Frequently Asked Questions

  • The European Union General Data Protection Regulation (“EU GDPR”) is a new and more stringent regulation governing the use of personal data.  It imposes new obligations on entities that control or process personal data about people who are located in the European Union.  This regulation applies both inside the European Union (“EU”) and outside of the EU, and applies to data about anyone in the EU, regardless of whether they are a citizen or permanent resident of an EU country.

    The regulation takes effect on May 25, 2018.

  • The EU GDPR covers any entity that processes personal data about EU citizens or residents in connection with the offer of goods and services in the EU or the monitoring of behavior in the EU. Jurisdiction is therefore established digitally rather than physically. We can evaluate various factors in establishing coverage, including currencies and languages used, how a website references the individual and the profiling of the individual.

    • Austria
    • Belgium
    • Bulgaria
    • Croatia
    • Cyprus
    • Czech Republic
    • Denmark
    • Estonia
    • Finland
    • France
    • Germany
    • Greece
    • Hungary
    • Ireland
    • Italy
    • Latvia
    • Lithuania
    • Luxembourg
    • Malta
    • Netherlands
    • Poland
    • Portugal
    • Romania
    • Slovakia
    • Slovenia
    • Spain
    • Sweden
    • United Kingdom
  • The EU GDPR applies to the control or processing of ‘personal data,’ which is defined by the regulation as:

    Any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

    Examples of identifiers include (but are not limited to): name, photo, email address, identification number such as KSU ID#, KSU Account (User ID), physical address or other location data; IP address, mobile device identifiers or geo-location data about a subject. Unique biometric data, such as fingerprints and retinal scans, and genetic data are also included.

  • All personal data and sensitive personal data collected or processed by any Kennesaw State University Unit under the scope of the EU General Data Protection Regulation Compliance Policy must comply with the security safeguards and process requirements defined therein.
  • Yes. The Kennesaw State University EU General Data Protection Regulation Compliance Policy can be found in the university Policy Portal.

  • Individuals with questions about their personal data collected and processed by Kennesaw State University that is subject to the EU GDPR should contact the Office of Legal Affairs at

  • Individuals will be asked to sign a consent form by the department collecting their personal data. The form will be clear and easily understandable. Your consent must be freely given and is revocable at any time without detriment to you. If you should have any question about the form you should contact the Office of Legal Affairs.
  • Yes.  If the Cooperative Organization process personal data of persons located in the EU, then the EU GDPR applies to those collection and processing activities. The Cooperative Organizations should follow their respective compliance policies in regard to this data.
  • If you are planning a research project in any country in the EU (see for a complete listing) the study must first be approved by the KSU IRB ( Human subject research in the EU will now require two forms of consent, the KSU consent form and the GDPR consent form. The researcher is responsible for obtaining the required signatures and for the retention of both the IRB and EU consent forms. The IRB application and both forms are available at the KSU IRB website. In addition, when conducting research abroad, the researcher must obtain permission to collect data from someone in a position of authority who can provide a letter to the IRB indicating that local permission has been granted (e.g., the mayor, police chief, town official, etc).