This presentation by Jonas Holm was part of the "Research Data Support Meets Disciplines: Opportunities & Challenges" workshop at LIBER's 2017 Annual Conference in Patras, Greece. For more information, see www.libereurope.eu

1. GDPR
- Thoughts on the
EU Data Protection
regulation, research and
libraries
Jonas Holm
Legal counsel
Stockholm University
Chair, LIBER Legal Working Group
jonas..holm@su.se

2. Disposition
Legal issues for research libraries
A legal backdrop to integrity law
Data protection and personal data -key principles
EU Data protection reform
GDPR Key Findings
Implications for libraries
Questions

3. Legal issues
for research
libraries
Contracts / Licensing
Exceptions and limitations to copyright
E-books
Open Access
Preservation of copyright protected works
Data protection
Open Science / Open research data
Making available copyright protected works
Publishing
Big data – Data mining
Legal deposit
Public access to information and secrecy
Availability for people with disabilities
Digitization

4. A legal backdrop to integrity law
European Convention on Human Rights
EU charter on fundamental rights
National legislation
The right to be forgotten

5. Data protection – what is personal data?
”Each data concerning an identified or identifiable person
that is alive”
An identifiable person is a person that directly or
indirectly can be identified through use of the data.
Data privacy does not include deseased indivduals.

6. What constitutes sensitive personal data?
Race or ethnical heritage
Political views
Religious or philosophical views
Labour union membership
Health
Sexual orientation
Biometric information concerning a person

7. Current (past) legal framework
on Data protection in the EU
Data Protection Directive 95/46/EC
National data protection legislation
Unharmonized application throughout the union

8. EU Data Protection Regulation (GDPR)
Direct application in all
members states from May
25th
2018.
National inquires into the
application underway.
National legislation will
follow

9. Key Changes through the GDPR
Overall goal is to protect all EU citizens from data privacy
breaches in an increasingly data driven world.
Increased territorial scope (extra-territorial
applicability)
Jurisdiction of the GDPR is extended to all entities
processing data of EU citizens, regardless of where the
entity is located

10. Consent and purpose based data processing
All data processing has to be based on informed,
intelligable and specific consent from subjects.
Processing of research data containing personal data has
to be purpose specific, not for general research databases!
Consent can be withdrawn!

11. Breach notification
Under the GDPR, breach notification will become
mandatory in all member states where a data breach is
likely to “result in a risk for the rights and freedoms of
individuals”.
This must be done within 72 hours of first having become
aware of the breach.

12. Right to Access and Right to be forgotten
Right for data subjects to obtain from the data controller
confirmation as to whether or not personal data
concerning them is being processed, where and for what
purpose. Further, the controller shall provide a copy of
the personal data, free of charge, in an electronic fromat
Entitles the data subject to have the data controller erase
his/her personal data, cease further dissemination of the
data, and potentially have third parties halt processing.

13. Privacy by Design
Inclusion of data protection from the onset of the
designing of systems, rather than an addition.
Article 23 GDPR

14. Data Protection Officers
Data controllers must appoint DPO's who:
- Must be appointed on the basis of professional qualities and, in
particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant Data Protection
Agency
- Must be provided with appropriate resources to carry out their
tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could results in a conflict
of interest.​

15. Penalties
Under GDPR organizations in breach of GDPR can be
fined up to 4% of annual global turnover or €20
Million.
This is the maximum fine that can be imposed for the
most serious infringements e.g.not having sufficient
customer consent to process data or violating the core of
Privacy by Design concepts. There is a tiered approach to
fines e.g. a company can be fined 2% for not having their
records in order (Article 28)

16. Implications for libraries
To what extent will the GDPR apply to processing of
personal data in the activities at research libraries and to what
extent does research libraries hold responsibilites for the data
processing?
Due diligence inventory!
- Does high risk projects from a data protection view exist
today?

17. Implications for libraries, cont.
Personal data in infrastructure for library loans and use of
electronic resources
Personal data when digitizing and making available library
collections.
Does research publications publicized at research libraries or
in house university publishers contain personal data?
Personal data in infrastructure for library loans and use of
electronic resources
Personal data when digitizing and making available library
collections.
Does research publications publicized at research libraries or
in house university publishers contain personal data?

18. Implications for libraries, cont.
Does research data published open access or in databases
according to open science policies contain personal data?
Is TDM (Text and Data Mining) activities or other big data
processing (such as the use of algorithms) carried out at the
research library?
Does that material contain personal data?

19. Thanks!
jonas.holm@su.se