Data Privacy
Content
- Legal bases
- Personal data
- Legal bases for processing
- Protection mechanisms
- Deleting files
- Printing personal data
- General information
1. Legal bases
The legal bases are
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), which has been in force since 25 May 2018, and
- the Hessian Data Protection and Freedom of Information Act (HDSIG) in the version dated 3 May 2018, which supplements the GDPR for the processing of personal data by the public authorities of the state, municipalities and districts.
The Federal Data Protection Act (BDSG) essentially applies to federal authorities.
2. Personal data
The subject of data protection is personal data.
Personal data is any information relating to an identified or identifiable natural person (“data subject”) (Art. 4 No. 1 GDPR).
A natural person is regarded as identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3. Legal bases of the processing
Insofar as the processing of personal data requires the consent of the data subject, Art. 6 para. 1 lit. a GDPR serves as the legal basis.
In the processing of personal data necessary for the fulfilment of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
Insofar as the processing of personal data is necessary for compliance with a legal obligation to which Fulda University of Applied Sciences is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or of another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Fulda University of Applied Sciences, Art. 6 para. 1 lit. e GDPR in conjunction with a relevant specialised federal or state law serves as the legal basis for the processing.
4. Protection mechanisms
- The processing of personal data on publicly accessible workstations is prohibited.
- Workstations in offices must be specially protected if personal data is processed on them.
- The office must be locked when it is left.
- The login to the computer must be protected by a secure password.
- Starting the workstation computer (boot process) must be protected by a password (“BIOS password”, see the sections “Functions” and “Security” in the German explanation of the BIOS or, better explained, the section “Configuration” in the English explanation of the BIOS). This protection must also be effective if an intruder wants to start the computer with his own CDROM, DVD, memory stick or similar medium. If the computer does not have such password protection, the personal data may only be stored encrypted on the hard disc.
- The computer must either be secured against theft or it may only be operated with removable hard drives that are stored in a burglar-proof cabinet at night.
- On portable data carriers (hard disks in notebooks, removable discs, CDROM, DVD, memory stick, etc.), personal data may only be stored encrypted.
- On network drives of the university, the Hessenbox and similar external storage media, sensitive personal research data within the meaning of Art. 9 GDPR, which regulates the processing of special categories of personal data, may only be stored encrypted. The encryption of the data is the responsibility of the person who stores the data on these storage media.
- If the computer’s operating system supports the protection of personal data, the appropriate protection mechanisms must be used.
5. Deletion of files
The normal command for deleting a file only deletes the name of the file from internal system lists (e.g. the file directory), while the file content is not destroyed. Memory areas of deleted files can, under certain circumstances (with some effort and appropriate knowledge), be turned into readable files again. Destroying the file contents is only possible with special operating system commands (these commands are only provided by some operating systems) or special programmes.
If a data carrier on which personal data is stored is to be released for general operation or deleted, all file contents must first be destroyed.
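The following is an added illustration, not part of the university's page: a deliberately simplified model of a disk with a directory table, showing why an ordinary delete command leaves the file content recoverable by a tool that scans the raw blocks, and why overwriting those blocks is what actually destroys it. The block size, the sample student record and all names in the code are constructed for the example.

```python
"""Toy disk model (constructed for illustration) showing the difference between
removing a file's directory entry and destroying its content."""

import os
from dataclasses import dataclass, field

BLOCK_SIZE = 16  # constructed, deliberately tiny so the blocks are easy to inspect


@dataclass
class ToyDisk:
    n_blocks: int
    blocks: list = field(init=False)
    directory: dict = field(default_factory=dict)  # file name -> list of block numbers

    def __post_init__(self):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(self.n_blocks)]

    def _free_blocks(self):
        used = {b for blks in self.directory.values() for b in blks}
        return [i for i in range(self.n_blocks) if i not in used]

    def write_file(self, name: str, data: bytes) -> None:
        """Allocate free blocks, store the content there and record the name."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("toy disk full")
        used = []
        for chunk, blk in zip(chunks, free):
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\0")
            used.append(blk)
        self.directory[name] = used

    def unlink(self, name: str) -> None:
        """The 'normal' delete: only the directory entry goes, the blocks are untouched."""
        del self.directory[name]

    def wipe_and_unlink(self, name: str, passes: int = 1) -> None:
        """Overwrite every block of the file with random data, then zero it,
        and only then remove the name (what a secure-delete tool does)."""
        for blk in self.directory[name]:
            for _ in range(passes):
                self.blocks[blk] = os.urandom(BLOCK_SIZE)
            self.blocks[blk] = bytes(BLOCK_SIZE)
        del self.directory[name]

    def carve(self, needle: bytes) -> bool:
        """What a recovery tool does: scan the raw blocks and ignore the directory."""
        return needle in b"".join(self.blocks)


def demo() -> dict:
    """Run both deletion styles on the same constructed record and report
    whether a raw-block scan can still find it."""
    disk = ToyDisk(n_blocks=8)
    record = b"Name: Erika Mustermann; Matr.-Nr.: 0000000"  # constructed sample record
    needle = b"Erika Mustermann"

    disk.write_file("students.txt", record)
    disk.unlink("students.txt")
    listed_after_unlink = "students.txt" in disk.directory
    recoverable_after_unlink = disk.carve(needle)

    disk.write_file("students.txt", record)
    disk.wipe_and_unlink("students.txt")
    recoverable_after_wipe = disk.carve(needle)

    return {
        "listed_after_unlink": listed_after_unlink,        # False: the name is gone
        "recoverable_after_unlink": recoverable_after_unlink,  # True: the content is not
        "recoverable_after_wipe": recoverable_after_wipe,  # False: blocks overwritten
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model captures the mechanism the section describes, but on real hardware an in-place overwrite is not always enough: journaling and copy-on-write file systems may keep older copies of the blocks, and SSD wear levelling can redirect the write to a different physical cell, which is why secure-erase functions of the drive or keeping the data encrypted from the start (and destroying the key) are the dependable routes for data carriers that leave your control.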
6. Printing personal data
Personal data may only be printed out if the printout is personally supervised.
7. General notes
Any person who works with personal data should carry out their work particularly responsibly, as all protection mechanisms only fulfil their purpose if they are taken seriously by those involved.
Finally, a few general tips:
- Do not leave any written documents lying around that reveal your passwords.
- Do not allow any other person to work under your ID.
- Collect output lists and data carriers with personal data in person instead of having them sent to you.
- Do not leave portable data carriers (CDROM, DVD, memory stick, etc.) with personal data lying around, but lock the data carriers in a burglar-proof cabinet before you leave the office.
- Store personal data on portable data carriers only in encrypted form.
**Remember that you personally are primarily responsible for the protection of the data entrusted to you.**
Administrative regulations of the Hessian ministries
Content
- Overview
- Information security guideline for the Hessian state administration
1. Overview
The administrative regulations are published on the page Hesse Law - Legal and administrative regulations (https://www.rv.hessenrecht.hessen.de) and can be read or downloaded there.
2. Information security guideline for the Hessian State Administration
The Information Security Guideline for the Hessian State Administration was issued by the Ministry of the Interior and for Sport on 01 November 2021 and published in the State Gazette on 22 November 2021. If you want to read the publication, select in the State Gazette the year 2021 in the annual overview on the left-hand side, then issue 47/2021 in the table of contents, and then page 1517.
The regulations of the Information Security Guideline for the Hessian State Administration are based on, among other things, the Basic Protection Standards and the [Guideline for Information Security in Public Administration](https://www.it-planungsrat.de/fileadmin/beschluesse/2019/Beschluss2019-04_TOP12_Anlage_Leitlinie.pdf).