Personal data protection
The General Data Protection Regulation (GDPR) has the full title Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data. The primary purpose of this regulation is to harmonize legislation on the protection of personal data and to strengthen the rights of data subjects, in other words to more effectively regulate how personal data is handled. The regulation came into effect on 25 May 2018.
The protection of natural persons concerning the processing of their personal data is a fundamental right. The regulation establishes the rules for the protection of natural persons in connection with the processing of personal data and the rules allowing for the free movement of personal data.
Personal data is any information about a person that the controller or another person can use, directly or indirectly, to identify them. Personal data therefore constitutes any and all information about an identified or identifiable natural person. An identifiable natural person is someone who can be directly or indirectly identified, namely by reference to a certain identifier, for instance their name, address, date of birth or one or more specific aspects of the physical, genetic, psychological, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The rules for the protection of personal data concern any subject which processes personal data in ways covered by the General Data Protection Regulation. The regulation divides such subjects into personal data controllers and processors.
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (their activity is therefore based on a contract with a specific controller).
A data protection officer (DPO):
– informs and advises the controller or the processor including their employees who carry out the processing
– monitors compliance with the GDPR
– cooperates in the creation of data protection impact assessments
– cooperates with the supervisory authority (the Office for Personal Data Protection)
– acts as the contact point for the supervisory authority
– may be contacted by data subjects
– is bound by secrecy or confidentiality
School counselling facilities process the personal data of their clients (incl. their legal guardians) and employees. In most cases this is required to comply with the law (the applicable legal regulation) – the processing of personal data is therefore only carried out to the degree required by the relevant regulation and explicit consent of the data subjects is not required. If, however, the school counselling facility is processing personal data based on provided consent above and beyond the legal requirements, this consent may be revoked at any time.
The GDPR establishes the rights of a data subject:
– the right of access to the personal data being processed concerning the subject (Article 15)
– the right to rectification of any inaccurate or incomplete personal data being stored (Article 16)
– the right to erasure (“right to be forgotten”) if the personal data are no longer necessary for the given purpose or were processed unlawfully (Article 17)
– the right to restriction of processing, if the data subject contests the accuracy of the data, the processing is unlawful or the controller no longer needs them (Article 18)
– the right to data portability to another controller (Article 20)
– the right to object in cases of a public or legitimate interest (Article 21)
– the right to lodge a complaint with a supervisory authority – the Office for Personal Data Protection – if the data subject considers that the processing of their personal data infringes the regulation (Article 77)