General Data Protection Regulation
Pursuant to Article 30 of the EU General Data Protection Regulation (GDPR) 2016/679, all activities involving the processing of personal data must be recorded in a record of processing activities.
The German-language data protection portal for Hamburg universities provides extensive data protection information regarding research. Article 30 (1)–(5) are particularly relevant for researchers and survey participants, and can be found here:
Article 30 GDPR: Record of processing activities
Record of processing activities
(1) Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer; b) the purposes of the processing; c) a description of the categories of data subjects and of the categories of personal data; d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations; e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49 (1) (2), the documentation of suitable safeguards; f) where possible, the envisaged time limits for erasure of the different categories of data; g) where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
(3) The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
(4) The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
(5) The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 (1) or personal data relating to criminal convictions and offenses referred to in Article 10.
Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679 (last updated: 20 November 2018)
Research and the data processing associated with it must be conducted in accordance to the GDPR. This requires 2 steps:
- Register your data processing activity using the online VVT+ form on the Sharepoint page of the information security officer of Universität Hamburg: http://uhh.de/rrz-vvt
- Fill out the risk analysis and documentation form, and keep it with your files so that you can present it to the information security officer on request.
You will find the most significant information on satisfying the legal data protection provisions, along with the documents to be filled out, on Universität Hamburg’s German-language integrated information security and data protection page.