General Data Protection Regulation

This statement is intended to be a brief overview of the General Data Protection Regulation EU 2016/679 (GDPR).  It is not a substitute for legal advice or a description of all the requirements for compliance with the GDPR.  Members of the University community with specific questions about the Regulation are encouraged to contact the Office of Legal Services or the Privacy Office.

The focus of the GDPR is the collection and use of personal information of persons residing within the European Union and it represents an overall expansion of these individuals’ privacy rights.

The GDPR applies only to the processing of personal information when:

1. the establishment performing the processing is within the European Union

2. an establishment not within the European Union is offering goods or services to data subjects in the European Union; or

3. an establishment not within the European Union is monitoring the behaviour of persons within the European Union.

Right to Erasure (article 17, GDPR)

Residents of the European Union have a right to request erasure of their personal data retained by a public institution, including McMaster University. Individuals who wish to make a request for the deletion of their information (retained by McMaster University) must complete a request form and verify their identity and EU residency. To make this request, contact the privacy office at privacy@mcmaster.ca.

However, in certain circumstances, where erasure would adversely affect the freedom of expression, contradict a legal obligation, act against the public interest in the area of public health, act against the public interest in the area of scientific or historical research, or prohibit the establishment of a legal defense or exercise of other legal claims, the university may not be able to erase information requested for deletion (in compliance with article 17(3) of the GDPR).