Introduction

Please share all documents and links that might be of interest to other organizations. You can share something by:

  • Clicking 'edit' and inserting a link (ctrl+K) under the relevant header on this page;
  • If you insert a link, please give a short introduction to the content of the page you are referring to and why you think it is relevant.
  • You can also share documents by uploading them to the relevant file lists, which can be found under each header.
  • If you have uploaded a document, or shared a link, please mail the mailing list to let them know that there is a new addition to the wiki. If you want feedback on your documents, please let people know how you want to receive their input.

Please note that these pages are not yet restricted. The pages will soon be visible only to members of the Task Force, at which time you can share more sensitive documents and information. If you want to be part of the Task Force, please contact Charlie van Genuchten: charlie.genuchten@geant.org.


GDPR Knowledge Exchange

Summary Press Release State of the Union 2017: A framework for the free flow of non-personal data in the EU

On Tuesday 19 September the European Commission presented a press release, outlining the main regulatory goals of the proposal for a legal framework for the free flow of non-personal data in the European Union. This is the beginning of a long legislative process that may have an impact on GÉANT and our community. This information has been circulated within GÉANT, and I have been advised to forward this to you all.

 

As the main elements of the proposal, the press release underlines: 

 

      1. The establishment of the principle of free flow of non-personal data across borders

 

This means that Member States would no longer be able to oblige organisations to locate the storage or processing of data within their borders. Restrictions would only be justified for reasons of public security. 

 

      2. The establishment of the principle of data availability for regulatory control

 

This principle would enable competent authorities to exercise their rights of access to data wherever it is stored or processed in the EU.

 

      3. EU codes of conduct

 

The proposal envisages the development of EU codes of conduct to remove obstacles to switching between cloud storage service providers and to porting data back to users' own IT systems.

The proposal for a Regulation on a framework for the free flow of data in the European Union was presented on 13 September 2017. It aims to establish the scheme of free, cross-border flow of data within the EU. The key elements of the proposal include the following:

 

      1. Subject matter and scope (Articles 1-2)

 

Article 1 clarifies that the future Regulation would aim to ensure the free movement of non-personal data within the EU and lay down rules relating to data localisation requirements, the availability of data to competent authorities and data porting for professional users. The Regulation would be applicable where the storage or other processing of non-personal data is provided as a service to users residing in the EU, or carried out by a natural or legal person residing or having an establishment in the EU.

 

      2. Principle of the free movement of data (Article 4)

 

This key article establishes the principle of free movement of non-personal data in the EU. It prohibits any data localisation requirement, unless it is justified on grounds of public security.

 

      3. Data availability for competent authorities (Article 5)

 

Article 5 aims to ensure data availability for regulatory control by competent authorities. Users would therefore not be able to refuse to provide access to data required by competent authorities on the basis that such data is stored or further processed in another Member State.

 

      4. Codes of conduct (Article 6)

 

Article 6 obliges the Commission to encourage service providers and professional users to develop and implement codes of conduct detailing the information on data porting.

 

      5. Single points of contact and Committee (Articles 7-8)

 

This institutional part of the proposal establishes bodies that would support the functioning of the free flow of data. Article 7 obliges Member States to designate single points of contact, which would be required to cooperate with each other and with the Commission when it comes to the application of the future Regulation.

 

Next Steps

 

The European Parliament's Committee responsible for the proposal is expected to nominate a Rapporteur to prepare the Parliament's draft position in the coming months.

 

The Council will also work on the proposal in order to reach an internal Council agreement.

 

Once the European Parliament and the Council reach their positions on the proposal, they will carry out 'trilogue' negotiations, assisted by the Commission, with a view to reaching an agreement on the proposal.

 

Member States' ministers are expected to discuss the topic of free flow of data at the EU Digital Summit, scheduled for 29 September 2017.

Documents

Please upload your documents on GDPR Knowledge Exchange



Compliance and Frameworks

Links

UK Information Commissioner on consent and alternatives and Jisc blog post on the draft guidance

SURFnet model processor agreement

Documents

Please upload your documents on Compliance and Frameworks



Impact and Risk Assessment

Links

Article 29 WP final guidance on DPIAs which references approvingly the UK Information Commissioner on Privacy Impact Assessment

Documents

Please upload your documents on Impact and Risk Assessment



Privacy by Design

Links


Documents

Please upload your documents on Privacy by Design



(Shared) Services

Links

Blog posts on how we are categorising Jisc services and how to determine the appropriate legal basis

How we are providing future-proof (we hope) privacy notices for Jisc services

Peer-reviewed papers on how GDPR applies to incident response and big data, including learning analytics

Documents

Please upload your documents on (Shared) Services


