EU-DSGVO
EU General Data Protection Regulation
The EU GDPR will be directly applicable in all EU countries from 25 May 2018. In addition to the EU GDPR, the BDSG-new (DSAnpUG-EU) and the NDSG-new must also be observed.
Important changes from the perspective of process owners or employees who are entrusted with the processing of personal data:
- Article 13/14: Duty to provide information
- The GDPR extends the obligations to provide information when collecting data. Compared to consent under the NDSG, the following points have been added:
- Contact details of the data protection officer. Recommendation:
University of Oldenburg
- The Data Protection Officer -
Ammerländer Heerstr. 114 - 118
26129 Oldenburg
Email:
Phone: 0441-798 4196
uol.de/datenschutz/
- The legal basis for processing. With consent: Art. 6 para. 1 lit. a GDPR
- Additional information on transmissions, if applicable
- The duration of storage
- If applicable, revision of the cancellation policy and reference to rectification
- The existence of a right to lodge a complaint with a supervisory authority
- If the data processing is not based on informed consent, the information obligations generally still apply and the scope of the additions may be correspondingly greater!
- Sample templates for Art. 13 GDPR and Art. 14 GDPR are available to fulfil the information obligations. Which template you need to use depends on the source from which you collect personal data. If the data is collected from the data subject (e.g. by interviewing them, filling out a questionnaire, etc.), the Art. 13 template must be used. If the data is obtained from a source other than the data subject (e.g. website, telephone directory, residents' registration office, other authority, etc.), the Art. 14 template must be used. The data protection officer will be happy to answer any questions you may have about both the correct template and the templates themselves.
- Article 25: Data protection by design and by default (privacy by design, privacy by default)
- Article 28: Processors
- The existing contracts for commissioned data processing (ADV) must be reviewed and supplemented with regard to the changed framework conditions.
- Article 30: Record of processing activities
- The previous form for the description of procedures will be revised and the previous directory of procedures in accordance with the NDSG will be replaced. The procedure for this is currently in preparation.
- Article 33: Notification of personal data breaches
- In the event of a personal data breach, this should be reported immediately to the head of the authority or the data protection officer. The further procedure for this is currently being prepared.
- Article 35: Data protection impact assessment
- The data protection impact assessment replaces the previous prior check in accordance with the NDSG. The need for an impact assessment is determined as part of the procedure notification in accordance with Article 30. The controller (operator/initiator) of the procedure is responsible. The data protection officer advises the controller.
This list does not claim to be exhaustive. It is intended to serve as a guide and as a checklist to identify any acute need for action with regard to the GDPR.
Please also note the information in the section Directory of processing activities!
If you have any questions, please contact the data protection officer.