Policy Corporate Governance General Data Protection Regulation (GDPR) Procedure

General Data Protection Regulation (GDPR) Procedure

Print Friendly and PDFPrint Friendly


This procedure describes the specific administrative arrangements in relation to the European Union’s (EU) General Data Protection Regulation (GDPR) and should be read in conjunction with the Information Privacy Policy and Information Privacy Statement - Collection, Use and disclosure of personal information.


This procedure applies to the personal data of all natural persons within the European Union (EU) or European Economic Area (EEA) and have specific rights afforded under the GDPR.


Except as otherwise specified below, the meaning of terms used in this procedure are as per the Information Privacy Policy. Other terms used in this procedure may also be found in the Policy Glossary


  1. In addition to the protections under the Information Privacy Act 2009 (Qld) and the Information Privacy Principles, if you are a EU or EEA resident you have a number of additional rights under the GDPR including the right to request access to, a copy of, correction of, restriction in the use of, erasure of or transfer to another data controller in an accessible format of personal information in accordance with all applicable laws, and subject to the limitations outlined in the GDPR.
  2. For individuals outside the EU/EEA and for data that was not collected within the EU/EEA, the erasure of your information shall be subject to the retention periods of applicable State and Federal law.
  3. If you have provided consent to the use of your information, you have the right to withdraw consent without affecting the lawfulness of the University's use of the information prior to receipt of your request. Please note we may not be able to grant your request in all circumstances.
  4. JCU will assist data subjects that are EU/EEA residents to exercise these rights, unless we have compelling and legitimate legal grounds not to (e.g. a legal obligation under Australian legislation, or if the Personal Data has been fully anonymised).
  5. To exercise any of the above rights, complete the form at Appendix 1 and return it to the Privacy and Data Protection Officer at secretariat@jcu.edu.au

Related policy instruments

Information Privacy Policy

Information Privacy Statement - Collection, Use and disclosure of personal information


Appendix 1 – GDPR Form - Information Access, Amendment and Other Rights

Related documents and legislation

Information Privacy Act 2009 (Qld)

Right to Information Act (Qld) 2009

Privacy Act 1988 (Cth)

European Union’s General Data Protection Regulation


Approval Details

Policy DomainCorporate Governance
Policy Sub-domainRisk, Assurance, Regulatory and Compliance

Policy Custodian

Vice Chancellor

Approval Authority


Date for next major review


Revision History


Approval date

Implementation date






Procedure established to provide for EU GDPR obligations

Chief of Staff


Information, privacy, personal information, data breach, GDPR

Contact person

Chief of Staff, Vanessa Cannon