Data Protection Obligations of the University
The GDPR places direct data processing obligations on businesses and organisations at an EU-wide level. According to the GDPR, an organisation can only process personal data under certain conditions. For instance, the processing should be fair and transparent, for a specified and legitimate purpose, and limited to the data necessary to fulfil this purpose. It must also be based on at least one of six legal grounds (bases).
As a university, UCD needs to collect and use personal data (information) about its staff, students and other individuals with whom it comes into contact. The purposes for which UCD processes data include the organisation and administration of courses, examinations, research activities, the recruitment and payment of staff, compliance with statutory obligations, etc.
The University acts as ‘Data Controller’ where UCD faculty, staff, or other individuals representing the University have a high degree of control over the ‘why’ and ‘how’ of the personal data processing. As Data Controller, the University automatically takes on full responsibility for who it shares the data with, including assessing in advance whether such sharing might put personal data at risk.
Additionally, if UCD, as data controller, decides to avail of the services of an external third-party supplier/provider, i.e. uses a ‘data processor’ that operates under strict instructions of UCD, UCD takes on responsibility for the processor's GDPR compliance as well. The law requires that UCD clearly sets out such a relationship in a controller-processor contract.
Note: All faculty, staff, or students of UCD who independently, i.e. in a non-UCD capacity, collect and/or control the content and use of personal data are individually responsible for compliance with the legislation for those data sets.
Compliance with GDPR and its accountability requirements needs comprehensive, business-specific documentation, both internal and external, about how personal data are collected, processed, and stored by the organisation. Accountability demonstrates that the organisation takes GDPR and the privacy rights of individuals seriously.
Failure to comply with data protection legislation can have very serious consequences. Apart from damage to the University’s reputation, substantial fines can apply. In addition to fines levied by the Data Protection Commission, under GDPR an individual, i.e. a data subject, has the right to take legal action against an organisation and its members for failing to comply with GDPR.