Skip to content
[New School IT logo]

Guidelines for International Data Transfers

The General Data Protection Regulation (GDPR) regulates the transfer of Personal Data collected from individuals located inside the European Union (EU) to countries outside the European Economic Area (EEA), including the United States. Because The New School is located outside the European Union, the way in which these regulations apply to the university’s Processing of Personal Data can be complex.

Any university department that is:

  • Collecting Personal Data directly from individuals located inside the EU and sending that data to a third party located in the United States
  • Collecting Personal Data directly from individuals located inside the EU and sending that data to a third party located in any other non-EEA country
  • Sending previously-collected Personal Data from inside the United States (e.g., from Banner or Workday) to a third party located outside the United States (this applies to any Personal Data, regardless of how or from whom it was collected)

must consult with the Information Security and Privacy Office to ensure that proper legal agreements, privacy notices, and information security controls are in place prior to going “live” with the Processing activity.

Note

The above does not apply to transfers of Personal Data between The New School (New York) and Parsons Paris, provided such transfers do not involve the use of third-party intermediaries.

Document history
Date Author Description
Jul 2020 D. Curry
  • Initial publication

Parts of this guideline are adapted from the University of Edinburgh’s guidance regarding transferring personal data from the University to a country outside the UK, the contents of which are used with permission.