Campus Labs Position on GDPR (as of post on July 10, 2018)

  1. Privacy Shield. Currently, Campus Labs is in the process of obtaining a Privacy Shield compliance certification. Privacy Shield is required for compliance with the General Data Protection Regulation (“GDPR”) when personal data (as defined in the GDPR) is transmitted and/or stored outside of the EU.

  2. GDPR Compliance. The GDPR applies to all-natural persons when they are present in the EU. Identification of data subjects (as defined in the GDPR) is the responsibility of the institution. Furthermore, with regards to GDPR compliance, Campus Labs is the data processor and the institution is the data controller. The legal basis for the collection and processing of personal data is the responsibility of the institution.

  3. Response to GDRP Requests:
    • Campus Labs shall provide reasonable and timely assistance to institution to enable institution to respond to:
      • any request from a data subject to exercise any of its rights under the GDPR (including its rights of access, correction, objection, erasure and data portability, as applicable); and
      • any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the personal data.
    • In the event that any such request, correspondence, inquiry or complaint is made directly to Campus Labs, Campus Labs shall promptly inform institution providing full details of the same.


  4. Covenant to Pursue Additional GDPR Compliance Efforts. Campus Labs is currently reviewing product enhancements and features to help ensure our ability to support institution’s needs as well as the compliance requirements applicable to Campus Labs and institution as processor and controller, respectively, under the GDPR.

  5. In the case of an on-prem Course Evaluations solution, the institution assumes the role of Data Controller and Data Processor. When requested, Campus Labs will provide support to the institution in complying with any GDPR request.