Photos, names, postal addresses, IP addresses, student ID numbers: Every day, a multitude of personal data are collected via a wide range of media and used for a variety of tasks in research and administration. In this context, Ulm University and its employees are subject to the provisions of the European General Data Protection Regulation (GDPR) as well as the Federal State Data Protection Act of Baden-Württemberg (LDSG BW). We are happy to answer any legal questions around this topic.
ZENDAS, the central data protection office responsible for all higher education institutions in Baden-Württemberg, assists the University in material and technical-organisational matters of data protection. Their homepage also provides comprehensive information on the topic of data protection.
EU General Data Protection Regulation (EU-GDPR)
On 25 May 2018, the EU General Data Protection Regulation (GDPR) became applicable in all member states of the European Union as a measure to create uniform standards of data protection within the EU. While the familiar basic principles of the 'old' German data protection law remain in place, the GDPR creates a new legal framework which expands the rights of data subjects. It tightens the technical requirements, and with them the requirements for data security, and standardises the provisions for the transfer of data to third countries.
In addition to the GDPR, Ulm University is also subject to the Federal State Data Protection Act of Baden-Württemberg (LDSG BW). On 6 June 2018, the Landtag (state parliament of Baden-Württemberg) passed the new LDSG, which came into effect on 12 June 2018.
1. When does the GDPR come into effect?
The GDPR entered into force on 24 May 2016 with a two-year transition period. Since 25 May 2018 it applies as directly enforceable law and is binding on courts and supervisory authorities from that date. For Ulm University, the "opening clauses" of the GDPR (provisions that leave room for national law) are for the most part filled by the Federal State Data Protection Act (LDSG BW).
2. Who is subject to the GDPR?
Within Ulm University, the GDPR applies to every "body" (institution, institute, faculty, Central University Administration (CUA)) that processes personal data.
3. When am I processing personal data?
As defined in art. 4 no. 1 GDPR, personal data are any information relating to an identified or identifiable natural person. Identifiable means a natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific characteristics. Specific characteristics can be an expression of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
No distinction is made between "important" and "unimportant" data.
Examples of personal data are names, (email) addresses, date of birth, student ID number, social security number, photos, IP addresses, licence plate number...
4. Which data protection provisions change?
The changes are relatively minor due to the continuation of the already established basic data protection principles in Germany. In essence, it comes down to the following changes and required actions:
- Data processing requires a legal basis. The lawfulness of processing is regulated in art. 6 GDPR; every existing processing operation must be mapped to one of the legal bases listed there.
- The conditions for informed, freely given consent (art. 4 no. 11, art. 7 GDPR) as a legal basis under art. 6 para. 1 lit. a GDPR, and the conditions for the withdrawal of consent (art. 7 para. 3 GDPR), have been made more specific, i.e. all previously obtained consents must be reviewed.
- The register of processing operations has been replaced by the record of processing activities (art. 30 GDPR). All controllers are obliged to maintain a record of all processing activities under their responsibility. The GDPR stipulates that this also includes processing carried out on behalf of the controller, i.e. existing registers of processing operations must be updated and adapted, and missing records must be created.
- The data subject's rights to information and access (art. 13 to 15 GDPR) have been extended, i.e. at the time of data collection the data subject must be provided with additional information (e.g. the legal basis and the time limits for the storage and deletion of the data). In case of further processing for a different purpose, the data subject must be informed again, i.e. (online) forms and privacy policies must be created or revised.
- The obligation to notify data breaches to the supervisory authority has been extended (art. 33 GDPR). Any incident posing a risk to the rights and freedoms of the data subject must be notified to the supervisory authority within 72 hours. Employees who become aware of a data breach must report the incident immediately to the data protection officer in the Central University Administration (CUA), department I-2 Legal and Organisational Affairs.
- Contracts for commissioned data processing (art. 28 GDPR) continue to be mandatory for the processing of data on behalf of the University. Existing contracts must be revised to meet the standards of the new legislation.
- The data subject has the right to data portability (art. 20 GDPR) with regard to the data they provided. The controller has to implement technical measures to ensure that these data can be made available to the data subject in a structured, commonly used and machine-readable format. This obligation must be taken into account at the time of data collection, i.e. when a system and its data formats are chosen.
- When programming, procuring or using software it must be ensured that the software complies with art. 25 GDPR. "Privacy by Design" means in this context "data protection through technical design": a GDPR-compliant data protection system across the entire life cycle of personal data requires state-of-the-art technical and organisational measures that cover every step from conception to monitoring and processing, so that data protection breaches are prevented from the outset. "Privacy by Default" refers to the principle of data minimisation (in German: Datenvermeidung und Datensparsamkeit): every data collection shall be reduced to the minimum required for its purpose, the circle of persons with authorised access shall be limited, and data shall be pseudonymised and encrypted where possible. The last point is particularly important when data are analysed by data processing service providers or in a cloud, where encryption before upload keeps the data unreadable for the provider. Data-protection-friendly defaults are to be established, i.e. the most privacy-preserving setting must be the one that applies unless the user actively changes it.
5. Who is responsible for the realisation of compliance with the GDPR?
Responsible according to the Regulation is the controlling body, i.e. Ulm University. Within the University, responsibility lies with the controllers of each processing procedure, i.e. for the maintenance of an address list within an institute that would be the director of the institute, for the collection of data in a research project it would be the responsible project manager.
6. What are processing activities?
"Processing" as defined in art. 4 GDPR means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. The term processing thus refers to any handling of personal data, including their storage. Processing activities constitute individual steps relating to a single specific purpose.
7. What to do in case of a data breach?
The wrong document attached to an email, a lost USB stick, stolen laptop, data stored in a cloud in the USA, a Trojan in an email... Data can go astray in a myriad of ways. The GDPR stipulates that these breaches must be notified to the responsible supervisory authority within 72 hours. To help us comply with this provision we ask you to immediately report any data breaches to the CUA, dept. I-2 Legal and Organisational Affairs via the respective online form. If you furthermore fear damage to the IT security of the University (Trojans etc.), please also notify the kiz (Communication and Information Centre) via their Help Desk immediately.
8. Who is meant by "processor"?
Processor means a "natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (art. 4 no. 8 GDPR). The processor processes the personal data only within the scope of the controller's documented instructions and is obliged to put in place appropriate technical and organisational measures for the protection of these data. These obligations must be documented in a contract in writing (art. 28 para. 3 and 9 GDPR; the Regulation permits electronic form), which at Ulm University means a written agreement with original signatures.
- General information about the GDPR
- Online lecture: Alles neu macht der Mai - einige Aspekte der EU-DSGVO (in German; "May makes everything new - some aspects of the EU GDPR")
Lawfulness of processing - art. 6 GDPR
According to the GDPR, personal data may be processed only if there is a legal basis for the processing, or if the data subject has given effective consent to the use of the data at the time of collection. If you wish to collect data for a research project or for administrative purposes, make sure that there is a legal basis for the collection and use of these data for this specific purpose. If there is none, you need to obtain the data subjects' consent. A template is provided here. According to art. 4 no. 11 and art. 7 GDPR, the following seven rules apply to obtaining effective consent:
1. Form of consent
The declaration of consent does not necessarily have to be in written form (i.e. with an original signature). It can also be declared orally, electronically or in text form (i.e. without an original signature). When choosing the form of consent, please note that the burden of proof that the data subject has consented to the processing of their personal data lies with the controller (art. 7 para. 1 GDPR). It is therefore advisable to document the consent, including what the data subject was shown and when.
The declaration of consent must be clearly intelligible and worded unambiguously. Visual elements may be used to improve intelligibility. Visually, the declaration of consent must be clearly distinguishable from other matters (art. 7 para. 2 GDPR).
2. Awareness at the time of consent
Prior to giving consent, the data subject must be informed which specific personal data the consent refers to and what the specific purpose of the processing is. Any disclosure to third parties must be listed.
3. Voluntary nature of the consent
The data subject has to give their consent of their own free will. This means that the data subject must have a genuine free choice and must be able to refuse consent without suffering any disadvantage. The data subject must be made aware that they have the right to refuse consent.
4. Specificity and purpose of consent
The declaration of consent must specify unambiguously which data are processed and for what purpose. A universal, generalised declaration is not sufficient. The use of the collected data for other purposes is prohibited in principle. The more significant the interference with the general right of personality (Persönlichkeitsrecht), the greater the degree of detail required in the declaration of consent.
5. Unambiguity of the declaration of consent
When the data subject agrees to the declaration of consent, it must be clear to them that they are giving their consent. This can be indicated by using the title "consent" (Einwilligung) or by using the term "consent" or "agreement" (Zustimmung).
6. Option to withdraw consent
The data subject must be able to withdraw their consent at any time (art. 7 para. 3 GDPR). This must be stated clearly in the declaration of consent. Excluding the right to withdraw is not permitted.
The withdrawal does not have to be declared in the same form as the consent. However, withdrawing must not be made more difficult than giving consent or entail additional obstacles: it shall be as easy to withdraw as to give consent. Address and contact information for submitting the withdrawal must be provided. Processing carried out on the basis of the consent before its withdrawal remains lawful.
7. Own data
The data subject can only give consent to the use of their own personal data. For the use of the data of several persons, each person must give their consent individually.
Records of processing activities - art. 30 GDPR
According to art. 30 GDPR, Ulm University is obliged as a public entity to maintain a record of all processing activities (in German: Verzeichnis von Verarbeitungstätigkeiten; short: VVT) under its responsibility. This obligation also comprises any processing activities carried out by Ulm University on behalf of others. The VVT replaces the previous register of processing operations (in German: Verfahrensverzeichnis; short: VVZ) according to § 11 LDSG (old version).
Processing as defined in art. 4 GDPR means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The term processing thus refers to any handling of personal data, including their storage.
The term processing activities summarises in this context operational steps with regard to an individual specific purpose, for instance the collection and use of student data in a campus management system.
Within Ulm University, the departmental and technical contact persons who wish to establish a system are responsible for ensuring that the processing activities begin only after a VVT has been created and approved by the relevant departments. The processing of employee data usually also requires the approval of the Staff Council.
For systems for which a VVZ was created in the past, this register must be adapted to the current legal requirements, i.e. these systems also require the creation of a VVT.
Processor - art. 28 GDPR
"Commissioned data processing" (in German: Auftragsverarbeitung, ADV) as defined by the GDPR is the processing of personal data by a service provider on behalf of the controller (i.e. on behalf of Ulm University). Examples of an ADV are personal data hosted on external servers, IT systems maintained by third parties, or data storage media disposed of by another company.
According to art. 28 GDPR, such an ADV is only permitted if the controller has ensured that the processor provides sufficient guarantees of suitable technical and organisational measures to protect the rights of the data subjects. This must be documented in a contract in writing between the controller and the processor (art. 28 para. 3 and 9 GDPR).
Should you wish to engage a service provider or use Software as a Service (SaaS), a written agreement is required which regulates the data protection responsibilities in addition to general matters such as payment and liability. Your contact persons in dept. I-2 Legal and Organisational Affairs are happy to answer any questions around this topic and can help you draft an ADV agreement.
Notification of a data breach – art. 33, 34 GDPR
Did you lose your laptop, smartphone or a USB stick? Did you send an email to the wrong addressee including an attachment containing personal data? Did your PC get hacked? In today's IT world, these and other 'data breaches' are part of daily life.
It is important for you to know that according to art. 33, 34 GDPR such data breaches can entail two reporting obligations:
a) Notification to the responsible supervisory authority within 72 hours (art. 33 GDPR)
The data breach must be notified to the responsible supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Supervisory authority for Ulm University is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW).
Exempt from the notification obligation are data breaches which "are unlikely to result in a risk" to the rights and freedoms of the data subject. As the LfDI BW has so far not published interpretation principles or parameters for when such a risk can be excluded, notification is advisable when in doubt.
The breach shall be notified no later than 72 hours after having become aware of it. "Becoming aware" refers to any employee of Ulm University, not only to persons with overarching responsibility such as the Chief Financial Officer/President or the data protection officers. The 72-hour period therefore starts running as soon as any employee notices the breach, which is why internal reporting must be immediate.
b) Notification to the data subject (art. 34 GDPR)
Beyond the notification to the LfDI BW, the GDPR also stipulates a notification to the data subject. This notification is required only if the breach is likely to result in a high risk to the rights and freedoms of natural persons. Notification to the data subject may be omitted if:
- subsequent measures were taken which ensure that the high risk is no longer likely to materialise, or
- technical and organisational measures were in place which render the personal data unintelligible to unauthorised persons (e.g. state-of-the-art encryption), provided the key was not compromised together with the data.
Please note: From 25 May 2018 on, please notify all data breaches that you become aware of immediately to the contact persons in dept. I-2 of the Central University Administration via the provided online form. If you are unable to provide all details immediately, submit the notification anyway and provide further information as it becomes available. Please DO NOT send the notification directly to the LfDI BW. The notification must be sent to the data protection officers only, who will forward it and take care of the necessary documentation.
If you fear damage to the IT security of the University (Trojans etc.), please also inform the kiz (Communication and Information Centre) via their Help Desk immediately.
Department Legal and Organisational Affairs
+49 (731) 50-25185
CISO of Ulm University
Department Legal and Organisational Affairs
+49 (731) 50-25183
Data protection officer of Ulm University
Notification of a data breach according to art. 33, 34 GDPR