General information on the EU General Data Protection Regulation

From May 25 of this year, the General Data Protection Regulation (GDPR) will apply directly in all member states of the European Union. The current data protection law is to be harmonized and replaced by a uniform European legal framework. However, the GDPR also contains a large number of opening clauses that give national legislators a certain amount of leeway with regard to the implementation of the regulation.

The Hessian Data Protection Act was revised at the end of April 2016 and supplemented to include freedom of information (HDSIG); in particular, it regulates issues relating to video surveillance and employee data protection.

In order to comply with the requirements of the GDPR, universities in Hesse, as public bodies, must adapt and further develop existing structures and processes in a timely manner.

However, no fundamental changes in the handling of data at the university are to be expected where the data protection requirements applicable to date have been complied with. There are, however, increased requirements for transparency and, in particular, for informing data subjects, which are reflected, for example, in h_da's new data protection declaration and in the data protection declarations for consents, etc.

In areas in which data processing is carried out only to fulfill necessary study operations, it must above all be checked whether the already existing principle of the "necessity" of data processing is also complied with in accordance with the GDPR (privacy by design and by default).

Significant changes under the GDPR and the HDSIG are summarized below:

  • The scope of the information and disclosure obligations towards students has been extended (Art. 13-15 GDPR). According to Art. 12 para. 1 GDPR, data subjects (i.e. students in this case) must be informed about the processing of their personal data in a "precise, transparent, comprehensible and easily accessible form in simple and clear language".

  • The other rights of data subjects have also been extended compared to the previous law. One new right is the right to data portability (Art. 20 GDPR).

  • The GDPR provides for extended documentation and verification obligations. This concerns, among other things, proof of compliance with the data protection principles (Art. 5 para. 2 GDPR), the necessary technical and organizational measures (Art. 24 GDPR) and the use of suitable processors (Art. 28 GDPR). Further documentation obligations arise from Art. 30 GDPR (keeping a register of processing activities) and Art. 33 GDPR (documentation of data protection incidents).

  • Consent from employees is only effective under certain conditions (Section 23 HDSIG).

  • If processing is likely to pose a high risk to the personal rights and freedoms of students, the university must in future carry out a data protection impact assessment (Art. 35 GDPR). The data protection impact assessment replaces the instrument of prior checking, which was previously regulated in Section 7 of the Hessian Data Protection Act. This is to be prepared by the controller; the data protection officer only has an advisory role here. As part of the data protection impact assessment, the probability of occurrence and the severity of possible risks must be assessed and measures to limit the risks must be examined. If necessary, the university must consult the supervisory authority beforehand (Art. 36 GDPR).

  • Art. 25 GDPR regulates the principles of "data protection by design and by default". Accordingly, the university must design its IT systems in such a way that the principles of Art. 5 para. 1 GDPR (principles of processing personal data) are effectively implemented. This applies in particular to the principle of data minimization. Accordingly, only as much data may be collected as is required to fulfill the purpose. In addition, IT systems must be preset in such a way that only the necessary personal data is processed.

  • The instrument of commissioned data processing remains (Art. 28 GDPR). However, the role of the processor changes with regard to potential liability and the obligation to pay fines. Existing contracts should be reviewed as soon as possible for any need for adjustment triggered by the GDPR.

  • In addition, Art. 82 GDPR extends civil liability for data protection violations to include compensation for non-material damage.

  • For the first time, a reporting and notification obligation for data protection incidents has also been introduced for public bodies (Art. 33 et seq. GDPR).

(Revised information from the Hessian Data Protection Commissioner)