Q1. The GDPR applies to the processing of personal data of data subjects.  Who is covered by the GDPR - as a data controller, data processor, or data subject?

Article 3 of the GDPR establishes its “Territorial scope.”  The GDPR applies to:

  • “[T]he processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
  • “[T]he processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
      • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
      • the monitoring of their behaviour as far as their behaviour takes place within the Union.”
  • “[T]he processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”

Q2. Does the GDPR apply to individuals who are in the EU on a temporary basis, for example enrolled in a study abroad program?

Yes, the GDPR applies to “the processing of personal data of data subjects who are in the Union.”

Q3. The GDPR establishes obligations for data controllers and data processors. What is the difference? If third party vendors are selling products to university students, would they be considered controllers in that instance or still processors?

A data controller is the entity that determines the purposes and means of the processing of personal data.  A data processor is an entity that processes personal data only on behalf of and on the instructions of the controller (e.g., service providers). 

Data controllers are subject to significantly more legal obligations under the GDPR than processors.  Processors have some legal requirements, but most obligations will be contractual. 

Q4. What must a controller do to engage a data processor under the GDPR? Can a third party deliver PII to the school under this regulation?

Controllers must enter into written agreements with processors that establish the “subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller,” among other provisions established by Article 28 of the GDPR.

Q5. The GDPR requires that processing of personal data be done in accordance with a legal basis.  What are the legal bases for processing personal data under the GDPR?

Article 6 sets out the legal bases for processing personal data under the GDPR. They include:

  • Consent;
  • Processing necessary for the performance of a contract;
  • Processing necessary for compliance with a legal obligation;
  • Processing necessary to protect the vital interests of the data subject or of another natural person; and
  • Processing necessary for the legitimate interests of the controller.


It is important to note that consent may be revoked by the data subject.

Q6. At what level of the institution is the legal basis for processing personal data determined? Is the legal basis for processing PII per office or institutional? In other words, can there be blanket consent for all institutional operations, or is it only applicable for specific offices?

Controllers must identify the legal basis for each processing activity in which they are engaged.

Q7. With Brexit, is the United Kingdom covered by the GDPR?

The UK Government has signaled its intention to implement the GDPR.  The UK Information Commissioner’s Office continues to release guidance on complying with the GDPR.

Q8. Have U.S. legislators implemented legislation to align with the GDPR? I am still uncertain about how the EU will fine a US college.

No, but pursuant to Article 3 of the GDPR, the “processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union,” may be subject to the GDPR. 

Q9. What is the “right to be forgotten” and how does it work? What constitutes a "legitimate" record that can be forgotten? Are there circumstances in which a request to be forgotten cannot be executed?

Article 17 of the GDPR provides data subjects with the “right to erasure” or the “right to be forgotten.”  The right is not absolute and the GDPR establishes the conditions under which a data subject can access this right. 

Among other conditions, the data controller must erase and prevent the processing of personal data at an individual’s request:

  • If no longer necessary for the original purpose for which it was collected;
  • If the data subject withdraws consent;
  • When the data subject objects to further processing and there is no overriding “legitimate interest” to continue processing;
  • When data have been unlawfully processed;
  • When necessary to comply with a legal obligation under Union or Member State law to which the controller is subject; and
  • When related to the offer of “information society services” (e.g., online platforms) to a child. 


The information contained in this FAQ is not legal advice. If you have a legal issue related to EU Privacy or Data Protection, please contact a licensed attorney for guidance specific to your situation.

European regulatory authorities are slowly releasing guidance on the GDPR, which will help instruct how organizations can come into compliance.