European Union

General Data Protection Regulation (GDPR) FAQ

(1) What is the EU GDPR and when does it take effect?

The European Union General Data Protection Regulation (GDPR) is a Regulation governing the collection, use, and protection of personal data.  Under the GDPR, the data protection principles set out the main responsibilities for organizations including Florida State University (FSU).

This regulation applies to personal data collected and communications of personal data both within the borders of the European Union (“EU”) and personal information sent from within the EU borders to Florida State University (FSU) units in the United States as well as the Republic of Panama.  The Regulation provides specific personal data protections regardless of whether the person is an EU citizen or permanent resident of an EU country.

The Regulation takes effect May 25, 2018.

(2) What information is subject to the EU GDPR?

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.  Personal data is any information relating to an identified or identifiable person either directly or indirectly. Examples of how a person may be identified at FSU include but are not limited to: name, photo, email address, phone number, identification information such as FSUID, FSU email and address or other location data, computing device IP address or other online identifier, and one of more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

The GDPR also applies to any personally identifiable information collected or data sets received from the EU used in research projects within FSU campus units.

Personal data that has been anonymized can fall within the scope of the GDPR depending on how difficult it is to re-identify an individual through the anonymized information. 

(3) What are several requirements to establish consent under GDPR?

Requirements to establish consent under GDPR:

1. Consent must be freely given, specific, informed and unambiguous.
2. Consent requires some form of clear affirmative action. ("Opt-out" or silence does not constitute consent)
3. Consent must be demonstrable. A record must be kept of how and when consent was given.
4. Individuals have the right to withdraw consent at any time.

(4) What are the Florida State University security standards and requirements for EU GDPR Data?

All personal data and sensitive personal data collected or processed by any Florida State University unit under the scope of the GDPR must comply with the security controls and systems and process requirements and standards of the university’s 4-OP-H-5 Information Security Policy and 4-OP-H-12 Information Privacy Policy.

(5) If I have questions about my personal data that is subject to the EU GDPR, who should I talk to?

Individuals with questions about their personal data collected and processed by Florida State University that is subject to the GDPR should direct their communication to GDPR@fsu.edu.

(6) Does GDPR apply to Florida State University’s Direct Support Organizations (Foundation, Alumni Association, Boosters, Etc.)?

Yes.  If the Direct Support Organizations collect and process personal data of persons located in the EU, GDPR applies to those collection and processing activities.  The Direct Support Organizations should follow their compliance policies with regard to this data.