Data Protection Policy of Diaconia University of Applied Sciences

The Executive Group of Diaconia University of Applied Sciences (hereafter Diak) has approved this data protection policy on 27 February 2018 as a binding set of guidelines which applies to the staff and students of Diak.

General

Data protection refers to the protection of personal data and other confidential or sensitive data concerning a person.

The Data Protection Policy of Diaconia University of Applied Sciences defines what is meant by data protection and how it is implemented.

Diaconia University of Applied Sciences complies with the EU’s General Data Protection Regulation (2016/679) and the provisions of other related laws and standards.

This policy applies to all personal data held by Diak and to all processing of such data, regardless of where, by what means and under what arrangements the data are processed.

Diak ensures compliance with this data protection policy and with legislation, keeps the policy up to date and revises it as and when necessary.

Statements

Diak will maintain a privacy policy statement concerning its data processing practices as required by law.

The implementation of the principles is described in the privacy policy statements of Diak’s individual operational areas.

Principles and implementation of the processing of personal data

The following principles must be adhered to in the processing of personal data:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality

Steps to implement the principles include the following:

  1. the processing of personal data has a lawful basis
  2. data subjects are provided with sufficient information about the processing of personal data
  3. students and employees who process personal data have completed data protection training
  4. data subjects are provided with effective means to exercise their rights, and their requests are responded to without delay
  5. risks relating to the processing of personal data are assessed from the point of view of the data subject; risks are reduced, for example, by means of pseudonymisation; and, where the processing is likely to result in a high risk, a data protection impact assessment is carried out
  6. only strictly necessary personal data are processed
  7. the accuracy of data is ensured
  8. data processing activities are documented
  9. data processing practices are reviewed regularly
  10. the principle of integrated data protection (data protection by design and by default) is adhered to

Diak must be able to demonstrate that the above principles concerning the processing of personal data are adhered to. Adherence to the principles is described in an annual data statement.

As an employer, Diak must ensure that all its employees understand and adhere to the principles, and that detailed processing rules and the protection of special-category (sensitive) data are implemented.

Access to personal data is restricted to employees who have a legitimate need to view the data, and only to the extent required by the duties in question. Personal data may not be disclosed without the individual's consent, unless required by law.

Integrated data protection (data protection by design and by default)

Employees of Diak who are responsible for the specification and design of new or significantly modified systems that process personal data must give due attention to data protection and carry out the necessary data protection impact assessments.

Research, study and other projects may also require a data protection impact assessment if the processing of personal data poses a risk to data subjects.

In research, data protection impact assessments are an essential part of the research ethics assessment process.

Responsibilities

Diak monitors compliance with data protection legislation by internal monitoring, audits, guidance and instruction. Diak produces guidelines for the necessary technical and organisational measures to be implemented by the institution’s functions.

Rights of data subjects

Diak will safeguard the rights of data subjects in accordance with the law. A data subject may request access from the controller to the personal data concerning him or her, request rectification or erasure of those data, request that their processing be restricted, and object to their processing. The right to erasure does not apply to personal data that Diak processes on the basis of a statutory task, the public interest or another legal obligation.

Data subjects have the right to lodge a complaint with the supervisory authority.

For certain types of processing (under the GDPR, processing based on consent or on a contract and carried out by automated means), data subjects have the right to data portability: to receive their personal data in a structured, commonly used and machine-readable format and to have them transmitted to another controller.

Measures

Diak will train all its employees in the basic concepts and measures of data protection and offer more in-depth training where required.

Diak has a named data protection officer.

The data protection officer responds to questions relating to the data protection policy, compliance with the GDPR and other data protection legislation at Diak, and the processing of personal data at Diak.

In addition, the data protection officer is responsible for

a) monitoring compliance with this data protection policy;
b) liaising with the supervisory authority; and
c) upon request, providing advice about data protection impact assessments and monitoring and developing data protection practices.

Queries about a specific register or system are handled by the contact points specified in the relevant privacy notices and statements.

Communications to staff, data subjects and stakeholders

Information about this data protection policy and any changes to it is published through Diak's internal communication channels.

The Data Protection Policy of Diaconia University of Applied Sciences is effective until further notice. It is a public document and available on Diak’s external and internal websites.