INSPIRE Community Forum

GDPR & INSPIRE Directive

105 Views

As on 25 May the GDPR Directive will come into force and few information can be found in relation with INSPIRE Directive, does anyone made a more deep research to know what a data/service provider should change in order to comply to GDPR ?

If looking at the metadata files there are at least the email addresses of the point of contact and of responsible parties that in some cases contains emails such as surname.name@organisation. Is the assumption correct that those email addresses should change into something as for example inspire@organisation ?

Assuming that the service provider is not monitoring the IPs from where the services are accessed, are there any other changes that need to be performed except the email addresses ?

Searching on Google about INSPIRE and GDPR only few resources are found. There are any INSPIRE guidelines, PPTs, or any other documents related to GDPR and INSPIRE that can be read ?

Iurie

Replies

    • Public

    By Katharina SCHLEIDT

    Hi Iurie,

    thanks for bringing this up!

    I like your approach of providing generalized mail addresses for contacts, although leaving those clean should also be possible, as not private mail address but company one (would be different if employees were required to provide their private mail address).

    Things get even trickier as some aspects of the GDPR are then redefined in national legislation (the Austrian legislation is still work-in-progress, but from what I've been reading in the media, the current approach is to lock down all governmental data under privacy considerations, while making personal data of individual citizens fairly open (plans for "anonymizing" personal medical data by replacing the name by an "anonymous" number, oh dear!!!))

    What worries me more is the data itself, from what I've been picking up, the GDPR can be interpreted to imply that all spatial data could impinge on somebodies privacy, thus all INSPIRE data must be restricted just in case.

    And yes, some official statements would be most valuable!!!

    :)

    Kathi

     

    • Public

    By Iurie MAXIM

    Hi Kathi,

    Email addresses of the point of contact and of responsible parties in the metadata files are mandatory according to EC Regulation, so they cant be left empty (see http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32008R1205&from=EN).

    Related to data, at least for the data themes that I know, I do not see any element/attribute that can contain personal data that fall under GDPR.

    I asked this question related to GDPR & INSPIRE as all media in our country is touching this subject and there are a lot of people talking about this subject right now, while at least for INSPIRE I have no clue what is necessary to be done in order to fulfill both INSPIRE and GDPR directives.

    Iurie

    • Public

    By Thorsten REITZ

    Hi Kathie, Hi Iurie,

    We happen to have a workshop session on this topic today (right in time ;)). I have uploaded the presentation my colleague Kate prepared here:

    https://www.wetransform.to/downloads/iab2018/Kate_Lyndegaard_IAB2018_GDPR_INSPIRE.pdf

    GDPR states that if there is a different legal requirement why personal data needs to be processed it is still legal to do so and not in conflict with GDPR. In other words, since INSPIRE requires contact data in the metadata, it would still be acceptable to publish such information in that context. Whether it would be allowed to harvest contact data from the metadata and use it for a different purpose that is not in the assumed interest of the contact persons would be questionable though.

    As Kathie points out, there are complementary national laws in the making in most EU countries which will affect the actual implementation.

    All the best,

    Thorsten

    • Public

    By Giacomo MARTIRANO

    Dear all,

    I would say that at least the Data Protection Officers in charge of the privacy policies used by the national geoportals should update these policies to GDPR rules.

    And it seems not so trivial ...

    • Public

    By Iurie MAXIM

    Thank you Thorsten for sharing the document, it is useful in this stage.

    Thank you Kathi and Giacomo for pointing that GDPR in conjunction with INSPIRE is not so trivial.

    Not sure that MS and data/service providers appointed ”Data Protection Officers in charge of the privacy policies used by the national geoportals”, but I can guess the current situation based on Google search.

  • By Vlado CETL

    Dear all,

    there is currently ongoing work on study regarding location data and GDPR under ELISE action. You can find on the web page also a publication from 2016: EULF Guidelines for public administrations on location privacy that is helpful.

    Best,

    Vlado

    • Public

    By Raymond BOGUSLAWSKI

    Dear All

    The ELISE location privacy guidance from 2016 touched on GDPR and outlined actions for data publishers.  ELISE has a current action on 'GDPR and location data' which is reviewing preparations and discussing issues with stakeholders to gain a better practical understanding of the implications of GDPR for location data publishers, re-users and data subjects. DG JUST has plenty of materials on GDPR, including a growing body of guidance. ELISE will point you towards location-specific materials it produces during the current activity.

    If you have any particular issues you wish us to comment on please let us know through this thread. 

    We are planning various events on the topic of GDPR and location data you may be interested in. These include:

    • A public webinar on GDPR and location data in late June / early July (details will be shared through this thread)
    • A workshop at the INSPIRE Conference 2018 in Antwerp in September, entitled "GDPR - Trusting the use of your personal location data"

    Remember: Location data is not inherently personal data. It becomes personal data when it is linked to an individual (data subject). These links may be direct or indirect. GDPR strengthens protections for data subjects. It also gives clarity that can increase trust and consistency of approach. What do you think? 

    Ray Boguslawski

    ELISE team  

    • Public

    By Katharina SCHLEIDT

    Hi Ray, all,

    very glad that this discussion is finally out in the open! (though again illustrates why we need cross-thematic discussions, this discussion has almost nothing to do with the biodiv Cluster!)

    To your statement "Remember: Location data is not inherently personal data. It becomes personal data when it is linked to an individual (data subject). These links may be direct or indirect. GDPR strengthens protections for data subjects. It also gives clarity that can increase trust and consistency of approach. What do you think?" - to my understanding the crux of the matter is that once one has spatial aspects attached to the data, it becomes far easier to combine with data from other sources, which can then rapidly impinge on personal rights.

    Where I find it gets truely troublesome is the personal right to property and wealth; I've seen cases where site contamination wasn't published due to property issues (it would reduce the value of the property, reason NO soil data is available online). This personal right to property value was deemed more important than neighbor's health issues. Do you have insights for us as to how the GDPR deals with this aspect of privacy?

    Thanks!

    :)

    Kathi

     

     

    • Public

    By Iurie MAXIM

    Hi all,

    Thank you all for info. I had a look at the documents related to GDPR that were sugested. I would not touch at this stage the geospatial data required by INSPIRE in relation with the GDPR because no data theme include personal data as defined in GDPR.

    But I see at least in the metadata of the dataset/service there are email addresses of the point of contact and of responsible parties & in the GetCapabilities documents there are a lot of elements that are subject of GDPR:

    <ows:ServiceProvider>
    <ows:ProviderName/>
    <ows:ServiceContact>
    <ows:IndividualName/>
    <ows:PositionName/>
    <ows:ContactInfo>
    <ows:Phone>
    <ows:Voice/>
    <ows:Facsimile/>
    </ows:Phone>
    <ows:Address>
    <ows:DeliveryPoint/>
    <ows:City/>
    <ows:AdministrativeArea/>
    <ows:PostalCode/>
    <ows:Country/>
    <ows:ElectronicMailAddress/>

     

    Can someone provide more information related to such very clear examples of personal data that is provided in the frame of INSPIRE Directive and how to cope with this ?

    For example can we assume that in the GetCapabilities documents all this personal data info should not be completed or if would be completed then the information provided should not link to a certain person, but rather to a position ?

    Iurie

    PS: Looking in this INSPIRE Thematic Cluster platform I can find a lot of information related to GDPR but this is another topic and will be necessary to be addressed by somebody else. I just want to know what a data/service provider should change as soon as possible.

     
     
     
    • Public

    By Giacomo MARTIRANO

    Dear Iurie,

    I would not recommend to adopt solutions that ultimately decrease the overall level of transparency of the information provided in the metadata.

    Again, IMHO, an action to be taken by the responsible persons of the National Geoportals, explaining how theycomply with GDPR, should be encouraged!

    Even because I'm not 100% sure that functional (i.e. non personal) e-mails are out-of-scope of GDPR.

    Kind regards

    Giacomo

Biodiversity & Area Management

Biodiversity & Area Management

Thematic Biodiversity and Management Areas Cluster. If themes like Protected Sites, Area Management/Restriction/Regulation Zones and Reporting Units, Habitats and Biotopes, Species Distribution, Bio-geographical Regions matters to you, join these groups!