Data Protection Policy F&Qs

Data Protection Policy F&Qs

Data Protection Policy - Facts and Questions

EBU Luxembourg

Data Protection Policy of the European Business University
Version of 02.03.2020

Dates of approval or advice:
• Approved by University Council and Governance
• Last updated: 02.03.2020

Employees at the European Business University (hereafter “EBU”) collect and process large amounts of personal data in the course of their research, scholarship of students and administrative tasks.
This Policy (hereafter “the Policy”) forms part of EBU’s commitment to safeguarding personal data processed by its staff and personal data concerning its staff. Processing as used here has a very broad definition and includes activities such as the collection, storage, consultation, modification, disclosure (including publication), and destruction of data.
European and Luxembourg regulations on the protection of natural persons with regards to the processing of personal data and the free movement of such data (hereafter referred to as the “Data Protection Rules”) apply with respect to the processing of all such personal data.
The purpose of the Policy is to provide rules and guidance in order to ensure compliance with the Data Protection Rules. Controllers and processors such as EBU have a duty to strictly comply with the Data Protection Policy.
Each staff member, principal investigator of a research project, head of department in the central administration or administrative staff member within a faculty or interdisciplinary centre has a fundamental obligation to protect personal data and to comply with the Data Protection Policy in the performance of his/her tasks.
The terms used in the Policy are defined in the Appendix.

The objectives of this Policy are the followings:
• Assist EBU staff in identifying personal data processing at an early stage and provide guidance;
• Ensure that proper procedures are in place for the processing and management of personal data;
• Inform and educate employees of their responsibilities when storing and processing personal data and ensure that they adopt appropriate measures;
• Reassure individuals that their personal data is processed in accordance with the Data Protection Policy, which stipulate that their personal data is at all times secure safe from unauthorised access, alteration, misuse or loss;
• Ensure that other organisations with which University data shares personal data also meet compliance requirements;
• Guarantee that any existing or future system implemented by EBU to process personal data is assessed to determine whether it represents any risk to individuals’ personal data and whether it involves appropriate technical and organisational measures;
• Ensure that University staff members contact the Data Protection Officer in a timely manner regarding any issues related to the protection of personal data; and
• Ensure that University staff members document the processing of personal data in order to guarantee compliance with the Data Protection Rules

The Data Protection Policy applies to all personal data and any associated sensitive data, regardless of format (electronic, paper, audiovisual, etc.), collected and processed by EBU in the conduct of its research, learning and administrative activities within the central administration, faculties and interdisciplinary centres.
The Policy applies to all University employees, whether permanent or temporary, and external staff such as contractors, consultants, service providers, adjunct teaching staff, visiting professors/researchers, guest professors and affiliated professors (hereafter referred to as “staff”). This Policy applies to those members of EBU that are salaried or not, including PHD Students self-financed.
EBU is the controller, processor or recipient of personal data processed in the course of research projects, learning activities and administrative tasks, such as the personal data of the following data subjects:
• Natural persons who participate on a voluntary basis in research projects and consent to the collection and processing of their personal data;
• Natural persons whose personal data is collected indirectly for the purposes of a research project;
• Natural persons who have applied for or been awarded funding for research or related scientific activities including events, seminars and workshops;
o Past, current and prospective employees;
o Past, current and prospective students; and
o Suppliers, consultants, external business partners and other third parties with whom EBU communicates.

The processing of personal data is regulated by the Luxembourg Data Protection Act of 2 August 2002, by the European Data Protection Directive 95/46/EC, replaced by the European Union (hereafter “EU”) General Data Protection Regulation (GDPR) on 25 May 2018, and by any new Luxembourg data protection legislation adopted to implement the GDPR.
This legal framework was developed to protect the freedom and fundamental rights of individuals, especially their private life, in relation to the processing of their personal data.
In Luxembourg, the Commission Nationale pour la Protection des Données (CNPD, National Commission for Data Protection) is responsible for enforcing these rules for controllers and processors located in Luxembourg.
Further material and references can be found on the CNPD website and on relevant European Union websites or by consulting EBU Data Protection Officer (hereafter “DPO”).

EBU adheres to the following principles:
5.1. Fair collection and processing
• Personal data is collected and processed only to the extent that it is needed to fulfil research, learning or administrative needs (hereafter “University needs”) or legal requirements.
• Personal data held is accurate and kept up to date.
• The retention of personal data is appraised and risk assessed in light of University needs and legal requirements and appropriate data retention schedules are applied. The storage duration of personal data should be determined at the outset of the project. If the definition of the storage period is not possible, criteria should be used to determine the period at a later stage.
• Personal data is processed respecting the rights of the subjects concerned.
• Staff must inform the DPO of any intended new purposes for processing personal data. No new purpose for processing data beyond the scope for which the original consent was granted may be permitted unless the subject has consented to this new purpose or the consent form provides for explicit consent for further research.
• University staff and data subject are specifically informed regarding the use of their information and how their legitimate objections will be addressed. If legally required, the consent of the subject(s) is obtained and documented whenever personal data is collected.
• Personal data is used only in ways that ensure the confidentiality of that data (including appropriate anonymisation or pseudonymisation whenever required and technically feasible).
• Staff have access to personal data only to the extent that it is required to perform their tasks.

Security of personal data is a legal requirement to which EBU is fully committed:
• EBU has approved policies and procedures to ensure the security of information/data contained in buildings, offices, etc.
• EBU implements policies for the security of its IT systems and for the physical security of both IT systems and manual/paper files. This applies to personal data held at EBU, its transmission and its disposal.
• By default, EBU complies with the basic rule that access to personal data will be limited to individuals only on a need to know basis.
• The security and confidentiality of personal data processed by an external processor or partner is controlled via service agreements, collaboration agreements, data sharing agreements or data processing agreements including a data protection clause and/or a data protection policy. The DPO should be consulted about such agreements if necessary.
• Staff shall report any potential data breaches to EBU’s service portal as soon as they become aware of them, within 24 hours if possible and no more than 48 hours after discovering the breach. The service desk will inform the DPO of any cases of personal data breaches. Confirmed data breaches shall be documented by the Chief Information Security Officer (hereafter “CISO”) and the DPO. A dedicated procedure shall be implemented to address any personal data breaches and a register of personal data breaches shall be maintained.
• Any attempt to identify research project participants by University staff will be considered a breach of the Policy, unless research project participants have given their express written consent that they may be identified and contacted.
• Any disclosure or transmission of sensitive or personal data to unauthorised persons and the sending of sensitive or personal data by email without appropriate safeguards such as encryption or another equivalent measure is a breach of the Policy.
• The use of private email addresses by staff to send or receive personal or sensitive data will be considered as a breach of the Policy.
• University staff must take measures to protect and secure any documents containing personal information and inform recipients about the appropriate measures that will be taken.
• Use of personal data on non-University-controlled equipment is the responsibility of the user. The security settings of such equipment should be regularly checked by the user in accordance with recognised protection techniques.
• Responsibility for protecting the confidentiality of personal data extends to any individual(s) and institutions to which information is transmitted. EBU shall include provisions in relevant contracts (i.e. service agreements, collaboration agreements and data sharing agreements) stating that any personal data supplied by EBU is done so on the understanding that the recipient will keep it secure and confidential and use it only for the agreed purpose.
• Pseudonymised data is also considered as personal data. Processing of pseudonymised data must therefore comply with the principles of the Policy.

A Personal Data Protection Register (hereafter “the Register”) shall be maintained by the DPO for the purposes of identifying and recording personal data processed at EBU, in collaboration with principal investigators, heads of department in the central administration and administrative staff members in faculties and interdisciplinary centres. In particular, the Register will document where personal data is held, how it is processed, who processes it, what the legal grounds for processing it are, who has access to the data and the measures in place to ensure security and confidentiality. Each principal investigator, head of department in the central administration and administrative staff member in a faculty or research centre is responsible for informing the DPO of any personal data processed under his/her responsibility in due time to complete the Register. Completion of the Register may be delegated to a colleague or to the Data Protection Coordinator of the department. The Register is kept at the disposal of the CNPD.

The sharing of personal data should comply with the following rules:
• Procedures for sharing personal data by any electronic means must ensure that the risks of unforeseen breaches of information security are kept to a minimum. General guidance is provided in EBU information security policies and specific advice can be requested from the CISO.
• Where a contract is concluded with another organisation for services involving the disclosure or sharing of personal data, it should explicitly lay out the data protection requirements and standards, including confidentiality and security.
• Personal data cannot be transferred outside the EU or European Economic Area (EEA) unless the country or territory in question ensures a suitable level of protection for personal data, or unless it is transferred with the consent of the data subject if appropriate or with an appropriate and legally admissible safeguard. The DPO must be informed about any transfer of data outside the EU and EEA and will provide advice about appropriate safeguards.
• Personal data in any format may not be shared with a third party unless there is a legal ground and/or an appropriate agreement is in place, and without consent from the data subject if consent is required.
• In some cases, the removal of personal identifiers (name, surname, initials, etc.) alone may be insufficient to protect the identity of a data subject(s) such as a study participant or employee. If anonymisation is to be relied upon as the condition for disclosure without consent, it requires the removal of any information that may allow identification of the data subject by any reasonable means.

EBU makes every reasonable effort to control the processing of personal data and to implement protective measures commensurate with the level of risk of its personal data processing activities. If it is engaged in activities posing a high risk for the data subject, a Data Protection Impact Assessment (hereafter “DPIA”) must be performed in collaboration with the DPO and the CISO. A DPIA is a procedure designed to describe any data processing, assess the necessity and proportionality of such processing, help manage the risks resulting from the processing of personal data and safeguard the freedoms of natural persons in this regard.
In other words, a DPIA is a process for developing and demonstrating compliance where personal data processing is likely to result in high risks for the rights and freedoms of the data subjects concerned. A DPIA should help to assess the risk related to the processing of personal data and determine the measures which need to be implemented to mitigate this risk.
A DPIA shall in particular be required in the case of:
• A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
• Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; or
• A systematic monitoring of a publicly accessible area on a large scale.
EBU will implement the DPIA methodology and template via a dedicated procedure in compliance with the GDPR.

Data subjects are entitled to exercise their rights, especially the right of access, in accordance with but not limited to the following principles:
• All data subjects have a right of access to their own personal data; EBU undertakes to assist data subjects and provide information on how to request or access their personal data held by EBU.
• Informed Consent Forms must include a contact address for data subjects to use if they wish to submit a Subject Access Request, withdraw their consent or request additional information.
• Subject Access Requests are handled and relevant information is delivered to the data subject within a reasonable time frame. This time frame should be no more than one month, in compliance with the Policy.
• A data subject’s personal data is not disclosed to him/her until his/her identity has been verified.
• A Subject Access Request is only available for the personal data of the requestor. Requests for access to personal data of third parties should not be fulfilled unless the data subject has given his/her formal consent.
• Requests from the police to access information from a University database containing personal data require prior consultation with the DPO, who will check the legality of the request and consult the Head of Legal Affairs.

Data subjects also enjoy other rights: the right to be informed, the right to have personal data regarding him/her rectified, the right to be forgotten (also known as the right to erasure), the right to restrict the processing of personal data and the right to object.

To further strengthen the control over his/her own data, where the processing of personal data is carried out by automated means, the subject(s) should also be allowed to receive personal data regarding him/her, which he/she has provided to a controller in a structured, commonly used, machine-readable and interoperable format that enables data portability.

EU Member States are authorised by the GDPR to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability and to object when processing personal data for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes. These derogations apply where personal data are processed for scientific or historical research purposes or statistical purposes, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes and such derogations are necessary for the fulfilment of those purposes.
Data protection laws in Luxembourg and other EU countries will provide derogations from the data subject’s rights under the conditions laid down in the GDPR. These data protection laws will provide information about the appropriate safeguards to be implemented depending on the nature, scope, context and purposes of the data processing as well as any risks, of varying likelihood and severity, for the rights and freedoms of natural persons. Appropriate safeguards may include pseudonymisation techniques, prior impact analysis, encryption, access restrictions, awareness raising and data management plans.
It can be difficult to obtain specific consent for the processing of personal data for research purposes. In many cases the exact purpose of personal data processing for scientific research at the time of data collection is not fully known. Data subjects should therefore be allowed to give broader consent to certain areas of scientific research in accordance with recognised ethical standards.
If in doubt, the DPO is available to offer guidance and advice.
EU Member States should reconcile the rules governing freedom of expression, including academic expression, with the right to the protection of personal data pursuant to the GDPR. Data processing may be subject to derogations or exemptions notably on general principles, to protect the rights of the data subject (for example the right of information) and for the transfer of personal data to third countries.
By way of derogation to the general data protection principles provided under the GDPR, the processing of personal data for the purpose of academic expression will be allowed in EU Member States under the conditions laid down in the legislative measures adopted.
For example, EU Member States may allow for the processing of personal data relating to criminal convictions and offences and remove the restrictions on transfers of personal data to third countries. Member States may also allow a derogation to the right of information where personal data have been collected indirectly, under specific conditions.
If in doubt, the DPO is available to offer guidance and advice.
The retention of personal data shall be documented and justified. The retention of personal data is appraised and risk assessed in light of EBU’s needs and legal requirements, with the application of appropriate retention schedules. Personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed. The data subject shall be informed of the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
All personal data processing shall be clearly documented to confirm compliance with the Policy; such compliance must be demonstrate during audits performed by the CNPD or other auditors and checks performed by the DPO.
Overall responsibility for data protection remains with the Rectorate and/or the Administrative Director, in accordance with the Law on the Organisation of the European Business University. Each staff member should also take responsibility for complying with the Policy. Individuals with specific responsibilities include the following:
1) The Data Protection Officer (DPO) has a strategic role in data protection. The role of the DPO is to perform the following tasks at EBU:
• Develop data protection policies and best practices in research, education and central administration activities;
• Provide staff training on data protection;
• Provide advice, guidelines and procedures on processing personal data;
• Collaborate with the supervisory authority and act as a point of contact;
• Inform EBU management of data protection requirements, advise on annual improvement plans and agree and present an annual Data Protection Report to the management team;
• Provide assistance for EBU in the performance of DPIAs; and
• Implement and maintain EBU ’s Personal Data Protection Register as controller or processor based on information provided by principal investigators, heads of department in the central administration and administrative staff members in faculties and interdisciplinary centres.
2) The Chief Information Security Officer (CISO) is a strategic partner of the DPO in ensuring compliance with the Policy.
The CISO is responsible for monitoring, documenting and communicating on information security, including handling breaches, and for compliance of the IT network with recognised information security standards. He/she collaborates with the DPO on data protection matters and reports any personal data breaches brought to his/her attention to the DPO.
3) Heads of department in the central administration, administrative staff members in faculties or interdisciplinary centres and principal investigators are responsible for:
• Ensuring that their staff understand how data protection principles apply to their day-to-day work through training and monitoring, and monitoring compliance within their own areas of responsibility;
• Ensuring that Data Protection Coordinators have been appointed for their department , or interdisciplinary centre, and that they are provided with appropriate training and guidance with the support of the DPO and the CISO;
• Ensuring appropriate technical and organisational measures are taken within their department to comply with EBU Data Protection Policy and prevent personal data breaches;
• Informing the DPO of any personal data processing within their faculty, interdisciplinary centre, or department and of any changes in the nature and procedures of that processing;
• Ensuring compliance with CNPD procedures for new research projects or other data processing activities related to administration or teaching, informing the DPO where needed and completing the information to the Personal Data Protection Register;
• Reporting any breach of personal data to the CISO and the DPO via EBU’s service portal within 24 hours, if possible, and no more than 48 hours after discovering the breach;
• Implementing a DPIA if needed with the support of the DPO and the CISO; and
• Supporting the DPO with any requests from the CNPD or foreign data protection authorities and audits by the CNPD or any other body (internal or external).
4) Data Protection Coordinators are the point of contact for the DPO and the CISO concerning data protection in the faculties, interdisciplinary centres, or departments. They are required to
• Raise awareness about data protection within their department, faculty or research centre in collaboration with the DPO and the CISO;
• Disseminate information about data protection; and
• Enhance the compliancy of the Policy. Such tasks can also be carried out by another person in the department.
5) The Ethics Review Panel (ERP) collaborates with the DPO regarding research projects submitted to the ERP for matters concerning data protection issues, as appropriate.
6) Authorised users – those authorised (and trained) to use particular data systems or collections in accordance with University policy and procedures.
Anonymisation: the process of rendering personal data anonymous in such a manner that the data subject is not or is no longer identifiable.
Controller: a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by national or EU laws or regulations, the controller or the specific criteria for its nomination may be provided by national or EU law.
Data subject consent: any freely given, specific and informed indication of the data subject’s wishes by which he/she or his/her legal, judicial or statutory representative signifies his/her agreement to personal data relating to him/her being processed. This consent must be documented through an Informed Consent Form.
Genetic data: any data concerning the hereditary characteristics of an individual or a group of related individuals.
Health data: any information concerning the data subject’s physical or mental health, including genetic information.
Personal data: any information of any type, regardless of the medium, including images and audio or video material, relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number or one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
Personal data breach: a breach of security related to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. One example of pseudonymised data is data which has had its personal identifiable information (name, surname) replaced with a code to prevent data subject identification.
Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Recipient: a natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether a third party or not. Authorities that may receive personal data in the framework of a legal enquiry shall not be regarded as recipients.
Sensitive personal data or special categories of data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of data concerning health or sex life, including the processing of genetic data. Sensitive personal data are subject to a stricter legal regime.
Third party: any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or the processor, are authorised to process personal data. In the public sector, a third party refers to a ministry, an administration, a public institution, a regional authority or a public service other than the controller or processor.
Third country: a country that is not a Member State of the European Union or the European Economic Area. The GDPR states that personal data can only be transferred to countries outside the EU and the EEA when an adequate level of protection is guaranteed. The GDPR requires that data transfers should not be made to non-EU/non-EEA countries that do not ensure adequate levels of protection. However, exceptions (or “derogations”) to this rule may be applicable.
The European Commission may determine whether a country outside the EU or EEA offers an adequate level of data protection and adopt an adequacy decision with regard to that country. The effect of such a decision is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. The Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.

FAQ on the Data Protection Policy of the European Business University
1. Why do we need a Data Protection Policy at the European Business University?
The aim of this Policy is:
• to provide guidance and rules for employees to facilitate compliance with the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018;
• to document EBU’s rules on data protection;
• to align EBU’s approach with the GDPR, which places greater emphasis on the principle of accountability within organisations.
2. What is the scope of the Data Protection Policy?
The Policy concerns all personal and sensitive data processed by EBU (regarding health, political opinions, union membership, criminal offences, etc.) in any of the following contexts:
• Research;
• Teaching;
• Administrative tasks.
3. Who has to comply with the Data Protection Policy?
All University employees (whether permanent or temporary), PhD students including self-funded, as well as external staff such as contractors, consultants, service providers, visiting and affiliate professors and researchers have to comply with the Policy.
4. What are the main principles of the Data Protection Policy?
The Policy is based on principles that facilitate compliance with data protection legislation. It contains guidelines on:
• Fair collection and processing;
• Security;
• Data sharing;
• Data retention and deletion.
It also includes new obligations introduced by the GDPR:
• Establishment and maintenance of a University Personal Data Protection Register;
• Risk-based approach;
• Documentation of compliance with the GDPR.
5. What provision is made for the rights of data subjects?
The Policy focuses on incorporating new rights and strengthening existing rights.
The Policy includes a section on adaptations in the fields of research and academic expression in line with the GDPR and the future national law.
6. Are roles and responsibilities defined in the Policy?
The roles and responsibilities of key players are clearly laid down in the Policy.
7. Who is responsible for compliance with the GDPR?
The Data Protection Officer (DPO), Chief Information Security Officer (CISO) and other key stakeholders are on the front line when it comes to data protection, but compliance with the GDPR is not just an IT or legal issue; everyone has a part to play.
8. Has EBU appointed a Data Protection Officer (DPO)?
Yes. In its capacity as a public institution, EBU is obliged to appoint a DPO.