...
Each university is responsible for ensuring the legal basis for data processing (e.g. informed consent of their students ) prior to exchanging their personal information with partner institutions through EWP.
Data controller’s responsibility to assess GDPR-compliance
Each university is responsible for assessment of GDPR-compliance when implementing services for student mobility (including the EU-products).
The following subjects should be assessed:- The
- The purpose of the data processing.
...
- The legal basis for the data processing (including the need of Data Processing Agreement).
...
- The obligation to inform the data subjects (students) about the processing (Privacy Statement).
...
- Solutions and procedures for rectification, erasure or restricting of the data processing.
...
- Risk assessment of the data processing.
- Data Data protection measures and procedure for discrepancy processing.
Data protection measures in the EWP infrastructure
Further efforts involving the European Commission and National Authorities are underway to ensure that the data minimization is systematically applied to the EWP data dictionaries, which are based on the official templates set out by EU.