Sharing personal data and the GDPR
Dorien Huijser & Francisco Romero Pastrana
https://uu.nl/privacyhandbook
https://geo-data-support.sites.uu.nl/personal-data/ 23 May 2023
Today
• Data Privacy Handbook
• How to share personal data?
• Privacy scan
• Discussion
Data Privacy Handbook
Knowledge base on handling personal data in research
UU Researchers & Support staff
Centralise info & translate for research
Open source, open license: https://uu.nl/privacyhandbook
RDM Support in collaboration with privacy & faculty data stewards
https://uu.nl/privacyhandbook
Feedback = welcome
👉 Feedback via GitHub:
• Issue
• GitHub Discussions
• Pull Request
“I have no GitHub account!”
• Every page:
• Or email info.rdm@uu.nl
Contributing guidelines Style guide
How to share personal data?
• Define purpose for sharing
• Protect data being shared
• Inform people behind data
• Document it
Have a clear and legitimate purpose
https://utrechtuniversity.github.io/dataprivacyhandbook/legal-basis.html
You must have a reason (purpose) for sharing personal data.*
* The receiver must also have a reason.
There are only 6 legitimate reasons (called lawful bases) to process personal data in the GDPR:
Legal reasons to process personal data:
➢ To fulfill a contract or provide a service
• You need the customer's home address to deliver a pizza
➢ To comply with a legal obligation
• Obligation to process salary data is mandated by tax law
➢ To protect an individual's vital interests
• The right to life takes precedence over data protection
➢ To perform a task in the public interest
• University interest in conducting research is recognized by Dutch law.
➢ To pursue a legitimate interest
• Balances your interests with the individual's interest – fraud prevention
➢ Because the individual has given consent
• Individuals can exercise their right to informational self-determination
➢ Previously collected data can be further used for other purposes*
• But only for 'compatible' purposes – subject to certain conditions, or
• For scientific research purposes – also subject to conditions
https://utrechtuniversity.github.io/dataprivacyhandbook/share-reuse-legal-basis.html
Example
Organic food preferences of all students in the Netherlands?
• Data sharing request
• Received data: processed based on public interest*
Survey: Do UU students like organic food?
• Survey data collection: public interest*
• Information:
  • start of survey
  • through the project website
• External data sharing request:
  • website is updated
  • data is minimized
  • data sharing agreement is signed
• Data is shared based on 'further processing ...'*
* can also be based on consent
Ensuring consent is legitimate
https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html
To ensure that consent is legitimate, it must be:
✓ Freely given: Real choice and not coerced.
✓ Specific: To specific fully described processes
✓ Informed: Fully informed and updated
✓ Unambiguous and an affirmative action: Keep records
✓ Can be revoked: As easy to withdraw as to give
Ensuring 'Public Interest' is legitimate
https://geo-data-support.sites.uu.nl/personal-data/privacy-review/7-privacy-review
✓ The public interest is identified: specific law/official authority involved. Likely based on the “Education Act” (Wet op het hoger onderwijs en wetenschappelijk onderzoek)
✓ The necessity of the processing is identified:
- Processing is necessary: no other way to achieve the purpose, or it would require a disproportionate effort.
- Processing is proportionate: the scope (amount of people), extent (amount of data) and intrusiveness are kept to the minimum necessary
✓ The interests of the data subjects do not override your stated interest:
- Nature of the interest: individual's expectations and (potential) interests
- Impact and safeguards: positive/negative impact on individuals, implemented measures to address it.
Ensuring 'Further processing' is legitimate
https://utrechtuniversity.github.io/dataprivacyhandbook/legal-basis.html
To ensure 'further processing for scientific research purposes' is legitimate, it must be:
✓ Only for data reuse: Can't be used for newly collected data.
✓ Originally lawfully collected: Originally collected using consent/public interest
✓ Comply with Art 89(1): Safeguards: data minimization, de-identification
✓ Strictly for scientific purposes: Can't be used for anything else
✓ Informed: Provide information to data subjects as much as possible
What about sensitive personal data?
https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html#special-categories-of-personal-data
'Special categories' of personal data have additional restrictions
Genetic, biometric and health data, personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions, trade union membership
This data can only be used if:
• Explicit consent - an express statement of consent
• Substantial public interest* - necessary for humanitarian purposes, including for monitoring epidemics
• Archiving, statistical, historical or scientific research purposes* – subject to strict safeguards
• Manifestly made public by data subject
• Necessary for Employment and Social Security Purposes
• Vital interests
• Defense of legal claims
• Medicinal / health system purposes / public health
https://utrechtuniversity.github.io/dataprivacyhandbook/pseudonymisation-anonymisation.html
The importance of Art. 11
• Broadly speaking, 2 types of personal data:
  • Identified: Readily attributed to a specific individual - has a name or ID
  • De-identified: Can't be readily attributed – has no name or ID. Art 11 applies
• Advantages of de-identified personal data
  • Compliance with Art 89 demonstrates data minimization, shows that processing does not permit the identification of the data subject.
  • Some rights no longer apply – Since you can't identify specific individuals, you can't respond to their data access request, rectification, deletion, etc. – unless they provide additional information enabling their identification
  • Consent withdrawal, right to object will likely have no effect.
  • Further processing for scientific research is likely allowed, and providing them information directly is likely not necessary
  • Personal data breach notifications are likely not needed
  • It is easier to justify storing data for 10 years or more to safeguard the scientific record
Design a safe processing
https://utrechtuniversity.github.io/dataprivacyhandbook/privacy-by-design.html
The collection of personal data should, from the outset, be limited to what is appropriate, relevant and necessary for the purpose pursued.
Identify the risks associated with the processing, and implement suitable measures that adequately reduce those risks.
Design a safe processing
https://utrechtuniversity.github.io/dataprivacyhandbook/design-strategies.html
• Only share minimum necessary amount of data
• Identify the people behind data: who are they, why do data recipients need their data?
• Identify and justify processed data: why do data recipients need each type of data?
• Anonymize/pseudonymize as much as possible
• Restrict data access, encrypt data, identify who has data access and why
• Keep data safe and accurate – avoid data breaches
• Use safe tools
• Do not keep data unless necessary – justify and enforce storage periods
• Ensure compliance: legally binding transfer agreements
• International data transfers?
https://utrechtuniversity.github.io/dataprivacyhandbook/risk-assessment-how.html
Design a safe processing
Identify potential risks from sharing data:
• Consider potential risk scenarios
• Imagine if all safeguards fail: list potential damages and impact level
• Considering the implemented safeguards, estimate the likelihood of damage
• Risk level = Impact level x likelihood
Inform people and give them control
https://utrechtuniversity.github.io/dataprivacyhandbook/privacy-notices.html
People must be able to determine the scope and consequences of the processing and must know their data protection rights and how to exercise them.
How to provide information:
✓ Understandable, transparent and clear
✓ Easily accessible and timely
✓ Intelligible and concise → Use different channels and a layered approach
What information to provide:
✓ Why do data recipients need their data – explain their project
✓ Who is responsible for the process, and who has data access – describe the team
✓ Describe the processing – how data is kept safe and minimized. What are the risks?
✓ Describe how data is (re)used by other scientific projects – update as necessary
✓ What rights they have, and how they can exercise them.
✓ Contact info: the party responsible for the process, their DPOs, and the (Dutch) national data protection authority.
https://utrechtuniversity.github.io/dataprivacyhandbook/data-subject-rights.html
Inform people and give them control
Passive Data Subject Rights: Always implemented in your project
• Information – Individuals must be provided with information about the process
• Profiling – To not be subject to automated individual decision making, including profiling
• Notification obligation – Notify rectification/erasure/restriction requests to other data recipients
• Effective remedy – To submit a complaint (to DPO or national) or seek remedy in a law court
• Compensation – To receive compensation for suffered material or non-material damages
Active Data Subject Rights: Individuals take steps to exercise them
• Access – can request copies of their personal data
• Rectification – can request correction of inaccurate/incomplete information
• Erasure – can request erasure of their personal data
• Restrict processing – can request to stop or limit the use of personal data
• Data portability – To have or transfer data in universally machine-readable format
• Object – To object to the collection, use, and storage of personal data
• Withdraw consent – Unconditional stop of processing when consent was the legal basis
https://utrechtuniversity.github.io/dataprivacyhandbook/privacy-scan.html
Document it!
Ensure that you can demonstrate your compliance efforts – UU Geo faculty Privacy Scan
What is included in the Privacy Scan?
1. The project's purpose
2. Data subjects
3. The categories and purposes of personal data
4. The processing of personal data
5. Information provided to data subjects
6. How data subjects can exercise their data subject rights
7. The lawful basis for processing
8. Measures to ensure compliance by processors and/or joint controllers
9. Planned transfers of personal data to other countries outside the EU
10. How you will obtain and deal with data subjects’ views of the study
11. Preliminary risk assessment
Questions?

Weitere ähnliche Inhalte

Ähnlich wie Sharing personal data and the GDPR - how can it be done - Francisco Romero Pastrana & Dorien Huijser - SRD23

Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
Aleksandra kuczerawy   privacy issues in future internet - seserv se workshop...Aleksandra kuczerawy   privacy issues in future internet - seserv se workshop...
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
ictseserv
 

Ähnlich wie Sharing personal data and the GDPR - how can it be done - Francisco Romero Pastrana & Dorien Huijser - SRD23 (20)

Hivos and Responsible Data
Hivos and Responsible DataHivos and Responsible Data
Hivos and Responsible Data
 
Use of data in safe havens: ethics and reproducibility issues
Use of data in safe havens: ethics and reproducibility issuesUse of data in safe havens: ethics and reproducibility issues
Use of data in safe havens: ethics and reproducibility issues
 
Librarian RDM Training: Ethics and copyright for research data
Librarian RDM Training: Ethics and copyright for research dataLibrarian RDM Training: Ethics and copyright for research data
Librarian RDM Training: Ethics and copyright for research data
 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be Telling
 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be Telling
 
Prepare Your Firm for GDPR
Prepare Your Firm for GDPRPrepare Your Firm for GDPR
Prepare Your Firm for GDPR
 
Working with Personal and Sensitive Research Data 12/11/20
Working with Personal and Sensitive Research Data 12/11/20Working with Personal and Sensitive Research Data 12/11/20
Working with Personal and Sensitive Research Data 12/11/20
 
Course 5: GDPR & Big Data by Sari Depreeuw
Course 5: GDPR & Big Data by Sari DepreeuwCourse 5: GDPR & Big Data by Sari Depreeuw
Course 5: GDPR & Big Data by Sari Depreeuw
 
Webinar: An EU regulation affecting companies worldwide - GDPR
Webinar: An EU regulation affecting companies worldwide - GDPRWebinar: An EU regulation affecting companies worldwide - GDPR
Webinar: An EU regulation affecting companies worldwide - GDPR
 
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
Aleksandra kuczerawy   privacy issues in future internet - seserv se workshop...Aleksandra kuczerawy   privacy issues in future internet - seserv se workshop...
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
 
Data privacy & social media
Data privacy & social mediaData privacy & social media
Data privacy & social media
 
Data Protection GDPR Basics
Data Protection GDPR BasicsData Protection GDPR Basics
Data Protection GDPR Basics
 
Data Ethics Framework 2.pptx
Data Ethics Framework 2.pptxData Ethics Framework 2.pptx
Data Ethics Framework 2.pptx
 
What does GDPR mean for your business?
What does GDPR mean for your business?What does GDPR mean for your business?
What does GDPR mean for your business?
 
HKGCC_Luncheon_20160413
HKGCC_Luncheon_20160413HKGCC_Luncheon_20160413
HKGCC_Luncheon_20160413
 
Big Data Expo 2015 - Data Science Innovation Privacy Considerations
Big Data Expo 2015 - Data Science Innovation Privacy ConsiderationsBig Data Expo 2015 - Data Science Innovation Privacy Considerations
Big Data Expo 2015 - Data Science Innovation Privacy Considerations
 
Gdpr demystified - making sense of the regulation
Gdpr demystified  - making sense of the regulationGdpr demystified  - making sense of the regulation
Gdpr demystified - making sense of the regulation
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
 
RCR 4 Data Management Introduction System Information
RCR 4 Data Management Introduction System InformationRCR 4 Data Management Introduction System Information
RCR 4 Data Management Introduction System Information
 
Constraintsand challenges
Constraintsand challengesConstraintsand challenges
Constraintsand challenges
 

Mehr von SURFevents

Mehr von SURFevents (20)

SURF Lego - SURFwired - Edwin Verheul - NWD23
SURF Lego - SURFwired - Edwin Verheul - NWD23SURF Lego - SURFwired - Edwin Verheul - NWD23
SURF Lego - SURFwired - Edwin Verheul - NWD23
 
SURF lego- campusdiensten - iotroam - Thomas Esman - NWD23
SURF lego- campusdiensten - iotroam - Thomas Esman - NWD23SURF lego- campusdiensten - iotroam - Thomas Esman - NWD23
SURF lego- campusdiensten - iotroam - Thomas Esman - NWD23
 
AI zal je baan niet vervangen, maar iemand die AI gebruikt wel - Marco van de...
AI zal je baan niet vervangen, maar iemand die AI gebruikt wel - Marco van de...AI zal je baan niet vervangen, maar iemand die AI gebruikt wel - Marco van de...
AI zal je baan niet vervangen, maar iemand die AI gebruikt wel - Marco van de...
 
De dagelijkse puzzel van netwerkbeheer en monitoring - Jan Martijn Metselaar ...
De dagelijkse puzzel van netwerkbeheer en monitoring - Jan Martijn Metselaar ...De dagelijkse puzzel van netwerkbeheer en monitoring - Jan Martijn Metselaar ...
De dagelijkse puzzel van netwerkbeheer en monitoring - Jan Martijn Metselaar ...
 
Endpoint Security- Dwars doormidden - Thijs van Tilborg- NWD23
Endpoint Security- Dwars doormidden - Thijs van Tilborg- NWD23Endpoint Security- Dwars doormidden - Thijs van Tilborg- NWD23
Endpoint Security- Dwars doormidden - Thijs van Tilborg- NWD23
 
Forum Groningen - een ontmoetingsplaats voor iedereen - Richard de Vries- NWD23
Forum Groningen - een ontmoetingsplaats voor iedereen - Richard de Vries- NWD23Forum Groningen - een ontmoetingsplaats voor iedereen - Richard de Vries- NWD23
Forum Groningen - een ontmoetingsplaats voor iedereen - Richard de Vries- NWD23
 
Grenzeloos musiceren - Bert Kremer - NWD23
Grenzeloos musiceren - Bert Kremer - NWD23Grenzeloos musiceren - Bert Kremer - NWD23
Grenzeloos musiceren - Bert Kremer - NWD23
 
Topspeed wifi bij de F1 Dutch GP - Raymond Hendrix - NWD23
Topspeed wifi bij de F1 Dutch GP  - Raymond Hendrix - NWD23Topspeed wifi bij de F1 Dutch GP  - Raymond Hendrix - NWD23
Topspeed wifi bij de F1 Dutch GP - Raymond Hendrix - NWD23
 
Ontwikkelingen in internationale research en education-infrastructuur - Bram ...
Ontwikkelingen in internationale research en education-infrastructuur - Bram ...Ontwikkelingen in internationale research en education-infrastructuur - Bram ...
Ontwikkelingen in internationale research en education-infrastructuur - Bram ...
 
SURF Cybersecurity met hoge snelheid - Jasper Hammink - NWD23
SURF Cybersecurity met hoge snelheid - Jasper Hammink - NWD23SURF Cybersecurity met hoge snelheid - Jasper Hammink - NWD23
SURF Cybersecurity met hoge snelheid - Jasper Hammink - NWD23
 
SURF Lego - Architecture - Peter Boers- NWD23
SURF Lego - Architecture - Peter Boers- NWD23SURF Lego - Architecture - Peter Boers- NWD23
SURF Lego - Architecture - Peter Boers- NWD23
 
SURF Lego - Campusdiensten - Maurice van den Akker- NWD23
SURF Lego -  Campusdiensten - Maurice van den Akker- NWD23SURF Lego -  Campusdiensten - Maurice van den Akker- NWD23
SURF Lego - Campusdiensten - Maurice van den Akker- NWD23
 
SURF Lego - Netwerkdiensten - Sander Klemann - NWD23
SURF Lego - Netwerkdiensten - Sander Klemann -  NWD23SURF Lego - Netwerkdiensten - Sander Klemann -  NWD23
SURF Lego - Netwerkdiensten - Sander Klemann - NWD23
 
SURF, Hoe laat is het - Sander Klemann - NWD23
SURF, Hoe laat is het - Sander Klemann - NWD23SURF, Hoe laat is het - Sander Klemann - NWD23
SURF, Hoe laat is het - Sander Klemann - NWD23
 
TruSSD - Trust in Sharing Sensitive Data | Lucas van der Meer - SRD23
TruSSD - Trust in Sharing Sensitive Data | Lucas van der Meer - SRD23TruSSD - Trust in Sharing Sensitive Data | Lucas van der Meer - SRD23
TruSSD - Trust in Sharing Sensitive Data | Lucas van der Meer - SRD23
 
Quantum cryptography for researchers - Teodor Strömberg - SRD23
Quantum cryptography for researchers - Teodor Strömberg - SRD23Quantum cryptography for researchers - Teodor Strömberg - SRD23
Quantum cryptography for researchers - Teodor Strömberg - SRD23
 
Bridging the gap: hosting Linked Open Data for researchers - Driek Heesakkers...
Bridging the gap: hosting Linked Open Data for researchers - Driek Heesakkers...Bridging the gap: hosting Linked Open Data for researchers - Driek Heesakkers...
Bridging the gap: hosting Linked Open Data for researchers - Driek Heesakkers...
 
Interactive and collaborative AI for biodiversity monitoring and beyond - JWK...
Interactive and collaborative AI for biodiversity monitoring and beyond - JWK...Interactive and collaborative AI for biodiversity monitoring and beyond - JWK...
Interactive and collaborative AI for biodiversity monitoring and beyond - JWK...
 
The CAFE community: a local, inclusive programming community for researchers ...
The CAFE community: a local, inclusive programming community for researchers ...The CAFE community: a local, inclusive programming community for researchers ...
The CAFE community: a local, inclusive programming community for researchers ...
 
Responsible AI: the epistemology of using machine learning as a research meth...
Responsible AI: the epistemology of using machine learning as a research meth...Responsible AI: the epistemology of using machine learning as a research meth...
Responsible AI: the epistemology of using machine learning as a research meth...
 

Kürzlich hochgeladen

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Kürzlich hochgeladen (20)

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Sharing personal data and the GDPR - how can it be done - Francisco Romero Pastrana & Dorien Huijser - SRD23

  • 1. Sharing personal data and the GDPR Dorien Huijser & Francisco Romero Pastrana https://uu.nl/privacyhandbook https://geo-data-support.sites.uu.nl/personal-data/ 23 May 2023
  • 2. • Data Privacy Handbook • How to share personal data? • Privacy scan • Discussion Today
  • 3. Data Privacy Handbook Knowledge base on handling personal data in research UU Researchers & Support staff Centralise info & translate for research Open source, open license: https://uu.nl/privacyhandbook RDM Support i.c.w. privacy & faculty data stewards
  • 5. Feedback = welcome 👉 Feedback via GitHub: • Issue • GitHub Discussions • Pull Request “I have no GitHub account!” • Every page: • Or email info.rdm@uu.nl Contributing guidelines Style guide
  • 6. • Define purpose for sharing • Protect data being shared • Inform people behind data • Document it How to share personal data?
  • 7. • Define purpose for sharing • Protect data being shared • Inform people behind data • Document it How to share personal data?
  • 8. https://utrechtuniversity.github.io/dataprivacyhandbook/legal-basis.html You must have a reason (purpose) for sharing personal data * And receiver must also have a reason There are only 6 legitimate reasons (called lawful basis) to process personal data in the GDPR: Have a clear and legitimate purpose
  • 9. ➢ To fulfill a contract or provide a service • You need the customer home address to deliver a pizza ➢ To comply with a legal obligation • Obligation to process salary data is mandated by tax law ➢ To protect an individual's vital interests • The right to life takes precedence over data protection ➢ To perform a task in the public interest • University interest in conducting research is recognized by Dutch law. ➢ To pursue a legitimate interest • Balances your interests with the individual's interest – fraud prevention ➢ Because the individual has given consent • Individuals can exercise their right to informational self-determination ➢ Previously collected data can be further used for other purposes* • But only for 'compatible' purposes – subject to certain conditions, or • For scientific research purposes – also subject to conditions Legal reasons to process personal data: Have a clear and legitimate purpose https://utrechtuniversity.github.io/dataprivacyhandbook/legal-basis.html
  • 10. ➢ To fulfill a contract or provide a service • You need the customer home address to deliver a pizza ➢ To comply with a legal obligation • Obligation to process salary data is mandated by tax law ➢ To protect an individual's vital interests • The right to life takes precedence over data protection ➢ To perform a task in the public interest • University interest in conducting research is recognized by Dutch law. ➢ To pursue a legitimate interest • Balances your interests with the individual's interest – fraud prevention ➢ Because the individual has given consent • Individuals can exercise their right to informational self-determination ➢ Previously collected data can be further used for other purposes* • But only for 'compatible' purposes – subject to certain conditions, or • For scientific research purposes – also subject to conditions Legal reasons to process personal data: Have a clear and legitimate purpose https://utrechtuniversity.github.io/dataprivacyhandbook/legal-basis.html
  • 11. https://utrechtuniversity.github.io/dataprivacyhandbook/share-reuse-legal-basis.html Example Organic food preferences of all students in the Netherlands? • Data sharing request • Received data: processed based on public interest * Survey: Do UU students like organic food? • Survey data collection: public interest* • Information: • start of survey • through the project website • External data sharing request: • website is updated • data is minimized • data sharing agreement is signed • Data is shared based on 'further processing ..."* * can also be based on consent
  • 12. Ensuring consent is legitimate
    https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html
    To ensure that consent is legitimate, it must be:
    ✓ Freely given: Real choice and not coerced.
    ✓ Specific: To specific fully described processes
    ✓ Informed: Fully informed and updated
    ✓ Unambiguous and an affirmative action: Keep records
    ✓ Can be revoked: As easy to withdraw as to give
  • 13. Ensuring 'Public Interest' is legitimate
    https://geo-data-support.sites.uu.nl/personal-data/privacy-review/7-privacy-review
    ✓ The public interest is identified: specific law/official authority involved. Likely based on the “Education Act” (Wet op het hoger onderwijs en wetenschappelijk onderzoek)
    ✓ The necessity of the processing is identified:
      - Processing is necessary: no other way to achieve the purpose, or it would require a disproportionate effort.
      - Processing is proportionate: the scope (number of people), extent (amount of data) and intrusiveness are kept to the minimum necessary
    ✓ The interests of the data subjects do not override your stated interest:
      - Nature of the interest: individual's expectations and (potential) interests
      - Impact and safeguards: positive/negative impact on individuals, implemented measures to address it.
  • 14. Ensuring 'Further processing' is legitimate
    https://utrechtuniversity.github.io/dataprivacyhandbook/legal-basis.html
    To ensure 'further processing for scientific research purposes' is legitimate, it must be:
    ✓ Only for data reuse: Can't be used for newly collected data.
    ✓ Originally lawfully collected: Originally collected using consent/public interest
    ✓ Comply with Art 89(1): Safeguards: data minimization, de-identification
    ✓ Strictly for scientific purposes: Can't be used for anything else
    ✓ Informed: Provide information to data subjects as much as possible
  • 15. What about sensitive personal data?
    https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html#special-categories-of-personal-data
    'Special categories' of personal data have additional restrictions
    Genetic, biometric and health data, personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions, trade union membership
    This data can only be used if:
      • Explicit consent - an express statement of consent
      • Substantial public interest* - necessary for humanitarian purposes, including for monitoring epidemics
      • Archiving, statistical, historical or scientific research purposes* – subject to strict safeguards
      • Manifestly made public by data subject
      • Necessary for Employment and Social Security Purposes
      • Vital interests
      • Defense of legal claims
      • Medicinal / health system purposes / public health
  • 16. The importance of Art. 11
    https://utrechtuniversity.github.io/dataprivacyhandbook/pseudonymisation-anonymisation.html
    • Broadly speaking, 2 types of personal data:
      • Identified: Readily attributed to a specific individual - has a name or ID
      • De-identified: Can't be readily attributed – has no name or ID. Art 11 applies
    • Advantages of de-identified personal data
      • Compliance with Art 89 demonstrates data minimization, shows that processing does not permit the identification of the data subject.
      • Some rights no longer apply – Since you can't identify specific individuals, you can't respond to their data access request, rectification, deletion, etc. – unless they provide additional information enabling their identification
      • Consent withdrawal, right to object will likely have no effect.
      • Further processing for scientific research is likely allowed, and providing them information directly is likely not necessary
      • Personal data breach notifications are likely not needed
      • It is easier to justify storing data for 10 years or more to safeguard the scientific record
  • 17. How to share personal data?
    • Define purpose for sharing
    • Protect data being shared
    • Inform people behind data
    • Document it
  • 18. Design a safe processing
    https://utrechtuniversity.github.io/dataprivacyhandbook/privacy-by-design.html
    The collection of personal data should, from the outset, be limited to what is appropriate, relevant and necessary for the purpose pursued.
    Identify the risks associated with the processing, and implement suitable measures that adequately reduce those risks.
  • 19. Design a safe processing
    https://utrechtuniversity.github.io/dataprivacyhandbook/design-strategies.html
    • Only share minimum necessary amount of data
      • Identify the people behind data: who are they, why do data recipients need their data?
      • Identify and justify processed data: why do data recipients need each type of data?
      • Anonymize/pseudonymize as much as possible
    • Restrict data access, encrypt data, identify who has data access and why
    • Keep data safe and accurate – avoid data breaches
      • Use safe tools
    • Do not keep data unless necessary – justify and enforce storage periods
    • Ensure compliance: legally binding transfer agreements
      • International data transfers?
  • 20. Design a safe processing
    https://utrechtuniversity.github.io/dataprivacyhandbook/risk-assessment-how.html
    Identify potential risks from sharing data:
    • Consider potential risk scenarios
    • Imagine if all safeguards fail: list potential damages and impact level
    • Considering the implemented safeguards, estimate the likelihood of damage
    • Risk level = Impact level x likelihood
  • 21. How to share personal data?
    • Define purpose for sharing
    • Protect data being shared
    • Inform people behind data
    • Document it
  • 22. Inform people and give them control
    https://utrechtuniversity.github.io/dataprivacyhandbook/privacy-notices.html
    People must be able to determine the scope and consequences of the processing and must know their data protection rights and how to exercise them.
    How to provide information:
    ✓ Understandable, transparent and clear
    ✓ Easily accessible and timely
    ✓ Intelligible and concise
    → Use different channels and a layered approach
    What information to provide:
    ✓ Why do data recipients need their data – explain their project
    ✓ Who is responsible for the process, and who has data access – describe the team
    ✓ Describe the processing – how data is kept safe and minimized. What are the risks?
    ✓ Describe how data is (re)used by other scientific projects – update as necessary
    ✓ What rights they have, and how they can exercise them.
    ✓ Contact info: those responsible for the process, their DPOs, and the (Dutch) national data protection authority.
  • 23. Inform people and give them control
    https://utrechtuniversity.github.io/dataprivacyhandbook/data-subject-rights.html
    Passive Data Subject Rights: Always implemented in your project
      • Information – Individuals must be provided with information about the process
      • Profiling – To not be subject to automated individual decision making, including profiling
      • Notification obligation – Notify rectification/erasure/restriction requests to other data recipients
      • Effective remedy – To submit a complaint (to DPO or national) or seek remedy in a law court
      • Compensation – To receive compensation for suffered material or non-material damages
    Active Data Subject Rights: Individuals take steps to exercise them
      • Access – can request copies of their personal data
      • Rectification – can request correction of inaccurate/incomplete information
      • Erasure – can request erasure of their personal data
      • Restrict processing – can request to stop or limit the use of personal data
      • Data portability – To have or transfer data in universally machine-readable format
      • Object – To object to the collection, use, and storage of personal data
      • Withdraw consent – Unconditional stop of processing when consent was the legal basis
  • 24. How to share personal data?
    • Define purpose for sharing
    • Protect data being shared
    • Inform people behind data
    • Document it
  • 25. Document it!
    https://utrechtuniversity.github.io/dataprivacyhandbook/privacy-scan.html
    Ensure that you can demonstrate your compliance efforts – UU Geo faculty Privacy Scan
    What is included in the Privacy Scan?
      1. The project's purpose
      2. Data subjects
      3. The categories and purposes of personal data
      4. The processing of personal data
      5. Information provided to data subjects
      6. How data subjects can exercise their data subject rights
      7. The lawful basis for processing
      8. Measures to ensure compliance by processors and/or joint controllers
      9. Planned transfers of personal data to other countries outside the EU
      10. How you will obtain and deal with data subjects’ views of the study
      11. Preliminary risk assessment
  • 27. How to share personal data?
    • Define purpose for sharing
    • Protect data being shared
    • Inform people behind data
    • Document it