European Union General Data Protection Regulation (EUGDPR)

The European Union General Data Protection Regulation (“EUGDPR”) was adopted in 2016 and becomes effective on May 25, 2018.  Information concerning the EUGDPR can be found here:  https://www.eugdpr.org/eugdpr.org.html.  Guidance issued by authorities within the EU to aid in the interpretation of the EUGDPR can be found here:  https://ec.europa.eu/info/law/law-topic/data-protection_en.  Penalties for non-compliance can be up to $20 million EU dollars.

The EUGDPR replaces the Data Privacy Directive 95/46/EC and is designed to harmonize data privacy laws across the European Union (“EU”).  The EUGDPR is designed to protect the privacy of data concerning a natural person that is collected or processed in, or transferred out of, the EU, and to regulate entities that offer goods or services in the EU.  The EUGDPR defines personal data to include any information related to an identified or identifiable person which may include but is not limited to a name, reference number, identification number, location data, online identifier, email address, IP address, or one or more factors specific to a physical, physiological, genetic, mental, economic, cultural or social identity of a person. Therefore, the EUGDPR has broader protections than U.S. and N.J. laws.

The EUGDPR requires personal data to be processed lawfully, fairly and in a transparent manner, limited only to that data which is necessary, maintained for accuracy, stored only for the length of time required or needed, and safeguarded from unauthorized disclosure. 

The legal bases under the EUGDPR which permit Montclair State University to collect and process personal data include but are not limited to the following:  1) the data subject has given consent to the processing for a specific purpose; 2) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; 3) the processing is necessary for compliance with a legal obligation to which the University, as controller of the data, is subject; 4) the processing is necessary in order to protect the vital interests of the data subject or another natural person; 5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University; or 6) processing is necessary for the legitimate interests pursued by the University or by a third party, except where such interests are overridden by the interest of the fundamental rights and freedoms of the data subject which require protection of the personal data.

The EUGDPR requires consent, and the ability to revoke consent, whenever personal data includes race, ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation (“Sensitive Data”). Consent must be obtained unless the EUGDPR permits Sensitive Data to be collected and processed without consent. 

The University may be subject to the EUGDPR if it recruits students or employees in the EU, conducts marketing in the EU, participates in student or faculty exchange programs within the EU, conducts fundraising targeted to the EU, conducts research with human subjects in the EU, or engages in other activities within the EU.  Therefore, Privacy Notices have been adopted by each affected unit of the University to describe the personal data collected, the applicable legal basis, the purposes for which data is used, safeguards imposed, the retention period, and a point of contact for an individual to exercise his/her rights under the EUGDPR. The University’s Privacy Notices can be found as follows:

Individuals who wish to exercise their rights under the EUGDPR should contact the email identified in the applicable Privacy Notice.  In addition, current students may exercise their rights under the EUGDPR by following the process established by the University’s Registrar at:  https://www.montclair.edu/policies/student/eugdpr/.

Consent may be recorded by using the on-line form created by the Division of Advancement at:  https://montclairconnect.org/consent-form. Another consent template for use in the EU is available and should be modified depending upon the nature of the use. Click the following link to view the consent template: https://www.montclair.edu/policies/university/eugdpr/consent/. Consent to the collection and processing of personal data must be explicit, and individuals must be provided the ability to revoke consent in as easy a manner as consent was given. 

The EUGDPR requires the implementation of appropriate data protection measures taking into account the nature, scope, context and purposes of processing.  Data protection should be by design and default, using data minimization, pseudonymization and encryption where appropriate, taking into consideration the risks presented by processing, accidental or unlawful destruction, loss, alteration, and unauthorized disclosure.

The University often uses third party systems to store and process personal data. Third party providers must either be a member of the U.S. Privacy Shield, or complete and execute the University’s Data Security Addendum which can be found at: https://www.montclair.edu/media/montclairedu/financetreasurer/forms/procurementforms/Data-Protection-Addendum-MSU-rev-5-8-18-clean.pdf.  The University’s Data Security Addendum includes the model clauses approved for use under the EUGDPR.  Completed and executed Data Security Addendums should be returned to Procurement Services for counter-signature and retention.

An EU higher education institution that wishes to share personal data with the University must execute a Data Sharing Agreement which can be found at: https://www.montclair.edu/policies/university/eugdpr/data-transfer/

Personal data collected by the University from or within the EU is stored in accordance with the Record Retention Schedule adopted by the State of New Jersey, Department of the Treasury, Division of Revenue and Enterprise Services – Record Management Services that is applicable to 4 Year Colleges and Universities, and other applicable U.S. Laws.  The State Record Retention Schedule can be found at: http://www.nj.gov/treasury/revenue/rms/pdf/s510000.pdf. University employees may not destroy records until after a request to destroy is submitted to and approved by the State of New Jersey through Artemis after the applicable retention period expires.  You should contact University Counsel at 973/655-5225 to become a user of Artemis and to schedule training.

The EUGDPR includes a protocol for investigating, responding to and reporting the unauthorized disclosure of personal data.  Any employee who suspects a data breach should report it to the University Help Desk by contacting:  https://www.montclair.edu/oit/tech-solutions-center/help-desk/.  The Help Desk will respond by following the University’s Data Breach Response Protocol.