EU General Data Protection Regulation

EU GDPR

European Union General Data Protection Regulation Privacy Notice

This is the Georgia Institute of Technology’s (Georgia Tech) Office of the Registrar privacy and legal notice for compliance with the European Union General Data Protection Regulation (“EU GDPR”). For more information regarding the EU GDPR, please review Georgia Tech’s EU General Data Protection Regulation Compliance Policy.

Lawful Basis for Collecting and Processing of Personal Data

Georgia Tech is an institute of higher education involved in education, research, and community development. In order for Georgia Tech to enroll students in courses, issue grades, award degrees, and conduct other services related to enrollment and graduation, it must collect, use and process this personal data.

The lawful basis for the collection and processing of personal data by Georgia Tech’s Office of the Registrar falls under the following categories:

  • Processing is necessary for the purposes of the legitimate interests pursued by Georgia Tech or third parties in providing enrollment and readmission services for student education.
  • The data subject has given consent to the processing of his or her special categories of sensitive personal data for one or more specific purposes.

Types of Personal Data collected and why

In order for Georgia Tech to provide the enrollment services for student education as listed above, it needs to collect the following categories of personal data.

  • Name
  • Contact information including, without limitation, email address, physical address, phone number, and other location data
  • Unique personal identifiers and biographical information (e.g. date of birth)
  • Photograph taken by the BuzzCard Office and used for the student identification card
  • Details of your education qualifications
  • Information related to visa requirements, copies of passports and other documents to ensure compliance with State of Georgia and U.S. laws as well as with requirements of the University System of Georgia

The personal data collected by Georgia Tech’s Office of the Registrar will be shared as follows:

Georgia Tech Unit Purpose
Academic units on campus (academic advisors and other administrators on campus who interact with students) To support academic advising and to allow administrative staff and faculty within the academic units access to information they need to assist students make progress toward graduation.
Other Enrollment Services units on campus To support the Admissions Offices, the Office of Scholarships and Financial Aid, the Stamps President Scholars office, and other offices assist students through the process of admission, being awarded financial aid, and continuing enrollment.
Institute Housing, Bursar, Student Life, Disability Services, Capital Planning and Space Management, Stamps Health Services, BuzzCard, Campus Recreation Center, Library and Information Center To provide the information needed for students to live in campus housing, pay tuition and fees, be supported by the Dean of Students Office, be supported under ADA for their disabilities, be supported in the classroom through coordination with space management, receive health care on campus, be issued a student ID card for access to campus facilities, to access the Recreation Center, to utilize resources in the Library and Information Center.
Office of Undergraduate Education, Office of Academic Effectiveness, Center for 21st Century Universities To provide basic student contact, demographic, and enrollment information in support of conducting surveys, collecting information, and receiving input from Institute constituents in order to analyze and improve courses, programs, and effectiveness of campus offerings.
Third-Party Name Purpose
National Student Clearinghouse Provide information on enrollment and degree award to defer Federal student loans and notify Federal sources of degree award.
Third party contractors who provide services to students in relation to transcript orders and diplomas, Parchment and Jostens These third-party contractors do not interact with the public or anyone else at Georgia Tech other than the Registrar’s Office. The contracts include statements verifying compliance with FERPA.

Georgia Tech is a unit of the Board of Regents of the University System of Georgia (the “BOR”), and data is shared with the BOR and its employees.

FERPA

The Family Educational Rights and Privacy Act (FERPA) provides that “Directory Information” is information not generally considered harmful or an invasion of privacy if disclosed. Directory Information is considered public information, but the categories of information that comprise Directory Information also comprise “personal data” under the EU GDPR. Please review Georgia Tech's definition of Directory Information for further information, including how to prohibit the release of Directory Information.

If you have specific questions regarding the collection and use of your personal data, please contact the Office of Enterprise Data Management at eugdpr@edm.gatech.edu

If a data subject refuses to provide personal data that is required by Georgia Tech in connection with one of Georgia Tech’s lawful bases to collect such personal data, such refusal may make it impossible for Georgia Tech to provide education, employment, research or other requested services.

Where Georgia Tech gets Personal Data and Special Categories of Sensitive Personal Data

Georgia Tech receives personal data and special categories of sensitive personal data from multiple sources. Most often, Georgia Tech gets this data directly from the data subject or under the direction of the data subject who has provided it to a third party (for example, application for undergraduate admission to Georgia Tech through use of the Common App, application for readmission through the Office of the Registrar’s at https://registrar.gatech.edu/alumni/readmission). For any student who is submitting the application for readmission from an EU location, a consent form will also be required as noted on the Readmission website.

Individual Rights of the Data Subject under the EU GDPR

Individual data subjects covered by Georgia Tech’s EU General Data Protection Regulation Compliance Policy will be afforded the following rights:

  1. information about the controller collecting the data
  2. the data protection officer contact information
  3. the purposes and legal basis/legitimate interests of the data collection/processing
  4. recipients of the personal data
  5. if Georgia Tech intends to transfer personal data to another country or international organization
  6. the period the personal data will be stored
  7. the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability
  8. the existence of the right to withdraw consent at any time
  9. the right to lodge a complaint with a supervisory authority (established in the EU)
  10. why the personal data are required, and possible consequences of the failure to provide the data
  11. the existence of automated decision-making, including profiling
  12. if the collected data are going to be further processed for a purpose other than that for which it was collected

Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.

Any data subject who wishes to exercise any of the above-mentioned rights may do so by filling such request with the Office of Enterprise Data Management at eugdpr@edm.gatech.edu

Cookies

Cookies are files that many websites transfer to users’ web browsers to enable the site to deliver personalized services or to provide persistent authentication. The information contained in a cookie typically includes information collected automatically by the web server and/or information provided voluntarily by the user. Our website uses persistent cookies in conjunction with a third party technology partner to analyze search engine usage and web traffic patterns. This information is used in the aggregate to monitor and enhance our web pages. It is not used to track the usage patterns of individual users.

Security of Personal Data subject to the EU GDPR

All personal data and special categories of sensitive personal data collected or processed by Georgia Tech under the scope of the Georgia Tech EU General Data Protection Regulation Compliance Policy must comply with the security controls and systems and process requirements and standards of NIST Special Publication 800-171 as set forth in the Georgia Tech Controlled Unclassified Information Policy.

Georgia Open Records Act

As a state university, Georgia Tech is subject to the provisions of the Georgia Open Records Act (ORA). Except for those records that are exempt from disclosure under the ORA, the ORA provides that all citizens are entitled to view the records of state agencies on request and to make copies for a fee. The ORA requires that Georgia Tech produce public documents within three business days. For more information on Georgia Tech’s ORA compliance, please visit the Open Records Act page on the Legal Affairs website.

Data Retention

Georgia Tech keeps the data it collects for the time periods specified in the University System of Georgia Records Retention Schedules:
https://www.usg.edu/records_management/schedules/

For examples of Student Records Retention Schedules, see:
https://www.usg.edu/records_management/schedules/934


Topics: Privacy