General information on the EU General Data Protection Regulation

As of May 25 of this year, the General Data Protection Regulation (GDPR) will apply directly and in all member states of the European Union. The current data protection law is to be harmonized and replaced by a uniform European legal framework. However, the GDPR also contains a large number of opening clauses that give national legislators a certain amount of leeway with regard to the implementation of the regulation.

The Hessian Data Protection Act was revised at the end of April 2016 and supplemented to include freedom of information (HDSIG); in particular, it regulates issues relating to video surveillance and employee data protection.

In order to comply with the requirements of the GDPR, the universities in Hesse, as public bodies, must adapt and further develop existing structures and processes in a timely manner.

However, if data protection requirements are complied with to date, no fundamental changes in the handling of data at the university are to be expected, but there will be increased requirements for transparency and, in particular, for informing the data subjects, which are reflected, for example, in the h_da's new data protection declaration and the data protection declarations for consents, etc.

In areas in which data processing is only carried out to fulfill the necessary study operations, it must be checked above all whether the principle of "necessity" of data processing, which already exists, is also adhered to under the GDPR (privacy by design and by default).

• The scope of the information and disclosure obligations vis-à-vis students is extended (Art. 13-15 GDPR). According to Article 12 (1) of the GDPR, data subjects (in this case: students) must be informed about the processing of their personal data in a "precise, transparent, comprehensible and easily accessible form in simple and clear language".

• The other rights of the data subjects are also expanded compared to the previous law. One of the new features is the right to data portability (Art. 20 GDPR).

• The GDPR provides for extended documentation and proof obligations. This concerns, among other things, proof of compliance with the data protection principles (Art. 5(2) DS-GVO), the necessary technical and organizational measures (Art. 24 DS-GVO) and the use of suitable processors (Art. 28 DS-GVO). Further documentation obligations result from Art. 30 DS-GVO (maintenance of a processing directory) and Art. 33 DS-GVO (documentation of data protection incidents.

• Consent from employees is only effective under certain conditions (Section 23 HDSIG).

• If a processing operation is likely to pose high risks to the personal rights and freedoms of students, the university must in future carry out a data protection impact assessment (Art. 35 DS-GVO). The data protection impact assessment replaces the instrument of prior checking, which was previously regulated in Section 7 of the Hessian Data Protection Act. This is to be prepared by the controller; the data protection officer now only has an advisory function here. As part of the data protection impact assessment, the probability of occurrence and the severity of the possible risks must be evaluated, among other things, and measures to limit the risks must be examined. If necessary, the university must consult the supervisory authority beforehand (Art. 36 GDPR).

• Article 25 of the GDPR regulates the principles of "data protection by design and by default". Accordingly, the university must design its IT systems in such a way that the principles of Article 5 (1) of the GDPR (principles of processing personal data) are effectively implemented. This applies in particular to the requirement of data minimization. According to this, only as much data may be collected as is needed to fulfill the purpose. In addition, IT systems must be preset so that only the necessary personal data is processed.

• The instrument of commissioned data processing remains (Art. 28 GDPR). However, the role of the processor changes with regard to its own possible liability and liability to pay fines. Existing contracts should be reviewed as soon as possible to determine whether they need to be adapted as a result of the GDPR.

• In addition, Article 82 of the GDPR extends civil liability for data protection violations to include compensation for non-material damage.

• For the first time, a reporting and notification obligation is also introduced for public bodies (Art. 33 et seq. GDPR).

(Revised information from the Hessian Data Protection Commissioner)