The EWP infrastructure itself only facilitates the exchange of data and does not handle any storage or processing of data. The local handling of these processes takes place in the student information system at the universities.
Legal basis for processing of data
Each university is responsible for ensuring the informed consent of their students prior to exchanging their personal information with partner institutions through EWP.
Data controller’s responsibility to assess GDPR-compliance
Each university is responsible for assessment of GDPR-compliance when implementing services for student mobility (including the EU-products).
The following subjects should be assessed:
The purpose of the data processing.
The legal basis for the data processing (including the need of Data Processing Agreement).
The obligation to inform the data subjects (students) about the processing (Privacy Statement).
Solutions and procedures for rectification, erasure or restricting of the data processing.
Risk assessment of the data processing.
Data protection measures and procedure for discrepancy processing.
Data protection measures in the EWP infrastructure
Further efforts involving the European Commission and National Authorities are underway to ensure that the data minimization is systematically applied to the EWP data dictionaries, which are based on the official templates set out by EU.