D4.3 RAYUELA data protection handbook


This Deliverable contains guidance for the RAYUELA consortium on how to deal with data protection in the project, applying the GDPR. 

It deals with the following topics: 

  • Section 1.1 presents the definition of personal data and how this should be applied in the context of RAYUELA. The main findings are that personal data is a broad concept and partners should be aware of this, rather overapplying the GDPR than underapplying it. 
  • Section 1.2 presents how the GDPR assigns responsibility and explains how these roles should be applied in the context of RAYUELA. In most cases, RAYUELA partners will be controllers for their own research activities and project activities that involve the processing of personal data. This means that the GDPR is directly applicable to them for those activities., which highlights the importance of this Deliverable. 
  • Section 1.3 presents the general data processing principles and applies these as general requirements of the GDPR to the research in RAYUELA. Various topics (e.g. the re-use of data, providing information to the data subject) are discussed by way of connecting them to the basic principles underlying the GDPR. 
  • Section 1.4 presents specific additional requirements for the processing of personal data in certain situations, which may be of relevance in the RAYUELA project, namely: o When dealing with data of children (in general). 

o When working with consent in the case of children. 

o When dealing with special categories of data (in relation to children). 

o When processing data relating to criminal convictions (in relation to children). 

In those cases, special rules apply, which need to be taken into account by the partners. This section elaborates on what to take into account and what to look out for. 

  • Section 1.5 explains the GDPR requirements relating to profiling, both under Article 22 GDPR and in general. This is of relevance to the RAYUELA serious game and should be taken into account during game development and piloting. 
  • Section 1.6 elaborates on when to carry out a DPIA. This builds on the guidance provided in WP9 and illustrates for the partners when they may need to conduct a DPIA or ask legal partner Timelex for assistance. 
  • Section 1.7 summarizes the mentioned GDPR rules in a practical application, namely an indicative checklist to apply in relation to processing personal data. It covers all steps in the data lifecycle.