Handling personal data within Ghent University

What is GDPR?

The GDPR is the abbreviation for the General Data Protection Regulation. This is the new privacy legislation that has been in force since May 25, 2018. The GDPR modernises privacy legislation and creates a uniform European legislative framework. It gives citizens/data subjects more control over the way their personal data is processed. The GDPR requires organizations to be transparent and accountable to citizens/data subjects about how and why they process personal data.

In addition, EU Member States may legislate for certain parts of the GDPR, such as for the exceptions to the rights of data subjects. For example, in Belgium, the Law on the protection of natural persons with regard to the processing of personal data was published in the Belgian State Gazette on 5 September 2018.

At Ghent University, the requirements of the GDPR have been translated into the Generic Code of Conduct for the Processing of Personal Data and Confidential Information and into the Regulations for the Correct Use of Ghent University's ICT Infrastructure.

What is personal data?

Personal data is any data relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly.

Some examples of personal data are: name, address, e-mail address, photo, ID number, IP address, employee number, private or professional telephone number, login details, identification cookies, account number, resume, log data (including cafeteria, parking use, web use, surfing use), camera images, personnel files, salary data, professional expenses, and so on.

Special categories of personal data (sensitive personal data) are personal data that includes information about race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a person's sex life or sexual orientation. If this information becomes publicly available, for example as a result of a data breach, this can have very adverse consequences for the data subjects.

Data of deceased persons, legal entities or animals fall outside the scope of the GDPR. However, other laws and regulations may apply to this data.

What is anonymized and pseudonymized personal data?

Pseudonymised personal data (referred to in the previous Privacy Legislation as 'encrypted data') are personal data (whether sensitive or not) that can only be linked to an identified or identifiable person by means of a non-public (secret) key. Pseudonymised personal data remains personal data protected by the GDPR.

In the case of anonymised personal data, the possibility of identification has been 'irreversibly' removed by means of a processing technique. 'Anonymised' personal data that can still be traced back to the original individuals with reasonable effort is not anonymous data; it remains (pseudonymised) personal data to which the GDPR applies.

Please note: if you anonymise personal data yourself, you necessarily work with identifiable personal data at the start of and during the anonymisation process. In other words, the act of anonymisation is itself processing of personal data, to which the GDPR applies.

Anonymous data are data that do not relate to an identified or identifiable natural person or to personal data that have been made anonymous in such a way that the data subject is not or is no longer identifiable (by any person in any way). Anonymous data is not personal data and does not fall within the scope of the GDPR.

Please note: even if you only process anonymized or anonymous data, it is still important to evaluate the ethical aspects of the collection or processing of this data.
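As an added example (not Ghent University's own code or procedure), the distinction above in Python: pseudonymisation with a secret key and a separately held lookup table, under which the key holder can still identify the person, and anonymisation by aggregation into groups that no longer relate to a single individual. The sample records, the HMAC-based token and the minimum group size are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records about fictional persons: identifiable personal data
# (employee number, e-mail address, age, parking log data) of the kinds listed above.
RECORDS = [
    {"employee_no": "E1001", "email": "a.vermeulen@example.org", "age": 34, "parking_use": 12},
    {"employee_no": "E1002", "email": "b.declercq@example.org", "age": 51, "parking_use": 3},
    {"employee_no": "E1001", "email": "a.vermeulen@example.org", "age": 34, "parking_use": 7},
    {"employee_no": "E1003", "email": "c.peeters@example.org", "age": 38, "parking_use": 5},
]
DIRECT_IDENTIFIERS = ("employee_no", "email")


def pseudonymise(records, key):
    """Replace the direct identifiers by a keyed token (HMAC-SHA256 under a secret key).

    Returns the pseudonymised records and a re-identification table. The key and the
    table are the 'non-public (secret) key': they must be stored apart from the dataset,
    and whoever holds them can still identify the persons, so the result remains
    personal data under the GDPR.
    """
    lookup = {}
    pseudonymised = []
    for record in records:
        token = hmac.new(key, record["employee_no"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {field: record[field] for field in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_token"] = token  # same person -> same token, so records stay linkable
        pseudonymised.append(stripped)
    return pseudonymised, lookup


def reidentify(pseudonymised_record, lookup):
    """Reverse the pseudonymisation; only possible for the holder of the lookup table."""
    return lookup[pseudonymised_record["subject_token"]]


def anonymise(records, min_group=2):
    """Aggregate per age band, dropping identifiers and any per-person token.

    Bands with fewer than min_group distinct persons are suppressed, because a group of
    one could be traced back to an individual with reasonable effort and would therefore
    still be (pseudonymised) personal data. The threshold is an illustration, not a legal
    standard: real anonymisation needs a case-by-case re-identification risk assessment.
    """
    persons = defaultdict(set)
    totals = defaultdict(int)
    for record in records:  # the input is still personal data: this step is itself processing
        band = f"{record['age'] // 10 * 10}-{record['age'] // 10 * 10 + 9}"
        persons[band].add(record["employee_no"])
        totals[band] += record["parking_use"]
    return {
        band: {"persons": len(persons[band]), "parking_use": totals[band]}
        for band in persons
        if len(persons[band]) >= min_group
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once; kept in a separate, access-controlled place
    pseudo, table = pseudonymise(RECORDS, key)
    print(pseudo[0])                     # no employee number or e-mail, only a token
    print(reidentify(pseudo[0], table))  # the key/table holder can still identify the person
    print(anonymise(RECORDS))            # the 50-59 band (one person) is suppressed
```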

When do you process personal data?

Processing of personal data is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasing or destroying data.

For example, when you create an online registration form where students and staff members ('the data subjects') can register (first name, surname and email address) for an opening lecture at the start of the academic year, you process personal data. This also applies to online contact forms where students, staff members or external parties leave their contact details so that Ghent University services can contact them in the context of this service.

What are the basic principles of the GDPR?

The GDPR is based on six basic principles that you should take into account when processing personal data:

  • Lawfulness, fairness and transparency: you are obliged to process personal data in a transparent manner with respect for all applicable laws, regulations and rules
  • Purpose limitation (finality and proportionality): you may only process personal data for a specific purpose and the processing must be reasonable and proportionate to achieve this purpose
  • Data minimisation: you may only use the personal data that is necessary to achieve the objectives of the processing activity
  • Accuracy: the personal data you process must be accurate and (subject to reasonable efforts) kept up to date
  • Storage limitation: the personal data you process may not be kept longer than necessary
  • Confidentiality and integrity: as a Ghent University employee, you must handle personal data confidentially and take the appropriate measures to guarantee the confidentiality and integrity of this data.

How can you ensure that the processing of personal data is lawful?

The processing of personal data is only lawful if one of the six conditions or legal grounds of the GDPR is met. Each processing purpose must therefore be linked to a single legal basis. It is very important to indicate the applicable legal basis for the processing in the Register of Processing Activities (AVG-register) at the start of your processing activity.

The processing of personal data will be based on one of the following legal grounds:

  • The processing of personal data is necessary in the context of a legal obligation of Ghent University, on the basis of federal, decree or European legislation.
  • The processing is necessary for the performance of an agreement with the data subject(s), the person(s) whose data is processed. Please note: this does not refer to the processing agreement.
  • The processing is necessary for the purposes of the legitimate interests of Ghent University or of a third party. In doing so, you must be able to demonstrate that a balance of interests has been made between the legitimate interest of the data processors and the interests of the persons whose data are processed (the data subjects).
  • The data subjects have given explicit consent for the processing of their personal data. According to the GDPR, consent as a legal basis must meet a number of conditions in order to be valid. In addition, data subjects also have various rights with regard to the processing of their personal data; for example, under the GDPR they can withdraw their consent at any time. After a withdrawal, no further processing of the personal data already collected may take place. Processing carried out before the withdrawal of consent is not affected by it.
  • Certain processing activities of personal data may be part of the public interest, i.e. it leads to an increase in knowledge and understanding that benefits society (directly or indirectly).
  • In rather exceptional situations, the processing of personal data is based on the vital interests of the data subjects or of another natural person. Vital interests come into play when a life-threatening situation arises in which the processing of personal data is crucial, for example a traffic accident in which a student needs urgent medical attention and can no longer give his/her consent, or a worrying disappearance.

What does my self-accountability entail?

As a staff member, you must take responsibility for the processing of personal data. This means that you must always comply with Ghent University's Generic Code of Conduct for the Processing of Personal Data and Confidential Information. In addition, you handle personal data in a conscious manner and think about the protection of the data in a timely manner. Finally, contact the Ghent University Data Protection Officer as soon as possible with privacy-related questions and dutifully take the necessary steps when you discover a data breach (see 'GDPR: what should I do in case of a data breach?').

How do I secure my data correctly?

Taking appropriate technical and organisational measures is part of the self-accountability that you have as a Ghent University staff member. Before data processing, you should already think about how you will process and store the personal data securely. At all stages of data processing, you need to think about how this can best be done.

This is also the moment to check whether the personal data can be pseudonymised or anonymised, so that the data is not freely accessible and readable but is protected by means of a "key" or "code". Take into account the purpose for which you need the data.

In addition, access to personal data must be limited to the persons who are strictly necessary. Anyone who does have access to personal data must ensure that they use a strong password and secure networks such as Athena, MS Office 365 cloud applications and eduroam-Wi-Fi. The use of encryption for storage or data transmission is highly recommended, especially when working with external cloud services. You can choose to encrypt one or a few files or to encrypt the entire system disk of your laptop or computer. For an overview of different encryption options, you can view the encryption toolbox and the accompanying encryption manual.

In addition to anonymisation, pseudonymisation and encryption, there are many other organisational and technical security measures that limit the risk for the data subjects, such as:

  • clean desk policy
  • key policy of offices
  • use of a screen saver and locking the PC (Windows key + L) when leaving it
  • storage of data files or documents on the UGent network drives or centrally offered storage options
  • use of secure data transmission systems (e.g. Belnet's Filesender)
  • use of secure data destruction procedures


How are you transparent towards the person(s) involved?

Informing the persons whose personal data are processed (the data subjects) is one of the basic principles of the GDPR ('transparency'). As an employee, it is also your job to ensure that this information is communicated to those involved in a concise, transparent, understandable and easily accessible form and in clear and simple language.

You can provide this information in various ways, such as through a news item, a mention on the website, a privacy statement, an information letter or a brochure. This information letter does not have to be signed by the data subjects, but it must be made available before the data processing starts.

For example, if you, as a Ghent University staff member, use an (online) contact form during the performance of your job to collect contact details of participants for an event, you will have to draw up an information document in which all necessary information is communicated to the data subjects before you start processing their personal data. The information must contain at least the following elements:

What should you think about when using mailing lists?

If you, as a Ghent University staff member, use a list of e-mail addresses (a so-called mailing list) to which you regularly send messages, you must respect the rules of the GDPR. This applies to both internal and external communication.

No permission is required for internal communication in which Ghent University in general, or certain university services in particular, sends information where it is essential that the addressees take note of it.

For other internal communication, permission is required if the recipients have no interest or benefit in receiving the information and/or it concerns information in the political, philosophical, religious or trade union field.

When communicating externally with business recipients, as a staff member you do not need the consent of the recipients. For private recipients, however, active prior authorisation is required.

The recipients must always be informed about this communication and there must be an option to unsubscribe, both in internal and external communication. Of course, it is also important to effectively remove those who have unsubscribed from the mailing list and not to contact them again.

A possible formulation for the opt-out can be found below:

"You receive this information on behalf of (indicate which department/faculty/... within UGent). If you no longer wish to receive this information, please click [unsubscribe]. If you have any questions, please contact [e-mail address of the contact person responsible for managing the relevant file within the service concerned]. You can exercise your rights via [e-mail address of the contact person responsible for managing the relevant file within the service concerned]. If you have any questions regarding privacy or your data, you can review the privacy statement or contact the Data Protection Officer of Ghent University via privacy@ugent.be."

How long can personal data be kept?

According to the GDPR, personal data may not be kept longer than is necessary to achieve the purposes for which they are processed (basic principle of 'storage limitation'). This means, for example, that you must delete the data of the participants after an event.

However, you may still need to keep the data for a longer period of time, such as if you are legally obliged to keep the data (e.g. tax or social legislation). In exceptional cases, personal data may be stored for a longer period of time on the basis of the (free) consent of the data subject.

What rights do the data subjects have?

When you process personal data, the data subjects (those whose personal data you process) have certain rights that they can exercise in relation to their personal data. You will notice that the rights of the data subjects depend on the applicable legal basis (see research tip: 'GDPR: how can I ensure that the processing of personal data is lawful?').

  • The data subject has the right to access his/her personal data. This means that he/she can ask to provide information about the personal data held about him/her. Data subjects may also request a copy of their personal data.
  • The data subject has the right to request the correction of his/her personal data if the data subject can demonstrate that the personal data is inaccurate, incomplete or outdated.
  • If the personal data is processed on the basis of the consent of the data subject, for example to send external newsletters, the data subject always has the right to withdraw this previously given consent.
  • The data subject may request the deletion of his/her personal data if it is no longer necessary for the purposes for which you collected it, if it was unlawful to collect it or if the data subject successfully exercised his/her right to withdraw consent or a right to object to the processing of his/her personal data. If any of these circumstances apply, the personal data must be deleted immediately, unless legal obligations or administrative or judicial orders prohibit the deletion of this personal data.
  • The data subject may also request that the processing of his/her personal data be restricted in the following circumstances:
    • while you review his/her request to correct personal data;
    • while you assess his/her objection to the processing of personal data;
    • if such processing was unlawful, but the data subject prefers a restriction to erasure;
    • if you no longer need their personal data, but the data subject needs it for the establishment, exercise or defence of legal claims.
  • If you process personal data for the purposes of Ghent University's own legitimate interests, the data subject has the right to object to this processing of his/her personal data.
  • If you have collected personal data on the basis of the consent or because it was necessary for the performance of a contract with the data subject, the data subject has the right to obtain a copy in a structured, commonly used and machine-readable format. This right only applies to the personal data that the data subject has provided to Ghent University.
  • If the processing of personal data is based on the consent of the data subject, an agreement or if the processing was carried out via an automated process, the data subject has the right to portability of his/her (digital) personal data. This transfer of data to another controller is only possible to the extent that this is technically feasible.

For more questions about these rights and how to guarantee them, you can contact the Data Protection Officer via privacy@ugent.be.

What do I do in the event of a data breach?

A data breach occurs when personal data is disclosed, altered or lost, whether through unauthorised action or unintentionally. These are breaches that affect the confidentiality, integrity or availability of the processing of personal data, and may have an impact on the rights and freedoms of the data subjects.

When you identify such a data breach, it is important that you take action quickly. The following step-by-step plan is used within Ghent University:

  • As soon as you notice a data breach, contact the Information and Communication Technology Department (FD ICT) by e-mail (helpdesk@ugent.be). FD ICT helps you to stop the data breach, limit the damage and guide you through the further procedure.
  • If necessary, FD ICT will contact the Ghent University Data Protection Officer (DPO) who will advise whether or not to report to the supervisory authorities and/or to notify the data subjects.

Do I have to take cookies into account?

Cookies are small text or data files, trackers, pixels or plug-ins that can be placed on a device connected to the internet. The most well-known cookies are placed when you visit a website or use an application, so that this website or application can collect and store information about the user (e.g. language, personal preferences, surfing behavior).

This information can (in)directly lead to the identification of a natural person. Cookies therefore collect personal data, and you must apply the GDPR and the e-Privacy Directive. The legal basis depends on the type of cookies:

  • The processing of functional cookies, which are necessary for the functioning of the website or application, does not require the consent of the data subject.
  • The processing of non-functional or statistical cookies does require the prior, active consent of the data subject, unless the processing is necessary for the execution of an agreement.
    In concrete terms, you ask for the consent of the data subject via a cookie banner that is shown when using a website or application for the first time and that allows the data subject to give his/her consent to the placement of the cookies.

The consent of the data subject is subject to some strict conditions. For example, for reasons of transparency, you must provide the data subject with the legally required information about the processing of his/her personal data. You provide this information either directly in the cookie banner or via a link to a cookie statement.

As a Ghent University employee, you must therefore also take into account the current cookie legislation.

What do I need to think about when I share data?

Given the broad concept of 'processing' within the GDPR, the sharing of personal data is also considered to be the processing of personal data under the application of the GDPR.

It may be necessary for you to share this personal data with various actors within or outside Ghent University. The personal data you collected may only be shared if the purposes of this original collection are compatible with the purposes of sharing it. For example, if you collect personal data for the purpose of student administration, you may not simply pass on this personal data to commercial parties as they pursue purposes that are presumably incompatible with the original purpose of the student administration.

If the data is shared with persons outside Ghent University, it may be necessary to draw up an agreement to record the content of the transfer and processing. It is therefore important to know which parties (can and may) have access to which personal data. For example, if you use an external survey tool, this tool will also process personal data and this is considered a transfer.

In addition to the above guidelines, the country in which the recipients, institutions or organisations are located may also impose certain requirements or conditions on the transfer of data.

If you have any questions about sharing and reusing personal data after reading this information, please contact the Data Protection Officer via privacy@ugent.be.

What is the AVG register and how is the processing of personal data registered at Ghent University?

The GDPR requires that all processing of personal data at Ghent University is registered and therefore documented in a 'register of processing activities', the AVG Register. This internal registration obligation replaces the former 'declaration obligation' to the Privacy Commission and is an essential tool for Ghent University and by extension Ghent University staff to comply with the accountability obligation.

Within Ghent University, this registration takes place via two registration tools: one for processing activities outside a research-related context and one for processing activities within a research-related context.

For processing activities outside research-related contexts, for example by the central and faculty administration, registration is done on the basis of IT applications at Ghent University. For each IT application that processes personal data, an application owner is appointed in consultation with the relevant dean, director and/or head. This application owner can either carry out the registration himself or appoint a contact person for this purpose. Both new and ongoing processing activities must be registered.

If you would like more information about the GDPR Registration at Ghent University, you can contact the Data Protection Officer via privacy@ugent.be.