The Romanian Association of Privacy and Data Protection Specialists in Romania (ASCPD) expresses its concern regarding statements made in the public space, belonging to Prime Minister Ludovic Orban, in which he uses the term "bazaconie” ("naughtiness”) to answer a question at the press conference held on of 02.10.2020, a question that had as a subject the invocation of GDPR by teachers.
It is not clear from Prime Minister Ludovic Orban's statement what he meant when he used the term "bazaconie" ("naughtiness”) and there are two ways in which we can interpret this unfortunate statement.
When it comes to “ teachers invoking the GDPR to avoid online lessons ”, we should all acknowledge that there are good reasons why these teachers worry about protecting students' personal data, most of them students being minors, but also of teachers and parents. Teachers complain that the school moved online in a hurry, without clear rules, without personal data protection measures, using insecure and vulnerable applications.
We present you ten examples of practices encountered in Romania in the process of tele-education that violate EU Regulation 2016/679, generating considerable risks to the fundamental rights and freedoms of all actors involved in online education:
- Use of poorly secured communication platforms, with dozens of security incidents transferring data to the US, in breach of the CJEU decision in case C 311/18, on the invalidation of the Privacy Shield.
- Use of own, unsecured terminals of teachers and students, without antivirus, without passwords and use of internet sources (often domestic), without security;
- Lack of adequate training for teachers for the use of online platforms that has led to security incidents;
- Transmission of login codes and passwords on Facebook or Whatsapp groups;
- The use of communication methods between school and students without complying with art. 28 of the GDPR, respectively the conclusion of written agreements between the school (personal data operator) and the IT solution provider (authorized person);
- Use of free yahoo or gmail accounts by schools for professional purposes;
- Use by teachers in communication with students and parents of personal e-mail addresses.
- Lack of information about the personal data storage spaces of teachers, students and their parents;
- Lack of operational procedures leading to a lack of transparency in the teaching of tele-education lessons.
- Capturing and storing images (photo / video) with students in order to demonstrate support for online classes without unitary procedures regarding the management of equipment that can be stored, storage time, where data is transmitted, etc.);
In the scenario in which the term “bazaconia” was used to refer to EU Regulation 2016/679 (GDPR) would mean that the Romanian state violates the provisions of the Treaty on the Functioning of the European Union, which in art. 16 clearly stipulates that every European citizen has the right to the protection of personal data.
European Regulation 679/2016 is a normative act, unitary and valid in all EU Member States, which protects the fundamental rights of European citizens, being created in accordance with Article 16 TFEU, as well as Articles 6, 7 and 8 of the Charter of Fundamental Rights of the European Union: The right to liberty and security, the right to respect for private and family life and the right to the protection of personal data.
We are concerned about the way in which data subjects and personal data controllers might draw wrong conclusions from this statement, given the poor awareness of the importance of personal data protection in Romania and the even lower degree of compliance with the Regulation in Romania.
We would like to emphasize, once again, the need for the Romanian authorities to launch a large-scale campaign on the rights of data subjects and the obligations of data controllers, in the context of the fast implementation of digitization , especially during this current epidemiological crisis .
" Unfortunately, we needed this virus to pay more attention to the benefits of digitization and today we talk more than ever about tele-work, telemedicine, tele-education and especially about fake news. We must also realize that all this digitization, on fast forward, comes with the assumption of risks that I would like to be aware of from the beginning. I don't think we are ready yet to embrace digitalization and make the most of its benefits. Following the recommendations of the Romanian authorities, several companies and institutions decided to accept, overnight, that their employees should work from home. From a legal point of view, we were prepared, the Romanian legislation had clear provisions regarding telework, and most companies have now signed with each employee only one additional act to the employment contract, in order to fulfill this bureaucratic formality. Very few organizations have invested in securing equipment and communication channels, often choosing the fastest and cheapest solutions, most often using employees' own equipment. We watched as the number of security incidents increased, with an estimated increase of over 300%, usually through phishing campaigns, affecting thousands of computers, based on the naivety of users who now read any email related to this Coronavirus. I would have liked to talk about the digitalization of the Romanian business environment, as well as of the public administration, in other conditions than today ” , declares Marius Dumitrescu, President of ASCPD.
“ Romania, being a signatory to the Treaty on the Functioning of the European Union, which represents the Constitution of Europe, has assumed the responsibility of complying with all the provisions of this European document as well as the subsequent acts. This responsibility must not only be a formal one, through the coercion of these provisions, but also a moral one, which the national actors must assume at the level of discourse and promoted values. ”, declares Cristiana Deca, Vice President of ASCPD.
Finally, we emphasize that there are solutions for all these problems reported and ASCPD supports the process of digitization of Romanian education, in compliance with the provisions of Art. 32 of the GDPR. In this way, we remind school institutions that they have the obligation to appoint a Data Protection Officer, and his role is to advise and guide the organization in compliance with the provisions and principles of GDPR and ensure that this balance between legal obligations and public and commercial interests.
In the same time, ASCPD expresses its willingness and desire to invite to the dialogue the Ministry of Education, school institutions and their representatives to provide support in creating a coherent operational framework, to provide a safe educational climate for students and teachers and to agree with the provisions of Regulation 679/2016 (GDPR).
About the Romanian Association of Specialists in Privacy and Data Protection (ASCPD)
The Association of Privacy and Data Protection Specialists (ASCPD) is created to inform and bring together professionals wishing to successfully manage the implementation of the General Data Protection Regulation 2016/679 and related legislation, acting as an advisory body. professional for individuals and organizations. ASPDC is a non-governmental, autonomous, apolitical and non-profit organization that helps to define, support and improve the profession of Data Protection Officer and other specialists in the field and operates in accordance with the provisions of GO no. 26/2000.
The ASCPD guides data protection officers and other data privacy specialists in resolving many legal, technical and organizational issues in order to strike an appropriate balance between the interests of data subjects, who need protection, and those of operators.
The objective of the ASCPD is to provide concrete solutions to the problems faced by privacy and data protection specialists, to raise awareness of the legislation and to provide its members with a forum in which these topics can be debated, as well as a place continuous professional training. ASCPD advocates for raising awareness of privacy-threatening technologies and laws to ensure that the public is informed and involved.
After a period of 12 months of monitoring the activity of ASCPD in Romania, the members of the Confederation of European Organizations for Data Protection (CEDPO) approved in April 2020, the accession of the Romanian organization, thus becoming the tenth full member.
The Confederation of European Data Protection Organizations (CEDPO) is an “umbrella organization” that brings together the most representative national data protection associations in the European Union. CEDPO was founded in September 2011 by the French Association of Correspondents for the Protection of Personal Data (AFCDP, France), Asociación Profesional Española de Privacidad (APEP, Spain), Gesellschaft fur Datenschutz und Datensicherheit eV (GDD, Germany) and the Netherlands Genootschap van Functionarissen voor de Gegevensbescherming (NGFG, The Netherlands). From the moment of its founding in 2011 until the accession of the Association of Specialists in Confidentiality and Data Protection (ASCPD) , only five other organizations were invited to join the Confederation: ADPO from Ireland, ARGE Daten from Austria, ASSO DPO from Italy, SABI from Poland and AEPT from Portugal
The purpose of this Confederation is to promote the role of the Data Protection Officer (DPO) and to advocate for a balanced data protection system based on practical experience and efficiency. In addition, CEDPO actively contributes to better harmonization of data protection legislation and practices in the European Union (EU) and the European Economic Area (EEA), uniting all member organizations in one voice and thus capitalizing on the rich and diverse experience. of CEDPO member associations, who have practical knowledge of the issues surrounding the role and position of the DPO, as well as the day-to-day challenges they face.CEDPO is also an active interlocutor for European decision-makers and data protection authorities in the context of the adoption and implementation of the General Data Protection Regulation (GDPR), its proposals playing an important role in defining current legislation, in particular as regards position regulation and the role of the Data Protection Officer (DPO). The EDPS also participated in the modernization of Council of Europe Convention 108 ("Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data"), supporting better recognition of the crucial role that the DPO plays in data protection in the days to come. our. More details about the association's projects can be found on www.ascpd.ro
Contact: Marius Dumitrescu, firstname.lastname@example.org, 0769041200