Data Protection and GDPR | Webster University

Data Protection and GDPR

GDPR images with locksThe European Union’s General Data Protection Regulation (GDPR) is a sweeping new regulation addressing the handling of personal data and documentation of such processes, applies to all organizations operating within the EU. It outlines several rights of the individual for explicit consent on how personal data can be used, processed, transmitted, as well as how any such data must be protected. The regulation entered into force on 24 May 2016 and applies since 25 May 2018.

The regulation is an essential step to strengthen individuals' fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market. A single law will also do away with the current fragmentation in different national systems and unnecessary administrative burdens.

Reaching compliance continues to be a major institutional project involving all units throughout Webster system. As part of compliance, an institution must document the processes it has in place for collecting, using and managing personal data, and maintain records of consent for such data. Fines for failing to comply with the GDPR provisions can be up to €20,000,000 or 4% of an institution's annual revenue (whichever is higher).

Each of Webster's European Campuses has a designated on-site Privacy Manager. Webster University's Privacy Senior Director and Information Security Senior Director and based at Webster University's main campus in St. Louis, Missouri.

Privacy Notices

Information about GDPR and understanding GDPR:

What are the GDPR principles?

GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability.

For further details on this topic, see Article 5 GDPR, Principles relating to processing of personal data.

How is personal data defined?

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • a name,
  • an identification number,
  • location data,
  • online identifier,
  • or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

For further details on this topic, see Article 4 GDPR, Definitions.

Does this only apply to Webster's campuses in the EU?

GDPR applies to all EU subjects, regardless of where they are studying. In practice, the processes Webster is putting in place to comply with GDPR apply to all campuses and all Webster constituents (e.g. prospective students, active students, employees, alumni), regardless of their country of citizenship.

In summary, all Webster campuses and operations must comply.

For further details on this topic, see Article 3 GDPR, Territorial scope.

When are we allowed to process personal data?

The conditions for processing personal data under GDPR include:

  • Consent
  • Contract
  • Legal obligation
  • Vital interest
  • Public task
  • Legitimate interests.

What is required for consent?

There are several consent conditions under GDPR:

  • Consent must be freely given, specific, informed and unambiguous.
  • Consent requires some form of clear affirmative action. ("Opt-out" or silence does not constitute consent)
  • Consent must be demonstrable. A record must be kept of how and when consent was given.
  • Individuals have the right to withdraw consent at any time.

For further details on this topic, see Article 7 GDPR, Conditions for consent.

What rights does the individual have under GDPR?

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

For further details on this topic, see Chapter III GDPR, Rights of the data subject.