GDPR - General Data Protection Regulation

  1. What is GDPR?
    GDPR regulates the protection of personal data and the privacy of individuals living in the European Union (EU).
  2. Who does GDPR apply to?
    GDPR is applicable to any organization, regardless of location, that processes personal data of individuals living inside the 27 member countries of the European Union, as well as Iceland, Norway, and Liechtenstein. These countries include: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
  3. What data protection safeguards and obligations are included in GDPR?
    1. A documented legal basis for collecting and processing the personal data of EU subjects
    2. Minimization of collection and processing of data
    3. Protection of personal data collected or processed
    4. Conducting risk and privacy assessments, implementation of mitigation plans, and continuous monitoring of risks.
    5. A breach notification policy requiring that breaches be reported to authorities within 72 hours.
  4. What are the 7 key principles of the Privacy Landscape?
    1. Lawfulness, Fairness and Transparency
    2. Purpose Limitation
    3. Data Minimization
    4. Accuracy
    5. Storage Limitation
    6. Integrity and Confidentiality
    7. Accountability
  5. What Rights are afforded to the Data Subjects?
    1. Right to be informed through transparent communications and information
    2. Right of access
    3. Right of rectification
    4. Right to erasure/right to be forgotten
    5. Right to restrict processing
    6. Right to data portability
    7. Right to object
    8. Right not to be subject to automated decision-making.
  6. What other regions are subject to Global Data Transfer Contracts?
    1. Association of Southeast Asian Nations
    2. Council of Europe
    3. European Economic Area
    4. Latin American Data Protection Boards
    5. Individual jurisdictions that include: Abu Dhabi Global Market, Argentina, Brazil, China, Dubai International Financial Centre, Guernsey, Hong Kong, Jersey, Moldova, New Zealand, Peru, Serbia, Switzerland, Turkey, United Kingdom, Uruguay.
  7. Where can I go for help at Pitt?
    The Pitt Privacy Office within the Office of Compliance, Investigations and Ethics. The Pitt Privacy Office collaborates with other University entities to support compliance with all privacy regulations.
  8. What services are provided at the Pitt Privacy Office?
    1. Consulting across the University related to privacy and the proper access and use of sensitive information
    2. Support compliance efforts related to privacy regulations
    3. Guide and manage incident response
    4. Assist with privacy policy development
    5. Support privacy-related training.
  9. Who should I contact at the Pitt Privacy Office if I have questions?
    Email: privsec@pitt.edu
    Website: https://www.compliance.pitt.edu/pitt-privacy-office