One of the more important innovations of the GDPR lies in Article 13 GDPR – the information obligations. At the latest when collecting personal data, the higher education institution must provide the data subjects with at least the following information in plain and intelligible language:
- The name and contact details of the higher education institution,
- The contact details of the data protection officer,
- The purposes for which the personal data are to be processed and the legal basis for the processing,
- The legitimate interests pursued, if the processing is based on Article 6(1)(f) GDPR,
- If applicable, the recipients (or categories of recipients) of the personal data.
If personal data are to be transferred to a third country / international organisation (i.e. outside the scope of the GDPR):
- The intention to transfer the data,
- The existence or absence of an adequacy decision by the EU Commission,
- or, in the case of transfers outside the EU pursuant to Article 46, Article 47 or Article 49(1), second subparagraph, GDPR, a reference to the appropriate or adequate safeguards and the means of obtaining this information.
If the personal data are not collected from the data subjects themselves, the categories of personal data processed must be communicated (Article 14 GDPR). Even where the data are collected from the data subjects (Article 13 GDPR), it is advisable to include information on the personal data processed in the data protection information/notice in order to ensure the transparency of the processing. This may be omitted only where the data protection information is provided in direct connection with the data collection, e.g. as an annex to a form from which all processed data can be seen directly.
In addition, data subjects must be informed of the following at the time of data collection:
- The duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration,
- Whether the provision of the personal data is required by law or by contract or necessary for the conclusion of a contract, whether the data subjects are obliged to provide the personal data, and the possible consequences of not providing it,
- The existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subjects.
In addition, data subjects must be informed about the existence of the following rights:
- Right of access
- Rights to rectification, erasure and to restriction of processing,
- Right to object to processing,
- Right to data portability,
- Right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until withdrawal,
- Right to lodge a complaint with a supervisory authority.
If personal data are to be processed for a purpose other than the one for which they were collected, the controller must inform the data subjects of this other purpose (together with the other relevant information) before that further processing takes place. The information does not have to be provided if the data subjects already have it.
To inform data subjects, the template in the Templates tab can serve as a framework, but it must be adapted to the specific processing.
If you operate your own websites (e.g. blogs), you can refer to the university's central data protection statement, if applicable, provided that no data processing beyond what is described there takes place: no different log data is processed, no cookies are set, no other services or plug-ins are integrated, etc. The data protection team will be happy to advise you in this regard.
If you want to use your own data protection statement or check an existing one for conformity with the GDPR, a checklist is available in the Templates tab.