Universities produce and process large amounts of personal data. This affects students, applicants, teaching staff, employees and external cooperation partners or lecturers. The aim of the DSGVO is to protect this data.
The term DSGVO stands for the European General Data Protection Regulation, which has provided a Europe-wide framework for handling personal data since 2018. Institutions and companies must organise their data processing in line with the DSGVO.
Especially when using external services, like video conferencing tools, that generate large amounts of personal data in the form of names, voices and video recordings, it is important to check whether and to what extent the principles of the DSGVO are implemented by the provider.
Principles of the DSGVO
Anonymisation of data
The DSGVO encourages the anonymisation of data. This means that, ideally, information can no longer be matched to the person it originates from. This can be achieved, for example, by replacing names with pseudonyms or encrypting the data.
Legal basis for data processing
The collection and processing of data must have a legal basis. This can be achieved through a legitimate interest, for example education or research purposes, through user consent or to fulfil a service that has been contractually agreed.
Transparency and control
The DSGVO defines the right to be "forgotten" and the right to export and transfer data to another responsible party.
Non-EU countries
The DSGVO also applies to providers and institutions based abroad but process data of individuals within the EU. However, it can be difficult to ensure that foreign providers comply with the DSGVO. Therefore EU-internal providers should be preferred.
Right to be informed
Users have the right to know what personal data is collected and how it is used.
DSGVO checklist
- Transparency in data collection and processing
What data is processed and how is it used? Does the provider give clear information about this? - Data minimisation
The sharing of personal data should be minimised. Information like original names should only be used when necessary. The automatic saving of information, such as chat communication or whiteboard content, should be deactivated if possible. - Encryption
If possible, data should only be transmitted in encrypted form. (e.g. through end-to-end encryption) It should be checked if providers offer this option. - Third countries
Can the provider be replaced by an EU-internal? If not, can the server location be limited to the EU? - Consent
Before recording or publishing video conferences, videos and images of people, the affected person must have clearly agreed. Such data should only be stored internally at BURG or locally. - Obligation to delete
Data that is no longer needed must be deleted.
Sources
Information of the ministery of economics and clima protection
The original DSGVO