The GDPR and Higher Education #3: Lawful Data Processing and Data Rights

As we discussed in our first and second blog posts, higher education institutions — including those in the United States — are impacted by the forthcoming European Union’s General Data Protection Regulation (“GDPR”).  We continue our conversation in this post, focusing on the actual processing of data and the rights of data subjects.

Lawfulness of Processing

The GDPR sets out six (6) possible legal bases for the processing of ordinary data.  Art. 6.  For universities, the two key bases are: (1) the consent of the data subject; and (2) what is necessary for the performance of a contract with the data subject. Each bases will be addressed below.

Before delving into the possible legal basis for processing data, it is important to note that the GDPR introduces and emphasizes key data management principles including transparency and accountability.  Art. 5.  The GDPR also emphasizes data minimization:  the practice of collecting the least amount of data needed to perform the task, action or service for which the data was initially collected.  Art. 5(1)(c).  Further, when data is collected for a lawful purpose under Article 6, it cannot be used for another purpose without finding another legal purpose for so doing. Art.5(1)(b).

It should be noted that processing of “special categories of personal data” is prohibited unless one of the enumerated exceptions under the GDPR applies.  Art. 9.  “Special categories of personal data” includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.  Art. 9(1).

Consent of the Data Subject

Data may be processed under the GDPR if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Art. 6(1)(a).  Consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”  Arts. 4(11); 7(2-3).  Further, if the consent is given via a written declaration that concerns more than one matter, the request for consent must be “in an intelligible and easily accessible form, using clear and plain language.”  Art. 7(2). The GDPR also expressly requires that “[w]here processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”  Art. 7(1).

Universities will need to assess when consent is obtained from data subjects who are giving data to the universities, and whether they have the proper mechanisms to document that consent (both from an administrative and technical perspective).   Further, these mechanisms need to include the ability of a data subject to withdraw consent, and for that withdrawal to be implemented across any data controllers’ and processors’ data systems.  Art. 7(3).

Necessary for the Performance of a Contract with the Data Subject

Data processing is permitted if the “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”  Art. 6(1)(b).  Universities enter into a variety of different types of contracts with EU data subjects:  to provide education, academic opportunities, employment, etc.  The collection of personal data, for the performance of a contract, will allow the university to collect data on the EU citizen, such as applicant information.  However, universities will need to assess when this mechanism for processing data applies and ensure that the proper documentation is in place to show compliance.

Data Subject Rights

One of the most influential aspects of the GDPR is its enumeration of many rights associated with data; rights that have the full protection of the laws and court judgments within the European Union.  While some of these rights have already been developed through prior Court of Justice decisions (i.e., the right “to be forgotten” under the Google v. Spain decision), others will see expansion and broader enforcement under the GDPR.

The GDPR lays out the following rights for data subjects:

  • Right of access by the data subject (Art. 15);
  • Right to rectification (Art. 16);
  • Right to erasure (‘right to be forgotten’) (Art. 17);
  • Right to restriction of processing (Art. 18);
  • Right to data portability (Art. 20);
  • Right to object (Art. 21); and
  • Right not to be subject to a decision based solely on automated processing (Art. 22).

The GDPR requires data controllers to provide information related to data processing to data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”  Art. 12(1).  The GDPR requires that certain information be proactively provided to the data subject when personal data is collected, including identity and contact of the data controller, the purposes for the processing of the data, and the period or criteria for the duration of the data storage.  Art. 13 (1 – 2).  Even if the data controller is not obtaining the personal data from the data subject, the data controller still has an obligation to provide the data subject with certain information.  Art. 14.  Further, if a data controller receives a request related to any of the rights under the GDPR, it must provide information related to any action taken “without undue delay and in any event within one month of receipt of the request.”  Art. 12(3).

It is important for a university to recognize that these rights exist, and it must be prepared to act in an efficient manner to meet any requests of the data subjects.  Further, the university should be aware of all of the information that it must proactively provide a data subject at the time of the data collection to ensure that it is meeting the requirements of the GDPR. Finally, this information must be reviewed regularly to account for any administrative, legal, or technological changes.   Privacy is a fundamental right in Europe; as such, the rights enumerated in the GDPR need to be taken seriously at all stages of collection, processing, and storage.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.