Data protection law, often referred to simply as data protection, defines the framework for handling personal data. It clarifies whether, to what extent and by whom data that can be attributed to a specific natural person may be processed. On our pages on data protection law we offer an overview of the essential principles, rules and challenges of data protection law. Further information, sample documents and forms can be found in BayernCollab:
Portal of Bavarian art universities for data protection and information security (internal)
As an introduction to the topic, you will find information on the basics of data protection below.
Background
Data protection is not just about protecting data as such, but also about protecting the fundamental rights of individuals.
The processing of personal data has become an integral part of our everyday lives. However, the more personal data third parties hold about a person, and consequently the more they know about them, the more predictable that person becomes for them and the more easily they can be influenced. It is therefore essential that personal data is handled in a transparent, confidential, secure, conscientious and, above all, data protection-compliant manner.
The primary aim of data protection is therefore to protect the right to informational self-determination as part of the general personal rights of the persons concerned – because data protection is the protection of fundamental rights. At the same time, this protection should be reconciled as far as possible with the interests of data processors (e.g. research, public relations, event planning, etc.).
Personal Reference
Personal data is any information relating to an identified or identifiable individual.
Examples of the type of information that enables direct or indirect identification of an individual and may therefore be considered personal data include:
- First name, last name and telephone numbers of customers, stakeholders, employees or suppliers;
- Identification numbers, such as a person's customer number, employee number or booking reference;
- Email addresses and location data;
- A person's browser history;
- A person's purchase history and receipts;
- Photos, videos and audio recordings containing images or sounds of individuals.
Such personal data can be used to identify a person directly or indirectly:
- For example, if the university processes a person's first or last name, this personal data enables the direct identification of that person.
- For example, if the university processes a person's customer number or booking reference, this personal data may enable the indirect identification of that person, because the number can be linked back to the person via another record.
- Any type of information processed in relation to a directly or indirectly identified person (e.g. preferences, habits) is also considered personal data.
The following are not considered personal data:
- anonymous data, i.e. data that can no longer be attributed to a specific person, even indirectly (pseudonymised data, which can be re-attributed using additional information such as a key table, remains personal data);
- purely factual data (e.g. the purchase price or maximum speed of a car), as long as it is not linked to an identifiable person.
Special categories of personal data
Some types of personal data, commonly referred to as sensitive data, belong to special categories that enjoy greater protection. According to Art. 9 GDPR, sensitive data includes information about:
- a person's health;
- a person's sex life or sexual orientation;
- a person's racial or ethnic origin;
- a person's political opinions, religious or philosophical beliefs;
- a person's genetic data and biometric data used to uniquely identify them;
- trade union membership.
The processing of a person's sensitive data is generally prohibited, except in the specific circumstances listed in Art. 9(2) GDPR that justify the processing (e.g. the explicit consent of the data subject).
Processing
The processing of personal data includes any type of operation carried out on or with personal data, whether automated or not.
Examples of processing operations include the collection, recording, organisation, use, modification, storage and disclosure of personal data relating to natural persons.
Although the GDPR mainly refers to the automated processing of personal data, manual processing operations are also subject to the GDPR from the moment the paper files are, or are intended to be, systematically organised in a filing system, e.g. arranged alphabetically in a filing cabinet.
Legal Bases
Data protection is a fundamental right (Art. 8 of the Charter of Fundamental Rights of the EU) that is regulated in detail by the European General Data Protection Regulation (GDPR) and the Bavarian Data Protection Act (BayDSG).
Whenever personal data is to be processed, data protection regulations must be observed. Data protection regulations, i.e. provisions on the processing of personal data, the rights of data subjects and other accompanying ‘organisational’ requirements, can be found ‘everywhere’: in EU law, federal law and state/university law.
Data protection regulations are sometimes ‘hidden’ in individual paragraphs (or individual sentences) of specialist laws, sometimes in separate sections of a specialist law and sometimes in separate (data protection) laws.
The relevant regulations in data protection law in the university context are essentially:
- the European General Data Protection Regulation (GDPR), which has been applicable throughout the EU since 25 May 2018
- in the Free State of Bavaria, the Bavarian Data Protection Act (Bayerisches Datenschutzgesetz, BayDSG)
- other so-called sector-specific laws (e.g. the Bavarian Higher Education Innovation Act (Bayerisches Hochschulinnovationsgesetz, BayHIG) and the Social Codes (Sozialgesetzbücher))
Principles
What principles must always be observed when processing personal data?
When processing the personal data of individuals, the university must comply with the following key principles of the GDPR.
Lawfulness (Art. 5(1)(a) GDPR)
Any processing of personal data requires a legal basis or, where permissible, the consent of the data subject (Art. 6, Art. 9 GDPR where applicable).
Purpose limitation (Art. 5(1)(b) GDPR)
Personal data may only be collected for specified purposes and may not be further processed for purposes other than those for which it was collected.
Data minimisation (Art. 5(1)(c) GDPR)
Data processing must be appropriate to the purpose and limited, in terms of content and duration, to what is necessary for that purpose; on a form, for example, only fields that are actually required for the purpose may be mandatory, and anything beyond that is optional or omitted.
Fairness / good faith (Art. 5(1)(a) GDPR)
Personal data may only be processed in a ‘fair’ manner. Typical cases of ‘unfair’ processing are covert data processing, such as hidden video cameras or software that spies on users without their knowledge.
Transparency (Art. 5(1)(a) GDPR)
Personal data must be processed in a manner that is comprehensible to the data subject, i.e. the ‘W questions’ must be answered for them: who processes the data? what data? for what purpose? where? for how long?
Accuracy (Art. 5(1)(d) GDPR)
Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be corrected or deleted without delay.
Storage limitation (deletion/blocking) (Art. 5(1)(e) GDPR)
If personal data is no longer required for its purpose, it must be deleted unless statutory retention obligations prevent deletion. For as long as a retention period is still running, the data is not deleted but blocked, i.e. its use by the controller is restricted to what the retention obligation requires, and it is deleted once the period ends.
Integrity and confidentiality (Art. 5(1)(f) GDPR)
Personal data must be processed securely and confidentially. In particular, unauthorised persons must not have access to it and must be able to use neither the data nor the devices used to process it. Appropriate technical and organisational measures must be taken to ensure this (in accordance with Art. 32 GDPR).
Accountability (Art. 5(2) GDPR)
The university must be able to demonstrate to the supervisory authority that it complies with all the requirements of the GDPR. For this reason, you must document the legal, technical and organisational measures you have taken to ensure data protection. Documentation means that you must systematically store and archive the relevant documents, records and other materials in written or electronic form so that they are immediately to hand when needed, for example during an inspection or after a data breach. These documentation obligations also include keeping a record of processing activities (Art. 30 GDPR).
DPO
The Data Protection Officer (DPO) is the point of contact for all questions relating to the handling of personal data within the respective art university. Any employee may contact the DPO directly, without going through official channels.
The Data Protection Officer performs the tasks specified in Art. 39 (1) GDPR. These include, in particular:
- Informing and advising the university management and employees who process personal data regarding their obligations under the GDPR and other data protection regulations of the European Union and national law
- Monitoring compliance with data protection regulations, e.g. GDPR, BayDSG
- Advising on data protection impact assessments and monitoring their implementation in accordance with Art. 35 GDPR
- Cooperating with the supervisory authority, the Bavarian State Commissioner for Data Protection (BayLfD)
The data protection officer has no authority to issue instructions to the university management or to individual employees/officials. At the end of a consultation or monitoring process, the DPO therefore only issues a recommendation on how the data protection requirements could be met. The employees/officials seeking advice, and likewise the university management as decision-makers, are free to follow this advice or to disregard it. Responsibility for compliance with data protection regulations lies with the persons authorised to make decisions in each individual case, not with the data protection officer. The DPO's own responsibility is limited to the proper performance of the tasks specified in Art. 39(1) GDPR.
Contact the Data Protection Officer (DPO)
If you have any questions regarding data protection, please contact the data protection officer at HFF Munich: datenschutz@hff-muc.de