EEA & UK General Data Protection Regulation (GDPR)
The General Data Protection Regulation (the GDPR or the Regulation) is a European law that expanded the privacy and security protections for individuals’ personal information. It regulates the collection, use, transfer, storing and other processing of personal information of individuals located in the EEA. The GDPR became effective on May 25, 2018. As of January 1, 2021, the United Kingdom (UK) will have completed its transition period to leave the European Union and the GDPR will then no longer apply to the UK. The UK government has, however, “said that it intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.” The primary applicable law will be the UK Data Protection Act 2018 (the UK DPA).
The GDPR will very likely apply to your research if the research activities will:
- be conducted in association with an established organization in the EEA or UK,
- involve personal information collected from any person while they are in the EEA or UK,
- involve monitoring the behavior of persons while they are in the EEA or UK,
- involve transferring personal information out of the EEA or UK, or
- involve the secondary use of data that was protected by the GDPR or UK DPA when initially collected.
If you believe the GDPR or UK DPA may apply to your research, please submit the Researcher Global Privacy Questionnaire. For any other questions, please contact dataprivacy@tufts.edu.
What is the GDPR?
There are now two General Data Protection Regulations: in the European Economic Area (the EEA GDPR) and in the United Kingdom (as tailored by the Data Protection Act, the UK GDPR). Both the EEA GDPR and the UK GDPR regulate the collection, use, transfer, storing, and other processing of personal data of persons in their respective jurisdictions.
To which persons do the EEA GDPR and UK GDPR apply?
The EEA GDPR and the UK GDPR apply to all persons. There is no requirement that a person be a citizen or resident of a country that is a member of the EEA or of the UK.
To what countries does the EEA GDPR apply? What are the EU and the EEA?
The EEA GDPR applies to all 27 member countries of the European Union (EU). It also applies to all countries in the European Economic Area (the EEA). The EEA is an area larger than the EU and includes Iceland, Norway, and Liechtenstein. As of January 1, 2021, the UK is no longer a member of the EU and is no longer subject to the EEA GDPR. Switzerland has also adopted a privacy law analogous to the GDPR.
When do the EEA GDPR and the UK GDPR apply?
There are three types of situations that are subject to the EEA GDPR and UK GDPR:
- If a person is present in the EEA or the UK, any personal data collected from them in connection with the offering of a good or service is protected by that area’s GDPR, even if the organization offering the good or service is not established in that area. Protection for the personal data continues after the person leaves the EEA or the UK.
- Establishments in the EEA or UK. If personal data is collected or otherwise processed in the context of the activities of any establishment in the EEA or UK, then the personal data is protected by that area’s GDPR, even if the processing occurs outside the EEA or the UK.
- If a person is present in the EEA or UK, any personal data collected from them in connection with the monitoring of their behavior where the behavior takes place within the EEA or the UK.
To what data do the EEA GDPR and the UK GDPR apply?
The EEA GDPR and the UK GDPR apply to all "personal data,” which includes any information relating to a living, identified or identifiable person. Examples include name, SSN, other identification numbers, location data, IP addresses, online cookies, images, email addresses, and content generated by the data subject.
The EEA GDPR and the UK GDPR include more stringent protections for special categories of personal data. These are:
- Racial or ethnic origin
- Physical or mental health data
- Political opinions
- Sex life and sexual orientation
- Religious or philosophical beliefs
- Genetic and biometric data
- Trade union membership
The EEA GDPR and the UK GDPR also impose limitations on the processing of personal data relating to criminal convictions and offenses.
Tufts Global Privacy Statements, available on the Privacy Statements & Terms of Use page, include:
- Global Privacy Statement for Personal Data
- Privacy Statement for Prospective Students and Applicants
- Privacy Statement for Students
- Privacy Statement for Tufts-Sponsored Study Abroad Programs
- Privacy Statement for Job Applicants, Faculty, Staff, Consultants, and Other Persons Providing Services
- Privacy Statement for Alumni, Donors and other Tufts Supporters
- Privacy Statement for Research Participants
- Privacy Statement for Online Education and Non-Degree Educational Program Participants
The EEA GDPR and the UK GDPR provide individuals with rights relating to their Personal Data. For information about how to make a rights request under the EEA GDPR or the UK GDPR, see How to Make a Subject Access Request.
If an individual has made a request seeking to exercise their EEA GDPR or UK GDPR rights, whether in writing or verbally, please provide that information promptly, and in any event within 24 hours, to dataprivacy@tufts.edu.
See GDPR Frequently Asked Questions (FAQs) (PDF) for more answers to your EEA GDPR and UK GDPR questions.
The Restricted Institutional Data Handling Guidelines provide key rules for working with both EEA GDPR and UK GDPR data. The Guidelines include practical steps you can take to protect this sensitive information, as well as other Regulated Institutional Data.
For information on complying with the EEA GDPR and UK GDPR when working with mailing lists, see GDPR(+) Tasks for Tufts University Mailing Lists.
For information about complying with the EEA GDPR and UK GDPR for conferences to be held in the US, see GDPR Considerations for Tufts Conferences.
For information about the EEA GDPR, UK GDPR, and research at Tufts, go to Office of the Vice Provost for Research: EEA GDPR and UK GDPR. There you will find FAQs focusing on research, as well as other materials.
For more information, see:
- The European Economic Area General Data Protection Regulation (EEA GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR) - Frequently Asked Questions
- GDPR.eu, a Guide to Compliance developed in conjunction with the EU
- UK Information Commissioner Officer Guide to the UK GDPR
Questions about EEA GDPR and the UK GDPR may be sent to dataprivacy@tufts.edu.