Wesleyan Data Security & Privacy Protection:  Exhibit A

European Union General Data Protection Regulation (EU GDPR) Policy

APPLICATION:  This policy applies to all individuals who collect, use, or share university information.  Those individuals include, but are not limited to, staff, faculty, those working on behalf of the university, and individuals authorized by affiliated institutions and organizations.
DATA PROTECTION OFFICER:  Chief Information Security Officer



Wesleyan University seeks to ensure appropriate treatment and use of personal data in adherence with EU data protection laws.

Policy Statement


EU GDPR applies to personal data collected from or shared with individuals or organizations in the EU.  EU GDPR does not apply to data shared or collected from EU citizens outside of the EU by non-EU entities; however, it does apply, as an example, to non-EU citizens while they are in the EU.  University employees are required to be cognizant of data collected and maintained in order to comply with EU GDPR. The University’s policy is to rigorously maintain the privacy of all personal data collected, mindful of the additional requirements of the EU GDPR.

For the sake of this policy, personal data is any information that can identify or provide information about an individual that the university or authorized agents collect, use electronically or physically, or share with others. 

The collection, use, and release of some of this information may be covered by other laws or regulations, including but not limited to the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act (“HIPAA”).


Data Classifications

Personal data should be classified per Wesleyan University’s Data Security & Privacy Protection Policy and minimized or anonymized as much as possible.


Data Collection

Personal data should only be collected by authorized personnel where it is specifically needed for a legitimate university business requirement or to meet a statutory or regulatory requirement. The university strongly discourages the collection or retention of this information except where absolutely necessary and no other alternative exists.

For all personal data being collected, individuals must provide informed and affirmative consent to its collection, use, and sharing; and may revoke it at any time.  The data being collected cannot be required or compelled and consent must be tracked and maintained. (e.g., who, when, how, to what)


Data Transparency, Integrity & Control

EU data subjects have the rights to receive copies of their data, correct inaccuracies, and request that the data be deleted.  As an organization, Wesleyan can deny requests if it has a contractual or legal basis to maintain the data, or if the data is anonymized.


Data Sharing

Personal data can only be shared if it is legally required or explicitly approved by the data subject. As a condition to receiving such information, all recipients must agree to comply with the EU GDPR.


Protection of Personal Data

All personal data must be protected per Wesleyan’s Data Security & Privacy Protection Policy
All third-party contracts involving personal data must contain clauses requiring that the third parties to comply with GDPR where appropriate.
Personal data breach notifications are handled per the security incident response procedure. 


More information about the EU GDPR is available on the EU Data Protection website.


Policy Enforcement

Staff, faculty, or students found in violation of this policy may be adjudicated per their respective handbooks.

Questions, comments, or concerns regarding this policy or the protection of data should be directed to the Data Protection Officer at DPO@wesleyan.edu.