Higher education institutions are subject to the General Data Protection Regulation (GDPR). In addition, the Data Protection Act of the respective Federal States applies to state higher education institutions; the Federal Data Protection Act applies to private higher education institutions. As the responsible bodies, the higher education institutions must check whether the transfer of personal data contained in the application documents, in particular in CVs, to the German Accreditation Council is lawful. They must also carry out the necessary data protection clarifications. They must confirm both when submitting the application in the electronic application processing system ELIAS.
FAQ-Kategorie: 12 Data protection
According to § 29 sentence 2 MRVO, the publication of data is based on the consent of the peer review reports. Higher education institutions must therefore confirm in ELIAS that the peer reviewers have consented to the publication of their data when submitting an application for program or system accreditation. One way in which higher education institutions can ensure this is through a provision in the review contract with the Agencies, according to which the Agency guarantees that consent has been given. The consent should not only refer to the publication, but also to the processing of the data in other respects.
For system-accredited higher education institutions and higher education institutions that have carried out an Alternative Procedures according to § 34 MRVO as an equivalent to a system accreditation, the obligations according to § 29 MRVO to publish the accreditation reports apply accordingly (see § 29 sentence 3 MRVO and the resolution of the Accreditation Council of 24.09.2018 on the reporting obligations for system-accredited higher education institutions). Therefore, when submitting an application for system accreditation in ELIAS, they must undertake to obtain the consent of the peer reviewers used in the internal accreditation procedures to process and publish their data and also to publish the corresponding data.
When submitting an application for program or system accreditation in ELIAS, higher education institutions must confirm that no further personal data is included in the accreditation report, unless,
- the data subject has consented or
- obtaining the consent of the data subject is not possible or only possible with disproportionate effort and it is obvious that the disclosure is in the interest of the data subject (cf. Section 29 sentence 2 MRVO).
One way in which higher education institutions can ensure this is through a provision in the assessment contract with the Agencies, according to which the Agency guarantees this. The aforementioned requirements also apply to the internal accreditation reports of system-accredited higher education institutions (cf. § 29 sentence 3 MRVO).
As a public body, the German Accreditation Council is subject to the provisions of the GDPR and the NRW Data Protection Act.
It requires the data of applicants for the following purposes:
- for creating and managing the user account in ELIAS,
- for the identification of the user when logging into the system,
- for communication with the user within the system and
- for ensuring the traceability of administrative actions.
As a rule, the applications and attached documents submitted in ELIAS, the messages sent to the German Accreditation Council via the system as well as the date, time, sender and e-mail address of the application or message are stored for eight years from the expiry of the validity period of the respective accreditation or from the notification of a negative decision. This serves to ensure the traceability of the actions and decisions of the German Accreditation Council. The data will only be stored for longer if further storage of the application file is necessary for legal accreditation procedures that have not yet been completed.
Otherwise, user data (surname, first name, title if applicable, e-mail address(es), telephone number(s) and university address) and the current password (in encrypted form) will be stored for as long as the user account exists and deleted immediately if the account is deleted.
This information also applies to Agencies that assume university functions in the system. The legal basis for data processing is Art. 6 para. 1 lit. e GDPR; data processing is therefore necessary for the performance of the public task of the German Accreditation Council.
Further information on the processing of user data can be found at https://antrag.akkreditierungsrat.de/datenschutz/
You can reach the officially appointed Data Protection Officer of the German Accreditation Council, Mr. Andreas Braun, as follows:
German Accreditation Council
Data Protection Officer
Andreas Braun
Adenauerallee 73
53113 Bonn
Phone +49 (0) 228-338306-0
E-mail: braun@akkreditierungsrat.de
Data from higher education institutions are generally contained in the self-evaluation reports and/or annexes to these reports, which the higher education institutions must attach to the accreditation application in accordance with Section 23 (1) of the specimen decree (MRVO) or the corresponding state ordinances.
The higher education institution submitting the application is responsible for checking the legality of the transfer of the personal data contained in the application documents and for obtaining the necessary clarifications in accordance with the GDPR, state data protection laws and, if applicable, the Federal Data Protection Act. The Foundation collects the data on the basis of Art. 6 para. 1 e) GDPR in conjunction with Section 3 para. 1 DSG NRW, i.e. the data processing is necessary for the performance of a task carried out in the public interest.
The data is stored in ELIAS. Members of the Accreditation Council and/or members of the Board of the Foundation (this depends on the type of application) can access this data via their account. They have undertaken to do so,
- not to store applications, including all documents or attachments contained therein, on data carriers outside ELIAS for purposes other than application processing;
- not to pass on the applications, including all documents and attachments, to third parties unless it is absolutely necessary to pass them on to their own employees in order to process the application. If the applications are passed on to the company’s own employees, the latter are obliged to treat the documents confidentially and not to pass them on themselves.
The data will not be passed on and will not be published.
The aforementioned data is contained in the application files. As a rule, these are kept for eight years from the expiry of the validity period of the respective accreditation or, as a rule, eight years from the announcement of a negative decision. This serves to ensure the traceability of the actions and decisions of the German Accreditation Council. A longer storage period only takes place if the further storage of the application file is necessary for legal accreditation procedures that have not yet been completed.
Members of the Accreditation Council and/or members of the Board of the Foundation as well as their employees are obliged to delete any downloaded applications including all documents or attachments from data carriers outside of ELIAS as soon as they no longer need them for the evaluation of accreditation applications.
The processor is ProUnix Gesellschaft für Softwareentwicklung mbH, Heinemannstr. 34, 53175 Bonn. ELIAS is operated by ProUnix on the servers of Claranet GmbH, which is used by ProUnix as a subcontractor. You can find more information on order data processing by ProUnix at https://antrag.akkreditierungsrat.de/datenschutz/.
The following data is collected: Name, title, function and institution of peer reviewers appointed by system-accredited higher education institutions.
This data is entered by the higher education institutions in the data field provided for this purpose in ELIAS; as a result, the peer review report data is visible in the public database of accredited study programmes. In addition, this data is included in the Quality Reports (i.e. in the reports that serve as the basis for internal accreditations) written by the higher education institutions and also entered by them in the public database. When submitting an application, higher education institutions must check a box to obtain the consent of the peer reviewers to the processing and publication of the aforementioned data and then publish the corresponding data. The legal basis for data collection is therefore Art. 6 para. 1 a) GDPR.
The accreditation data records, accreditation reports regarding program and system accreditations as well as Quality Reports on internal accreditations are stored and published for 24 years from the expiry of the validity period of the respective accreditation or 30 years from the announcement of a negative decision. The reason for this is that the public (in particular graduates and employers) may also require information about accreditations dating back longer.
The processor is ProUnix Gesellschaft für Softwareentwicklung mbH, Heinemannstr. 34, 53175 Bonn. ELIAS is operated by ProUnix on the servers of Claranet GmbH, which is used by ProUnix as a subcontractor. You can find more information on order data processing at https://antrag.akkreditierungsrat.de/datenschutz/.