The European Union’s General Data Protection Regulation (GDPR) is a sweeping new regulation addressing the handling of personal data and documentation of processes pertaining to personal data processing. GDPR applies to all organizations operating within the European Union (EU). The regulation came into force 24 May 2016, and became enforceable 25 May 2018.


The regulation is an essential step to strengthen individuals' fundamental rights in the digital age and facilitate business by standardizing rules for organizations and public authorities across different countries and supervisory authorities. A single law also does away with the fragmentation in different national systems and unnecessary administrative burdens.

Reaching compliance continues to be a major institutional project involving all units throughout the Webster University system. Fines for failing to comply with the GDPR provisions can be up to €20,000,000 or 4% of an institution's annual revenue (whichever is higher).


Webster University's Director of Global Technology, Risk, Compliance, and Privacy is based out of Vienna. Webster University's Global GRC and Privacy Operations Manager is based out of Athens. Webster University has designated on-site Privacy Managers at most of its international campuses and at all European sites.

Information about GDPR and understanding GDPR:


GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability.

For further details on this topic, see Article 5 GDPR, Principles relating to processing of personal data.

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, by reference to a particular identifier, such as:

  • A name
  • An identification number
  • Location data
  • Online identifier
  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

For further details on this topic, see Article 4 GDPR, Definitions.

GDPR applies to all EU subjects, regardless of where they are studying. In practice, the processes Webster is putting in place to comply with GDPR apply to all campuses and all Webster constituents (e.g. prospective students, active students, employees, alumni), regardless of their country of citizenship.

In summary, all Webster campuses and operations must comply.

For further details on this topic, see Article 3 GDPR, Territorial scope.

The conditions for processing personal data under GDPR include:

  • Consent
  • Contract
  • Legal obligation
  • Vital interest
  • Public task
  • Legitimate interests

There are several consent conditions under GDPR:

  • Consent must be freely given, specific, informed and unambiguous.
  • Consent requires some form of clear affirmative action ("Opt-out" or silence does not constitute consent).
  • Consent must be demonstrable. A record must be kept of how and when consent was given.
  • Individuals have the right to withdraw consent at any time.

For further details on this topic, see Article 7 GDPR, Conditions for consent.

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

For further details on this topic, see Chapter III GDPR, Rights of the data subject.