The General Data Protection Regulation, referred to simply as the “GDPR”, is Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016. It concerns the protection of natural persons with regard to the processing of personal data and the free movement of such data.
The GDPR covers the processing of ‘personal data’ that relates to ‘data subjects’ by or on behalf of a ‘data controller’. ‘Personal data’ is defined as any information that relates to an identified or identifiable natural person (the ‘data subject’). An identifiable natural person is anyone who can be identified, either directly or indirectly, by reference to anything that can ultimately identify them. This includes a name, an identification number, location data, an online identifier, or data that relates to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The ‘data controller’ bears the responsibility to prove that it is properly following the guidelines and regulations regarding the acquisition and management of personal data. The Regulation includes the following principles regarding the handling of personal data:
- Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation: Personal data must be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Personal data that is known to be inaccurate is to be erased or rectified without delay.
- Storage limitation: Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary.
- Integrity and confidentiality: Personal data must be processed in an appropriately secure manner including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by the use of appropriate technical or organizational measures.
- Accountability: The data controller is responsible for, and has to be able to demonstrate compliance with, the principles stated above.
In addition to the principles listed above, data controllers must also meet at least one of the following criteria (the lawful bases for processing):
- Obtain consent: The data subject must give clear consent to the processing of his or her personal data for one or more specific purposes.
- Performance of a contract: Data processing is necessary for the performance of a contract with or on behalf of the data subject. For associations, membership and the delivery of services can be considered a contract. “Necessary” is a key element here, however: regulators and the courts are likely to interpret this narrowly, and convenience is not the same as necessity!
- Compliance with a legal obligation: Data processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Vital interests: Data processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Public interest: Data processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. To meet this requirement it is likely to be in the interest of the public in the relevant Member State – US public interest will not be sufficient.
- Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
BIBM has a Registry where all processes of data management are described.
A distinction is made between “Internal data” and “External data”:
- “Internal data” are the personal data of data subjects provided to BIBM by its members for the performance of the duties of the association towards its members (exchange of information, invitation to events organised or co-organised by BIBM, etc.). These data are dealt with under criterion 2 above (performance of a contract), enforced by the General Assembly through an “Internal regulation” that defines the use of data provided by members.
- “External data” are the personal data of all other data subjects who are relevant to the legitimate interests pursued by BIBM, as defined in its statutes, or who have given express consent to the processing of their data by BIBM. These data are dealt with under criteria 1 and 6 above (consent and legitimate interests); the list of practical steps is described below.
Internal regulation to deal with personal data – “Internal data”
An internal regulation, approved by the BIBM General Assembly, applies to data provided by BIBM members (“Internal Data”). This regulation is available to BIBM members on simple request to the BIBM Secretariat.
The Processing of Data provided by Members in the field of the Association Objectives (see statutes) is considered to fall under the “Performance of a Contract” between BIBM and its members.
Internal regulation to deal with personal data – “External data”
This internal regulation applies to data provided and collected by means other than provision by BIBM members (“External Data”). It is based on the following considerations:
- GDPR requires organisations to protect natural persons whilst processing their personal data;
- BIBM wishes to establish a system to comply with such Regulation covering the acquisition, storage, management and deletion of personal data;
- The processing of data other than those provided by Members in the field of the Association Objective (see statutes) can be done either through “express consent” or in pursuit of the “Legitimate Interests” of the association.
The processing of such personal data is considered to comply with the above-mentioned Regulation if the following 4 points are achieved:
Personal Data may be acquired and processed by BIBM in the fields of its legitimate interests in the following ways only:
- By obtaining consent (e.g. subscription to the newsletter);
- By acquisition of publicly available data on the internet (e.g. directories of the European Commission or Parliament);
- By receiving a business card;
- By receiving an e-mail.
Personal Data are stored on the computers of the BIBM Secretariat; all computers are password protected. No external Contact Management System is presently employed. The e-mail provider's database also claims compliance with the GDPR provisions.
The Secretariat undertakes to use the personal data it acquires for the achievement of the Association's objectives, as set out in its statutes.
The Secretariat will delete the personal data of anyone who asks for it within 5 working days from the moment it is made aware of the request. Requests shall be sent to firstname.lastname@example.org