Topic 1: The European General Data Protection Regulation (GDPR)

In May 2018 the European Union's General Data Protection Regulation (GDPR), adopted in 2016, became applicable and is widely regarded as one of the world's strictest personal data protection laws. It provides a legal framework for how organizations collect, process, and store personal data and sets out the rights individuals have over their own data, including the right to access, rectify, and erase it. Compliance is mandatory for all entities established in the European Union, and for entities outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. The GDPR applies to all types of personal data, from medical records stored in a database to video footage of customers visiting a store.

The GDPR is regulated by Data Protection Authorities located in each EU member state. The list can be found at the following link:

The main principles of GDPR are:

  1. lawfulness, fairness, and transparency
  2. purpose limitation
  3. data minimization
  4. accuracy
  5. storage limitation
  6. integrity and confidentiality
  7. accountability

The educational institution is accountable for all processing of personal data that takes place within the framework of its research and education activities, whether it carries out that processing itself or delegates it to others.

Example of what data protection means in practice (data protection by design and by default, Article 25 GDPR):

  • A university should configure students' profiles with the most privacy-friendly settings from the start, for example by restricting who can view a profile so that it is not visible by default to an indefinite number of people. Students may then choose to widen visibility themselves.

The GDPR distinguishes two roles: a data controller determines the purposes and means of data processing, and a data processor processes personal data on behalf of the controller. Different legal responsibilities apply to each of these parties.

The school will typically be the "controller", so it must put a clear written contract (a data processing agreement, as required by Article 28 GDPR) in place with each "processor". A processor can take various forms: a photographer hired for a school event, an online learning platform, or the vendor that operates a piece of software on the school's behalf. Any operation these entities perform on personal data counts as processing, whether or not it is automated: collecting it, storing it, retrieving it, sharing it, deleting it, and so on.