‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
DPO. Among other duties: act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights
It isn’t clear if “scientific or historical research” applies to authority data, or if this data is stored for the “legal obligation”
1 – According to the legal definition of “personal data”, it is, because it allows a living person to be identified (a name string, a date of birth, a URI). “Sensitive data” is less likely to be included. 2 – Should the same rules apply to an authority file as to a customer database, or even a library users’ file?
General Data Protection Regulation (GDPR) and library
National Library of Spain
VIAF Council meeting
24th August 2018, Kuala Lumpur
Supersedes the Data Protection Directive 95/46/EC
Adopted in April 2016, enforced from 25 May 2018. It has 98 articles and 173 whereas clauses.
It’s a regulation, so it’s directly binding and applicable in Member States.
Extra-territorial applicability: it applies to all companies processing the personal data of
individuals residing in the Union, regardless of the company’s location or where the data is
United Kingdom passed the Data Protection Act 2018, with equivalent regulations and
Strengthen citizens' fundamental rights in the digital age. Give control to
citizens over their personal data
Harmonize and simplify the rules throughout the European states
Personal data is any information that relates to an identified or identifiable individual. (art. 4)
This Regulation does not apply to the personal data of deceased persons. (whereas clause 27)
Processing means any operation on personal data, such as collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available… (art. 4)
GDPR for organizations
- Legal basis for processing (art. 6) (Can we process data?):
  - Consent (explicit, clear and unambiguous)
  - Legal obligation (legal deposit?)
  - Public interest
  - Organisation’s legitimate interest
- Processing of data must be (art. 5):
  - According to, and only the data necessary, the stated specific
  - Stored no longer than necessary.
  - Accurate and up-to-date.
GDPR for public administration
- Personal data usually processed on the basis of a legal obligation or
- A Data Protection Officer is mandatory.
- Individuals may contact a public administration to exercise their rights
under the GDPR.
- Individuals have a right to object to the processing of personal data by
the public administration on grounds of public interest.
GDPR for citizens (Chapter III)
Citizens have the right to:
- demand information about the processing
- access the data
- ask for corrections of inaccurate data
- data erasure (formerly known as right to be forgotten)
- object to the processing of data
- receive personal data in a machine-readable format and send it to
- request that decisions based on automated processing are made
by natural persons.
Consent can be skipped if there is legal obligation or
public interest for collecting data
Data erasure and other rights are limited by:
Freedom of expression safeguards.
Archival exemptions (provided the institution has
the legal obligation to preserve).
Scientific or historical research.
Those limits are not automatic. Member States decide whether or not to introduce them.
BIG QUESTIONS REMAIN
Considerations of authority data:
• Is it “personal data”? Could there be other
• What’s the legal framework for an authority file?
• Can the “public interest” or “legal obligation” be
invoked to skip consent?
• Can we deny “right to be forgotten” on those
• Can we freely distribute authority data (to VIAF,
Hide pseudonymous relationships
Deletion of resources
Deletion of authority record
VIAF is an aggregator of sources.
- Who has responsibility for the data?
VIAF is a “third party”:
- Should it reflect the data policy of member institutions?
Case 1: an institution acknowledges an individual’s data rights. Should this extend to
VIAF or other libraries?
- Should VIAF policy influence data policy of member institutions?
Case 2: VIAF grants an individual data rights. Should this extend to libraries?
Some issues with VIAF
GDPR: legal text
European Union official webpage
IFLA leaflet on GDPR
National Library of Spain
Images : Biblioteca Digital Hispánica
Template and fonds: SlidesCarnival