GDPR FAQs

FAQs

What is the GDPR?

The GDPR is a data privacy regulation.  It applies to the processing of personal data related to:

  • Organizations operating within the EU, even if the data processing takes place outside of the EU.
  • The offering of goods and services to individuals in the EU.
  • The monitoring of behavious of individuals in the EU.

The regulation took effect on May 25, 2018.  The new legislation replaces existing EU data protection directives.  It is similar to existing regulations, but strengthens the rights of individuals and significantly increases fines for non-compliance.

Key GDPR Terms To Know

Data Controller

The entity determines the purposes and means of the processing of personal data.

Data Processor

The entity that processes personal data on behalf of the data controller.

Personal Data

Any information relating to a data subject, that can be used to identify the person, directly or indirectly.

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, broadly defined to include collecting, organizing, structuring, storing, altering, retrieving, using, disclosing, transmitting, erasing or destroying that data.

Automated individual decision-making

The process of making decisions about an individual solely by automated means without any human involvement.

Profiling

Automated processing of personal data to evaluate certain things about an individual.  Profiling can be part of an automated decision-making process.

Does the GDPR apply only to data collected after May 25, 2018, or to all data ever collected about an affected individual?

The GDPR applies to all data ever collected about EU residents. Bowling Green State University will apply GDPR to all data we have about affected persons.

Do the GDPR guidelines apply to United Kingdom (UK) residents now and after the Brexit?

Yes, the GDPR applies to UK residents now and after the Brexit.

Who does the GDPR affect?

The GDPR not only applies to organizations located within the EU but also to those located outside of the EU if they offer goods or services to, process personal data or monitor behavior of, EU data subjects. The GDPR applies to all organizations that process and hold personal data of data subjects residing in the European Union and collected within the EU, regardless of the organization's location.

What rights will individuals have under the GDPR?
  1. The right to be informed
    A key transparency requirement under the GDPR, which states that individuals have the right to be informed about the collection and use of their personal data.
  2. The right of access 
    Commonly referred to as subject access. The right for individuals to obtain confirmation from the data controller on whether their personal data is being processed, the purpose of it, and how the personal data is stored, disclosed and transferred.
  3. The right to rectification
    The right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
  4. The right to erasure (right to be forgotten)
    The right for individuals to have personal data erased and further disseminated in certain circumstances.
  5. The right to restrict processing
    The right for individuals to request the restriction or suppression of their personal data in certain circumstances.
  6. The right to data portability
    The right that allows individuals to obtain and reuse their personal data for their own purposes across different services, in a safe and secure way, without affecting its usability. The right only applies to information an individual has provided to a data controller.
  7. The right to object
    The right for individuals to object to the processing of their personal data in certain circumstances, including an absolute right to stop their data being used for direct marketing.
  8. Rights in relation to automated decision making and profiling
    The right for individuals not to be subject to a decision based solely on automated processing, including profiling, which has legal or similarly significant effects on them.
What constitutes personal data under GDPR?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Examples of personal data include name, address, phone number, email address, date of birth, passport number, IP address (static or dynamic), MAC address, cookies, GPS data, financial & bank account information, license plate number.

What should I do if my department receives a GDPR related inquiry?

When receiving a GDPR related inquiry, the departmental GDPR contact person should refer the inquiry to the central administration by sending an email to gdpr@bgsu.edu and providing the relevant details. University central administration will coordinate and help the departments with responding to the inquiry.

Who should I contact if I have questions about GDPR?

Please direct all questions related to GDPR to the following email address gdpr@bgsu.edu.

Additional GDPR Resources

Updated: 06/28/2023 09:11AM