Can I use a private device to send and receive e-mail relating to the University of Twente?
Yes, but the device must be properly secured. It must be properly password protected, it should not be shared with others and your laptop’s hard disk must be encrypted.
What should I do if I lose my device containing personal details of the University of Twente (through loss or theft)?
You should immediately report this to email@example.com. Specify whether the hard disk was encrypted and whether the device was properly password protected.
How will a no-deal Brexit impact the transfer of personal data to a party in the United Kingdom (UK)?
Short answer (explanation below): there are specific rules under the GDPR for the transfer of personal data to a third country. Most likely, the best solution would be to put in place standard contractual clauses for data protection.
Explanation: After Brexit, the UK will be seen as a third country under the General Data Protection Regulation (GDPR). The transfer of personal data to a third country is allowed if the European Commission has adopted an adequacy decision, which would recognise the UK’s data protection regime as essentially equivalent to that in the EU. However, no such adequacy decision will be in place before the UK leaves the EU. Therefore, one of the other instruments included in the GDPR will need to be used for the transfer of personal data.
Most likely, the best solution will be to put in place standard contractual clauses with the UK party. These contracts offer the additional adequate safeguards with respect to data protection that are needed. In some cases, it is possible to make use of a derogation like explicit consent.
What can be done at this point?
At this point, it is not yet clear whether a withdrawal agreement will be in place. You can, however, make some necessary preparations. Start by identifying which processing activities will involve a transfer of personal data to the UK. Then determine whether you can put in place standard contractual clauses with the UK party, and make sure they can be implemented by 31 October 2019. Furthermore, make sure that internal documentation indicates that transfers will be made to the UK. Privacy notices will also need to be updated accordingly to inform individuals.
Should you have any more questions or concerns, please contact your Privacy Contact Person or the Data Protection Officer (firstname.lastname@example.org).
What is the difference between anonymization and pseudonymization?
When personal data is pseudonymized, you secure the data in such a way that it is no longer directly traceable to an individual. Certain elements of the personal data may be deleted, or the data can be coded, in which case the key can be stored in another location. Pseudonymization is a security measure. Pseudonymized personal data is still personal data. The data may no longer be directly traceable, but you can still indirectly identify an individual with the pseudonymized data. Therefore, you have to comply with the GDPR.
When personal data is anonymized, it can no longer be traced back to an individual, even if you had additional data. In this case, the data is no longer personal data and the GDPR does not apply.
IMPORTANT NOTE: anonymizing personal data is itself a way of processing personal data; until the moment the data is fully anonymized, it is still personal data. Only after anonymization does the GDPR no longer apply.
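The following is an added example, not part of the University's guidance. It sketches the "coded data with the key stored in another location" approach described above and shows why the result is still personal data: the key table re-identifies directly, and the remaining fields can single a person out indirectly. The field names, sample records, demo key and the choice of HMAC-SHA256 as the coding method are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

DIRECT_IDENTIFIERS = ("name", "email")   # assumed field names, deleted outright
DEMO_KEY = b"constructed-demo-key"       # constructed; use secrets.token_bytes(32) in practice

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"student_number": "s1000001", "name": "A. Example", "email": "a@example.org",
     "programme": "Applied Physics", "birth_year": 1998, "grade": 7.5},
    {"student_number": "s1000002", "name": "B. Example", "email": "b@example.org",
     "programme": "Computer Science", "birth_year": 1999, "grade": 8.0},
    {"student_number": "s1000003", "name": "C. Example", "email": "c@example.org",
     "programme": "Computer Science", "birth_year": 1999, "grade": 6.5},
    {"student_number": "s1000001", "name": "A. Example", "email": "a@example.org",
     "programme": "Applied Physics", "birth_year": 1998, "grade": 8.5},
]

def pseudonymize(records, key, id_field="student_number"):
    """Return (coded_records, key_table); key_table belongs in another location."""
    coded, key_table = [], {}
    for rec in records:
        # Keyed hash: the same person always gets the same code.
        pseudonym = hmac.new(key, rec[id_field].encode(), hashlib.sha256).hexdigest()
        key_table[pseudonym] = rec[id_field]
        out = {k: v for k, v in rec.items()
               if k not in DIRECT_IDENTIFIERS and k != id_field}
        out["pseudonym"] = pseudonym
        coded.append(out)
    return coded, key_table

def reidentify(pseudonym, key_table):
    """Whoever holds the key table can trace a code back to the individual."""
    return key_table.get(pseudonym)

def singled_out(coded, fields):
    """Field combinations that belong to exactly one pseudonym (indirect identification)."""
    groups = defaultdict(set)
    for rec in coded:
        groups[tuple(rec[f] for f in fields)].add(rec["pseudonym"])
    return {combo: next(iter(p)) for combo, p in groups.items() if len(p) == 1}

if __name__ == "__main__":
    coded, table = pseudonymize(SAMPLE_RECORDS, DEMO_KEY)
    print(singled_out(coded, ("programme", "birth_year")))
```

In this sample the combination of programme and birth year already isolates one person without the key table, which is why the coded data set still has to be treated as personal data.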
How can I anonymize PDF documents?
Be careful when anonymizing PDF documents. Drawing tools, used to draw a box over the sensitive information, don't usually hide the information. These boxes are easily removed to reveal the original information. The University advises using Acrobat Pro. Acrobat Pro has the Redact tools to remove or redact sensitive images and text. Redacted and removed information will not be retrievable in the saved document.
More information is available on the Adobe site.