June 15, 2018
Bulletin interne de l'Institut Pasteur
Focus on the General Data Protection Regulation: Part 2 – Personal data
The General Data Protection Regulation, or GDPR, came into force on May 25. Most of you will be only too aware of the regulation already, given the flurry of activity it has generated on the web in recent weeks!
But what exactly do we mean by personal data?
Personal data is any information that can be used to directly or indirectly identify an individual. It goes without saying that a person's first/last name and email address are data that can be used as a direct means of identification. But more broadly, personal data also include login details, location data, an ID number, a photo showing a face, a telephone number, a postal address or initials associated with a date of birth. By cross-referencing this information, a person's identity can be pinpointed.
Some data fall into specific categories, such as health data, biometric data, genetic data and data about a person's ethnic origin.
The GDPR strengthens the applicable legislation for processing these personal data.
The EU regulation identifies three people involved in processing personal data who have specific rights and responsibilities:
-
The controller, in other words the person who determines the purposes and means of data processing: the Institut Pasteur, via any scientist or administrative staff member using a file or database containing personal data. If the responsibility is shared, the term used is "joint controllers". This may occur, for example, in a joint research project between the Institut Pasteur and the CNRS.
-
The processor, or the person who carries out data processing on behalf of a controller: this may be a supplier or service provider (e.g. a CRO, hosting service provider, etc.).
-
The data subject: this may be you if you share personal data, especially with your employer. It may also be a third party: patients, study participants, suppliers, donors, candidates, etc.
What is processing?
An operation or set of operations performed on personal data, such as collection, storage, use, consultation, erasure, destruction, etc.
If you have any questions or requests, please contact: rgpd@pasteur.fr