Tutors and GDPR

All use of personal data is defined as ‘processing’ – such as collection, organisation, storage, disclosure or deletion. 

Personal data  is defined as any kind of information in which a physical person can be identified, either directly or indirectly. The following includes the types of personal data that will most often be relevant to process in connection with study start: 

General personal data 
Name, email, address details, mobile phone number and payment details

Sensitive personal data
Health conditions, sexual relations or sexual orientation, ethnic origin and political or religious beliefs 

Confidential information 
Civil registration number 

You may process all types of information as long as it is relevant to your work. Remember to take diligent care of all types of information but that confidential and sensitive personal data must be taken particular care of. Therefore, think twice about printing a list of allergies or leaving your computer open to others. Remember to store emails containing confidential and sensitive information only in Outlook and not on your PC desktop.

Remember the following and you are well on your way:

• Collect only the personal data that is strictly necessary for solving your tasks. This will typically be name and contact information.
• Use the BCC field when sending emails to multiple recipients so that those who receive the mail cannot see who else you have sent it to.
• Store the information securely (e.g. in your mail) and delete the information/emails when you no longer need it/them (including in ‘sent mail’ and ‘deleted mail’). If you receive an email from a private email address, reply to the SDU email address. 
• Only print if strictly necessary. Restricting printing reduces the risk of unauthorised persons accessing information they are not permitted to access. 
• Remember that your duty of confidentiality also includes personal data. However, information may be shared internally within the steering committee as long as it is necessary in your work.

Publication of images and video of recognisable persons on the internet and on social media is regarded as electronic processing of personal data. Therefore, it is also covered by the GDPR. This also applies in closed Facebook groups. 

When taking pictures/video, always: 

• Make sure the image/video is harmless (this is an overall evaluation)
• Take into account the nature of the image, the context in which the image appears and the purpose of its publication

This means that the people in the images should not reasonably feel exposed, exploited or offended. This will be an overall evaluation, but two people kissing will not usually be regarded as harmless. It is an intimate situation that can be offensive to publish. The same applies to visitors in a nightclub or similar. 

Before taking pictures/video, it is always a good idea to ask permission or allow people to step out of the picture. Disclose where you intend to publish the picture. If some of the participants do not wish the image to be published on Facebook, for example, you should respect their wishes.