The General Data Protection Regulation (GDPR) strengthens citizens' rights in the digital age and harmonizes data protection rules across the EU, enforcing rights regarding personal data and establishing legal bases for its processing. It applies to all companies handling the personal data of individuals in the EU, mandates a data protection officer for public administrations, and outlines citizens' rights to access, correct, and erase their data. Key considerations include the definitions of personal and sensitive data, legal obligations, and the balance between public interest and individual rights.

1. General Data Protection
Regulation (GDPR) and library
authority data
Ricardo Santos
National Library of Spain
Prepared for:
VIAF Council meeting
24th August 2018, Kuala Lumpur

2. GDPR Facts
Supersedes the Data Protection Directive 95/46/EC
Adopted in April 2016, enforced in 25 May 2018. It has 98 articles and 173 whereas clauses.
It’s a regulation, so it’s directly binding and applicable in Member States.
Extra-territorial applicability: it applies to all companies processing the personal data of
individual residing in the Union, regardless of the company’s location or where the data is
processed .
United Kingdom passed the Data Protection Act 2018, with equivalent regulations and
protections
2

3. Goals
Strengthen citizens' fundamental rights in the digital age. Give control to
citizens over their personal data
Harmonize and simplify the rules throughout the European states
3

4. “
Personal data is any
information that relates to an
identified or identifiable
individual. (art. 4)
This Regulation does not apply to the personal
data of deceased persons. (whereas clause 27)
4

5. “
Processing means any operation on
personal data, such as collection,
recording, organization, structuring,
storage, retrieval, consultation, use,
disclosure by transmission,
dissemination or otherwise making
available… (art. 4)
5

6. GDPR for organizations
- Legal basis for processing (art. 6) (Can we process data?):
- Consent (explicit, clear and unambiguous)
- Legal obligation (legal deposit?)
- Public interest
- Organisation’s legitimate interest
6
- Processing of data must be (art. 5):
- According to, and only the data necessary, the stated specific
purposes.
- Stored no longer than necessary.
- Accurate and up-to-date.

7. GDPR for public administration
- Personal data usually processed on the basis of a legal obligation or
public interest.
- A Data Protection Officer is mandatory.
- Individuals may contact a public administration to exercise their rights
under the GDPR.
- Individuals have a right to object to the processing of personal data by
the public administration on grounds of public interest.
7

8. GDPR for citizens (Chapter III)
Citizens have the right to:
- demand information about the processing
- access the data
- asking for corrections of inaccurate data
- data erasure (formerly known as right to be forgotten)
- object to the processing of data
- receive personal data in a machine-readable format and send it to
another controller.
- request that decisions based on automated processing are made
by natural persons.
8

9. Exceptions
& Limits
Consent can be skipped if there is legal obligation or
public interest for collecting data
Data erasure or others are limited by:
Freedom of expression safeguards.
Archival exemptions (provided the institution has
the legal obligation to preserve).
Scientific or historical research.
Those limits are not automatic. Member states should
introduce them or not.
9

10. BIG QUESTIONS REMAINS
Considerations of authority data:
• Is it “personal data”? Could there be other
“sensitive data”?
• What’s the legal framework for an authority file?
• Can the “public interest” or “legal obligation” be
invoked to skip consent?
• Can we deny “right to be forgotten” on those
grounds?
• Can we freely distribute authority data (to VIAF,
for instance)?
10

11. Claimings accepted 
Data correction.
Hide pseudonymous relationships
Hide dates
BNE experiences
Claimings rejected 
Deletion of resources
Deletion of authority record
11

12. VIAF is an aggregator of sources.
- Who has the responsability for data?
VIAF is a “third party”:
- Should reflect data policy of member institutions?
Case 1: an institution acknowledge an individual data rights. Should this extend to
VIAF or other libraries?
- Should VIAF policy influence data policy of member institutions?
Case 2: VIAF grants an individual data rights. Should this extend to libraries?
Some issues with VIAF
12

13. GDPR: legal text
European Union official webpage
IFLA leaflet on GDRP
More info
13

14. 14
Thanks!
Ricardo Santos
National Library of Spain
ricardo.santos@bne.es
Images : Biblioteca Digital Hispánica
Template and fonds: SlidesCarnival