HWR Berlin must ensure that individuals affected by the processing of their personal data can exercise their rights under Chapter III of the GDPR, in particular:
Right of access (Art. 15 DSGVO).
Data subjects may request information from the university as to whether the university is processing personal data relating to them and, if so, request information on the data stored. As a rule, the HWR must then provide the data subject with the processed data and other information specified in Art. 15(1) and (2) DSGVO within one month at the latest (Art. 12(3) DSGVO).
IT systems should offer the possibility for individuals to output the data stored about them in as legible a form as possible. When procuring or programming IT systems, care must be taken to ensure that the systems can be used to implement the obligation to provide information. Operators of IT systems must ensure that they are able to comply with the data subject’s right to information within one month in the event of a request.
If a data subject makes a request for information, this must be forwarded to the data protection officer.
Paper Data Protection Conference The data subject’s right to information
Right to rectification (Art. 16 GDPR)
Every person has the right to have inaccurate personal data relating to him or her corrected by the university and incomplete data records completed. This presupposes that the person can exercise his or her right of access, because only then will he or she be able to identify inaccurate or incomplete data relating to him or her.
Right to erasure (Art. 17 GDPR)
The right to erasure of personal data may relate to data processed unlawfully – in particular due to a (now) lack of legal basis. For data processed by the university by means of consent, the right to erasure has an effect together with the right to revoke consent. The revocation removes the consent as a legal basis.
If the higher education institution has published or disclosed to other data controllers personal data subject to a right of erasure, it is obliged to inform all recipients and those who have set hyperlinks to the published data on the Internet of the obligation to erase (“right to be forgotten”).
Paper Data Protection Conference Right to erasure / “right to be forgotten”
Right to restriction of processing (Art. 18 DSGVO)
The right to restriction of processing applies when
1. The data should actually be erased, but the data subject needs the data for the enforcement of legal claims, or erasure is refused by the data subject. The triggering event may be a cessation of necessity for the achievement of the purpose of the processing or the realisation of unlawful processing.
the accuracy of the data is contested by the data subject or the data subject has lodged an objection pursuant to Art. 21 (1) of the GDPR. In these cases, the data will be temporarily blocked until the university has verified the accuracy of the data or weighed the university’s legitimate grounds for processing against those of the data subject.
2. The restriction of processing must be implemented immediately, and processing of the blocked data may no longer be carried out. The restriction of processing only concerns the selected personal data. All data not subject to restriction of processing may continue to be used for the respective processing purposes.
Right to data portability (Art. 20 GDPR)
The right to data portability is intended to enable data subjects to change providers or service providers in a simplified manner by providing a right against the previous provider to take the customer data held there to a new provider or service provider in a portable format.
The right to data portability only applies to data processed on the basis of consent or a contract between the university and the data subject. In the area of its mission, the HEI will usually act on the basis of a legal mission statement and obligation to process data, which is why the right to data portability does not apply to these areas.
Right to object (Art. 21 GDPR)
In the case of processing of personal data which is carried out on the basis of Art. 6 Para. 1 lit. e or f GDPR, the persons concerned have a right of objection in accordance with Art. 21 GDPR , whereby the reasons arise from the particular situation of the respective person. If an objection is lodged, it is the university’s responsibility to weigh up the interests of the particular situation of the data subject against the compelling reasons of the HWR that merit protection. In doing so, the university’s reasons must outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.