European Economic Area General Data Protection Regulation (GDPR)


What is the GDPR?

The GDPR was adopted by the European Parliament and became effective on May 25, 2018. It regulates the collection, use, transfer, storing, and other processing of personal data of persons in the European Economic Area (EEA).

Why did the EU adopt the GDPR?

Protecting how personal data is used and otherwise processed is considered a fundamental human right in the EU. It is even included in the Charter of Fundamental Rights of the EU.

To which persons does it apply?

The GDPR applies to all persons. There is no requirement that a person is an EEA citizen or an EEA resident.

To what countries does the GDPR apply? What are the EU and the EEA?

The GDPR applies to all 28 member countries of the European Union (EU). It also applies, or will soon apply, to all countries in the European Economic Area (the EEA). The EEA is an area larger than the EU and includes Iceland, Norway, and Liechtenstein. 

The UK is expected to substantially follow the GDPR even after Brexit.

Switzerland is in the process of adopting laws analogous to the GDPR.

When does the GDPR apply?

There are three types of situations that are subject to the GDPR:

  1. If a person is present in the EEA, any personal data collected from them in connection with the offering of a good or service is protected by the GDPR, even if the organization offering the good or service is not established in the EEA. Protection for the personal data continues after the person leaves the EEA.
  2. Establishments in the EEA. If personal data is collected or otherwise processed in the context of the activities of any establishment in the EEA, then the personal data is protected by the GDPR, even if the processing occurs outside the EEA.
  3. If a person is present in the EEA, any personal data collected from them in connection with the monitoring of their behavior where the behavior takes place within the EEA.

To what data does the GDPR apply?

The GDPR applies to all "personal data,” which includes any information relating to an identified or identifiable person. Examples include name, SSN, other identification numbers, location data, IP addresses, online cookies, images, email addresses, and content generated by the data subject.

The GDPR includes more stringent protections for special categories of personal dataThese are: 

  • Racial or ethnic origin
  • Physical or mental health data
  • Political opinions
  • Sex life and sexual orientation
  • Religious or philosophical beliefs
  • Genetic and biometric data
  • Trade union membership      

The GDPR also imposes limitations on the processing of personal data relating to criminal convictions and offenses.

Privacy Statements

Tufts makes available European Economic Area (EEA) privacy statements on the Privacy Statements & Terms of Use page, including:

  • EEA Privacy Statement
  • EEA Privacy Statement for Prospective Students and Applicants
  • EEA Privacy Statement for Students
  • EEA Privacy Statement for Tufts-Sponsored Study Abroad Programs in the EEA
  • EEA Privacy Statement for Job Applicants, Faculty, Staff, Consultants, and Other Persons Providing Services
  • EEA Privacy Statement for Alumni and Donors
  • EEA Privacy Statement for Research Participants


The General Data Protection Regulation (GDPR) for the EEA provides individuals with rights relating to their Personal Data. For information about how to make a rights request under the GDPR, see How to Make a Subject Access Request under the GDPR.

If an individual has made a request seeking to exercise their GDPR rights, whether in writing or verbally, please provide that information promptly, and in any event within 24 hours, to

Frequently Asked Questions

See GDPR Frequently Asked Questions (FAQs) (PDF) for more answers to your GDPR questions.

Working with Information that is Protected by the GDPR

The GDPR Data Handling Guidelines provide key rules for working with GDPR data. The Guidelines include practical steps you can take to protect this sensitive information, as well as other Regulated Institutional Data.

For information on complying with the GDPR when working with mailing lists, see GDPR(+) Tasks for Tufts University Mailing Lists.

For information about complying with the GDPR for conferences to be held in the US, see GDPR (General Data Protection Regulation) Considerations for Tufts Conferences Occurring in the US with Promotion in or Attendees from the European Economic Area (EEA).

More Information

For more information about the GDPR, see:

Who to Contact

Questions about GDPR may be sent to