Europe has made a clear statement in our rapidly changing world through the adoption of the GDPR. The current speed and scale in which personal data is collected, shared and linked calls for measures to protect our privacy. We share more and more data with organisations and companies, and oftentimes without being aware of the impact to our privacy. The GDPR compels us to think about this, both in our private lives and at work. The GDPR uses a number of principles to ensure the protection of personal data:
Ask yourself whether there is a legal basis for processing personal data.
Only process personal data that is strictly necessary for the purpose for which the processing is intended. Do not process personal data for a purpose other than that for which you requested/received them in the first place. If you still want to use them for another purpose, you will have to determine again whether you have a basis for this (e.g. consent).
Inform the persons concerned about the processing of his/ her data and why you are doing so. To do so, use simple and clear language in communicating this, and ensure that the information is correct, complete, clear and understandable. Many of TU Delft's activities are already communicated via the privacy statement on www.tudelft.nl. If your activity is not included in the statement, you can create a privacy statement which include the following information:
- The contact details of the person involved in case of questions or complaints;
- The (categories of) personal data that are processed;
- The purpose(s) for which you are going to use the personal data;
- Legal basis (e.g. consent);
- Who has access to the data and/or with whom the data is shared;
- Whether there is a transfer of personal data to countries outside the EEA (e.g. if a cloud application runs with a US supplier, such as Google or Amazon).
- Data retention period;
- The rights of data subjects (e.g. right of access, right of rectification, right to be forgotten, right to object);
- Whether there is automated decision-making or profiling.
- When in doubt, consult the privacy team via firstname.lastname@example.org);
Use clear and simple language in communicating with data subjects about the processing of their data. Make sure that the communication is correct, complete, clear, understandable and accessible to the data subject. The information must provide insight into:
- The purpose of the processing;
- The legal basis of the processing;
- Who are the recipients of the data;
- What the retention period is;
- Whether there is data transfer outside the EEA;
- What are the rights of the persons concerned;
- Whether there is automated decision-making;
- Who can be contacted for information.
Process only personal data that is necessary and relevant to achieve a purpose.
Do not retain personal data longer than is necessary for the purpose for which it is intended. Once you achieve the purpose and the data is no longer relevant, delete or obstruct the data. Do keep in mind that some data retention periods are determined by law, for example in the Archives Act or tax legislation. You may not keep a CV longer than four weeks after the end of the application procedure. With the consent of the person, you may keep a CV for a maximum of one year.
Ensure that others do not have access to personal data and to the hardware and software used for processing. Make sure that you have authorisation management (access provisioning rights) in place. Security tips and tricks:
- Do not put personal data on unsecured USB sticks.
- Dispose of hard copy documents using special containers. You can find such a container in every department.
- Keep your workstation/office tidy.
- Lock your PC when not in use.
- Use a secure network, such as Eduroam. Eduroam is the secure network of all Dutch universities. When a connection with Eduroam is not possible, then connecting to your own mobile hotspot is a safe alternative.
- Send work mail via your TU email. Do not use Hotmail, Gmail or Yahoo.
- Use BCC instead of CC. When you distribute e-mail addresses, you share personal data. Using BCC instead of CC will help you prevent unnecessarily distribution of e-mail addresses among the addressees.
- Enter into a data processing agreement with third parties that have access to TU Delft's personal data. For this purpose, use the TU Delft template of a processing agreement.
Do not store personal data in an application which has not been approved by the organisation, such as WeTransfer and Google Drive. Instead, use Surffilesender and Surfdrive (available for employeestypo3/). These applications are also suitable for sharing data with external parties. Ask your faculty IT manager for help setting up an account.
Avoid data transfers outside the European Economic Area (including in the cloud!).
Ask the privacy team for an advice. When purchasing new systems or cloud applications, check whether a DPIA (Data Protection Impact Assessment) is required by carrying out the pre-screening.
A data breach means that personal data has been lost, or that an unauthorized person potentially has access to the personal data. For example, the loss of a laptop or USB stick, an e-mail sent to the wrong person or authorisations that have not been properly arranged.
A data breach is not only IT-related: Losing a paper file including personal data, for example, is also a data breach. Immediately report a (potential) data breach via email@example.com.