Implementing the new GDPR: what does it mean for Universities?
Case study: Alumni Portal
Cosimo Monda, Director - European Centre on Privacy and Cybersecurity, Maastricht University
Twitter: @ecpcmaastricht
European Centre on Privacy and Cybersecurity (ECPC)
Focus: research and professional training and education in the fields of privacy, cybersecurity, data protection, fundamental rights, transparency and confidentiality, IT, data security, and more
Training & Professional Education @ ECPC
- ECPC-A Jump and Start Certificate
- ECPC-B DPO Certificate
- Professional University Diploma
- Professional Master Degree
SPECIAL OFFER SURF CONFERENCE
Register before 17 February to benefit from an additional 50 EUR discount. Reduction code: UM92739
SPECIAL OFFER SURF CONFERENCE
Register before 1 March to benefit from an additional 75 EUR discount. Reduction code: UM92739
The Reform of the EU data protection framework: Key changes and what to expect
General Data Protection Regulation (GDPR)
- 2012: start of the reform process to replace Directive 95/46/EC
- April 2016: GDPR negotiations are finalized
- 4 May 2016: GDPR is published in the Official Journal of the EU; start of the countdown
- 25 May 2018: GDPR enters into force (after 2 years + 20 days of publication), applicable in 2018
The GDPR is set to replace the Wet bescherming persoonsgegevens (Wbp), which implemented Directive 95/46/EC in The Netherlands.
Applicable Law Rules
Broader territorial reach than the current regime:
- GDPR applies where processing takes place in the context of the activities of an establishment of a controller or processor in the EU
- GDPR applies to controllers outside the EU when processing activities relate to:
  - offering goods or services to data subjects in the EU
  - monitoring the behavior of data subjects in the EU
- the "making use of equipment" criterion no longer applies
E-Privacy Regulation
- 14 December 2016: leak of the Commission draft for the e-priv. Reg. to replace the e-priv. Directive
- 10 January 2017: official publication of the Commission draft for the e-priv. Reg. (differs from the previous leak)
- 2017/2018: trilogues / formal reading by EP/Council
- 25 May 2018 (?): e-priv. Reg. applies (Art. 29(2) of the official COM draft)
The e-priv. Reg. will replace the Telecommunicatiewet, which implemented the e-priv. Dir. in The Netherlands.
What will change with the GDPR?
Key terms & concepts in the GDPR (term: definition in GDPR)
- Controller: retained
- Processor: retained
- Consent: amended
- Main establishment of the Controller: new
- Personal data: retained
- Data subject: new
- Special/sensitive data: amended
- Pseudonymization: new
Substantive Principles
- Lawfulness, fairness, and transparency
- Purpose limitation
  - incompatible further processing still prohibited
  - criteria for assessing compatibility identified
  - further non-consensual uses allowed in certain cases:
    - where required by law; or
    - for scientific or historical research or statistical purposes
- Data minimization
- Accuracy, including erasure and rectification without delay
- Storage limitation
Lawfulness of processing
Legitimate interest:
- still a valid legal basis to process non-sensitive data
- balanced against the interests and fundamental rights and freedoms of the individual (extra protection for children)
- reasonable expectations of the individual concerned
- no legal basis for public authorities
Lawfulness of processing
Valid CONSENT:
- specific and informed
- unambiguous: statement or clear affirmative action (opt-in)
- freely given
Other available grounds for lawfulness
Profiling
Restrictions where profiling has:
- legal consequences; or
- significantly affects the individual
Only allowed in exceptional cases:
- necessary for the performance of a contract
- authorized by EU or Member State law
- explicit consent
Profiling with special data is prohibited unless based on explicit consent or on a substantial public interest backed by EU or Member State law
Accountability (I)
Responsibility of controllers: ability to demonstrate GDPR compliance
Implement data protection by design and by default
- restrictive privacy settings, e.g. data must not be made public by default
Appointment of a DPO with significant powers and independence
- mandatory for public bodies
- national law may specify more situations for mandatory DPO appointment
Accountability (II)
Data protection impact assessment prior to processing
- mandatory for controllers for high-risk processing
Data security
- enhanced obligations for controllers and processors
Data breach notification to the competent SA without undue delay
Data Subjects' Rights
General points:
- Controllers must facilitate the exercise of rights
- No undue costs for data subjects
- Set time to respond to data subjects' requests
Rights:
- Right to fair processing of information
- Right to access
- Right to rectify
- Right to restrict processing
- Right to object to processing
- Right to erasure ("right to be forgotten")
- Right to data portability
Enforcement
Substantially higher fines
Supervisory Authorities have more powers:
- investigative powers (audits, access to data and premises)
- authorization and advisory powers (Codes of Conduct, BCRs)
- corrective powers (order to comply, ban on processing, suspension of data flows, fines)
Case Study: Alumni Database
Christopher Mondschein
Twitter: @ecpcmaastricht
Frequently Asked Questions
1. Is the university allowed to keep the data of its alumni in a database without having gathered their consent?
2. Is the university allowed to contact alumni via electronic means to inform them of activities, news, etc.?
3. Is the university allowed to create an Alumni Portal with the data it has on its alumni? What is the applicable legal basis for the processing of this data?
4. Must the university remove the alumni's personal data from the database/Alumni Portal after a certain period of time?
1. Storing Alumni Data
Legitimate interest:
- Art. 8(f) Wet bescherming persoonsgegevens
- Art. 29 WP Opinion 6/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC
- In future: Article 6(1)(f) GDPR & Recital 47 GDPR
Balancing Test
1. Storing Alumni Data
Balancing Test: processing is necessary for the purposes of the legitimate interest of the controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject (esp. the right to privacy)
1. Storing Alumni Data
Reasoning:
- The university should know who its former students are, when they graduated, etc.
- Part of the public task to maintain records of graduates
- The data is not publicly accessible
Remember: data subject rights applicable
2. Communication with Alumni
Communication via electronic means (e.g. email) falls under the Telecommunicatiewet and the Wbp:
- sending emails requires prior specific consent: opt-in + clear and specific
- consent cannot be assumed from a failure to act
- consent can be withdrawn at any time
GDPR and e-priv. Reg. applicable in future
3. Alumni Portal
Legal basis:
- unambiguous consent (opt-in)
- legitimate interest
In practice:
- Alumni enter the portal and receive the terms & conditions and the privacy policy; they must tick a box to agree (the box is not pre-ticked)
- Alumni agree and then publish the information they wish to be available on them in the portal; only this information is available (privacy by default)
- Periodic reminder to check whether the data is accurate
4. Removal of Personal Data from the Database/Alumni Portal
Database:
- Legal requirement to store minimum information regarding the graduation; assess what the minimum data is (in line with the data minimization principle)
- Remove from mailing list upon request
Alumni Portal:
- Remove all personal data upon request
Do's
- When contacting alumni, clearly identify the university, provide a contact point and provide information on how to opt out in every mailing
- Gather consent
  - Consent must be recorded
  - Opt-in consent, e.g. via an unchecked box along with all relevant information
- Keep up-to-date records
- Respond to objections by updating the database; unsubscribe individuals if they request it
- Respond within 30 days to requests by data subjects
Don'ts
X Do not send emails without having obtained specific prior consent
X Do not send emails asking for consent
X Do not ignore data subjects' requests to be removed from the mailing list
X Do not ignore data subjects' requests to access their information
Be Prepared
- Allocate sufficient budget to tackle the data protection reform in your organization
- Appoint a DPO
- Review your governance structure
- Review privacy policies
- Prepare a response mechanism for data subject requests
- Start implementing privacy by design and by default
- Revise the informed consent form & have up-to-date information ready for data subjects' requests for information
Simplified Data Processing Cycle (diagram): legitimate basis; information to the data subject; rights of the data subject; data protection by design & by default; data protection impact assessment; accountability
Thank You!
EUROPEAN CENTRE ON PRIVACY AND CYBERSECURITY
Website: www.maastrichtuniversity.nl/ecpc
Cosimo Monda, Director. Email: Cosimo.monda@maastrichtuniversity.nl
Christopher Mondschein. Email: c.mondschein@maastrichtuniversity.nl
Twitter: @ecpcmaastricht