The regulation on the protection of personal data governs, in each school, and all the more effectively where the instrument is well structured, the organizational measures and the internal processes for implementing EU Regulation No. 679/2016 (RGPD) for the purposes of processing personal data for institutional purposes in the Institute.
But what exactly is meant by institutional functions? By institutional functions we mean those:
- Provided for by law, by the Three-Year Plan of the Educational Offer (PTOF), by regulations and by general administrative acts;
- Exercised in implementation of conventions, agreements as well as on the basis of programming and planning tools provided for by current legislation;
- Carried out for the exercise of the organisational, administrative and financial autonomy of the institute;
- In execution of a contract with the interested parties, if stipulated in relation to its institutional purposes and tasks.
How does data processing take place?
The owner (the data controller) guarantees that the processing of data, for the protection of natural persons, takes place in compliance with fundamental rights and freedoms and with the dignity of the interested party, with particular reference to confidentiality, personal identity and the right to the protection of personal data, regardless of nationality or residence. The owner, within the scope of his functions, manages the archives and databases respecting the rights, fundamental freedoms and dignity of persons, with particular reference to confidentiality and personal identity. For the purposes of protecting the rights and freedoms of natural persons with regard to the processing of personal data, all processes, including the administrative procedures under the responsibility of the data controller, must be managed in accordance with the provisions of the Code, the RGPD and the Regulation, an outstanding model of which we attach to this article. The proposed example is the one created, masterfully, by the “Crosia Mirto” State Comprehensive Institute of Crosia Mirto in the province of Cosenza, led with exceptional managerial and organizational competence by the Headmaster Dr. Rachele Anna Donnici.
What is meant by personal data
The principles of the RGPD are fully implemented in the internal legal system of the owner, as a result of which the personal data are:
- Treated in a lawful, correct and transparent manner in relation to the interested party (“lawfulness, correctness and transparency”);
- Collected for specified, explicit and legitimate purposes, and not further processed in a way that is incompatible with those purposes; further processing of personal data for archiving purposes in the public interest, scientific or historical research or statistical purposes is not considered incompatible with the initial purposes (“purpose limitation”);
- Adequate, pertinent and limited to what is necessary with respect to the purposes for which they are processed on the basis of the “data minimization” principle;
- Accurate and, if necessary, updated; all reasonable measures must be taken to promptly erase or rectify data that are inaccurate with respect to the purposes for which they are processed, on the basis of the “accuracy” principle;
- Stored in a form that allows identification of data subjects for a period of time not exceeding that necessary to achieve the purposes for which they are processed; personal data may be stored for longer periods provided that they are processed exclusively for archiving purposes in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1) GDPR, subject to the implementation of the technical and organizational measures required by this regulation to protect the rights and freedoms of the interested party, on the basis of the principle of “limitation of conservation”;
- Processed in such a way as to ensure adequate security of personal data, including protection, through appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage, on the basis of the principles of “integrity and confidentiality”;
- Configured by minimizing the use of personal data and identification data, so as to exclude their processing when the purposes can be pursued through anonymous data or with the use of appropriate methods that allow the data subject to be identified only in case of need (“principle of necessity”).
The owner is responsible for compliance with the principles set out above, and must be able to demonstrate it, on the basis of the principle of accountability.
The legal documents
- Code regarding personal data (Legislative Decree n.196/2003);
- Guidelines and recommendations of the Guarantor;
- EU GDPR 679/2016 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/EC;
- Law 25 October 2017, n. 163 (art. 13), containing the delegation for the adaptation of national legislation to the provisions of the RGPD (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as on the free movement of such data and repealing Directive 95/46/EC;
- Legislative Decree no. 101/2018 of adaptation of the internal regulation to the RGPD;
- Statements by the Article 29 Data Protection Working Party (WP29) – 14/EN;
- Guidelines on Data Protection Officers (DPOs) – WP243 Adopted by the Art. 29 Working Party on 13 December 2016;
- Guidelines on the right to “data portability” – WP242 Adopted by the Art. 29 Working Party on 13 December 2016;
- Guidelines for the identification of the lead supervisory authority in relation to a specific Data Controller or Data Processor – WP244 adopted by the Art. 29 Working Party on 13 December 2016;
- Guidelines concerning the assessment of the impact on data protection as well as the criteria for establishing whether a processing operation “may present a high risk” pursuant to Regulation 2016/679 – WP248 adopted by the Art. 29 Working Party on 4 April 2017;
- Guidelines elaborated by the Art. 29 Working Party on the application and definition of administrative sanctions – WP253 adopted by the Art. 29 Working Party on 3 October 2017;
- Guidelines developed by the Art. 29 Working Party on automated decision-making and profiling – WP251 adopted by the Art. 29 Working Party on 6 February 2018;
- Guidelines drawn up by the Art. 29 Working Party on data breach notification – WP250 adopted by the Art. 29 Working Party on 6 February 2018;
- WP29 opinion on purpose limitation – 13/EN WP 203;
- International standards relating to the protection of personal data;
- Internal regulations, approved by the owners and/or managers.
Protection of personal data at school: what is meant. Download example of regulation – Horizon School News