Large amounts of personal data are produced and processed at universities. This affects students, applicants, lecturers, employees as well as external cooperation partners or speakers. The aim of the GDPR is to protect this data.
The abbreviation GDPR stands for the European General Data Protection Regulation, which has provided a Europe-wide framework for handling personal information since 2018. Institutions and companies are obliged to organize data processing in accordance with the GDPR.
What Does GDPR Mean?
The letters GDPR stand for the word “General Data Protection Regulation”. This word in turn stands for a regulation of the European Union that aims at the processing of personal data. In particular, it stands for the protection of personal data and the guarantee of the free movement of data. This regulation not only obliges companies and service providers in the EU, but also institutions such as schools or universities.
GDPR means that the processing of personal data is compatible with the GDPR. If online service providers are GDPR-compliant, this means that they adhere to the following 7 principles:
- Lawfulness, fairness, transparency (active consent to data processing must be obtained);
- Purpose of the collected data (no further processing);
- Data minimization (reduction of the data collected to a minimum);
- Accuracy (of lawfully collected data);
- Storage limitation (no identifiability of specific persons through forms of storage);
- Integrity and confidentiality (ensuring data security);
- Accountability (in case of non-compliance).
When Does the GDPR Apply?
The magic word is “personal data”. So whenever information about a specific or identifiable person is involved, the GDPR applies.
The processing of this data ranges from the collection to the use and destruction of this information.
What Technical Measures Do I Use to Protect the Data Collected?
Will/was the data passed on to third parties? E.g. for order processing – please note the “joint and several liability” of you and the third-party provider who processes the data for you (when selecting providers in the future, also pay attention to GDPR compliance).
The classic – and sometimes quickly forgotten – data collection takes place, for example, in the telephone book (name, address, date of birth of the person), as an address stored in the system to create invoices or orders, for orders, etc.
But also the data of your employees, customer order data, customer bank details for debiting orders, etc. Depending on the industry, more or less relevant data is generated. What they all have in common, however, is that the GDPR applies to EVERYONE.
According to the latest case law, this also applies to the IP address. It is to be considered “personal data”. By comparing the IP address with the data of the Internet provider, the person can be found. It is therefore also important to document the recording of IP addresses.
And it is important to note: Consent to data collection and use must be present and must be stored and documented by the company.
Alternatively, the collection must be justified by the order (Articles 6 and 7 GDPR).
It is forbidden to carry out any type of data processing that is not covered by the consent of the data subject. This can only be revoked by legal permission. This means, for example, that you must have secured the consent of the recipient before sending newsletters.
Principles of the GDPR
Pseudonymization of the Data
The GDPR provides incentives for the anonymization of data. This means that, ideally, information can no longer be assigned to the people it came from. This can be achieved, for example, by replacing names with pseudonyms or only transmitting data in encrypted form.
Legal Basis for Data Processing
Data collection and processing must be based on a legal basis. This can be achieved through a legitimate interest in the collection, for example for educational or research purposes, through the consent of the users or to fulfill a contractually agreed service.
Transparency & Control
The GDPR defines the right to be forgotten and the right to export and transfer data to a responsible person.
Third Countries
The GDPR applies to providers that are based abroad and process data of people within the EU. However, enforcing the GDPR with foreign providers can be difficult, which is why EU-internal providers should be preferred.
Information
Users have the right to know what data is stored about them and how it is used.
Conclusion
The GDPR has an honorable goal: protecting our data. It is not without reason that people say these days: the Internet never forgets. That is why our data on the Internet is particularly sensitive. This is all the more precarious when it also involves the particularly sensitive data of children and young people. Even if the implementation of the GDPR also brings with it some restrictions – such as not being able to use the widely used tools – we can still be grateful that it exists. It may be a little too bureaucratic and inscrutable, but ducking away – as is so often the case – does not help here, because: Ignorantia legis non excusat (ignorance is no excuse).
