- What are personal data?
- What are special categories of personal data?
- Who is the data subject?
- What is data processing?
- What is data minimization?
- What is the "pseudonymization" of the data?
- In what situations is it lawful to treat personal data?
- What is the function of the Data Protection Officer?
- The students have asked why the IPB needs to know all the information asked from them. What should I answer?
- Applicants to CTESP, masters and other programs (e.g. non-degree courses) ask what we do with their personal data if their application is not accepted. What should I answer them?
- Teaching and non-teaching staff have asked about the need to collect their personal data. What should I answer?
- What should be done when one knows that the data collected and processed are in the possession of third parties?
- What data is legitimate to process?
- How to ask for consent?
- Can I publish a list of grades?
- I regularly send personal data from students, employees or applicants to entities outside the IPB. Can I continue to do this?
- Can I send emails to mailing lists of teachers, employees and students through the institutional email?
- Can I send emails to generic mailing lists that I have at my institution?
- What to do for emails that already exist in the mailing lists?
- Can I have personal data from students, staff and candidates on my personal computer?
- What basic security rules should I follow to ensure the protection of personal data temporarily stored on my personal computer?
1. What are personal data?
In accordance with article 4 (1) of the GDPR, personal data means 'any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.
2. What are special categories of personal data?
Article 9 of the GDPR applies even more stringent restrictions to the processing of special categories of personal data, defined as follows: 'Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.' All these data are subject to additional processing restrictions.
Biometric data are defined as 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data' (article 4 (14) of the GDPR).
Data concerning health are defined as 'personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his/her health status' (article 4 (15) of the GDPR).
3. Who is the data subject?
It is the person to whom the personal data relate.
4. What is data processing?
Data processing is any operation performed on the data entrusted by the data subject. Merely accessing the data is considered processing. Storing the data in a file, making copies, consulting, publishing, etc. are also data processing.
5. What is data minimization?
It means that the personal data collected must be limited to what is necessary in relation to the purposes for which they are processed.
6. What is the 'pseudonymization' of the data?
It is the operation by which the link between the data subject and the data is broken. Put more simply, it consists of removing, modifying or replacing individual characteristics with coded representations, so that the personal data can no longer be attributed to an identified or identifiable natural person.
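The replacement of individual characteristics by coded representations described above, as an added example that is not part of the IPB FAQ. It pseudonymizes a constructed (not real) student grade list with a keyed HMAC token and keeps the token-to-identity table separate, which is what makes re-identification impossible for anyone holding only the pseudonymized data.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records (not real IPB data): a list of student grades.
STUDENT_RECORDS = [
    {"student_number": "a12345", "name": "Ana Silva", "course": "CTESP Informatics", "grade": 16},
    {"student_number": "a23456", "name": "Bruno Costa", "course": "CTESP Informatics", "grade": 12},
]

# Fields that identify the data subject directly and must be replaced.
DIRECT_IDENTIFIERS = ("student_number", "name")


def pseudonym(value: str, key: bytes) -> str:
    """Derive a coded representation of a direct identifier.

    A keyed HMAC-SHA256 is used rather than a plain hash: student numbers and
    names form a small search space, so an unkeyed hash could be reversed by
    hashing every candidate. Without the key, the token cannot be linked back.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list, key: bytes) -> tuple:
    """Split records into a pseudonymized data set and a separate lookup table.

    The lookup table (token -> original identifiers) is the additional
    information that allows re-identification; store it apart from the
    pseudonymized data set and protect it like the key itself.
    """
    pseudonymized, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["student_number"], key)
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymized.append({"subject": token, **kept})
    return pseudonymized, lookup


def reidentify(token: str, lookup: dict) -> Optional[dict]:
    """Recover the original identifiers; only possible with the lookup table."""
    return lookup.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once and kept separately from the data
    data, table = pseudonymize(STUDENT_RECORDS, key)
    print(data)  # grades and courses stay usable; names and numbers are gone
    print(reidentify(data[0]["subject"], table))
```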
7. In what situations is it lawful to process personal data?
In order for the processing to be lawful, personal data must be processed on the basis of consent given by the data subject or on another legitimate basis provided for by law, either in the Regulation itself or in another act of Union or Member State law referred to in the Regulation, including the need to fulfil the legal obligations to which the controller is subject, the need to perform a contract to which the data subject is a party, or the need to carry out pre-contractual steps requested by the data subject.
8. What is the function of the Data Protection Officer?
9. The students have asked why the IPB needs to know all the information asked from them. What should I answer?
Most of these data are required to respond to official surveys such as RAIDES. In order to fulfil this requirement, educational institutions keep this information for the duration of the student's stay and for another two years after his or her last enrolment.
10. Applicants to CTESP, masters and other programs (e.g. non-degree courses) ask what we do with their personal data if their application is not accepted. What should I answer them?
Applicants who do not become students, whether because they were not accepted, because they withdrew before starting, or because the application procedure lapsed, have their personal data deleted at the end of the period required to guarantee the deadlines for complaints. The exception is billing data, if a payment was made, which are only deleted after the legal retention period.
11. Teaching and non-teaching staff have asked about the need to collect their personal data. What should I answer?
All personal data collected by the organisational units of the IPB are compulsory within the scope of employment in the public service.
12. What should be done if one knows that the data collected and processed are in the possession of third parties?
The GDPR has very clear measures for these cases. There are deadlines for reporting the incident to the Data Protection Officer, who will have to inform the National Data Protection Commission within 72 hours of becoming aware that the data have been compromised. If the breach could significantly affect the data subjects, it may also be necessary to notify them.
13. What data is legitimate to process?
Processing shall be lawful only if and to the extent that at least one of the following applies:
- a) The data subject has given consent to the processing of his/her personal data for one or more specific purposes;
- b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- c) Processing is necessary for compliance with a legal obligation to which the controller is subject;
- d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Asking for consent should be understood as a last resort. In other words, one should always request only the data strictly necessary for processing that is lawful without consent.
14. How to ask for consent?
Consent must be given explicitly and affirmatively, and separately for each processing operation.
15. Can I publish a list of grades?
Yes, but only in the places designated for that purpose and with the appropriate restrictions. Student grades are personal data and are therefore not public. However, in the interests of transparency, grades may be shared with colleagues involved in the assessment.
16. I regularly send personal data from students, employees or applicants to entities outside the IPB. Can I continue to do this?
As a rule, all exchanges of personal data with third parties outside the IPB must be communicated to the Institution's Data Protection Officer. It must be highlighted that such transmission of personal data is legitimate only if there is a legal obligation to do so or the data subjects have given their permission. Personal data submitted under survey procedures for national statistical purposes (e.g. RAIDES, REBIDES) generally are.
17. Can I send emails to mailing lists of teachers, employees and students through the institutional email?
You can. The contract with students, employees and teachers allows their use for professional or academic purposes. This does not cover the announcement of non-professional or non-academic events.
18. Can I send emails to generic mailing lists that I have at my institution?
You can, but only if you have the informed consent of the owner of each email address.
19. What to do for emails that already exist in the mailing lists?
There are several ways to obtain informed consent. One of the most common is to send an email asking the owner to confirm that they want to receive emails for the specific purposes stated in that email. The specific purposes for which emails will be sent must be indicated, e.g. the announcement of cultural events promoted by the institution, or the dissemination of news. It must also be stated explicitly that a non-response will be treated as non-authorization.
20. Can I have personal data from students, staff and candidates on my personal computer?
Yes, provided it is strictly for the fulfilment of professional duties. The personal data of students, employees or applicants may remain on the personal computer only for the time needed to accomplish the legitimate task, after which they must be deleted. While they remain on the personal computer, the employee must ensure that his/her computer complies with all basic security rules. Optionally, the user can encrypt the files containing personal data.
21. What basic security rules should I follow to ensure the protection of personal data temporarily stored on my personal computer?
Without prejudice to others, the following rules shall be ensured:
- The computer access password must have a minimum length of 8 characters, must be memorable so that it does not have to be written down elsewhere, and must not be a dictionary word or a combination of words.
- The computer must have all the latest security updates installed.
- If the computer holds personal data, its use by third parties should be restricted.