 to this webinar writing sprints about GDPR and training, how to organize GDPR-compliant events. And it's an event which is organized by a community of practice training coordinators. And if you're not part of this community yet, please consider joining. If you coordinate training activities in your organizations or projects, there's a page on the OpenAIRE website which describes this community. It has a calendar of our meetings. We have a Slack channel, and join us if you're not a member yet. And here is an agenda for today. So we'll have two presentations. Prodromos Tsiavos, legal advisor of Athena Research and Innovation Center, OpenAIRE, and Walter Scholger from Austrian Centre for Digital Humanities, University of Graz, who will talk about GDPR and consent form wizard that Walter with his colleagues developed that includes training activities. And then we'll go to three breakout rooms and we'll spend half an hour working on checklists and model voting for three types of activities. So, when we think about training events, usually we have some activities before the event, during the event and after the event. So that's how we suggest to organize our second half of the hour. So please think about the room you'd like to go to, whether it's one, two or three, whether you want to talk about since before, during or after the event. And I'll explain when we move closer to breakout rooms, I'll explain what exactly we'll be coloring in those breakout rooms. But I think you can actually guess. So then I'll stop sharing and if Pro is here, then it's over to Pro with some introductions to GDPR and training. Or if he's not here yet. So maybe you go with your presentation, Walter.
Sure. Second, and I'll get right into the...
Can you hear me now?
Ah, good. Excellent.
Sorry, I had a problem with my other laptop and it's a switched laptop.
Is that over to you, Pro?
Okay. Let me start. I don't know to what extent it doesn't...
Everyone listened. You can hear us now.
Are we starting?
We already started, yes.
Excellent. So apologies for that. I was trying to basically make sure my computer works. So what I will do is to actually, in the next 10 minutes, go very quickly through the basics of GDPR. But truly some fundamentals just to make sure that we all talk about the same thing. So I'll point at specific slides, but I can share with you later a more generic presentation, which I think is useful to have as a basis for items you would like to explore further. Plus, from previous webinars we have introduced here, I also have a collection of cases which may be relevant, not just in relation to what we're discussing today, but in relation to the broader concepts and question of data protection for researchers and open research. I don't know if you can see it now. You should be able to see it.
Yes.
Okay. I'm not going to go full screen, just to go to the first item. So the first thing which I wanted to say is that if we see the data protection, the General Data Protection Regulation, GDPR, and we read the title, we will see that this is very much about a piece of legislation that has to do not just with the protection of natural persons, as you can see here, but also the free movement of data. So one of the key elements of this regulation is how to support the free flow, the free movement of data within the digital single market. And this is an important thing to take into consideration because we have to read it as a legal instrument that actually tells you how to share data effectively. That's what it does. And in this process how to protect, of course, the natural persons whose data we are processing. So we always have this kind of link between protection and flow of data that this regulation tries to balance and to create. Now, before moving to the mechanics of GDPR, I just wanted to share with you a couple of four definitions, which I think are quite useful.
First thing, when we talk about personal data, we talk about any information related to a person that can be identified or is identified. And that gives us a very wide spectrum of data which can be linked to a natural person and constitute personal data. So if we see a list of things that we see as personal data, of course, his name and last name, addresses, email, IP addresses, etc. And what is interesting here is that precisely when we're doing an event, there are certain things we certainly see. For instance, a name and last name, we will require them for the event we are developing. And in that sense, they're classic personal data, but it's very frequently, very frequent that we are finding personal data within documents. And now this is not entirely, this is not the subject of today's presentation, but it's important for you as a general knowledge. It's very, not it's very rare, but it's not the common thing that you find that personal data as such. You don't find them as data. Very frequently, they exist in other documents, and that's what creates issues. Even if you think about registration forms now because also COVID, but also because of non-national, face-to-face events, these would happen through online registration forms. But imagine the past, we would have registration forms themselves and the data would be included. So it's very frequent that we don't find the personal data as such, but rather included in other documents. And also another important thing to remember is that whenever we have an online transaction, especially in relation to a website, when we have cookies, these cookies contain personal data, and they have to be treated accordingly. 
It practically means if we run a website for an event and contains cookies, we have to make sure, and this is the most recent guidelines by the European Commission, we have to make sure that we specify which the cookies are, which of them are essential, which improve performance, which are being used for marketing purposes, and be able to differentiate between essential cookies for the operation of the webpage and non-essential cookies and provide at the same level the ability to the data subject to choose whether she wants to get personal data to be processed or not. And this is a major departure from what we have seen in the past, which was basically at the best notification about their personal data being processed. So what do we mean when we talk about processing data? By the way, we have two categories of personal data. We have simple personal data, and we have what is now called special category, special categories of personal data, which is what we used to call sensitive data. And here, these are relevant to us when we have a registration form, and we ask again people to provide some of this data that you see on the screen, on your screens. And it's not that we're normally going to ask about genetic data or biometric data unless they are somehow linked to the attendance, because we don't have now physical attendance. So even in high security places, we're not going to ask these things. This happens only online. But it could be that we're asking other questions, mostly in terms of demographics or other types of things we want to know. We have to be careful if we provide health data. A classic thing we would see in the past. And again, I'm talking about physical events would be we would ask about dietary preferences or we would ask about health conditions. This would be sensitive data. And in that sense, we have to be more careful with them. Now, the other element which is interesting is the processing. What is processing? 
Processing, if you see here the list that the GDPR provides as a definition, you see it's pretty much everything under the sun. So it is whatever you do with the data: accessing, recording, collecting, altering, whatever you do basically with the data. So it's really wide. But what is really useful for us is to actually think of them in terms of three distinct phases. And I use that as an analytic method in order to ensure that for each type of processing, you have, as we will see later, a legal basis and an objective. And that's the crucial thing. So normally the data, the life cycle of data has three stages, as it happens with any type of data set, not just personal data. The first thing is to collect the data. And there are two ways to do it. One is by the data subject. The other thing is by a third party, which operates as a data controller or as a data processor. And I'll explain to you what that means. Or to find them publicly. Now, why is this relevant to us? Let's say that you want to actually send an invitation to a mailing list, to a number of people. How would you do that? You need to have the emails, the list so to say, of the persons to which you want to send the invitation. How you have compiled this mailing list is quite important. So is it something that the data subject has given to you directly as an institution? And when you obtained that, did you explain to them what you're going to do with this data? And very frequently we have mailing lists. It used to be very much the case before 2018; in the last two years, there has been very extensive cleaning within organizations. But in the past, we would have mailing lists. We wouldn't even know what their provenance was. But it's quite important if we actually obtain the data from the data subject to pretty be extremely clear as to what we do with the data throughout their life cycle. So I'll go back to the collection of data. But the fact of collecting the data is itself a form of processing.
Once you've collected the data, you do things with it. So one simple thing is that you store them, you sort them, you clean them. And these are different types of data management actions. And you can think of them in a classic computing approach. You would see them as read, write, and erase. So either you just access them or you change them or you delete them. And each one of these actions constitutes a form of processing, which again has to be justified. It means you have a legal basis, and we'll return to this one in a couple of minutes. And finally, it could be that you're actually sharing this data with someone else. A classic example would be that you are in a consortium for a European project, you have collected data for a seminar X. And then another research institute in another country wants to do a seminar Y. And you want to share with them the mailing list in order to share information. Now this constitutes a form of data sharing. And it's a different form of processing. So you have to have a legal basis again, and an objective for this one. What is important here is that whichever is the data, the legal basis you have for processing the data, it has to run across the lifecycle. So it has to be there for the collection. It has to be there for the processing. It has to be there for the sharing. And it has to be very specific. You cannot change the legal basis unless you cannot perform a different type of processing, unless you have a legal basis for this. And we'll return to that. So what I want us to remember now in terms of processing: processing is pretty much any action, any act you perform in relation to the personal data. It's extremely useful to think of it analytically in three stages. This is an analytic device. This is not something that GDPR asks you to do. But it's very helpful because you need each time to have a legal basis for performing a processing of that particular type. Now, two more concepts are very important. Data controller.
Data controller is the entity which is actually responsible for setting out the terms and conditions and the purposes for the processing of data. They have the control as to how the data processing is going to take place. And these are in our cases, our universities, our research performing organizations, they are not the natural persons that perform the processing. So it's not the head of the IT services. It's not the X person. It is the organization as it is expressed by its administrative council, its board of directors, whatever it is that actually takes the decisions in accordance with its legal regime. Now, the data controller is the one that determines the purposes and means of processing of the data. But it's very frequent that the actual processing doesn't take place within the data controller. It's not the data controller that performs the processing. It normally has someone else, another entity that does the actual processing, and that's the data processor. And the data processor is normally an entity that takes instructions from the data controller. And these instructions now, they have to be in writing and they have to be extremely specific. And it has to be to the level of the obligations of the data controller. So for instance, if there is a university and performs and actually conducts a seminar, again, the same scenario we had before, this is a webinar, and it has too many webinars each once because it's COVID, everyone runs webinars, every single professor wants to run a webinar. So they said, look, instead of us doing the whole thing, let's outsource this one to this fantastic little company we have in our town that does these webinars really well. And they will do the registration and the marketing and everything for us. Now, these are the data processors and the university is the data controller. And the university has to make sure that the data processor follows all the conditions and all the standards that the data controller does.
You cannot hide behind your contractor. Another classic example of a data processor is a cloud provider, where you store your data. So Azure or Google or your national information infrastructure provider, they constitute data processors. And you also have to be careful with the contracts you have with them in terms of the storage of the data. So it could be that in our scenario, you have a contractor that does the collection and the management and the sharing. The sharing is something that you do as a university and the storage, the long-term storage is being done at least in the technical level by, it's being conducted by, let's say, Azure or another company. There could even be more layers in the stack. It could be an IT company that uses Azure and provides users to that. All of them are data processors. You need to understand within a data journey from the attendant to the actual completion of the whole event, who are the entities being involved and whether all of them adhere to the rules of GDPR. Now, very-
Maybe a couple more minutes, sir.
Yeah, I'll just go to one more thing, which I think is really useful. Let me go to this one here. I said before about the three stages. It's very, a classic situation is where I obtain the data. I have obtained the data under legal basis one, which is, for example, consent. I process them again or contract. I keep processing them out to the data management under this contract. And finally, I may be sharing them either under the contract or under a legal obligation. For instance, this is an obligation against which the European Commission has pushed me to have. Now, before I close, I want us to see very quickly the legal lawful basis for processing. We normally think that the normal one is consent. Let me show you, there are eight legal, lawful bases. There are six important ones and two more specialized ones, the six generic ones.
Normally, we obtain data from our audience either through consent or through contracts, depending on whether the purpose of the processing is something which actually depends on a contractual relationship or is just a consent. So when someone just attends a webinar, the legal basis is a consent. When someone pays in order to receive a webinar because this is a service that she receives, then the legal basis is a contract. Now, when I have received the data, but not directly from the data subject, but probably from another database, I may have, we could stretch the legal basis and say the legal basis is the legitimate interest of the research performing organization because when you were giving your email address to the university for a specific event, you may have, you may have accepted the possibility that it's going to be used for other similar webinars. So this is really important when you use email contacts that come from, that you have obtained in different circumstances, you have to make sure that they somehow relate, they're relevant to what you do. It cannot be that you obtain the data from a data subject to go back to sociological research and then you invite them to an event to listen to a computer science lecture. So it has somehow to link. And then, of course, there are obligations following the, there is the legal obligation, lawful basis for processing, which means this is something the law tells you to do. For instance, you have to keep a record of who entered the building because of COVID restrictions. For example, in Greece, in a number of institutions right now, you cannot enter the building unless you actually give, you provide your ID. And then when you go out, you also sign out because that's a legal obligation, could be asked by the Ministry of Health in order to actually resolve issues. I think these are the, I'm not going to go to the other lawful bases for processing, because I think these are the most relevant in our context today.
I'll share this presentation. It's a very generic presentation, but it gives you insights as to different aspects of the GDPR, which you may find useful in your daily activities. Thank you.
Thanks a lot for that, was very useful, very good background. And now Walter will show Consent Wizard. So he and his colleagues developed.
Okay. Yeah. So thanks for the opportunity to show it off. Also the DARIAH Consent Form Wizard. Also thanks to Prodromos for the introduction of the data protection principles and so on, because much of this is now already clear. So I have to briefly do some advertising. We are the working group ELDAH, which stands for Ethics and Legality in the Digital Arts and Humanities. We are a working group out of the ESFRI ERIC DARIAH-EU, which is probably familiar to many of you and certainly to anyone at the Athena Research Center, because there are many colleagues there that we are in very close touch with. If you need more information about this European research infrastructure, you can find it at this URL. Now in DARIAH, there are a number of working groups, which are basically recruited from all the various members in various member states. But the ELDAH working group currently has people from I think 18 different countries under its roof, which is great because it also gives us a very good overview of on one hand national problems and also on disciplinary problems because we have a wide range of people from actual lawyers down to, for example, cultural heritage experts and so on. So it's a very diverse group. What we're trying to do is we're trying to give recommendations, training materials, workshops and stuff like that regarding primarily intellectual property rights and licensing, open licensing to be precise, and also data protection and privacy, and research ethics and scholarly conduct because, as you can see in our designation, it's not just about legality, but also about ethics.
And that's also in a sense how we understand our tool, the consent form wizard. The consent form wizard was developed as a tool for GDPR-compliant consent forms for research purposes. But we know by now that it's also being used, for example, by people in South Africa and in Australia because they think that while they are not obliged to do it legally, the consent form wizard still asks all the right questions. And you give that kind of information to your data subjects, because it's also ethically the right thing to do and not just legally the right thing to do. If you want to have a look at what we do, you can find us at the URL eldah.hypotheses.org. You can also find material from us there. And if you want to get in touch, you'll find our email addresses and our presentations as well. Prodromos already told us about the principles of data processing to some extent and also about the rights of the data subject. And those are the two things that we want to reconcile with the consent form wizard. So that's kind of the outset of the whole thing. I'm sure you've heard about that before. Those are the principles for data processing as defined in the GDPR. So that's the only basis on which you can actually process personal data. If you take care of lawfulness, fairness and transparency of the process, there has to be a purpose limitation. So it has to be a clearly defined purpose. It's about data minimization. It's about accurate... Data minimization means you're only supposed to collect the kind of data that you actually need for your purpose. Accuracy, the data has to be accurate. It can only be stored until the purpose is fulfilled. There has to be certain security measures and integrity around it. And there has to be accountability on behalf of the controller, for example, by providing documentation and registries and stuff like that. On the other hand, we have the rights of the data subject.
Information, access, rectification, erasure, restriction of processing, data portability, and objection. Now, the most important thing obviously for us is information because information has to be given to the data subject at the point where you collect the data. And that's a very important thing. And that's basically what the consent form also helps you to do. Now, the grounds on which most of our reasoning is based in the consent form wizard itself is Article 89, which is kind of the flagship of GDPR exemptions for research purposes, which specifically states that for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, Union or member state law may provide for derogations from the rights of the data subject, and I've already given the rights that are concerned here, insofar as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, which means that, for example, if you gather data for a specific research study, it can, as long as it's for research purposes, obviously, not be withdrawn as it normally could be, which would be the restriction of processing, for example, if that renders your purpose invalid or basically would impair your purpose or make the achievement of your purpose impossible. And much of this also goes into the scenario that we are going to look at in the coming few minutes. So we developed the consent form wizard out of this general need that was brought to us by our research community and our scholarly community in DARIAH, that the GDPR kind of generated a lot of insecurity about these topics. The interesting thing is that the protection of personal data is nothing new. There's nothing new about this. It has been in national legal codes forever, and it has also been part of the European Union principles forever.
However, obviously the GDPR kind of changed the game in the terms that it on one hand defined a lot of stuff much more closely and much more precisely. And it also made it a lot more, let's say, expensive, basically, not to take care of it, which was one of the major reasons why there was such a big attention and uproar about all of this. As we said, there are a couple of scenarios in research context or academic context, which seem to be more prevalent than others. And those were particularly: gather data from and/or about living people for research purposes in terms of a study, for example, in terms of an interview, which might be online or with a video interview or audio interview; gather data and consent for communication purposes, like mailing lists, newsletters and stuff like that, which Prodromos already mentioned briefly. And of course, there's also gather data and consent for hosting academic events, which is what we are going to look at in a little bit more detail in the next couple of minutes. Having said that, I mean, what we originally thought we were doing was addressing the scenario when you're hosting an academic event in terms of a conference, for example. So very much a larger context in that sense. But of course, an academic event also applies to teaching. And it's in keeping in many respects, at least with Article 89 of the research purposes, because at least those who are learning, not so much those who are teaching, but those who are learning actually do that for their own individual research purposes. At least that's the way, for example, also in copyright law or intellectual property law in Austria, Germany and other European countries, these exceptions are actually defined, that for personal research reasons, you are allowed to do a lot of things. And in the same kind of, let's say, terminology, a teaching event or learning event can certainly be considered within the research purpose.
So at this point, I'm going to switch over to the wizard itself. The URL for the wizard, I've shown it here, consent.dariah.eu. You're very welcome to try it out yourselves, of course. I'll go along. I'll just briefly show you the way it starts. You can see here at the entry page that we explain specifically what the tool is and what it isn't, because that's kind of important. We are trying to give you a tool that will be valid and observing the articles of the GDPR. So it should apply to any research context or scenario that we provide here within the European member states, European Union member states. And if you look at it from an ethical perspective, as I said before, it should actually go farther than that. However, there are some very specific regulations, national regulations, etc. And you might end up, as you use the consent form wizard, at that end, if certain situations where either a consent, a regular or general consent form wouldn't really cover your purposes anymore, or if the situation is so specific, for example, because you are processing sensitive data, as it used to be called, specific data categories now, where the general form might not be sufficient. So that's also something that the wizard does. It kind of tries to explain some of the steps as you go along, some of the terminology as well, and kind of introduce you also to the thought process behind-