会给你一个理由.
UWF GDPR隐私声明
以下网站包含标准的UWF GDPR隐私声明. Please keep in mind that many departments have posted their own, unit-具体的 请注意s.
http://roomoman.net/go/legal-and-
常见问题
常见问题解答(常见问题)
- 收集个人资料必须有明确的目的, 它被大肆宣传, 这些数据不能用于任何其他目的
- 除非绝对必要,不要收集更多的数据
- 在收集个人资料时,必须通知消费者
- 个人资料只会按需要保留
- 删除不再需要的数据
- 有效保护所收集的所有个人资料
- 维护数据处理活动的文档
- 确保所有分包商和供应商遵守GDPR规则
任何部门, 办公室, 系统, 和/或收集的函数, 使用, or stores information in or from the EU 或与欧盟的个人有关, 属于规定范围,可能受到影响的.
First and foremost, you need to determine how exposed your area or function is to GDPR. 为了让事情顺利进行, 你应该从思考以下问题和陈述开始:
- Conduct an analysis of how your department/ 办公室/ function/ research interacts with the EU.
- 是否涉及个人资料?
- 你会以任何方式监控个人吗?
- 是否与欧盟的个人有任何金融交易?
- 你们收集信息的法律依据是什么?
- 你们的程序需要更新吗?
- 欧盟的人有哪些途径可以联系到你?
- 接触点是什么?
- 想想我们的供应商, 服务, 以及用于进入欧盟的内部和外部网站.
- 检查你的合同.
- Ask vendors and 3rd parties if they are GDPR compliant (or how they plan to become compliant)
The penalty for violations can range anywhere from a warning, a fine of 20 million Euros, or up to UWF年收入的4%.
GDPR将分析定义为“any form of automated processing of personal data consisting of the 使用 of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict certain aspects concerning that natural person’s performance at work, 经济形势, 健康, 个人喜好, 利益, 可靠性, 行为, 位置或移动”.
可能的影响和解决方案
The following table describes how certain areas might be impacted by GDPR and provides possible GDPR solutions. 请注意,这些“解决方案”不代表法律指导. This resource and web page and are only meant to inform and should be seen as tools to help aid in your understanding of the regulation.
| 业务流程 & 的潜在影响 | 可能的解决方案(内部讨论的建议) |
|---|---|
|
研究/技术转让: • Collaborations and agreements with EU professors or universities that involve collecting or sharing personal information |
•附加授予/合同条款, 扩展同意文件, IRB审查的具体考虑 •处理撤回同意的内部流程 •限制可识别数据的接收 Note that de-identified data is not GDPR, but if it can be re-identified (i.e.(有一个关键)那么就是GDPR |
|
欧盟/人力资源部的教职员工和学生: •与欧盟个人的通信包含个人信息, 或将居住在欧盟的教职员工/学生 |
•Notification, signed consents, 具体的 coverage of GDPR in University policy 与处理数据的第三方供应商进行协调 |
|
火博体育,经济援助,注册,在线教育: •包含学生个人信息的信件, transcripts or financial information being sent from EU students or parents |
•Notification, signed consents, 具体的 coverage of GDPR in University policy 与处理数据的第三方供应商进行协调 •一般公告中的一般GDPR通知 |
|
Study Abroad (including exchange programs and students doing research in EU): •包含学生个人信息的信件 regarding individuals who are on programs in the EU |
•Notification, signed consents, 具体的 coverage of GDPR in University policy 与处理数据的第三方供应商进行协调 •一般公告中的一般GDPR通知 |
|
第九条/附注: •Tracking and reporting incidents in the EU (particularly where one party is not a student) |
•在可能的情况下签署同意书. Notification, signed consents, 具体的 coverage of GDPR in University policy •预先记录潜在冲突的方法 •一般公告中的一般GDPR通知 |
|
大学晋升/发展/校友: •收集, 存储, 以及在欧盟境内或境外分享个人和财务信息, 或与欧盟的个人有关 |
•在实际情况下签署同意,内部流程响应请求. 隐私政策中的GDPR 与处理数据的第三方供应商进行协调 |
|
风险管理: •Sharing and receiving personal information, including with International SOS |
•签署同意,隐私声明. 与处理数据的第三方供应商进行协调 |
|
国际学生: •Discussions with students or parents who are in the EU regarding personal information or visa information |
•Notification, signed consents, 具体的 coverage of GDPR in University policy 与处理数据的第三方供应商进行协调 •一般公告中的一般GDPR通知 |
|
机构的通信: •Publicly available stories or pictures of faculty, staff or students in the EU |
•在实际情况下同意 •审核和响应下架请求的内部流程 |
|
信息技术: •指定个人作为GDPR的POC. |
•违规后针对欧盟个人的特定扫描/程序 •审核和响应下架请求的内部流程 |
额外的GDPR资源
The following are resources that should help provide you with a better understanding of the regulation; 具体的ally, 它和U有什么关系.S. 高等教育机构.