Tuesday, 14. July 2020
More

    GDPR – practical examples

    Must Read

    Should school classes start later?

    The American Academy of Pediatrics recommended in August 2014 that middle and high schools should not commence before 8:30...

    Proposal for new balanced timetable

    Maternell: Monday - Friday from 9.00 to 14.00 Primary: Monday and Wednesday from from 9.00 to 16.30, Tuesday, Thursday and Friday from 9.00 to 14.00. Secondary: Monday, Wednesday and Friday from from 9.00 to 16.30, Tuesday and Thursday from 9.00 to 14.00.

    Low registration and transferrals out of European School Mamer

    The rate of registration of new children to European school Lux II is so low that the school now wants to radically change the rules of registration, ‘forcing parents with kids in the DE, FR and EN sections to send their kids to Lux II, except in certain circumstances.’

    Does GDPR apply only to data that is processed, or intended to be processed, by automatic means?

    The GDPR covers the processing of personal data in two ways:

    • personal data processed wholly or partly by automated means (that is, information in electronic form); and
    • personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).

    Does GDPR cover any data about any individual?

    Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    If individuals cannot be identified then the GDPR does not apply.

    Is data recorded about the number of times a user accesses a website personal data?

    Yes, if user is identifiable. If they are then the GDPR would regard this as personal data as the person:

    • can be identified or who are identifiable, directly from the information in question; or
    • who can be indirectly identified from that information in combination with other information

    Analytical data collected about the visitors to a website would also be classed as personal data if identifying information, such as the users’ IP addresses, were collected. This is because it is possible to trace an individual household through an IP address.

    Is a data controller an individual, organisation, or corporation, who decides the purposes and manner in which personal data is processed?

    Yes. The GDPR says that a controller is indicated if:

    1. We decide to collect or process the personal data.
    2. We decide what the purpose or outcome of the processing will be.
    3. We decide what personal data should be collected.
    4. We decide which individuals to collect personal data about.
    5. We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
    6. We are processing the personal data as a result of a contract between us and the data subject.
    7. The data subjects are our employees.
    8. We make decisions about the individuals concerned as part of or as a result of the processing.
    9. We exercise professional judgement in the processing of the personal data.
    10. We have a direct relationship with the data subjects.
    11. We have complete autonomy as to how the personal data is processed.
    12. We have appointed the processors to process the personal data on our behalf.

    Can data processor be held legally responsible for the processing of personal data undertaken for a data controller?

    No, since GDPR says “Individuals and supervisory authorities can hold both controllers and processors to account if they fail to comply with their responsibilities under the GDPR.”

    A call centre operator is engaged to provide customer services for another company. The call centre staff have access to the customer database in accordance with strict, written contractual arrangements. Is the call centre the data controller for the purposes of the GDPR?

    No, the call centre operator makes use of an existing customer database and therefore has no control over what data is collected or who the data is collected from. “If you exercise overall control of the purpose and means of the processing of personal data – i.e. you decide what data to process and why – you are a controller.”

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    Latest News

    School will probably re-start on 25.05.

    This week both European schools in Luxembourg are deciding should they reopen doors or not. As...

    Communication on the impact of COVID-19 outbreak in European Schools

    On 27.03.2020 another communicatoin was sent by the Secretary General of the European Schools, Mr. Giancarlo Marcheggiano. It has...

    Communication from the Secretary General 23.03.2020

    A communication from the Secretary General of the European Schools, Mr. Marcheggiano, with 2 accompanying documents. It is now...

    The challenges of a 21st-century education

    For several decades, the nuances of the teaching-learning process have guided the research work of social scientists. The different pedagogical approaches have...

    GDPR – practical examples 2

    Can a statutory authority discharge its obligations in regard to data protection by outsourcing the collection, storage and processing of personal...