
Compliance with Data Protection Regulations

Important Policies and Guidelines

Several Freie Universität Berlin policies and guidelines must be observed in order to comply with the data protection regulations of the General Data Protection Regulation (GDPR), the Berlin Data Protection Act (Berliner Datenschutzgesetz, BlnDSG), and the Berlin Higher Education Act (Berliner Hochschulgesetz, BerlHG).

These include policies, deletion deadlines, data breach guidelines that define actions taken in case of data protection incidents, rules for information provided to data subjects upon request, and more.

Compliance with data protection regulations affects all procedures in which personal data are processed.

Personal data are any information relating to an identified or identifiable natural person. “Identifiable” refers to a natural person if they can be identified, whether directly or indirectly (such as through assignment of an identifier).

This means that “pseudonymized data” are also considered personal data: if the data can be assigned to a natural person by use of additional information (such as a “key”), then that person is identifiable and the data are thereby personal data.

Anonymized data, however, fall outside the scope of the GDPR. Anonymized data are information that does not refer to an identified or identifiable natural person, or personal data that have been anonymized by a method applied so that data subjects cannot or can no longer be identified, not even with the assistance of a key.

Processing is defined as any action in connection with personal data such as collecting, recording, saving, retrieving, deleting, or erasing this data. This applies whether or not the actions are performed with an automatic procedure.

It is also important to always comply with the rules for handling personal data whenever information about an identifiable person is processed in any way by Freie Universität Berlin.

Keeping records of data processing is an important part of the GDPR; according to Article 30 GDPR, these records must cover all data processing procedures. This refers to internal documentation that must be submitted to the data protection supervisory authorities upon request.

Further Information about Records of Data Processing

You may ask the data protection officer to send you a checklist to use when introducing new processing activities.

Processing personal data requires a legal basis in accordance with the GDPR. This would include, for example, processing the data of a person:

  • based on an employment relationship (Article 6.1.b GDPR)
  • based on express consent by the person (Article 6.1.a GDPR)
  • based on a scientific research interest (Article 89.2 GDPR, Section 17 BlnDSG)
  • in order to carry out a course of study, teaching, or research (Article 6.1.e GDPR in conjunction with Section 6.1.1 and 6.1.4 BerlHG)
  • in order to perform another duty of Freie Universität Berlin in accordance with Article 6.1.e GDPR in conjunction with Section 6.1.12 and Section 4 BerlHG

Other legal bases may apply. The purposes of data processing must be documented, including in the record of processing activities.

In addition, data subjects must be regularly informed in a Data Protection Notice about the data processing, its purpose, the legal basis for it, and any further information.

This Data Protection Declaration must be actively communicated to the person whose personal data are being gathered. You can request a template for a Data Protection Declaration from the Chief Data Protection Officer.

In certain research projects, interviews, and surveys, it may be necessary to obtain the consent of data subjects. Consent must be documented for verification purposes.

You can request a template for a Declaration of Consent from the Chief Data Protection Officer.

A Data Protection Impact Assessment is required when the use of the data is likely to pose a high risk to the rights of data subjects (for example, when large amounts of sensitive data will be collected). Please contact the external data protection officer about such cases. A completed record of processing activities is a prerequisite for evaluating whether a Data Protection Impact Assessment is needed.

Technical and organizational measures pursuant to Article 32 GDPR must ensure an appropriate level of protection. They must be referenced in the record of processing activities. For Freie Universität Berlin, as a rule, the general technical and organizational measures of Freie Universität Berlin IT Services (FUB-IT) apply.

Additional technical and organizational measures of contractors, who provide software, applications, and tools for example, may also be relevant for data processing. These measures must also be mentioned or referenced in the record of processing activities.

If a contractor has been entrusted with the processing of personal data, a Data Processing Agreement must be concluded in certain circumstances. You can request a template for a Data Processing Agreement from the Chief Data Protection Officer.

Retention periods determine how long various kinds of data may or must be retained. In general, personal data may be retained as long as necessary to fulfill the purpose of their processing or as long as specified by statutory retention periods or statutes of limitations. The reason for retention must be stated in the record of processing activities. Certain best-practice rules may also be applicable. You can request the retention period guidelines from the Chief Data Protection Officer.

The existing policies of FUB-IT, for example, for safe handling of data and equipment, are still in force and must be complied with.

IT Security Guidelines (PDF, in German)

As soon as you begin planning a process in which personal data will be handled, please inform the external data protection officer with as much information as possible about the specific context. You can reach the data protection officer by email at datenschutz@fu-berlin.de.

The following information is important:

  • Which personal data will be processed?
  • Whose personal data will be processed?
  • For what purpose are you processing data?
  • Are you using a contractor or software?
  • Will the data subjects be informed about the data processing?
  • What data streams will take place?

Before storing the documents and concluding any contracts, a data protection review should be conducted by the data protection officer. At a minimum, you must provide the data protection officer with the final version of the following documents:

  • A record of processing activities. This record states which data will be processed on which legal basis and for which purpose, as well as how long you may retain the data.
  • A list of the technical and organizational measures for data protection (usually as an appendix or reference to the record of processing activities).
  • If the data subjects have not already been informed in the Data Protection Notice about the new data processing to be introduced, the notice must be created or supplemented accordingly.
  • If your data processing relies on consent of the data subjects under Article 6.1.a GDPR, you must have obtained it in a verifiable manner. For this you need a documented/documentable Declaration of Consent.
  • A Data Processing Agreement in the case that you will use a service provider for the new process. A list of the technical and organizational measures of the service provider and a list of subcontractors is also required.
  • If personal data are to be “sent” to a country outside the European Union (EU) or European Economic Area (EEA), so-called “third countries,” then compliance with the guarantees under Articles 44ff. of the GDPR must be assured. This can be done by using standard contractual terms, references to “adequacy decisions” of the European Commission, or other guarantees.

For example, a third-country transfer may take place if the server on which the relevant personal data are stored is located outside the EU or the EEA. It also counts as a third-country transfer when a service provider located in a third country can obtain access to the data (e.g., through remote maintenance).

  • With the aid of the completed record of processing activities (see above), the external data protection officer determines whether a Data Protection Impact Assessment under Article 35 GDPR is necessary.
  • Further documents such as a contractual agreement concerning shared responsibilities under Article 26 GDPR or the preparation of a Transfer Impact Assessment may be required after consultation with the data protection officer.

Compliance with the statutory duty of documentation under data protection laws is only possible when it is known where the documentation is stored. Storage of documents and contracts is the responsibility of the individual project leaders.

If you plan to commission a new service provider or software provider, it is usually recommended to inform the external data protection officer and provide as much information as possible about the specific project. If you are not sure whether the service provider you are considering can be relied upon to ensure data protection, please have the service provider send you a draft contract and have the data protection officer conduct a preliminary assessment before commissioning the service provider.

You will need a Data Processing Agreement when a service provider is commissioned to process personal data on behalf of Freie Universität Berlin.

Usually, Freie Universität Berlin will serve as the data controller for processing personal data. In terms of data protection, the data controller is the one who determines the purposes and means of processing personal data, either alone or together with others. When Freie Universität Berlin determines the purposes and means together with another entity, there is a shared responsibility, and a Shared Responsibility Agreement must then be concluded with that entity.

Commissioned processors are defined in the data protection regulations as those who process personal data on behalf of the data controller, in other words those who do not determine the purposes and means of processing themselves.

On behalf of Freie Universität Berlin, commissioned processors may process the personal data of website visitors, students, staff members, applicants, study participants, interested persons and other groups of people.

If a service provider or software provider can potentially access personal data when performing their services, then, according to the guidelines of the European Data Commission, this already constitutes a contracted processing relationship. This potential access must be secured by an agreement in accordance with data protection regulations.

The following information is important for the data protection officer:

  • Which personal data will be processed by the service provider or software provider?
  • Which groups of people are data subjects?
  • Is this a larger project? Will large amounts of personal data be processed?
  • Will personal data be transmitted to a service provider outside the European Union (EU) or the European Economic Area (EEA) such as the US?
  • Does the service provider operate servers outside the EU or the EEA such as the US?
  • Do you use new technologies such as AI?

Which documents will the data protection officer assess?

  • Please fill out the template for a Data Processing Agreement, together with the relevant service provider if possible, and send it to the data protection officer.
  • For comparison of the information therein it can be helpful to also send the service provider contract to the data protection officer.
  • A list of the technical and organizational measures to protect personal data that will be implemented by the commissioned processor must also be attached to the Data Processing Agreement.
  • The commissioned processor must also provide a list of subcontractors, if applicable.
  • The context of the processing is also helpful: What will the service provider do for Freie Universität Berlin, and why?

After this, stay in contact with the data protection officer regarding any further adjustments to the agreement and consult about whether, for example, standard contractual clauses must be included.