
General Data Protection Regulation


Overview of the General Data Protection Regulation (GDPR)

  • The General Data Protection Regulation (GDPR) is a European Union law that went into effect on May 25, 2018.
  • The GDPR is a privacy law governing how personally identifiable information may be used.  Under the GDPR, certain rights are granted to people whose personal data (including special category data) is being collected and processed.  Moreover, certain legal responsibilities are imposed upon those entities controlling or processing personal data.


Yes, Article 23 allows member states to make derogations in special circumstances based on specific criteria.

Entities that collect or process personal data must:

  • Collect no more data than is necessary from an individual for the purpose for which it will be used;
  • Obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose;
  • Retain the data no longer than is necessary for that specified purpose;
  • Keep data safe and secure;
  • Provide individuals with a copy of their personal data upon request.

See the video below, produced by the Wall Street Journal (WSJ), to learn more about the GDPR.

Although the GDPR is not a law passed in the U.S., it may apply to various activities that The University of Southern Mississippi engages in relative to processing, storing or managing the personal data of EU residents (i.e. individuals residing in the EU at the time they access systems on which USM processes, stores or manages their data).

Additionally, contracts that involve processing of data of individuals in the EU or EEA must contain certain protections.  If you are in the process of negotiating a contract that involves the collection, storage or transmission of data collected from individuals in the EU or EEA, please contact gdprrequestsFREEMississippi and provide a copy of the proposed contract as well as the timeline for finalizing the contract.  Do not enter into a contract until it has been reviewed for GDPR provisions, as a Data Processing Agreement may be required to include certain provisions between the data processor (a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller) and the data controller (the controller determines the purposes and means of the processing of personal data).

Individuals in the EEA (the EU plus three additional countries: Iceland, Liechtenstein and Norway):

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Latvia
  • Liechtenstein
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom (note: the United Kingdom left the EU on 31 January 2020 and is no longer an EU or EEA member state; the processing of UK residents' data is now governed by the separate UK GDPR)

GDPR rights only apply to those individuals located in the EU or EEA at the time their personal data is processed.

Any request to exercise rights under the GDPR will require that the individual provide documentation:

  • verifying their identity, and
  • verifying they were in the EU or EEA at the time their personal data was processed.   

If an individual is requesting rectification/correction of a record, information identifying the error must be submitted, thereby justifying the correction.

NOTE:   Requests by domestic students cannot be honored, as the law applies only to individuals who can verify through date-stamped documentation that they were in the EU at the time their personal data was processed.

Within the scope of the GDPR is the storage or use of personal data for actions or activities that:

  • occur in the EU;
  • involve reaching out to EU residents to initiate an offer for goods or services; or
  • record EU residents' activity online, or relate to the control or processing of data relative to EU residents (i.e. individuals residing in the EU at the time the University processes their personal data).

The GDPR takes a wide view of what constitutes "personal data", which includes each of the following:

Basic identity information such as:

  • name
  • address 
  • ID numbers

as well as web data such as:

  • location
  • IP address
  • cookie data and
  • RFID tags

The GDPR also defines what constitutes special category data, for which additional safeguards must be implemented to prevent data leakage:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

If you are in the EEA at the time you access our systems, you may be able to assert certain rights relative to any of the personal data we are processing, but you will need to provide proof of your identity and proof that you were in the EU in order to assert rights under the GDPR.

  • Right to be Informed
  • Right to Access
  • Right to Rectify
  • Right to Erase/to be Forgotten
  • Right to Restrict Processing
  • Right to Data Portability
  • Right to Object
  • Rights related to Automated Decision-Making and Profiling

Right of Access
A data subject can obtain the following:

  • confirmation that their personal data is being processed;
  • a copy of the information;
  • supplementary information regarding the processing, detailing each of the following: the purpose of the processing; the categories of personal data concerned; the recipients or categories of recipients that have obtained the data subject's personal data or to whom it will be disclosed;
  • where possible, the period for which the data will be stored (i.e. the data retention period) or the criteria used to determine that period, and the source of any personal data that was not obtained directly from the data subject.

Right to Rectification
 
A data subject can request that any inaccurate or incomplete personal data be corrected or that a supplemental statement is added.

  • The University may decide that rectification is not required and will provide the data subject with an explanation, as well as informing the data subject that they can complain to the Information Commissioner's Office or seek a judicial remedy.
  • If the University determines that rectification is warranted, we will contact each recipient who has obtained the data from us and advise them of the need for correction, unless doing so would involve disproportionate effort.

Right to Erasure
Individuals can exercise their right to be forgotten/erasure in the following situations: 

  • if the personal data held is no longer necessary for the purpose for which it was collected or processed;
  • if consent is withdrawn and consent was the sole basis for the processing;
  • if the individual objects to the processing of their data and no overriding legitimate ground for continued processing exists;
  • where data has been processed unlawfully;
  • if the personal data must be erased to comply with a legal obligation.

Right to Restrict Processing 

In the following situations, an individual can request to block or suppress the processing of their data:

  • if an individual contests the accuracy of the personal data, processing will be restricted until the accuracy of the data has been verified;
  • if an individual objects to the processing of their personal data (where processing was necessary to perform a public task or was based on a legitimate interest), processing will stop for the duration of the investigation aimed at determining whether the legitimate grounds override the individual's objection;
  • if processing is unlawful and the data subject requests restriction rather than erasure;
  • if the University no longer requires the data, but the data subject requires it to establish, exercise or defend a legal claim.


Right to Data Portability 
An individual has the right to receive a copy of any personal data they provided, in a structured, commonly used and machine-readable format (e.g. CSV).   The following categories of data are subject to the right to portability:

  • data processed on the basis of consent (Article 6 (1) (a)) or explicit consent (Article 9 (2));
  • data processed on the basis of a contract (Article 6 (1) (b)); and
  • data processed by automated means.

Other Information

  • If feasible from a technical standpoint, data will be transferred directly to another controller based on the data subject's request.
  • If the University cannot transfer the data to another controller directly, the data subject will need to arrange his/her own transfer.
  • Upon initial request, we will provide the data free of charge.

Right to Object

  • Individuals have the right to object to:
    processing based on legitimate interests or performance of a task in the public interest/exercise of official authority; and
    processing for scientific/historical research and statistical purposes.
  • Upon receipt of a request to exercise the right to object, processing must stop unless:
    the University can demonstrate that there are compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual; or
    the processing is for the establishment, exercise or defense of a legal claim.
  • If the right to object relates to data being processed for research purposes, the individual must object on grounds relating to their particular situation.
  • Research being conducted in the public interest is not subject to an individual's exercise of the right to object, and those conducting research of that nature are not required to comply with the request.

与自动决策和分析相关的权利

  • Individuals have the right not to be subject to decision-making based solely on automated processing, including profiling (i.e. use of personal data to make predictions about you).  A decision made solely by automated means involves no human and is instead made using technological means that base the decision on your personal data (e.g. an algorithm).
  • However, automated decision-making is permitted if there is no other way to achieve the same goal in entering into or performing a contract, or if you have given consent to said decision-making.
  • A reasonable fee may be charged for repetitive requests, manifestly unfounded requests, excessive requests or further copies (Rec. 59; Art. 12(5), 15(3), (4)).
  • A fee may be charged if multiple requests for the same data are submitted.
  • All rights listed above are available to individuals who can assert them under the GDPR on the basis that they were residing in an EU country at the time USM processed their data.
  • To process your request, we will need verification of your identity and that you were an EU resident.
  • The erasure of your information shall be subject to the retention periods of applicable federal law and the Record Retention Schedule applicable to University records; for additional information click the button below:

INFORMATION ON RECORDS RETENTION PAGE

  • Destruction of records shall be conducted in a manner appropriate to preserve confidentiality, relative to the sensitivity, value and importance of the data to The University.

  • If you have questions about records retention, please contact Lorraine A. Stuart, Head of Special Collections, at Lorraine.StuartFREEMississippi (601.266.4117) or Archives Management Specialist Jessica Clark at J.M.ClarkFREEMississippi (601.266.5776).

If the University made personal data public and is otherwise obligated to erase the data, the University may still refuse an individual's request to exercise their right to erasure where the processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation, or for the performance of a public interest task or the exercise of official authority;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
  • to establish, exercise or defend a legal claim.

  • Requests will be processed within thirty days of submission, unless a request is complex, in which case an additional two months may be needed to complete it.
  • If a request is determined to be complex, thereby requiring an additional two months for completion, the data subject will be notified.
  • We will answer your request (either by providing the information requested or by explaining why we cannot do so) or ask you for more information within 30 days.
  • We may extend this process by up to two months, in which case we will notify you of the extension within a month.
  • The processing of this request is free of charge, but we reserve the right, as allowed under GDPR Article 12(5), to charge an administrative fee under certain circumstances.
  • We may refuse to act on requests, as allowed under GDPR Article 12(2) and 12(5), if they are insufficiently substantiated, manifestly unfounded or excessive.

The information you provide (including proof of your identity and of your presence in the EU) will be used solely to verify your identity and location and to confirm the information you have requested.

  • If you can meet the verification requirements listed above, please see the GDPR Privacy Notice below, which includes information on how to submit a request to exercise rights under the GDPR.
  • For more information on the rights listed above, see the Information Commissioner's Office website.

RESEARCH AND THE GDPR

Research is affected by the GDPR if it involves the processing of personal data of people residing in the EEA (whether or not they are EEA citizens) and it:

  • is conducted together with an organization established in the EEA;
  • involves personal information about individuals (collected, stored, shared, analyzed or archived) while they were/are in the EEA (examples include active recruitment of subjects);
  • monitors the behavior of individuals in the EEA;
  • involves transferring personal data out of the EEA; or
  • involves the use of personal information that was protected by the GDPR when it was originally collected.

Article 4(2) of the GDPR defines processing as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".

As defined by Article 4 of the GDPR, both the data controller and the processor are responsible for protection of personal data. 

The data controller is responsible for ensuring that the data is handled in compliance with the GDPR.  Under Article 4, the data controller is "the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"; and

The data processor makes sure that the data is processed in adherence with the conditions set forth in the Data Processing Agreement.  By definition, the data processor is "a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the [data] controller".  

Personal data (i.e. information that permits the identification of an individual) and sensitive data (i.e. a special set of data that requires additional secure handling) are both protected under the GDPR and include, but are not limited to, the following examples:

Personal Data

  • Name
  • Email address
  • Phone number
  • Social Security numbers and other identification numbers, such as military ID, driver's license, state identification card, etc.
  • Location data
  • User names
  • Online identifiers
  • IP addresses
  • Online cookie data
  • Voice

Sensitive Personal Data

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Physical or mental health information
  • Sex life and sexual orientation
  • Genetic and biometric data
  • Research involving human subjects that contains personal data.
  • Research involving animals that collects personal information about the animals' owners.

Note: The protections provided by GDPR expand beyond the immediate subjects to include third parties. 

Typically, personal data is protected even if it was previously disclosed publicly, because the GDPR concerns not only privacy but also how the data is used.

If data is anonymized, the GDPR does not apply, because it is no longer personal data. However, to be considered anonymous, no key can exist that would make it possible to identify individuals. For this reason, HIPAA de-identified information is considered only pseudonymized when a key to the data exists that allows it to be re-identified.

  • Individuals located in the EEA.  It does not matter whether the individual is an EEA citizen or an EEA resident.
  • If a citizen of the EEA is located outside of the EEA while participating in a research study, the GDPR will not apply as long as none of the organizations involved in the study is in the EEA and the data is not transferred to the EEA.

Generally, children under the age of 16 cannot consent to having their data processed (including the processing of their responses to research), unless such processing is authorized by the consent of an individual holding parental responsibility for the child.

NOTE: Member states may set the age of consent below 16, but not below 13 years of age. (See Article 8 of the GDPR)


Although Recital 27 of the GDPR indicates that the GDPR does not apply to the personal data of deceased individuals, each EEA member state may issue rules on the processing of the personal data of deceased individuals.  Some EEA member states have adopted such rules.

If the data is fully anonymized before receipt and your team does not receive a key to reidentify, then GDPR does not apply.  

However, if you receive pseudonymized or personal data that has not been anonymized, the GDPR applies if any of the following is true:

  • the data was collected by an organization located in the EEA;
  • the data was collected from individuals while they were located in the EEA; or
  • the data was transferred out of the EEA.

Yes, the GDPR applies if the personal data is currently being processed, even if it was collected before the effective date, provided that the data was:

  • collected by an organization located in the EEA;
  • collected from individuals located in the EEA; or
  • transferred out of the EEA.  It does not matter when the data was originally collected, only that it meets one of the three criteria that bring it within the scope of the GDPR.

If you can exclude the collection, storage, etc. of personal data from the EEA without adversely affecting your study, you can apply methods designed to exclude the collection of such data, such as:

Using a screening question to determine whether an individual responding to your survey is in the EEA, and then terminating the survey if the individual self-identifies as being in the EEA.

If you are conducting a telephone survey, be sure to ask whether the person you are calling is located in the EEA, since the telephone number you dial may not be a landline tied to a specific location.

If you are mailing questionnaires, do not mail them to individuals in the EEA.

1) Collect and process only the minimum amount of personal data. Collecting minimal amounts of personal data limits risks to privacy and lessens the risk of noncompliance.

2) To the degree possible, avoid collecting sensitive information or special/sensitive personal data such as: 

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • physical/mental health information
  • sexual orientation and sex life
  • Genetic and biometric data

3) Avoid collecting information about criminal offenses or convictions, as such data can only be collected and processed if the research is being conducted under the control of an official authority of an EEA country or if the processing is authorized by EEA law or the law of a member state.

4) If data cannot be anonymized, pseudonymize it.  Pseudonymization means that a key can be used to identify who provided the data; that key is kept separate from the data set and is protected by both technical and administrative measures.  Keep in mind that reversing the pseudonymization without authorization constitutes a personal data breach that places data subjects at risk.
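The distinction the page draws between anonymized and pseudonymized data turns on whether a key exists. The following Python example is added here to illustrate that point and is not code from the University's site: it pseudonymizes a constructed set of survey responses with a keyed HMAC, holds the key and the token-to-identifier map in a separate custodian object that refuses unauthorized re-identification, and shows why an unkeyed hash of an e-mail address is not anonymization (a dictionary of guesses recovers it). The custodian class, the sample records and the 'authorized' flag are assumptions made for the illustration.

```python
"""Pseudonymization with a separately held key (added example, not the page's own code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample data: one direct identifier (email) plus the survey answers we want to keep.
SAMPLE_RESPONSES = [
    {"email": "alice@example.org", "country": "DE", "answer": "yes"},
    {"email": "bob@example.org", "country": "US", "answer": "no"},
    {"email": "Alice@example.org", "country": "DE", "answer": "maybe"},
]


class UnauthorizedReidentification(PermissionError):
    """Raised when re-identification is attempted without authorization."""


class KeyCustodian:
    """Holds the secret key and the token -> identifier map, apart from the data set.

    Hypothetical design: in practice this object would live in a different system and
    access-control domain than the pseudonymized records (the page only requires the key
    to be separate and protected by technical and administrative measures).
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def token_for(self, identifier: str) -> str:
        # Keyed HMAC, not a bare hash: without the key nobody can recompute a token from guesses,
        # and a different key yields unlinkable tokens for the same person.
        norm = identifier.strip().lower()
        tok = hmac.new(self.key, norm.encode("utf-8"), hashlib.sha256).hexdigest()
        self.lookup[tok] = norm
        return tok

    def reidentify(self, token: str, authorized: bool) -> str:
        # Unauthorized reversal is exactly the breach the page warns about, so refuse it loudly.
        if not authorized:
            raise UnauthorizedReidentification("re-identification requires authorization")
        return self.lookup[token]


def pseudonymize(records: Iterable[dict], custodian: KeyCustodian) -> List[dict]:
    """Return copies of the records with the direct identifier replaced by a token."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["subject_token"] = custodian.token_for(rec.pop("email"))
        out.append(rec)
    return out


def try_reidentify(custodian: KeyCustodian, token: str, authorized: bool) -> Optional[str]:
    """Return the identifier behind a token, or None if the attempt is refused."""
    try:
        return custodian.reidentify(token, authorized)
    except UnauthorizedReidentification:
        return None


def naive_hash(identifier: str) -> str:
    """What NOT to do: an unkeyed hash of a low-entropy identifier such as an e-mail address."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover the identifier behind an unkeyed hash by hashing guesses until one matches."""
    for cand in candidates:
        if hmac.compare_digest(naive_hash(cand), target):
            return cand.strip().lower()
    return None


if __name__ == "__main__":
    custodian = KeyCustodian()
    released = pseudonymize(SAMPLE_RESPONSES, custodian)
    for row in released:
        print(row)
    print("unkeyed hash recovered:",
          dictionary_attack(naive_hash("alice@example.org"), ["bob@example.org", "alice@example.org"]))
    print("keyed token recovered:",
          dictionary_attack(released[0]["subject_token"], ["bob@example.org", "alice@example.org"]))
```

The released records keep the same token for the same subject (so responses can still be linked for analysis) but carry no e-mail address; only the custodian, with the key and an authorization decision, can map a token back. Running the dictionary attack against the unkeyed hash recovers the address from two guesses, while the keyed token is not recovered, which is the practical difference between a hash someone labelled "anonymized" and data that is merely pseudonymized.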


What are the University's breach notification obligations?


In the event that there is a data breach involving covered personal data of students, employees, alumni, or vendors, the University will notify the appropriate supervisory authorities within 72 hours, where feasible, after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.

If the breach is likely to result in a high risk to their rights and freedoms, The University will also notify individual data subjects of a data breach involving their personal data. The notice to data subjects will include the nature of the breach and recommend steps the data subjects should take to mitigate potential adverse effects. The initial notice may be general; as additional information becomes known, a supplemental notice will be issued.

How does the University handle data transfers?

As needed, The University may transfer personal data outside of the EU and may also share personal data with third-party organizations, both inside and outside the EU. Where personal data is shared, The University will require that appropriate safeguards be implemented to protect the personal data. Safeguards include, but are not limited to, requiring third parties to sign data security contracts (i.e. Data Protection Agreements (DPAs)) and anonymizing data.


 

SUBMIT A GDPR REQUEST

HOW TO SUBMIT A REQUEST

Click the button below to submit a GDPR request.  Click to log in using your SOAR user name and password, and then click on service request.

CLICK TO SUBMIT A GDPR REQUEST

 


OTHER GDPR RESOURCES

Access the full text of the GDPR.
View the exact text of the regulation by clicking the button below.

READ THE GDPR


GDPR PRIVACY NOTICE

 READ OUR GDPR Privacy Notice