Data protection and its safeguarding are key concerns for TU Wien, with any information relating to an identified or identifiable individual (‘data subject’) particularly worth protecting. These include address details, email addresses, date of birth, social security number, student registration number, as well as examination data and salary information.
GDPR is coming into force
While regulations on protecting personal data have until now predominantly been part of national data protection laws, the EU General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. This regulation will introduce uniform rules for the ways in which companies and public bodies process personal data across the whole of the EU. The application of the GDPR will result in stricter legal requirements for information security, IT security and data protection at TU Wien. It will also lead to significant increases in both liability risks and severity of punishment in the event of any breach of statutory obligations. TU Wien is using the GDPR as an opportunity to implement uniform data protection guidelines across the university via technical data security measures and organisational provisions. In order to do so, the university launched a project in the spring of last year focusing on the provisions of the GDPR so as to provide legal certainty for TU Wien in the area of data protection. The aim of the project is to implement the legal guidelines for data protection in a workable way and, in doing so, to create added value for the everyday handling of personal data. The Rector's Office at TU Wien adopted a corresponding data protection policy and data protection organisation structure in January, which will be available in the near future on www.tuwien.ac.at/files (page not yet active).
Who handles what?
As a result of the GDPR, TU Wien is obliged, among other things, to keep a record of all the processes in which personal data is handled, known as the ‘record of processing activities’ (Verzeichnis der Verarbeitungstätigkeiten – VdV). The VdV is an essential cornerstone of GDPR compliance, particularly in terms of observing evidence and accountability obligations, (prompt) fulfilment of the rights of those affected, and data protection impact assessment. The directory will keep a record of all activities involving the processing of personal data. The project team is currently focussing its efforts on drafting the VdV, collecting and carefully recording all processing activities relating to personal information. The team's knowledge and valuable insight into the data and processes of the individual organisational units, and TU Wien in general, have provided invaluable support on this project and will continue to do so.
Assistance and training
An e-learning course on GDPR is being developed in cooperation with other universities within the framework of the IG Data Protection Association and should be available in April 2018. Supplementary in-depth training courses are also scheduled for data protection coordinators, while guidance and assistance on protecting personal data in daily working life will be provided for all TU Wien staff. These will be made available in good time in advance of the GDPR coming into force.