On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect. This European regulation replaces the Dutch privacy legislation, i.e. the Personal Data Protection Act (Wbp). To read the full GDPR text, follow the link at ‘Legislation, University of Twente policy and codes of conduct’.
The Ministry of Justice and Security has drawn up a Manual GDPR (only available in Dutch) that explains its main topics.
The GDPR is in some aspects more precise than the Wbp. We will explain the main features of the GDPR below.
Processing shall be lawful only if one of the following legitimate bases applies:
- The data subject has given consent;
- execution of a contract to which the data subject is party;
- compliance with a legal obligation;
- protection of the vital interests of the data subject or someone else;
- fulfilling a task of public interest or official authority;
- promotion of the legitimate interests of the controller or a third party.
Personal data must be:
- Processed lawfully, fairly and in a transparent manner;
- processed for specific, explicitly defined purposes;
- limited to what is necessary in relation to the purposes for which they are processed (data minimization);
- accurate and kept up to date;
- deleted or rendered anonymous as soon as identification of data subjects is no longer necessary;
- protected by technical and organizational measures.
The GDPR amplifies the position of data subjects regarding the protection of their privacy. For instance, data subjects are afforded more rights, such as the right to erasure, to data portability, to restriction of processing and to the objection to processing. In addition, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling. These rights supplement existing rights of access, rectification and removal.
Processing of personal data must comply with the ‘privacy by design’ principle. This entails implementing technical and organizational measures to ensure that data-protection principles are met in the determination of the means for processing and during the processing itself.
Another design principle that must be met is the ‘privacy by default’ principle. This principle relates to the measures that must be taken to protect data subjects’ privacy, by ensuring that only personal data necessary for the purpose of processing is used.
The GDPR explicitly requires transparency. This means the University of Twente must be able to demonstrate compliance with the GDPR requirements. Transparency is also required for all data subjects: all information must be easily accessible and understandable.
Any new processing using a new technology or leading to high risks for data subjects must be preceded by a Data Protection Impact Assessment (DPIA).
The GDPR obliges every organization to keep processing documentation. For the University of Twente this entails having a complete and up-to-date register of all processing of personal data in our organization. For any processing that has taken place, the legitimate basis, the purpose limitation and the outsourced processing must be recorded.
The GDPR requires notification of the processing of personal data, but makes an exception for ‘obvious’ processing, such as the processing of employee data or the registration of students in educational organizations. The University of Twente is thus required to maintain a record of all processing activities, which can be done in two ways:
- Description in a document
Processing of service departments and processes with a broad scope in the University of Twente are described in a document (template available to PCP's).
- Registration tool
The registration tool is used for the notification of processing activities without a broad scope in the University of Twente, including research in which personal data are processed.
The Dutch Data Protection Authority (Dutch DPA) is responsible for the supervision of compliance with the privacy laws. To fulfil this task, the Dutch DPA investigates possible violations, or, prior to commissioning, judges risky processing activities and codes of conduct. In addition, the Dutch DPA has an advisory role with respect to new laws and regulations and is tasked with informing organizations, for example in the form of policies. The Dutch DPA has international roles as a supervisor in cross-border processing and as a participant in international partnerships. Furthermore, the Dutch DPA is able to impose fines if organizations do not comply with the privacy laws.