Data Protection at the EUI
In light of the new rules applicable to EU Member States (Regulation (EU) 2016/679, GDPR) as well as the recent adoption of the new rules applicable to Union institutions, bodies, offices and agencies (Regulation (EU) 2018/1725), the EUI has revised its internal rules on data protection (PD 10/2019). This revision further improves in particular the following aspects of data protection at the EUI:
- Legal remedies in case of infringements of data subjects’ rights;
- Rules on data breaches;
- Protection of sensitive personal data in case of transfer to third parties.
EUI Data Protection Policy:
Decision of the President No. 10 of 18 February 2019 (EUI Data Protection Policy)
The internal regulation of the European University Institute (EUI) regarding Data Protection is drafted in accordance with the principles contained in the Convention establishing the EUI, signed on 19 April 1972, and with the Protocol on Privileges and Immunities annexed to it.
It also takes inspiration from the European Convention on Human Rights, the Charter of the Fundamental Rights of the European Union and the relevant European Union legislation (particularly, Regulation (EU) 2016/679, GDPR, and Regulation (EU) 2018/1725).
Extract from the Charter of Fundamental Rights of the European Union
Article 8: Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
What follows is a summary of the main aspects of the data protection policy at the EUI.
- Definitions & actors involved
- Purposes of processing personal data
- Principles of data processing
- Data subject rights & data protection complaints
- Confidentiality & security
- Transfer of data
Definitions & actors involved
What are personal data?
Any information relating to an identified or identifiable natural person (the data subject).
Who are identifiable natural persons?
Individuals who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
What is processing of personal data?
Certainly, a broad concept!
Any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
What do we mean by the ‘data subject’s consent’?
The data subject’s consent shall mean any freely given, specific, informed and unambiguous agreement to have their personal data processed.
Who are the main actors in data processing and which are their roles?
The Secretary General has overall responsibility for the implementation of the Data Protection Policy and can nominate the Controllers in the EUI’s organisational entities.
Controller: the EUI or one of its organisational entities which determines the purposes and means of the processing of personal data by the EUI.
Who can be a Controller within the EUI?
The Secretary General, or the Director of Service/Head of Unit or Department of the EUI.
Responsibilities of controllers:
- Fair and lawful processing of data
- Management of data inside their units and implementation of data quality requirements
- Ensure and demonstrate compliance (keep records of processing activities)
- Carry out privacy impact assessments.
- Identification of the persons in charge of processing (‘processors’) and notification to them of the scope of the processing operation they have to carry out.
- Inform & allow Data Subjects to exercise their rights.
- Review data protection complaints in cooperation with the DPO.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data processed.
Processor: natural or legal person within the EUI structure who processes personal data on behalf of the Controller.
External Processor: natural or legal person, public authority, agency or any other body (e.g. organisational entity of an event, Settlements Office of the Joint Sickness Insurance Scheme) external to the EUI that processes personal data on behalf of the EUI.
What are the other actors involved (apart from the data subject)?
- Recipient: a natural or legal person to whom data are disclosed
- Data Protection Officer (DPO): person nominated to ensure in an independent way respect for data protection principles within the EUI. The DPO’s main tasks, apart from an advisory function, consist in the provision of information and raising awareness, monitoring of compliance and assisting in the handling of complaints.
- Data Protection Committee (DPC): interservice and interdepartmental EUI Committee mandated to assist the President, the Secretary General and the DPO in fundamental issues concerning compliance with data protection provisions.
Purposes of processing personal data
The Institute can process personal data only for institutional purposes (e.g. educational activities, administrative and accounting activities, safety and security purposes, activities of academic and scientific research).
Principles of data processing
How should the EUI process personal data?
Personal data must be:
- Processed fairly and lawfully
- Collected for specified, explicit and legitimate institutional purposes (purpose binding principle)
- Adequate, relevant and not excessive in relation to the purpose (proportionality)
- Stored not longer than necessary (‘right to be forgotten’)
- Processed under the responsibility and liability of the Controller
What are the rules on lawful data processing?
Personal data may be processed only if:
- Data subjects have given their unambiguous consent, or
- Necessary for the performance of an institutional task of the EUI or of a task carried out in the public interest or in the legitimate exercise of official authority
- Necessary for compliance with a legal obligation of the Controller
- Necessary for the performance of a contract
- Necessary to protect the vital interests of the data subject or of a third party
Processing of ‘sensitive’ data
What are ‘sensitive data’?
Those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health and data relating to sexual identity.
Special rules for processing sensitive data
Processing of those data is prohibited, unless one of the following applies:
- Explicit consent by the data subject
- Compliance with the rights and obligations of the controller in the field of employment law
- Protection of the vital interests of the data subject or of another person
- Data manifestly made public by the data subject, or processing necessary for legal claims
- Purposes of preventive medicine, medical diagnosis, management of health-care services, provision of care or treatment.
What are the principles for carrying out a processing operation by a processor?
- Acting only on instructions of the controller
- Compliance with the Data Protection Rules of the EUI
- Respect for confidentiality and security according to the EUI’s Data Security Policy
When the processing operation is carried out by an external processor, the above principles shall also be stipulated in a contract or another binding legal act.
What are the principles for processing for research purposes?
- Data collected by the EUI for research purposes can be processed only for the scientific objectives for which they were collected.
- Such data may be publicly disclosed only if:
- the data subject has given consent or
- the data subjects have made the data public.
Data subject rights & data protection complaints
Data subjects have the right to:
- Be informed about whether, how, by whom and for which purpose their data are processed
- Rectification of inaccurate or incomplete personal data
- Erasure of data in case the processing by the EUI is or becomes unlawful
- Block the processing of data under specific conditions.
If data subjects believe that there has been a breach of the data protection principles of the President’s Decision No 10 of 18 February 2019, they can address a complaint to the Controller with simultaneous notification to the DPO at the following e-mail address: Data_Protection_Officer@EUI.eu
If the reply is not satisfactory, or it is not given within one month, the data subjects have the right to judicial remedies under the terms and conditions outlined in the President’s Decision 10/2019.
Confidentiality & security
The Institute assures the confidentiality and security of the processing of personal data, for both paper and electronic files.
In that respect, processors, whether employed or contracted by the EUI, are bound by the duty of confidentiality and shall not process data except on instructions from the Controller.
They are also made aware of the security procedures they must follow when handling personal data.
How is the security of personal data safeguarded?
Through adequate technical and organisational measures (e.g. pseudonymisation or encryption of personal data).
What is the purpose?
To ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data processed. In particular:
- To prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.
The Decision contains specific provisions on the measures and risks that are specific to the processing of personal data by automated means.
Transfer of data
Personal data can be transferred between the EUI and third parties, including Contracting States, only for institutional purposes, and ONLY when all parties to the transfer have in place adequate safeguards for the protection of personal data.
- Requirements for data transfer:
- the data are necessary for the legitimate performance of tasks covered by the competence of the recipient, or
- the data are necessary for the performance of a task carried out in the public interest or subject to the exercise of public authority, or
- the data need to be transferred (burden of proof upon the recipient) and there is no reason to assume that the data subject’s legitimate interests might be prejudiced.
- Transfer of personal data to third parties such as the European Commission, the Settlements Offices of the Joint Sickness Insurance Scheme common to the institutions of the European Union (JSIS), Van Breda International, the Institute’s medical advisers, the Institute’s diagnostic laboratory falls within the standard institutional practices of the EUI.
Disclaimer: The summary above is provided for information purposes only and in no way replaces or substitutes the relevant regulatory documents of the EUI.