Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), came into force on 25 May 2018, repealing Directive 95/46/EC. In addition, on 7 December 2018, came into effect Organic Law 3/2018, on 5 December, on personal data protection and digital right guarantee (LOPDGDD).
In compliance with the GDPR, the following key concepts concerning data protection are to be kept in mind when processing personal data held by the UAB in the exercise of its competences and for its own purposes:
Personal data: any information about identified or identifiable natural persons. The following are some examples.
- Full name.
- National identity document (DNI), passport, university ID number (NIU) or any other ID document.
- Postal or email address.
- Date of birth.
- Computer's IP address.
- Physical characteristics.
- Geolocation details.
Special categories of personal data: personal data revealing information considered to be of a particularly sensitive nature, warranting additional protection. The following are some examples:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data.
- Data concerning health.
- Sex life.
- Sexual orientation.
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm his unique identification, such as facial images or dactyloscopic data.
Data subject: natural person who owns the data.
Processing: any operation carried out with the data. The following are some examples:
- Communication by transmission.
- Collation or comparison.
Data transfer: disclosure of information to any person other than the data subject.
International data transfer: any disclosure of data to addressees who do not belong to the European Union.
Profiling: any type of automated data processing that consists of using the data to assess certain personal characteristics of a natural person and, in particular, to analyze or predict professional behavior, financial situation, health, personal preferences, interests, trustworthiness, personal behavior, location or movements.
Filing system: any organized and structured set of personal data.
Controller: the natural or legal person who, alone or jointly with others, decides on the purpose and content of the data and on their processing.
UAB is the controller of all data processing for GDPR purposes. Moreover, at the UAB this role falls to heads of areas, services, offices or administrative units that manage filing systems centrally, as functional controllers. In the case of databases linked to research projects, the controller is usually the project's principal investigator (PI).
Processor: the natural or legal person who processes personal data on behalf of the controller. These are companies or natural persons with whom the UAB has a contract or agreement in place for the provision of a service or supplies, and who need to access personal data on UAB files in order to perform their contractual duties.
Consent: freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The GDPR puts an end to tacit consent, so silence on the part of the data subject can never be interpreted as consent. For the processing of special data categories, consent must be explicit.
Security measures: technical and organisational measures to ensure the security of the data, especially their confidentiality, availability and integrity. The following are some examples:
- Up-to-date records of authorized staff and their duties in relation to personal data.
- Procedure for registering and reporting security violations.
- Procedure for backing up and recovering data.
- Procedure for assigning and managing passwords.
- Monitoring and registering access.
- Unintelligible storage of active passwords.
- Mechanisms to prevent unauthorized persons from gaining access.
- Procedure and authorization for removing media.
- Encryption, pseudonymisation or anonymisation of data.
- Security procedures in the electronic transmission of data.
Personal data breach: any incident involving the destruction, loss or accidental or illicit alteration of personal data, or unauthorized access to or disclosure of these.