EU General Data Protection Regulation

• U of A
• Graduate School and International Education
• International Education
• EU General Data Protection Regulation

Consistent with the newly implemented European Union General Data Protection Regulation (“GDPR”), the University has updated its policies on how it collects, stores, and processes certain types of personal data. Read the University’s GDPR Policy in its entirety for more information.

The GDPR, which went into effect May 25, 2018, places additional obligations on organizations that control or process personally identifiable information about persons in the European Union. The GDPR is designed to protect the privacy of data concerning individuals that is collected or processed in or transferred out of the EU, and to regulate the data privacy practices of entities that offer goods and services in the EU. Furthermore, the GDPR applies to entities both inside and outside the EU, and the regulations apply to data about anyone present in the EU, regardless of whether they are a citizen or permanent resident of an EU country.

This page provides summary information on the types of data used by the University, the legal grounds for the use of such data, and the rights of individuals concerning the data.  Further details, as well as a description of protective measures undertaken by the University, data retention, and breach notification are available in the GDPR Policy.

Types of Personal Data the University Collects

In order to provide services to students and employees, administer its programs, perform contractual obligations, and meet legal requirements, the University may collect, process, and transfer various types of personal data, including but not limited to: name; application information; attendance; academic records; employment records; contact information, including phone numbers, email addresses, and mailing addresses; and date of birth. 

The University may also collect certain categories of sensitive data. Sensitive data is personal data revealing ethnic origin, health, criminal convictions and offenses, and other sensitive matters. The University makes every effort to process sensitive data only with data subjects’ consent; however, in some circumstances, health information may be required under state or federal law in order for the University to provide services, or in the interest of public health and safety.

Rights as a Data Subject

Subject to limitations established by legal requirements, University of Arkansas policies, and regulatory guidelines, individuals whose data is covered by the GDPR have the right to:

• Access their personal data that we process;
  • To rectify inaccuracies in personal data that we hold about them;
  • To have their details removed from systems that we use to process their personal data;
  • To restrict the processing of their personal data in certain ways;
  • To obtain a copy of their personal data in a commonly used electronic form;
  • To object to certain processing of their personal data by us; and
  • To request that we stop sending them direct marketing communications.

The University will act to fulfill such rights as promptly and as fully as possible.

Consent Forms

In the event that consent is requested for the University to process an individual’s data, consent may be recorded by submitting the appropriate form for students or employees.

Contact Information

In addition to contacting the offices that maintain the relevant records, data subjects may contact the UA following offices with questions they have regarding the University’s policies and to exercise their rights:

Additional Information Regarding GDPR

• The text of the GDPR
• Data subjects can also contact the appropriate Data Protection Authorities regarding GDPR