GDPR - General Data Protection Regulation
biul |
The GDPR (General Data Protection Regulation) is a European regulation on privacy rights. It entered into force on 25 May 2018.
Personal data = any information relating to an identified or identifiable person (article 4 GDPR)
NB: the rules for personal data protection do not apply to deceased persons.
Personal data processing = processing is any operation carried out on personal data.
Principles to respect (article 5 GDPR) when processing personal data :
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Data retention limitation
- Integrity and confidentiality
- Responsibility
Processing is lawful if it meets at least one of the following conditions :
- The data subject has given his or her consent to the processing.
- Processing is necessary to respect a contract to which the data subject is party or to carry out pre-contractual measures at the request of the data subject.
- Processing is necessary to fulfil a legal obligation to which the controller is subject.
- Processing is necessary to safeguard the vital interests of the data subject or of another person.
- Processing is necessary for the performance of a task carried out in the public interest
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
The consent : It is important to understand that consent is not always required ! However, when consent is the basis of the lawfulness of the processing, it must be freely given, specific, informed and unequivocal. It must be a clear affirmative act. There can therefore be no consent in cases of silence or inactivity. It can be withdrawn at any time.
Les données sensibles :
Some data are classified as “sensitive” or “special” = data relating to racial or ethnic origin, political opinion, philosophical or religious beliefs, trade union membership, genetic and biometric data, health data and sex life or sexual orientation.
In principle, the processing of such data is PROHIBITED except in the case of limited exceptions (listed exhaustively in Article 9 of the GDPR). One of these conditions is scientific research, provided that it is accompanied by appropriate safeguards (Articles 9 and 89 of the GDPR).
Transparency and information :
The GDPR requires the controller to provide a certain amount of information to the person whose data is being processed. This information is as follows :
- identity and contact information of the controller or his or her representative;
- contact information for the data protection officer, if there is one;
- the collected data;
- processing purposes and legal basis;
- recipients of the personal data;
- possible transfer to a third country or an international organisation;
- retention duration or criteria for determining it;
- existence of the data subject’s rights (access, rectification, erasure, restriction, opposition, portability + right to withdraw consent at any time);
- existence of the right to lodge a complaint with the supervisory authority;
- existence of automated decision-making.
The same applies when the data have not been collected from the data subject. HOWEVER, in the field of research, the person responsible for subsequent processing is exempted from the obligation to provide information when the provision of such information proves impossible or would require disproportionate efforts.
The data subject’s rights : Persons whose data is processed have different rights. However, these may be limited (access, rectification, limitation, opposition and deletion) if they render impossible or seriously impede the achievement of research objectives.
How long data is kept :
The minimisation principle of the GDPR requires that personal data should not be kept longer than necessary to achieve the stated purposes
Personal data may be stored for longer periods of time provided they are processed solely for the purpose of scientific research and:
- the research objectives can be reached via processing that does not allow or no longer allows for the identification of the persons concerned ;
- appropriate safeguards exist.
Data Protection Officer (DPO) :
If you have any questions about the RGPD, please contact Michèle Remy, RGPD Delegate at UCLouvain : privacy@uclouvain.be