Generelle Information zur EU-Datenschutzgrundverordnung
As of May 25 of this year, the General Data Protection Regulation (GDPR) will apply directly and in all member states of the European Union. The current data protection law is to be harmonized and replaced by a uniform European legal framework. However, the GDPR also contains a large number of opening clauses that give national legislators a certain amount of leeway with regard to the implementation of the regulation.
The Hessian Data Protection Act was revised at the end of April 2016 and supplemented to include freedom of information (HDSIG); in particular, it regulates issues relating to video surveillance and employee data protection.
In order to comply with the requirements of the GDPR, the universities in Hesse, as public bodies, must adapt and further develop existing structures and processes in a timely manner.
However, if data protection requirements are complied with to date, no fundamental changes in the handling of data at the university are to be expected, but there will be increased requirements for transparency and, in particular, for informing the data subjects, which are reflected, for example, in the h_da's new data protection declaration and the data protection declarations for consent, etc.
In areas in which data processing is only carried out to fulfill the necessary study operations, it must be checked above all whether the principle of "necessity" of data processing, which already exists, is also adhered to under the GDPR (privacy by design and by default).
Essential changes of the DSGVO and the HDSIG are summarized below
- The scope of the information and disclosure obligations vis-à-vis students is extended (Art. 13-15 GDPR). Pursuant to Art. 12 (1) of the GDPR, data subjects (i.e., students in this case) must be informed about the processing of their personal data in a "precise, transparent, comprehensible and easily accessible form and in plain and clear language".
- The other rights of data subjects are also expanded compared to the previous law. Among other things, the right to data portability (Art. 20 DS-GVO) is new.
- The GDPR provides for extended documentation and verification obligations. This concerns, among other things, proof of compliance with data protection principles (Art. 5(2) DS-GVO), the necessary technical and organizational measures (Art. 24 DS-GVO) and the use of suitable processors (Art. 28 DS-GVO). Further documentation obligations arise from Art. 30 DS-GVO (maintenance of a processing directory) and Art. 33 DS-GVO (documentation of data protection incidents.
- Consents of employees are only effective under certain conditions (Section 23 HDSIG).
- If a processing operation is likely to pose high risks to the personal rights and freedoms of students, the university must in future conduct a data protection impact assessment (Art. 35 DS-GVO). The data protection impact assessment replaces the instrument of prior checking, which was previously regulated in Section 7 of the Hessian Data Protection Act. This is to be prepared by the controller; the data protection officer now only has an advisory function here. As part of the data protection impact assessment, the probability of occurrence and the severity of the possible risks must be evaluated, among other things, and measures to limit the risks must be examined. If necessary, the university must consult the supervisory authority beforehand (Art. 36 DS-GVO).
- Art. 25 DS-GVO regulates the principles of "data protection by design and by default". Accordingly, the university must design its IT systems in such a way that the principles of Art. 5(1) DS-GVO (principles of processing personal data) are effectively implemented. This applies in particular to the requirement of data minimization. According to this, only as much data may be collected as is needed to fulfill the purpose. In addition, IT systems must be preset so that only the necessary personal data is processed.
- The instrument of commissioned data processing remains (Art. 28 DS-GVO). However, the role of the commissioned processor changes with regard to its own possible liability and obligation to pay fines. Existing contracts should be reviewed as soon as possible for any need for adaptation triggered by the GDPR.
- In addition, Article 82 of the GDPR extends civil liability for data protection violations to include compensation for non-material damage.
- For the first time, a reporting and notification obligation is also introduced for public bodies (Art. 33 ff DS-GVO).
(Revised information of the Hessian Data Protection Commissioner)