The UT processes personal data and therefore has to comply with the General Data Protection Regulation (GDPR), the European privacy law.
You may also process personal data on behalf of the UT, for instance in scientific research. In that case you too have to comply with the GDPR.
The main features of the GDPR are discussed below.
First you have to establish whether you are processing personal data.
Ask yourself: does the information you are processing lead back to a person?
- NO: if you cannot identify a person, not even by combining the data with additional information, the data is not personal data and the GDPR does not apply.
- YES: if it is possible to identify a person, the information is personal data and the GDPR applies.
Personal data means any information relating to an identified or identifiable natural person (the 'data subject'). This covers not only information that directly identifies a person (such as a name or identification number), but also information that identifies a person indirectly, for instance a data set from which the names have been removed but where a person can still be identified with additional steps (such as a key file or linkage with other data).
You have established that the information is personal data. Are you going to do anything with it? If so, you are processing personal data.
Anything you do with personal data counts as processing, for example collecting, recording, storing, consulting, using, combining, sharing or deleting it.
So, you are processing personal data. Now you need to determine whether you are doing this lawfully. Processing of personal data is only lawful if at least one of the six legal grounds in the GDPR applies. Ask yourself whether one of the following applies:
- Has the data subject given consent to the processing of his/her personal data for one or more specific purposes?
- Is the processing necessary for the performance of a contract to which the data subject is party (or in order to take steps at the request of the data subject prior to entering into a contract)?
- Is the processing necessary for compliance with a legal obligation to which the UT is subject?
- Is the processing necessary in order to protect the vital interests of the data subject or of another person?
- Is the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the UT?
- Is the processing necessary for the purposes of the legitimate interests pursued by the UT or by a third party, and do those interests outweigh the interests and rights of the data subject?
If you can answer at least one of the questions above with YES, you have a legal ground for processing. If not, you cannot lawfully process the personal data.
You can lawfully process personal data. The GDPR has some important principles you need to take into account.
Lawfulness, fairness and transparency
The processing of personal data has a legal ground, is necessary and cannot be done in another way that has less impact on the data subjects.
Data subjects need to be transparently informed that their personal data is being processed, for what purposes and whether their personal data will be transferred to other parties.
Purpose limitation
Personal data needs to be processed for specific, explicitly defined purposes, and may not be further processed in a way that is incompatible with those purposes.
Data minimisation
You may only process personal data that is limited to what is necessary in relation to the purposes for which it is processed.
Accuracy
Personal data needs to be accurate and kept up to date.
Storage limitation
Personal data must be deleted or rendered anonymous as soon as identification of data subjects is no longer necessary for the purpose.
Integrity and confidentiality
Personal data must be protected against unauthorised access, loss and alteration by appropriate technical and organisational measures.
The GDPR strengthens the position of data subjects regarding the protection of their privacy. Data subjects have certain rights in relation to their personal data:
- Right of access;
- Right to be forgotten;
- Right of rectification;
- Right to data portability;
- Right to restriction of processing;
- Right not to be subject to a decision based solely on automated processing, including profiling;
- Right to object to processing;
- Right to be informed.
Processing of personal data must comply with the 'privacy by design' principle. This entails implementing technical and organisational measures that ensure the data protection principles are met both when the means of processing are determined and during the processing itself.
Another design principle that must be met is 'privacy by default'. This principle relates to the measures that must be taken to protect data subjects' privacy by ensuring that, by default, only the personal data necessary for the purpose of the processing is used.
The GDPR explicitly requires accountability and transparency. Accountability means the UT must be able to demonstrate that it complies with the GDPR requirements. Transparency is owed to all data subjects: all information about the processing must be easily accessible and understandable.
Any new processing operation that is likely to result in a high risk for data subjects, in particular one that uses new technology, must be preceded by a Data Protection Impact Assessment (DPIA).
The GDPR obliges every organisation to keep processing documentation. For the UT this entails having a complete and up-to-date register of all processing of personal data in our organisation. For every processing operation, the legal ground, the purpose and any outsourced processing (processors engaged by the UT) must be recorded.
The UT keeps two processing registers: one for recurring operations within the UT and one for separate processing operations, for instance research projects. Processing operations can be included in the register using the registration tool.
The Dutch Data Protection Authority (Dutch DPA) is responsible for supervising compliance with the privacy laws. To fulfil this task, the Dutch DPA investigates possible violations and, on prior consultation, assesses high-risk processing activities and codes of conduct before they start. In addition, the Dutch DPA has an advisory role with respect to new laws and regulations and is tasked with informing organisations, for example by publishing policies and guidance. The Dutch DPA also has international roles, as a supervisor of cross-border processing and as a participant in international partnerships. Furthermore, the Dutch DPA is able to impose fines on organisations that do not comply with the privacy laws.