Overview

The European Union's General Data Protection Regulation (GDPR) is a sweeping regulation governing how personal data is handled and how the processes that involve personal data processing are documented. GDPR applies to all organizations operating within the European Union (EU). The regulation took effect May 24, 2016, and became enforceable May 25, 2018.

The regulation is an essential step to strengthen individuals' fundamental rights in the digital age and facilitate business by standardizing rules for organizations and public authorities across different countries and supervisory authorities. A single law also does away with the fragmentation in different national systems and unnecessary administrative burdens.

Reaching compliance continues to be a major institutional project involving all units throughout the Webster University system. Fines for failing to comply with the GDPR provisions can be up to €20 million or 4% of an institution's annual revenue, whichever is higher.

Webster University's Director of Global Technology, Risk, Compliance and Privacy is based in Vienna. Webster University's Global GRC and Privacy Operations Manager is based in Athens. Webster University has designated on-site Privacy Managers at most of its international campuses and at all European sites.

Frequently Asked Questions

GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimization.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security).
  • Accountability.

For details on this topic, see Article 5 GDPR, Principles Relating to Processing of Personal Data.

"Personal data" means any information relating to an identified or identifiable natural person, known as the data subject. An identifiable person is one who can be identified, directly or indirectly, by reference to a particular identifier, such as:

  • A name.
  • An identification number.
  • Location data.
  • Online identifier.
  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

For details on this topic, see Article 4 GDPR, Definitions.

GDPR applies to all EU data subjects, regardless of where they are studying. In practice, the processes Webster is putting in place to comply with GDPR apply to all campuses and all Webster constituents (e.g., prospective students, active students, employees, alumni), regardless of their country of citizenship.

In summary, all Webster campuses and operations must comply.

For details on this topic, see Article 3 GDPR, Territorial Scope.

The conditions for processing personal data under GDPR include:

  • Consent.
  • Contract.
  • Legal obligation.
  • Vital interest.
  • Public task.
  • Legitimate interests.

There are several consent conditions under GDPR:

  • Consent must be freely given, specific, informed and unambiguous.
  • Consent requires some form of clear affirmative action ("opt-out" or silence does not constitute consent).
  • Consent must be demonstrable. A record must be kept of how and when consent was given.
  • Individuals have the right to withdraw consent at any time.

For details on this topic, see Article 7 GDPR, Conditions for Consent.

The GDPR provides the following rights for individuals:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision making and profiling.

For details on this topic, see Chapter III GDPR, Rights of the Data Subject.