Is the university ready for the GDPR?
Authors: Bruce Whitfield, Affiliate Professor for the CopyrightX Harvard course for Bulgaria, and Silvena Dencheva Yordanova, Associate Professor, Bulgarian Academy of Sciences
Is the university ready for the GDPR?
Authors: Bruce Whitfield, Associate Lecturer for the CopyrightX course of Harvard University, USA, for Bulgaria, and Silvena Dencheva Yordanova, Associate Professor, Bulgarian Academy of Sciences
Abstract. The GDPR is the new regulation that came into force on 25 May 2018. It concerns all organizations that gather personal data and has a major impact on learning institutions such as schools, colleges and universities. The paper presents the main issues concerning universities and hospitality organizations and their compliance with the GDPR. It highlights how universities and hospitality organizations can get ready for the GDPR. It also gives examples of hospitality organizations that do not comply with the GDPR and explains what the fines for non-compliance with the legislation are.
Abstract. The new regulation on the protection of personal data came into force on 25 May 2018. It affects all organizations that collect and process personal data. It has a very large impact on educational institutions such as schools, colleges and universities. The aim of this article is to present the main issues concerning the compliance of universities with the new requirements of the personal data protection law. The article sheds light on how universities and organizations in the hospitality sector can adapt their policies to the new regulation. The article contains examples of hospitality organizations that have not brought their practices into compliance with the new personal data protection law, as well as what the penalties for non-compliance with the legislation are.
The new regulation on data protection came into force on 25 May 2018. All organizations must now have adapted their policies and strategies to be in full compliance with the changes in the data protection rules. Many companies are avoiding the regulation or trying to escape from it, thinking that it does not concern them at all. However, it concerns every organization that gathers personal data. This means that it affects all kinds of businesses, from production to service industries, since all of them gather such data.
The paper focuses on the principles of the new regulation and how it affects institutions, using the examples of universities and hospitality organizations. The GDPR is the law that replaces the Data Privacy Directive of 1995 as the basis of European privacy law.
It affects all businesses that process personal data for specific purposes. In this regard, all schools, colleges and universities, hotels, tour operators, etc. that handle personal data and are located in EU countries are affected by the GDPR.
The main principle is that organizations do not own personal data. They merely use it, collecting it for legal and specific purposes, and they need the consent of the data subject or some other lawful basis for using it.
The main principles of the GDPR concerning personal data, according to Article 5, are:
- All personal data shall be used lawfully, fairly and transparently with respect to the data subject. This means that all data subjects (staff, students) should know what personal data the university stores about them. If the university gathers personal data, it must inform the data subjects of the legal purpose for collecting it.
- Exclusively for specific, explicit and legitimate purposes. Data subjects need to be kept informed that the university collects these data for specific purposes. Every time different information is to be collected from students or staff at the university, they must be informed of the purpose and the legal interest behind the collection.
- The collection of personal data by universities should be adequate and minimized. In other words, the university should collect the minimum of personal data about its students and staff, especially sensitive data.
- Personal data records should be kept up to date. It is strongly recommended that some personal data regarding staff, for example data on prospective staff (CVs, resumes, reference letters of applicants), be deleted or minimized;
- Personal data should be retained no longer than necessary. The university should inform the data subjects what data is collected and for how long it will be kept. Otherwise data subjects have the right to object to universities or other organizations on the grounds that their personal data is not being protected.
- Data must be protected with appropriate security measures. Universities should provide adequate protection of personal data so that it cannot be hacked or accessed by third parties without the consent of the data subjects.[1]
Who are the data subjects, according to the GDPR?
The data subjects in the case of universities are:
- All students (bachelor, master and doctoral level): prospective, current and alumni;
- Employees (potential, current and former);
- Agents (partnering universities and other institutions to whom data is transferred for specific legal purposes).
What is meant by personal data? According to the GDPR, personal data is any information relating directly or indirectly to a natural person. This means that personal data includes:
- Information that identifies the person, such as name, telephone, address, marital status, gender, nationality, passport ID, place and date of birth;
- Sensitive personal data. This is regulated more specifically, as it concerns religion, sexual orientation, health data, political orientation, racial origin, etc. The university is better off avoiding the collection of such sensitive data.[2]
- Anonymous personal data. Data in which the data subject cannot be identified.
- Pseudonymous personal data. Data in which the identity of the data subject is protected by encryption or replaced by a pseudonym. The GDPR encourages the encryption of personal data. For example, the link between staff members' names and the bank accounts to which their salaries are transferred should be encrypted.[3]
The GDPR places great importance on the data subject's rights. The data subject, who in the case of a university can be a student, a staff member or a faculty member, has the following rights:
- Right to access personal data. The university should be able to give data subjects immediate access to their data;
- Right to edit personal data;
- Right to be forgotten upon request. If a student withdraws his documents from the university upon graduation, he has the right to be forgotten, so that his personal data will be deleted;
- Right to restrict or to object. If a student does not want to receive a newsletter from the university, she has the right to object. In this case, the university should provide opt-in and opt-out options for the data subject;
- Right to transparency, or to refuse automated decision making.
The main focus of GDPR is processing of personal data based on the consent of the data subject. To the extent possible, the data subject should be asked to give consent. The consent is an agreement between the data subject and the university in this case. The consent must be:
- Freely given. The university must ask the data subject for consent before any use of personal data.
- Specific. Any time the university processes personal data, it must ask for consent for the specific purpose. To rely on explicit consent for special categories of personal data, the same basic requirements apply as for consenting to the processing of regular personal data.[4]
However, the requirements for explicit consent extend beyond that, which means that implied consent is not acceptable and the 'clear affirmative actions' that meet the requirements for ordinary consent are not sufficient. The major difference is that 'explicit' consent must be affirmed in a clear statement.
By explicit consent is meant:
- A signature from the data subject;
- A tick in an unchecked box by the data subject to say 'I consent';
- An oral statement 'Yes, I agree'.
Even in a written context, not all consent will be explicit.[5]
The next element of personal data processing is the Data Protection Officer (DPO). This is the person hired by any organization that operates with records of personal data. The DPO is responsible for ensuring compliance with the GDPR. The DPO can be an internal leader of the company or an external consultant. The DPO consults with the management team and acts as the link between the organization and the Commission for Personal Data Protection. Larger organizations, public authorities, and hotels or hospitality organizations processing more than 10 000 records of personal data are obliged to hire a DPO. In order to avoid conflicts of interest, the DPO role can be outsourced.
The GDPR is the first attempt to comprehensively codify personal data as a new form of intellectual property. In the age of the GDPR, all personal data should be thought of, and treated as, intellectual property. Just as with other forms of IP, a legal basis is required to use that IP, such as permission of, or a contract with, the owner.
In addition to the consent basis for processing discussed above, there are a number of other bases which may be more useful for other types of organizations and businesses. These other bases will be discussed here in the context of their applicability to the hospitality industry.
Processing of personal data presents some unique difficulties for individuals and businesses operating in the hospitality industry sector. The majority of the discussion about the GDPR revolves around consent based processing and it is the basis most commonly used, since it provides for the broadest use of personal data. However, for processors in the hospitality industry, such as hotels, consent provides a problematic basis for processing.
For example, hotels in most member states of the EU are required to collect and maintain a wide variety of data. If a guest chooses to stay at a hotel, information is usually collected on identity, date of birth, permanent address, etc. Once the guest registers, consent for the processing of this data cannot be revoked and the guest does not have the right to be forgotten, at least until the statutory requirements for the processing have expired.
In addition, if consent is the sole basis for processing, ease of revocation is a requirement for continued processing. It must be as easy to revoke consent as it was to give it, and in general, a data subject should be able to revoke consent in the same manner it was given. However, since data is often collected at a hotel at the front desk upon check in, it would be impractical to require a guest to return to the hotel to revoke consent.
For these and a number of other reasons, consent is an impractical basis for much of the data processed by the hospitality industry. Fortunately, Article 6[6] provides several other bases for processing, some of which are better suited to the processing requirements of hotels and similar businesses. We will discuss three of those bases in depth here because of their relevance.
Section 1 of Article 6 states that:
Processing shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Subsection (a) provides the basis for data processing based solely on consent. It is the most often used, since it allows for any type of processing.
Subsections (b) through (d) provide the three other bases which will be discussed in further detail.
- Subsection (b) provides for processing based on performance of obligations under a contract. Examples might include processing a guest’s credit card information or saving personal data in order to hold a room reservation.
- Subsection (c) provides for processing based on a legal obligation with which the controller must comply. A typical example would be the collection and maintenance of personal data regarding hotel guests in order to comply with national legislation.
- Subsection (d) provides for processing of data for the benefit of the data subject, or for the benefit of a third person. An example would be the use of security cameras in hotels, and video footage maintained by hotels for security purposes.
It should be noted that none of the above bases relieves a data processor of any of the general obligations imposed by the GDPR: mandatory disclosure to the subject that data is being collected, the necessity of a legitimate purpose, the requirement to have a DPO, etc. These obligations were discussed in detail in the introductory section above and still apply even if subsection (a) is not the basis for processing.
Under Article 4, a ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
A controller has a duty to make sure that processors comply with all GDPR requirements and that data is being processed in complete compliance with the controller's policies.[7]
For example, Airbnb would be considered a controller for any processing of personal data for users of their service. A property owner who rents an apartment to a guest through Airbnb could be considered a processor, and Airbnb would still be responsible for making sure that the property owner complies with the GDPR and Airbnb’s policies.
Personal data is often transferred by a controller to other parties in order to provide rooms, transport or other services, but the controller is nonetheless responsible for all compliance as long as the third party is processing the information at the direction or request of the controller.
For the Performance of a Contract
Data processing is permissible where "necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract." However, necessity is strictly interpreted and the processing must be absolutely instrumental to the contract. Furthermore, all processing must be disclosed to the data subject, and the purpose of the processing must be clear and concise in order for the contract to be binding.[8]
Even if the processing is instrumental to the contract, there are still a number of pitfalls about which the parties must be concerned. For example, any international transfer of data must receive an "adequate level of protection" in the foreign country. Under the Data Privacy Directive of 1995 (Directive 95/46/EC), international transfers could be made pursuant to a number of available derogations (exceptions). However, the GDPR restricts the use of these derogations to situations where the transfer is absolutely necessary and no other measures are available.[9]
In addition, all disclosures pursuant to a contract must be in clear and plain language in order for any consent to be valid.[10] Processors must also consider the possible consequences of any intended further processing and the existence of appropriate safeguards.[11]
Furthermore, processing in excess of what is needed for contract performance would be a violation. For example, hospitality industry businesses routinely share data with affiliates in order to enable them to suggest services to the customer. Such processing would invalidate the contract unless there is prior disclosure.[12]
Despite these restrictions, contract based processing would allow much of the data collected by hotels to be processed and maintained.
Compliance with a Legal Obligation
For processing to be legitimate under this category, there must be a specific legal requirement binding on the controller. However, only processing of data necessary for compliance with the legal obligation is allowed.
This would be very useful for hotels, allowing them to maintain significant information related to guests at the hotel. However, it would not allow the hotel to use the data for marketing purposes and it would not allow them to process data unrelated to the legal obligation, such as the marketing preferences of the guest.
Benefit of Data Subject or Third Party
This category allows for much more extensive processing than compliance with a legal obligation. Benefit of the data subject could allow for processing of payment information, transfer of data to third parties for hospitality services, and a wide variety of other purposes. In addition, the use of data for such tasks as payment processing through a bank card would trigger legal obligations which would allow for further processing and for maintaining the data.
It could also be used to address one of the most difficult areas for the hospitality industry: security cameras. As long as there is full disclosure regarding the processing, the use of cameras and recordings for the purpose of security would be justified under this category. This would cover most of the on-premises security cameras used at hotels, resorts, etc.
However, a problem would arise when the cameras are being used for the benefit of the controller instead of other persons, and where the recording is done surreptitiously. For example, property owners providing vacation rentals to guests through Airbnb’s services, or brokers such as booking.com, often use security cameras to ensure that the premises are not damaged by the guests. Such processing is not done for the benefit of the data subject, or a third person, but for the benefit of the processor. In addition, such cameras are often used by property owners without the guests’ knowledge or consent.
As controllers, Airbnb and Booking.com are required to ensure compliance with the GDPR and the controller’s policies. If property owners use such cameras without disclosure, this would be a clear violation of the GDPR. Furthermore, it could possibly invalidate the contract, rendering processing of data pursuant to the contract illegitimate. “Spying” on guests, whether for marketing purposes or in order to ensure compliance with company rules, should be eradicated or organizations will be subject to crippling penalties under the GDPR.
Despite these restrictions and the potential pitfalls, these three categories would permit processing of most of the personal data needed by hotels. Identity, addresses, nationality, phone numbers, security camera footage, and a variety of other information could be collected and maintained. A guest would not be able to revoke consent or ask for the information to be deleted until all legal obligations and requirements for contract performance had expired.
Of course, information such as data obtained for marketing purposes would not be essential under any of these three bases: contract, legal obligation, or benefit of the data subject. Any data which does not qualify for treatment under one of those bases would have to be separated out and treated differently. The only basis for processing such data would be pure consent and, as such, it would be subject to the rules on consent described above.
Unfortunately, many data processors wrongly believe they are in compliance with the GDPR. They have read an article or watched a tutorial about it and have been lulled into a false sense of security. The GDPR regulations are extremely complex and the generally available instructional materials are woefully misleading about compliance.
For example, most of the YouTube videos are only five to ten minutes long and discuss only consent-based processing. They do not give an accurate picture of the strict requirements applicable to all processing of data, nor do they discuss the other bases for processing. Transfer of data to countries outside the EU, for instance, is a particularly complex topic and compliance is extremely difficult. Fines for non-compliant transfers of data can be up to twenty million euros or four per cent of the worldwide receipts of the organization.[13] The public tutorials do not even mention the issue.
Articles 78-83 impose a wide variety of penalties on controllers and processors who are not in compliance. Article 83 imposes fines of up to ten million euros or two per cent of worldwide revenues for most violations, and fines of up to twenty million euros or four per cent of worldwide receipts for the more egregious violations. In addition, a controller is liable for damages caused by any processing which infringes the regulation.[14]
Under Article 79, data subjects whose rights have been violated have the right to bring a lawsuit against the infringer. Member States must provide the mechanism for such suits, as "proceedings against a controller or a processor shall be brought before the courts of the Member State." To date, little attention has been given to these particular provisions, but as more Member States provide the required procedures for such suits, litigation against infringers will undoubtedly proliferate.
Introduction of the new policies can and should be done only with the support of management, stakeholders and employees. In this regard, it is mandatory that training is provided to them. They must be introduced to the new obligations resulting from the regulation, as well as to their responsibilities for protecting personal data. These include the possibility that they may commit criminal offences if they deliberately try to access or disclose these data without authority; the danger of people trying to obtain personal data by deception (e.g. by pretending to be the individual whom the data concerns), which requires enabling staff to recognise 'phishing' attacks, or by persuading staff to alter information when they should not do so; and the restrictions placed on the personal use of the organization's systems by staff.[15]
References
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union, Vol. L119 (4 May 2016), pp. 1-88.
- Pedro, Filipa Carmo (2016). Privacy in the Smartphone Age. Master's thesis, Tilburg University, p. 35.
- Pedro, Filipa Carmo (2016). Privacy in the Smartphone Age. Master's thesis, Tilburg University, p. 40.
- Alston & Bird (2018). Roadmap to the GDPR: International Data Transfers. https://files.alston.com/files/docs/Roadmap-to-the-GDPR-International-Data-Transfers.pdf, p. 16.
- Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union, Vol. L119 (4 May 2016), pp. 1-88, Article 7, section 2.
- Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union, Vol. L119 (4 May 2016), pp. 1-88, Article 6, section 4.
- Pedro, Filipa Carmo (2016). Privacy in the Smartphone Age. Master's thesis, Tilburg University, p. 56.
- Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union, Vol. L119 (4 May 2016), pp. 1-88, Article 83.
- Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union, Vol. L119 (4 May 2016), pp. 1-88, Article 82.