Ruhr-Universität Bochum
Frequently asked questions about the General Data Protection Regulation
(This page is based on the pages of the data protection officer of the University of Hanover and a supplement by Klaus Kock
https://www.uni-hannover.de/de/universitaet/organisation/beauftragte/datenschutz/DS-GVO/ — )
(kul)
- When does the EU GDPR come into force?
- Who does the GDPR apply to?
- When do I process personal data?
- Which data protection regulations are changing?
- When does the GDPR permit the processing of personal data?
- Where can I find help with implementation?
- Who is responsible for implementing the GDPR?
- What is a record of processing activities and what content must it have?
- What is a processing activity?
- Duty to inform and privacy policy
- What does “right of access” mean (Art. 15 GDPR)?
- Breach of data protection – What now?
- Data protection and employment relationships
When did the EU General Data Protection Regulation (GDPR) come into force?
The EU General Data Protection Regulation (GDPR) came into force on May 25, 2016 and was applied after a two-year transition period. The GDPR has been directly applicable since May 25, 2018 and compliance with it is monitored by the supervisory authorities and courts.
An information brochure with the European General Data Protection Regulation published in the Official Journal of the European Union on May 4, 2016 and the final version of the new Federal Data Protection Act as well as introductory explanations on the content of the General Data Protection Regulation is available on the website of the Federal Commissioner for Data Protection and Freedom of Information.
The new NRW Data Protection Act (DSG-NRW), which is decisive for some detailed regulations, has been in place since May 17, 2018.
Who does the GDPR apply to?
The GDPR applies to the entire Ruhr-Universität Bochum; the NRW State Data Protection Act supplements and specifies the GDPR in points where an opening clause is provided. Every body (institute, institution, faculty, etc.) that processes personal data must observe and comply with the GDPR.
When do I process personal data?
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. Such assignments are typically possible via a name, an identification number, location data, online identifier or other data. The data can be an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
First of all, there is no distinction between data that is more or less worthy of protection. The Federal Constitutional Court states that there is no such thing as “irrelevant” data. This means that a telephone number, for example, is no less worthy of protection than hair color.
Examples of personal data are data linked to names, email addresses, ID card numbers, student numbers, IP addresses or a unique ID in an IT system that is assigned to a person. The same applies to an interview recording (assignment via context, voice or content statements) or a questionnaire from which persons can be identified from the context and demographic data.
Which data protection regulations are changing?
The GDPR builds on the previously applicable data protection principles. As data protection in Germany was already at a high level, the changes are comparatively minor. For RUB, it will be particularly relevant to what extent and in what form the state legislator makes use of so-called opening clauses in the new data protection law of the state of NRW. No draft bill of the state data protection law has yet been published.
The following changes are particularly relevant:
- The process description will be replaced by a record of processing activities. However, the register is no longer to be made accessible as a “public register”.
- The data protection officer’s prior check under data protection law in all cases of personal data processing will be replaced by a data protection impact assessment for particularly risky data processing operations, which data controllers must prepare themselves.
- The requirements for informed consent have been made more specific.
- The information and disclosure obligations have been expanded.
- There are reporting obligations in the event of data protection breaches.
When does the GDPR permit the processing of personal data?
Contrary to the impression that has often been created, not all processing of personal data requires consent.
Article 6 of the GDPR regulates the permissibility of processing. The following legal bases are frequently found at universities:
- Research is usually conducted at universities on the basis of (voluntary informed) consent. (Legal basis Art. 6 para. 1 letter a GDPR)
- Data required for entering into and (mutual) fulfillment of contracts with data subjects can be found, for example, in employment contracts or offers to citizens and students, e.g. public events, conferences, etc. (legal basis Art. 6 para. 1 lit. a GDPR)
- Certain data processing is necessary to fulfill legal obligations (e.g. university statistics, occupational health and safety, social security code, etc.) (legal basis Art. 6 para. 1 lit. c GDPR with reference to the respective legal obligation)
- The university has been assigned the task of research and teaching as well as the associated tasks (e.g. examination administration) in the Higher Education Act. The processing of personal data required to fulfill such a task is also permitted under the GDPR. (Legal basis Art. 6 para. 1 letter e GDPR)
Data subjects must be informed at every collection. However, informing them is not the same as obtaining their consent.
Where can I find help with implementation?
The short papers of the data protection supervisory authorities offer initial assistance. Ruhr-Universität has licensed the Zendas service, which offers information on data protection specifically tailored to universities, and every employee can access further information there. All employees can contact the data protection officers with any questions relating to data protection.
In order to comply with the above-mentioned changes, the following specific requirements must be met, for which the corresponding aids are linked:
- Firstly, the processing activities must be documented in the register (collection centrally, currently sent to the DPO) (see forms)
- When collecting data, data subjects must be informed in accordance with the catalog from Art. 13 (DSK paper). This also includes, for example, a revised privacy policy. (See link under Forms)
- For a few procedures, there is a requirement to carry out a data protection impact assessment. (See checklist under Forms)
- Contracts for commissioned data processing must be revised (samples are available on request)
- Information security must be implemented to an appropriate extent in accordance with the state of the art. (Implementation of the RUB security concept)
- It must be organized that the rights of the data subjects can be exercised (in particular information)
- It must be organized that breaches in the security of processing/data protection can be prevented.
Who is responsible for implementing the GDPR?
The data processing body is responsible for implementing the GDPR. At RUB, these are the respective process owners. For example, if an address list is kept in the secretariat X of Institute Y, Institute Y is the data controller and is responsible for reporting this processing activity. The same applies, for example, if surveys are carried out as part of a research project.
What is a record of processing activities and what content must it have?
According to Art. 30 GDPR, public bodies are obliged to keep a record of processing activities. According to Recital 82 of the GDPR, the purpose of the record of processing activities is, among other things, to enable the data protection supervisory authority (here: the State Commissioner for Data Protection of North Rhine-Westphalia?) to check “the processing operations concerned on the basis of these records”. All processing of personal data should therefore be documented in the register. A template is available. A system is being set up to support the recording and maintenance of the procedure directory for each employee.
Changes to the previous legal situation
In administration / teaching: Not only automated processing operations, but also adjacent processing operations of personal data must be recorded, e.g. files that are to be digitized at a later date or that are sorted according to certain criteria. Whenever filing is structured, these processes must be considered from a data protection perspective.
In research: The “processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes and for statistical purposes” is, as before, privileged by the General Data Protection Regulation and the new State Data Protection Act. Above all, this means that special processing permissions are required.
Article 5(1)(b) of the GDPR initially standardizes a far-reaching lifting of the purpose limitation for data that was originally processed for other purposes. Further processing for the aforementioned purposes is not considered incompatible with the original purposes.
The legal basis for data processing for the aforementioned purposes can be largely regulated in the member states in accordance with Art. 89 GDPR. The same applies to the processing of particularly sensitive data (such as religious beliefs or health data) for these purposes in accordance with Art. 9 para. 2 lit. j GDPR. Appropriate data protection safeguards must be provided. The necessary technical and organizational measures may include, for example, pseudonymization and anonymization in the area of research. Exceptions to individual data subject rights are possible if they are likely to make it impossible or seriously impair the realization of the specific purposes. Sections 27 and 28 of the new BDSG contain some specific regulations in this regard; it remains to be seen whether these or more extensive regulations will be adopted in the state data protection law applicable to RUB [3].
Implementation measures at the Ruhr University Bochum
Due to the accountability obligation under Art. 5 para. 2 GDPR, the record of processing activities must include all processing of personal data. Each institution and institute is responsible for reporting processing operations in which personal data is processed to the data protection officer. Furthermore, there is already an extensively developed information security concept that also covers many aspects of data protection.
Various templates and instructions are available for specific areas.
As organizational support, decentralized information security and data protection officers are to advise the individual institutions.
The following specific requirements therefore arise for compliance with the above-mentioned changes, for which the corresponding aids are linked:
- First of all, the processing activities must be documented in the directory (collection centrally, currently sent to the DPO) (see forms)
- When collecting data, data subjects must be informed accordingly. This also includes, for example, a revised privacy policy.
- For a few procedures, there is a requirement to carry out a data protection impact assessment. (See checklist under Forms)
- Information security must be implemented to an appropriate extent in accordance with the state of the art. (Implementation of the RUB security concept)
- Contracts for the
Is there a special transitional period for existing data processing?
In principle, there is only a 2-year deadline, which ended on May 24, 2018. After this deadline, the provisions of the GDPR are binding. They are not only binding for new data processing started after this deadline; rather, they extend to all data processing at the university, i.e. old cases as well.
What is a processing activity?
According to Art. 4 GDPR, processing is any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Any handling, including storage, is covered by the term processing. Processing activities summarize individual steps with a view to a single specific substantive purpose.
In practice, a distinction should be made between the various processing activities based on the purpose of the processing. The processing of personal data for a specific purpose or several purposes is therefore characteristic of a standardized procedure.
An office communication program alone does not constitute a processing activity because there is no reference to the processing of personal data. On the other hand, an office communication program and the files created with it, with which personal data is processed for a specific purpose, are a procedure that must be mapped in the list of processing activities. The purposes of processing can be, for example:
- Personnel file management / master data
- Student administration
- Examination administration
- Recording working hours
- Video surveillance or camera systems for research purposes
- Application procedure
- Procurement / purchasing
- Application processing
- Telephone data recording
- Usage logging in IT
- Research surveys
- Organization of (public) events
Duty to provide information and privacy policy
At the time of data collection, data subjects must be informed in accordance with the catalog from Art. 13 of the GDPR (DSK paper).
Information must include the following points in particular:
- Name and contact details of the controller
- Contact details of the DPO
- Purposes of data processing and legal basis
- In the case of balancing of interests, legitimate interests of the controller/third party
- (Categories of) recipients (and authorized persons)
- If applicable, intention of transfer to a third country and further related information
This information must be communicated directly at the time of collection in the case of input forms or declarations of consent.
In addition, the following information must be accessible:
- Storage duration or criteria for determining the duration
- Reference to data subject rights (right of access, rectification, erasure, restriction of processing, objection, data portability)
- Reference to the right to withdraw consent and to the fact that the lawfulness of processing based on consent remains unaffected until withdrawal
- Information on the right to lodge a complaint with the supervisory authority
- Information as to whether the provision of the data is required by law or contract/is necessary for the conclusion of a contract and whether the data subject is obliged to provide the data and the consequences of failure to provide it
- In the case of automated decision-making: meaningful information about the logic involved, the scope and intended impact of such processing
- In the event of a change of purpose: information about the further purpose and all other information mentioned above.
This means that the information must be available on an additional website, for example, or in an enclosed information sheet.
If data subjects have already been informed, they do not need to be informed again.
Data protection declarations also aim to fulfill these information obligations.
A corresponding data protection declaration has been drawn up for the central pages of the RUB. This can be adopted/linked for chairs and institutions if it is applicable. This means that no processing operations may be missing and the conditions mentioned must also be implemented. It can also be used as a basis for your own extensions. A further example can be found in the forms (Forms).
What does “right of access” mean (Art. 15 GDPR)?
As under the previous legal situation, data subjects have the right to request information about personal data stored by a data controller by submitting an informal request and without giving reasons. The information can, for example, make it easier to assert further rights, such as the right to rectification, erasure or restriction of processing (“blocking”).
Further information on the scope of the right of access and on the form and deadlines to be observed (usually 1 month) is set out in the Data Protection Conference’s short paper no. 6.
Breach of data protection – What now?
A wrong attachment sent to the world by email, a USB stick lost, unencrypted of course, the company computer stolen from the office during the winter break, important data stored in the free cloud overseas. There are many ways in which personal data can fall into unauthorized hands.
The GDPR stipulates a reporting obligation, the hurdles for which have been significantly lowered. In principle, every personal data breach must be reported to the competent supervisory authority unless it is “unlikely to result in a risk” to the data subject. However, weighing this up could prove to be a major challenge in everyday life, as it cannot be ruled out that such a risk exists in most incidents. It is therefore to be expected that the supervisory authorities will agree on this in more detail so that it becomes clear which criteria are used to assess the risk.
A data breach must be reported to the competent supervisory authority within 72 hours. The obligation to report data breaches must be taken seriously. The potential fine of 10 million euros alone makes the necessity clear.
Data protection and employment relationships
Who is to be considered an employee is regulated in the LPVG; in addition, deviating provisions may be found in the new Data Protection Act. In general, employees include:
- Employees, including temporary workers,
- persons employed for their vocational training, […]
Personnel regulations in data protection law generally also apply to:
- Applicants for employment,
- persons whose employment relationship has ended.
As a rule, the processing of employees’ data takes place for the mutual fulfillment of the employment contract. State law may stipulate more precisely in this regard; for example, the LBG NRW contains various regulations on personnel files, which previously also applied to non-civil servants.
If employees’ personal data is processed with their consent, this must be voluntary. The employer must inform the employee about the purpose of the data processing and their right to withdraw consent.
The processing of personal data including special categories of personal data of employees for the purposes of the employment relationship is permitted on the basis of service agreements.
The processing of sensitive data (special data pursuant to Art. 9 GDPR), e.g. health data, genetic data, political opinions or trade union membership, is permitted for employment relationships if it is necessary for the exercise of rights or the fulfillment of legal obligations under labor law, social security and social protection law and there is no reason to assume that the data subject’s legitimate interest outweighs the necessity of the processing. Sensitive data may be processed with the employee’s consent, which must explicitly refer to this data and also be voluntary.