Responsibility for data protection
Personal data of students, employees and other persons who are in contact with the university must be protected. The university must ensure that the provisions of the General Data Protection Regulation (GDPR) are complied with. For example, personal data may only be processed if this is done lawfully, transparently and for a specific purpose. In addition, technical and organizational measures must be taken to protect the data from loss, unauthorized access or misuse. In the research environment in particular, it is important that data may only be passed on to third parties if the data subject has consented or if there is another legal basis. The focus is on the data subjects and their rights. Since September 1, 2024, Dennis Winkler has been supporting the university in the implementation of data protection measures as Data Protection Manager. He talks to Ines Perl about his tasks, the data protection measures and why there is a data protection officer and a data protection manager at the university.
There is already a data protection officer at OVGU, so why do we need a data protection manager now?
The scope and complexity are constantly increasing due to the increasing digitalization of work processes, all of which must be implemented in compliance with data protection regulations. The potential risks for individuals are also increasing. A large number of regulations and legal requirements, which are constantly changing, lead to a high workload. A few years ago, the university already had a data protection manager who very successfully implemented processes at OVGU. The position had been vacant for some time and so we, the data protection officer Rita Freudenberg and I as her deputy, had to take on many additional tasks that are not part of the actual duties of data protection officers. As a result, the workload was high and time was short. I now have a full-time employee who can deal intensively with all data protection issues at the university. And so the separation between monitoring and implementing data protection has been re-established.
The new Data protection manager Dennis Winkler (Photo: Jana Dünnhaupt)
What are the main tasks of a data protection manager compared to a data protection officer?
Data protection officers and data protection managers complement each other, but have different tasks and roles. A data protection manager provides support with operational tasks and coordinates the practical implementation of data protection in day-to-day business. This includes, for example, the development and implementation of guidelines, i.e. specific measures and processes to ensure data protection on a day-to-day basis. However, this also includes raising employee awareness of data protection, analysing potential risks, identifying potential data protection gaps and drafting strategies to minimize these risks. Another task is the proper documentation of data protection measures and data protection incidents. This also includes keeping a register of processing activities carried out at the university.
The data protection officer, on the other hand, is primarily responsible for monitoring compliance with data protection regulations, advising the university as the responsible body on data protection issues, coordinating communication with our state data protection authority and conducting training courses. It therefore has an advisory and monitoring mandate and is independent and not subject to instructions. It is effectively a neutral auditor and advisor.
| The data protection manager provides support in the day-to-day implementation of data protection, risk management and process optimization, and the data protection officer is responsible for advising, training, monitoring and complying with legal requirements as well as communicating with the supervisory authorities. |
One of your main tasks is to support the implementation of data protection measures. What measures are these, for example?
On the one hand, these are technical measures. The data protection manager pushes for their implementation in collaboration with the information security officer. These include, for example, encryption to ensure confidentiality, the introduction of systems to restrict access, data backup to prevent data loss or the requirement for anonymization and pseudonymization.
Other measures include organizational measures. Data protection guidelines must be developed that regulate the handling of personal data and thus provide employees with clear guidelines. Everyone who works with personal data is also responsible for data protection. They may not be held responsible in the end, but this can also happen if a breach is culpable.
Another measure in which I can provide support is documentation, such as keeping a register of processing capabilities. The cooperation of the many data protection coordinators at the university is essential for this. The data protection manager provides support in carrying out data protection impact assessments for high-risk processing of personal data in order to identify risks and take measures to minimize them.
They also develop contingency plans in the event of a data leak or other data breach, including informing data subjects, all of course in close cooperation with the Data Protection Officer.
However, I would also like to mention one measure: The university needs a 'deletion concept' that specifies how long which data may and must be kept and when it must be deleted. This is important in order to comply with the principle of data minimization.
(Photo: Roman/ pixabay)
Are there legal requirements for the appointment of a data protection officer and are there comparable requirements for the data protection manager?
Yes, there are legal requirements for the appointment of a data protection officer, whereas there are no binding legal requirements for the role of the data protection manager in this form. The General Data Protection Regulation requires organizations and companies that regularly and systematically process personal data on a large scale to appoint a data protection officer. Public bodies such as OVGU, as a public corporation, are required to appoint such an officer. The data protection officer is independent and is not subject to any instructions with regard to their data protection-related tasks. They may not be disadvantaged due to the fulfillment of their tasks. The data protection officer must have the necessary expertise to ensure compliance with data protection regulations. Articles 37 to 39 GDPR describe the requirements for the appointment, tasks and duties of a data protection officer.
Ensure practical implementation of data protection regulations in everyday life
There are no legal requirements for the data protection manager as defined by the GDPR. A data protection manager is usually appointed voluntarily by the organization to ensure the practical implementation of data protection regulations and data protection guidelines on a day-to-day basis. He or she complements the work of the data protection officer by planning the operational and technical measures to ensure data protection and assisting in their implementation.
What specific concerns can employees or students turn to you as data protection manager?
I see myself as an important point of contact for employees and students when it comes to specific concerns about data protection. Employees can come to me if, for example, they have questions about how to apply the data protection guidelines correctly in their daily work or if they need support with specific issues. Employees may have questions about how long they need to retain certain personal data and when or how it should be deleted in order to comply with legal requirements.
I am happy to offer my help with the introduction of new IT systems due to the ongoing digitalization of administration or with questions regarding the processing of personal data in research projects.
Students can also contact me at any time. I can support them, for example, if they have to work with personal data themselves for final theses and have to create documents for this purpose, e.g. for surveys etc.
| The data protection manager is the central point of contact for operational and technical data protection issues, while the data protection officer has more of a supervisory and advisory role. |
What are the biggest challenges for OVGU in implementing data protection measures?
The university faces a number of challenges when implementing data protection measures. These arise from the complexity of university operations, the diverse data processing procedures and the special requirements that universities have due to their research activities. Very different categories of data are processed at the university. From student data - enrolment, grades, examination results - to employee data and research data. Protecting all this data in different contexts is a major challenge. Universities often work with external partners and research institutions, which makes the processing and exchange of data more complex. Compliance with data protection regulations must be ensured in these collaborations, especially in the case of commissioned processing. The exchange of data in connection with EU GREEN currently poses a particular challenge.
Another important point is the balance between the General Data Protection Regulation and the freedom of research. Research projects that use personal data, e.g. from social science surveys, must be carried out in compliance with data protection regulations without unnecessarily hindering scientific work. In research, the anonymization and pseudonymization of personal data is often crucial to ensure data protection. This requires technical and organizational measures to ensure that data cannot be traced back to individuals.
OVGU processes and stores a large amount of data on IT systems, which makes it an 'attractive' target for cyberattacks. Implementing effective security measures such as encryption, firewalls, secure networks and regular security updates is a constant challenge.
Comply with data protection regulations even in cross-border projects
OVGU is internationally networked and participates in many cross-border projects that require the processing of personal data across national borders. The specific requirements of the GDPR and other international data protection laws must be taken into account here.
When managing students in exchange programs or communicating with international partner universities, it must be ensured that data protection regulations are also complied with when transferring data abroad.
Data protection regulations, in particular the GDPR, are subject to ongoing development and interpretation by courts and supervisory authorities. OVGU must continuously adapt to new legal requirements and recommendations, which requires additional resources and flexibility.
Digitalization has also picked up speed at OVGU and is intended to help simplify processes. However, more and more data is being collected and analyzed. How does this fit in with data protection?
Collecting and analyzing more and more data is not in conflict with data protection as long as data protection regulations are observed and measures are taken to protect personal data. The principle of data minimization must also be observed in the course of digitalization. This means that only the data that is required for a specific purpose is collected and processed. For example, only necessary information should be accessed in digital administrative processes and unnecessary data processing should be avoided.
Personal data may only be processed for the purpose for which it was originally collected. In the context of digitalization, this means that the university must clearly define why certain data is being collected and that this data may not be used for other purposes without a legal basis. When introducing new digital systems, data protection must be incorporated into the design of the systems from the outset. This means that technical and organizational measures must be taken to ensure the protection of personal data. When developing or purchasing software, it should therefore always be checked whether it enables data protection-friendly configurations.
Digitalization at OVGU can certainly be in line with data protection if the data protection principles and legal requirements are observed. By using 'privacy by design' and establishing a secure technical and organizational framework, the university can implement digital processes that are both efficient and data protection-compliant.
Many thanks for the interview.