Betriebsrat für das wissenschaftliche Personal
The General Data Protection Regulation and its effects on the work of the Staff Council
Most of you will have heard about the General Data Protection Regulation (GDPR) and May 25, the day it entered into force. But what does the GDPR mean for the day-to-day work of the Academic Staff Council (Betriebsrat für das wissenschaftliche Personal)?
Based on the rights of participation enshrined in the Austrian Labor Relations Act (Arbeitsverfassungsgesetz), the Academic Staff Council constantly works with the personal data of WU academic staff members. Our use of these data as part of the Staff Council’s various rights to check and control the activities of the university management qualifies as data processing within the meaning of the GDPR. The Academic Staff Council has taken a number of steps to make sure that its work is compliant with the GDPR and that the personal data processed are subject to appropriate protection, and it has prepared data security guidelines that have now been adopted. Under these guidelines, individual members of the Academic Staff Council are obligated to exercise due care when dealing with personal data of WU employees. The guidelines also require that such personal data be disclosed only to those Staff Council members who are responsible for the matter at hand as part of their specific responsibilities. As of May 25, 2018, the Academic Staff Council also keeps its own record of processing activities, listing all instances of data processing that involve the personal data of WU employees.
The Academic Staff Council acts as a processor of personal data and has to adhere to the regulations of the GDPR in this capacity, but it is also concerned with the GDPR in other ways: The Academic Staff Council also works with WU, the employer, to make sure that the existing operational agreements (Betriebsvereinbarungen) covering aspects related to the processing of personal data comply with the new data protection regulations. These agreements exist because protecting the personal data of WU employees was already one of our top priorities well before the GDPR came into effect. The process of reviewing these operational agreements to make sure they meet the current legal requirements is still ongoing. Austria’s national legislation for implementing the GDPR poses additional challenges because it waters down several aspects about which the GDPR is very clear. Some of you may have followed the debates about these issues first-hand.
We have been working with the WU Legal Affairs Office to review the existing operational agreements, and the first amendments have already been adopted. Any amendments to individual operational agreements will be published in the WU Bulletin and, after their official publication, they will also be made available on the Academic Staff Council’s web pages.
For the context of our daily work as WU researchers, it is particularly important to note that WU, in its capacity as an employer, provides information materials and guidelines on a few “hot topics” regarding the GDPR. This includes the following topics:
Declarations of consent: For which of our activities as teachers and researchers at WU do we have to request consent from data subjects? Is consent required in connection with regular courses? And if yes, for which aspects? Do I have to ask for consent in connection with my own scholarly work, or my supervision of academic work done by students? And if yes, how do I have to go about it?
Obligations to provide information: Many regard the right of data subjects to request access to and information about their personal data as one of the key achievements of the GDPR. However, this also entails the obligation to provide information to data subjects. Comprehensive guidelines will be prepared on how to fulfill this obligation.
Newsletters / mailing lists: We use mailing lists as important communication channels in a wide variety of different situations. The use of newsletters and mailing lists is the third topic to be addressed by comprehensive information materials and practical guidelines announced by WU.
We do not see May 25, the day when the GDPR entered into force, as a turning point that changed everything. Instead, that day provided an important opportunity to take a close look at the processes we use here at WU and check them for compliance with the applicable data protection regulations. For us as members of the Academic Staff Council, the entry into effect of the GDPR comes as an important reminder to maintain our high standards of diligence when we are dealing with the personal data of our colleagues at WU.