Transfer of Personal Information Between Countries
Carnegie Mellon University (CMU) is a global institution with operations, campuses, partnerships, and instructional sites in multiple countries. These include the United States (main campus), Qatar, Rwanda, Portugal (partner program in the EU), and other locations noted in CMU’s global presence. Because of this international footprint, CMU may need to transfer personal information across national borders for various legitimate reasons. This page explains why these data transfers occur and how we ensure they are done lawfully and securely, in line with CMU’s commitment to privacy and the standards set in our Privacy Notice.
Why Does CMU Transfer Personal Information Internationally?
Academic Programs and Student Services: We have degree programs and campuses on multiple continents. For example, a student enrolled at CMU-Africa in Rwanda might participate in an exchange at our Pittsburgh campus, or a Qatar campus student might interact with systems hosted in the United States. In such cases, personal information (like academic records or enrollment data) may be shared between countries to support the student’s education and campus services.
Research Collaborations: CMU faculty, students, and staff frequently collaborate on research projects with international partners. This can involve sharing research data and participant information between CMU in the U.S. and institutions abroad, or between our own campuses (e.g. data from a research study at CMU-Qatar shared with main campus researchers in the U.S.) in order to advance joint projects.
University Administration and Operations: CMU centralizes certain administrative functions. For instance, if you apply to CMU from outside the U.S., your application and personal details will be transmitted to our U.S. systems for processing. Likewise, alumni or personnel records from branch campuses may be stored on secure servers in the United States. We also use trusted third-party service providers (such as cloud hosting services) which might be located in various countries. When we use service providers outside your home country, we ensure an appropriate legal framework is in place to protect personal information.
Global Partnerships and Exchanges: Beyond our own campuses, CMU engages in student exchange programs and partnerships around the world. If you participate in a dual-degree program (for example, with a partner university in Portugal or another EU country) or an international exchange, we will transfer the minimum necessary personal information (such as transcripts or enrollment status) to the partner institution, and vice-versa, to facilitate your program.
How We Safeguard Your Information During International Transfers
CMU takes the security and privacy of personal information seriously, especially when it is transferred across borders. We have implemented technical, organizational, and legal safeguards to protect your data:
- Strong Security Measures: Whenever personal information is transmitted between countries, we apply industry-standard security measures such as encryption and secure transfer protocols to prevent unauthorized access. For example, data exchanged between our campuses is sent over encrypted channels. Our IT systems employ access controls so that only authorized CMU personnel (with a genuine need to know) can access personal information.
- Limited and Purposeful Transfers: We only transfer personal information internationally when it is necessary for a specific purpose related to our academic, research, or administrative services. We minimize the data shared – only the information needed for the task is transferred. Additionally, CMU does not sell or rent personal information to third parties abroad; we share it only with trusted CMU entities or service providers as described in our Privacy Notice.
- Vendor Agreements and Data Processing Addenda: When we use external service providers in another country (such as cloud services, learning management systems, or payment processors), we contractually require them to safeguard personal information to CMU’s standards. These contracts include data protection terms to ensure your information receives an equivalent level of protection, no matter where the provider is located. For example, if we utilize a software tool hosted in the EU or Asia, our agreement with that provider will oblige them to protect your data and use it only for CMU’s authorized purposes, consistent with our Privacy Notice.
- Training and Policies: CMU has internal policies and training in place to ensure our staff and faculty handle personal data consistently and securely worldwide. CMU personnel must abide by our privacy and security policies when accessing or transmitting personal information. We treat privacy as a core value of our global operations, and we regularly remind our community of the dos and don’ts of handling personal data (for example, using secure university systems rather than personal email to send student information).
- Accountability: No matter where personal information about you travels, CMU remains accountable for its protection. Our Data Protection Officer and University leadership oversee compliance with privacy laws in regions where we operate. We also maintain records of data processing and conduct privacy impact assessments when launching new initiatives, to evaluate and mitigate any privacy risks of international data exchange.
Legal Frameworks for Cross-Border Data Transfers
Laws differ from country to country, but CMU complies with applicable data protection requirements in the jurisdictions where we operate. Below is an overview of how we address international personal information transfers in key regions, and the legal tools we use to ensure these transfers are lawful and protected:
European Union (EU) / European Economic Area (EEA) and United Kingdom
The EU’s General Data Protection Regulation (GDPR) imposes strict rules on transferring personal data outside the EU/EEA. In compliance with GDPR, CMU uses approved legal mechanisms to transfer European personal information internationally. The primary tools we rely on are the European Commission’s Standard Contractual Clauses (SCCs). These are standardized agreements that bind the receiving party (e.g., CMU in the U.S.) to protect the data to GDPR standards. By incorporating SCCs into our contracts between, say, our EU partners and CMU in the U.S., we ensure that personal data continues to benefit from a high level of protection when transferred out of Europe. In practice, this means that if you are located in the EU and your data is transferred to CMU in the United States, CMU has committed, via these contractual clauses, to safeguard your information as if EU privacy laws apply to it.
The European Commission may also decide that certain countries provide adequate data protection, a decision which allows personal data to flow from the EU to those countries as freely as within the EU. CMU takes advantage of these “adequacy decisions” where applicable. For example, if we were transferring data to a partner or service provider in a country deemed “adequate” by the EU (such as Canada, Japan, Switzerland and others), that transfer can occur without additional safeguards because the EU considers that country’s privacy laws essentially equivalent to its own. (Notably, in July 2023 the EU also determined that certain U.S. organizations provide adequate protection if they participate in the new EU-U.S. Data Privacy Framework. Where appropriate, CMU will utilize such frameworks or future adequacy arrangements to streamline data flows from the EU.)
Qatar (CMU-Qatar Campus)
CMU operates a campus in Doha, Qatar. Qatar has a comprehensive data protection law – Qatar’s Personal Data Privacy Protection Law (PDPPL) of 2016 – which was the first of its kind in the Middle East. Under Qatari law, personal information must be handled according to key principles similar to those in GDPR. Transferring personal data out of Qatar is permitted, but only under certain conditions ensuring adequate protection.
At CMU-Qatar, we comply with these requirements. If we need to send personal information from Qatar to another country (for example, sharing Qatari student records with the main campus in the U.S.), we will do so only in line with Qatari law. The PDPPL and its guidelines require “adequate levels of data protection” to be in place for any cross-border transfer. Practically, this means we will either transfer data to countries that have strong privacy laws or use contracts and security measures to protect the data. For instance, CMU-Qatar may rely on agreements that mirror the protections of Qatar’s law when transferring data to the U.S., and we perform risk assessments as needed. Qatari regulators have emphasized modern security solutions over strict data localization.
Rwanda (CMU-Africa Campus)
CMU’s Africa campus in Kigali, Rwanda, operates under Rwanda’s Law No. 058/2021 of 13/10/2021 relating to the Protection of Personal Data and Privacy, having a required compliance date of 10/13/2023.
Other Countries and Regions
Beyond the specific jurisdictions above, CMU engages with people around the world – from applicants in India or China, to research collaborators in Brazil, to online learners in Canada and beyond. We strive to comply with applicable data transfer rules in whatever country your data comes from. For example, if you are in a country with its own data protection law (such as India’s law, China’s Personal Information Protection Law (PIPL), Brazil’s LGPD, etc.), CMU will adhere to the requirements of that law when handling personal information about you. This may involve implementing specific measures like obtaining your consent for certain transfers, conducting security assessments, or honoring data localization rules. CMU continuously monitors international privacy developments to ensure our practices remain up-to-date and compliant.
If you don’t see your country listed in the sections above and you are curious or concerned about how personal information about you would be treated, please reach out to us. We can provide individualized information. In many cases, the protections we’ve described (encryption, contractual safeguards, limiting transfers, etc.) apply universally, even if not explicitly mandated by a given country’s law. Our goal is to provide a consistent level of privacy protection globally.