Guidelines for International Data Transfers¶
The General Data Protection Regulation (GDPR) regulates the transfer of Personal Data collected from individuals located inside the European Union (EU) to countries outside the European Economic Area (EEA), including the United States. Because The New School is located outside the European Union, the way in which these regulations apply to the university’s Processing of Personal Data can be complex.
Any university department that is:
- Collecting Personal Data directly from individuals located inside the EU and sending that data to a third party located in the United States
- Collecting Personal Data directly from individuals located inside the EU and sending that data to a third party located in any other non-EEA country
- Sending previously-collected Personal Data from inside the United States (e.g., from Banner or Workday) to a third party located outside the United States (this applies to any Personal Data, regardless of how or from whom it was collected)
must consult with the Information Security and Privacy Office to ensure that proper legal agreements, privacy notices, and information security controls are in place prior to going “live” with the Processing activity.
The above does not apply to transfers of Personal Data between The New School (New York) and Parsons Paris, provided such transfers do not involve the use of third-party intermediaries.
|Jul 2020||D. Curry||
Parts of this guideline are adapted from the University of Edinburgh’s guidance regarding transferring personal data from the University to a country outside the UK, the contents of which are used with permission.