Information Technology Centre

GDPR

Sins and commandments in data protection

Data protection was reformed with the General Data Protection Regulation.

Some sins against data protection

  1. Believing that IP addresses, hardware addresses or cookies are not personal data!
  2. Processing personal data without having a purpose for doing so!
  3. Transferring or granting access to personal data to third parties without a reason!
  4. Not informing data subjects about the processing when collecting data directly!
  5. Not documenting your own regular data processing!
  6. Not taking appropriate protective measures for personal data!
  7. Concealing data protection incidents!

Some data protection imperatives

  1. Encrypt personal data as far as the purpose of use permits!
  2. Critically check which personal data is really required for processing!
  3. Provide clear and transparent information!
  4. Seek advice from your data protection officer if you have any questions!
  5. Take a detailed look at the risks of your processing procedures!
  6. Design your processes with data protection in mind right from the start!
  7. Establish data protection rules of procedure or a data protection concept!


Data protection and information security are legally binding and must be consistently implemented and practised on a daily basis. In addition to documentation, clear responsibilities, technical and organisational measures and raising employee awareness are crucial.

The staff unit provides support with tried-and-tested recommendations that enable legally compliant and manageable implementation.

Enrolment process

  • Data protection information
  • Enrolment statutes

Recruitment process

  • Data protection information
  • Dealing with e-mail applications
  • Commitment to confidentiality and data protection secrecy

Portals such as intranet or learning platforms

  • Data protection information
  • Data protection-friendly default settings
  • Data security

Website

  • Updating the privacy policy
  • Privacy-friendly search
  • Restrained publication of employee data
  • Social media guidelines
  • Encryption
  • Review website analytics
  • Two-click solution for social media plugins

Providing sufficient resources to implement data security, in particular server rooms

Taking organisational measures

  • Data protection rules of procedure
  • House rules
  • Emergency plans
  • Contract management
  • Centralised comprehensive hardware and software asset management

Appointment of a committee to oversee implementation

Ensuring sufficient resources and competences for the data protection officer

Notification of the data protection officer to the responsible supervisory authority

Organisational and ultimate responsibility for data protection compliance

Establishing processes for the granting of data subject rights

Establishing processes for reporting data protection incidents

Organising and, if necessary, holding training courses and awareness-raising measures

Advice on all data protection issues for university members and lecturers as well as data subjects

Assessing data protection risks and selected remedial measures

Opinions on data processing agreements, processing activities and data protection impact assessments

Monitoring compliance with data protection regulations

Co-operation with the supervisory authority

Not:

  • Drawing up the records of processing activities
  • Carrying out data protection impact assessments

Demanding the implementation of data protection from the university management

(If required) Appointing a committee to monitor implementation in your area

Organisational and ultimate responsibility for your area with regard to data protection compliance

Specify or implement processes for reporting data protection incidents at the institution

Specify or implement processes for granting data subject rights within the organisation

Check applications for compliance with data protection

Provision of information and data for data subjects

Documentation of processing activities in a register

Involving the data protection officer and staff council

Implementation of data security

Clean desk

  • Locked office
  • Tidy desk
  • Switch off the PC after work
  • Activate screen lock when leaving the office briefly
  • Lock away documents with personal data after use

Dispose of paper and data storage media in accordance with data protection regulations

Report data protection incidents to at least your line manager

Comply with the golden rules of IT security

Obtain authorisation before using new services (line manager, data protection officer, purchasing department, staff councils)

Report IT security incidents to the system manager and IT support at the data centre

Ensuring compliance with data protection principles, in particular data minimisation: collect only the personal data that is actually necessary

Data protection guarantees if data is processed by a controller based outside the European Economic Area

Data protection guarantees if data is stored by a controller based outside the European Economic Area

Data processing agreements that fulfil at least the legal requirements