
GDPR - General Data Protection Regulation


The General Data Protection Regulation (GDPR) is a European regulation on privacy rights. It entered into force on 25 May 2018.

Personal data = any information relating to an identified or identifiable natural person (article 4 GDPR).

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, social … identity of a natural person (article 4.1).

Indirect identifiers, or combinations thereof, may also lead to identification and are therefore also personal data (Idem).

NB: the rules for personal data protection do not apply to deceased persons.

Personal data processing = any operation carried out on personal data.

This broad concept covers data collection as well as their recording, organisation, modification, transfer, storage, use, consultation, disclosure, destruction, etc. (article 4.2).

Some personal data are classified as "sensitive" or "special":

Sensitive data = data relating to racial or ethnic origin, political opinion, philosophical or religious beliefs, trade union membership, genetic and biometric data, health data and sex life or sexual orientation.

In principle, the processing of such data is PROHIBITED except in the case of limited exceptions (listed exhaustively in Article 9 of the GDPR). One of these conditions is scientific research, provided that it is accompanied by appropriate safeguards (Articles 9 and 89 of the GDPR).

The processing of sensitive data may only take place if the following two conditions are met:
- the processing is validly based on one of the legal bases specified in Article 6 of the GDPR (see below);
- one of the exceptions mentioned in Article 9 of the GDPR applies to the processing in question.

Anonymous, anonymised and pseudonymised data:

Data is anonymous when it cannot or can no longer be linked to an identified or identifiable person by anyone.

Pseudonymisation means that personal data can no longer be attributed to a specific person without additional information (art. 4.5.)

Anonymous or anonymised data are not covered by the GDPR. However, pseudonymised data is covered by the GDPR! This is because the de-identification is reversible: identifying data subjects is still possible, just more difficult.

How to assess whether your data contain personal data? Check here!

(Illustration : The Turing Way Community, & Scriberia. (2020). CC-BY 4.0. Zenodo. https://doi.org/10.5281/zenodo.4323154)

Principles to respect when processing personal data (article 5 GDPR):

  • Lawfulness, fairness and transparency: with a legal basis (cf. infra); not obtained or processed unfairly or by deception; specific information is provided to data subjects;
  • Purpose limitation (finality and proportionality): collected for specified, explicit and legitimate purposes. The purpose is clear and unambiguous;
  • Data minimisation: relevant and limited to what is necessary for the purposes;
  • Accuracy: data must be accurate and, where necessary, kept up to date without delay;
  • Storage limitation (limited retention): data may not be kept in a form which permits identification of data subjects longer than necessary for the purposes;
  • Integrity and confidentiality: ensure appropriate security of data; protect them against unauthorised or unlawful processing and against accidental loss, destruction or damage by means of appropriate technical or organisational security measures (in particular: encryption, anonymisation, pseudonymisation, ...);
  • Responsibility / Accountability: you must be able to demonstrate that all these principles have been respected in the processing of personal data.

Processing is lawful (legal bases) if it meets at least one of the following conditions (article 6):

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party or for the performance of contractual measures taken at the request of the data subject; 
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest;
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child.

In order to be implemented, all data processing must be based on one of these legal bases. In research, the legal bases "public interest", "consent", and to some extent "legitimate interest of the controller or a third party" are usually most suitable (Utrecht University - Data Privacy Handbook: legal bases).

The rights of the data subjects:

Persons whose personal data is processed have different rights (articles 12-23):

  • Right to information (know how your data is used)
  • Right of access (access your data)
  • Right to rectification (correct, complete)
  • Right to erasure/to be forgotten
  • Right to restrict processing
  • Right to data portability (retrieve and reuse your data)
  • Right to object (refuse the use of your data)

You have to provide data subjects with a contact point where they can exercise their rights. You can use a generic or named address.

In a research context, certain rights may be restricted in well-defined circumstances, namely where the exercise of those rights is likely to make impossible or seriously compromise the achievement of the research objectives.

How long can data be kept?

The storage limitation principle of the GDPR requires that personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Afterwards they have to be removed.

Personal data may be stored for longer periods of time provided they are processed solely for the purpose of scientific research and:

  • the research objectives can be reached via processing that does not allow or no longer allows for the identification of the persons concerned;
  • appropriate safeguards exist (technical and organisational measures).

Record your personal data processing activities:

The GDPR requires that the processing of personal data within UCLouvain be documented and recorded in a processing activities register.

Data Protection Officer (DPO):

If you have any questions about the GDPR, please contact Michèle Remy, GDPR Delegate at UCLouvain: privacy@uclouvain.be

(Sources: UCLouvain, Vade mecum on the application of the GDPR and its framework law in the field of research; Utrecht University, Data Privacy Handbook)

Consent is not always required. However, when consent is the basis of the lawfulness of the processing, it must be freely given, specific, informed and unequivocal. It must be a clear affirmative act. There can therefore be no consent in cases of silence or inactivity.

The best time to request for consent is before the data are collected. The data subject may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent carried out prior to the withdrawal.

Note that minors cannot legally give their consent to the processing of their personal data. 

When using consent, you should be able to demonstrate that the data subject was informed and has given consent, and for which purpose(s) they gave their consent (Utrecht University - Data Privacy Handbook: legal bases).

Source: UCLouvain Vade mecum

More information about consent:
- Data Privacy Handbook;
- CNIL (in French)

Informing the people whose data is being processed is one of the fundamental principles of the GDPR. It is always required, for all legal bases (so not only when you use informed consent).

The information you provide should be: clear and understandable, easily accessible, via multiple channels (when appropriate) and layered (when appropriate).

The GDPR distinguishes between the information to be provided when personal data is collected directly from the data subject (primary data) and that to be provided when personal data has not been collected from the data subject (secondary data, reuse) (articles 13 and 14).

If you collect personal data directly from the data subject (whether through a questionnaire, survey or interview, ...), you must provide the following information:
- identity and contact details of the controller or his or her representative;
- contact details of the data protection officer, if there is one;
- the collected data;
- the purposes of the processing for which the personal data are intended; 
- the legal basis;
- recipients of the personal data, if any;
- possible transfer to a third country or an international organisation;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the data subject's rights (the rights of access, rectification, erasure, restriction of processing, objection, portability, right to withdraw consent at any time);
- the right to lodge a complaint with the supervisory authority;
- the existence of automated decision-making.

This information must be provided at the time the personal data is obtained.

If the personal data you are using in your research have not been collected directly from the data subjects (i.e. you reuse personal data from another source), you must inform them, within a month after obtaining their data, of this processing and of the source from which you obtained it. There are, however, some exceptions to this information requirement in the case of further processing (art. 14.5 and rec. 62).

(Sources: UCLouvain Vade mecum; Utrecht University Data Privacy Handbook)

Pseudonymisation:

The process of replacing a person's direct identifiers (first name, last name, etc.) with indirectly identifying information (alias, file number, etc.). Pseudonymisation is a security measure or safeguard that reduces the linkability of your data to your data subjects.


Pseudonymisation is a reversible measure. This is why pseudonymised data remains personal data. Their processing remains subject to the obligations of the GDPR.

Anonymisation:

The process of removing all identifying information about a person from a dataset. Anonymisation is an irreversible measure. Anonymised data are no longer personal data. Therefore, they are no longer subject to the GDPR.

European data protection authorities define three criteria for checking whether a dataset is truly anonymous: individualisation, correlation and inference must no longer be possible (CNIL, our translation).

Be aware that anonymisation involves a loss of information. It limits the future use of the data. These constraints must be considered from the beginning of the project. However, data anonymisation is a key process for open data: it opens possibilities for reusing data that were initially prohibited due to the personal nature of the data used (Idem).

In practical terms:

There are several techniques to pseudonymise and anonymise data. In France, the CNIL (the French data protection authority) lists different techniques:

- Pseudonymisation: techniques based on the creation of basic pseudonyms and those based on cryptographic techniques (encryption);
- Anonymisation: randomisation and generalisation techniques.

Amnesia is a free, open-source solution proposed by OpenAIRE.
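As an added illustration (not code from the original page, the CNIL or DoRANum), the following Python script, with constructed records of fictitious people, shows the two CNIL categories side by side: a cryptographic pseudonym (keyed hash plus the separately held alias table that makes it reversible, i.e. the "additional information" of art. 4.5) and generalisation-based anonymisation, together with a check for the individualisation criterion (records whose combination of indirect identifiers is still unique). The column names and the key value are assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictitious people); the columns are an assumption.
RECORDS = [
    {"name": "Alice Martin", "postcode": "1348", "birth_year": 1985, "diagnosis": "asthma"},
    {"name": "Bob Dupont", "postcode": "1348", "birth_year": 1989, "diagnosis": "flu"},
    {"name": "Carla Peeters", "postcode": "1050", "birth_year": 1962, "diagnosis": "flu"},
    {"name": "Dirk Janssens", "postcode": "1341", "birth_year": 1983, "diagnosis": "asthma"},
]

# Secret key for the keyed hash (constructed); it must be stored apart from the dataset.
PSEUDONYM_KEY = b"constructed-project-key"


def pseudonymise(records, key):
    """Replace the direct identifier (name) by a keyed-hash pseudonym (HMAC-SHA256).
    Returns the pseudonymised records and the alias -> name table, i.e. the
    'additional information' of art. 4.5 that makes the measure reversible."""
    lookup, out = {}, []
    for rec in records:
        alias = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[alias] = rec["name"]
        out.append({"alias": alias, **{k: v for k, v in rec.items() if k != "name"}})
    return out, lookup


def anonymise(records):
    """Drop the direct identifier and generalise the indirect ones
    (postcode -> first two digits, birth year -> decade). No table is kept,
    so the transformation cannot be reversed."""
    return [{"region": r["postcode"][:2], "birth_decade": r["birth_year"] // 10 * 10,
             "diagnosis": r["diagnosis"]} for r in records]


def singled_out(records, quasi_identifiers, k=2):
    """Return the records whose combination of indirect identifiers occurs fewer than
    k times: those persons can still be individualised, so the data are not anonymous yet."""
    def combo(rec):
        return tuple(rec[q] for q in quasi_identifiers)
    counts = Counter(combo(rec) for rec in records)
    return [rec for rec in records if counts[combo(rec)] < k]


if __name__ == "__main__":
    pseudo, table = pseudonymise(RECORDS, PSEUDONYM_KEY)
    print(pseudo[0]["alias"], "->", table[pseudo[0]["alias"]])  # reversible with the table
    print(singled_out(anonymise(RECORDS), ("region", "birth_decade")))  # one person still unique
```

The last line shows why generalisation alone is not enough: one record still has a unique region/decade combination and would need further generalisation or suppression before the data could be treated as anonymous.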

Source:
DoRANum, https://doi.org/10.13143/SJQQ-HC40 (our translation)

More information:
- Utrecht University, Data Privacy Handbook
- AEPD, 10 misunderstandings related to anonymisation