GDPR Module 2: Individual’s Rights


Module 2: Introduction

In Module 2 we'll learn about the new rights data subjects have under the GDPR and examine how the Regulation will impact on the data subject's existing rights under the DPA. The subjects covered are:
• The right to be informed
• The right to erasure
• Rights around automated processing
• The right to object
• The right to rectification
• The right to portability
• The right to restrict processing
• Subject access

First, we will look at the new requirements around fair processing.

In the GDPR the obligation to provide fair processing information is part of a new 'right to be informed'. The requirements of this right are consistent with the fair processing obligations of the DPA. However, the GDPR is more explicit about how the fair processing information should be presented.

The GDPR states that the information must be:
• concise
• transparent
• intelligible
• in an easily accessible form
• in clear and plain language

So in essence there is a specific requirement for the fair processing information to be upfront, clear, and written in a way that is easy to read and comprehend.

If the fair processing information is directed at a child then the data controller must take particular care to make sure it is written in a way the child will understand, so the last requirement will be especially important.

Examples of further fair processing information required under the GDPR

The GDPR also requires the data controller to provide some fair processing information over and above that required by the DPA, for example:
• Information on retention periods
• The existence of automated decisions
• Information on the data subject's right to withdraw consent
• The name of the data controller's data protection officer
• The safeguards the data controller applies to international transfers


The next right we will look at is the right to erasure.

Under the GDPR data subjects have a right to have data deleted where the data controller has no compelling reason for processing it. This right to erasure is sometimes also called the 'right to be forgotten', but it is not an absolute right and only applies in certain circumstances.

Some examples of circumstances where the right to erasure will apply are when:
• the data subject withdraws consent
• the data is no longer necessary in relation to the purpose for which it was originally collected
• the data needs to be erased to comply with a legal obligation

If the data controller has disclosed the data to other organisations then it must inform those organisations about the erasure, unless to do so would involve a disproportionate effort.

Data controllers in online environments that make personal data public (e.g. social networking sites) must inform other organisations who process the personal data in question of the erasure. This is so that those other organisations can also erase links to, and copies or replications of, that data. However, those other organisations won't have to comply with the request to erase links and copies if they are processing the data for certain reasons, such as exercising their freedom of expression.

Similarly, there are some circumstances in which the data controller can refuse to comply with the data subject's request for erasure.

For example, a request to erase personal data can be refused where the information concerned is being processed:
• to exercise the right of freedom of expression
• for archiving purposes in the public interest, scientific research, historical research or statistical purposes
• for the establishment, exercise or defence of legal claims


The next section covers the data subject's rights regarding automated decisions.

The GDPR has safeguards for data subjects against the risk of potentially damaging decisions being taken without human intervention. These rights work in a similar way to the data subject's rights under the DPA.

It means that individuals have a right not to be subject to a decision where:
• that decision is based solely on automated processing, and
• it produces a legal effect or similarly significant effect on the individual.

Under the GDPR the data controller must allow the data subject certain rights around automated decisions:
• the right to obtain human intervention
• the right to express their point of view
• the right to an explanation of the decision and to challenge that decision

The data subject's rights are qualified, however. For example, they don't apply to automated decisions that are:
• necessary for the performance of a contract between the data subject and data controller
• authorised by law

They also won't apply if the decision only affects the individual in a trivial or negligible way.

A data controller must not make a decision by automated means if:
• it concerns a child, or
• it is based on the processing of special categories of personal data

unless:
• the data controller has the data subject's explicit consent, or
• the processing is necessary for reasons of substantial public interest.


The next section covers the 'right to object' to processing.

Under the GDPR, data subjects have the right to object to certain types of processing. They can use this right to require the data controller to stop processing personal data that falls into one of the three categories below:
• processing based on legitimate interests or the performance of tasks in the public interest/official authority (including profiling)
• processing that is being undertaken for scientific, historical research or statistical purposes
• processing for direct marketing purposes (similar to section 11 of the DPA); here the data controller must stop the processing immediately and free of charge

If the objection falls into one of the first two categories then the data subject must have "grounds relating to his or her particular situation" in order to exercise their right to object.

But are there any further qualifications to these rights?

Legitimate interests: Yes. The data controller won't have to stop processing if there are compelling legitimate grounds for processing that override the individual's interests, rights and freedoms, or if the processing is to establish, exercise or defend legal claims.

Scientific, historical, research and statistical purposes: Yes. The data controller won't have to stop processing if the processing is necessary for the performance of a public interest task.

Direct marketing: No. This is an absolute right. There are no exemptions or grounds to refuse to stop the processing.


In this next part we'll take a look at the 'right to rectification'.

The DPA gives a data subject the right to apply to the courts to have their personal data rectified (Section 14), but they don't have a right to serve notice on the data controller to rectify information.

Under the GDPR, however, the data subject can apply to a data controller to:
• have inaccurate data amended without delay
• have incomplete data completed

This new right is called the 'right to rectification'.

If the data controller has disclosed the data to other organisations then it must inform those organisations about the rectification where possible, and it must also inform the data subject about the third parties to whom the data has been disclosed (where appropriate).

The data controller must respond to a request for rectification within a month. This can be extended by a further two months for complex requests. If the data controller decides not to comply it must tell the data subject why and inform them of their right to:
1. complain to a supervisory authority
2. seek a judicial remedy


Now we are going to take a look at the right of 'data portability'.

Data portability is one of the new rights brought in by the GDPR. The idea behind it is that data subjects will be able to move their personal data easily between controllers in a safe and secure way, without hindering usability. It allows data subjects to obtain and reuse their personal data for their own purposes across different services.

The data subject receives the data in a commonly used form, meaning that any other organisations they pass it on to should be able to access and process that data.

The data subject can also request that their personal data be transferred directly to another data controller, provided this would be technically possible.

However, the right to data portability won't cover all the data subject's personal data. It only applies to:
• information the data subject themselves has provided to the data controller
• processing based on the individual's consent or for the performance of a contract
• processing carried out by automated means

Now let's look at the data controller's responsibilities around data portability:
1. It must provide the data in a structured, commonly used and machine readable form so organisations can extract and use the data.
2. It must provide the service free of charge.
3. It must respond within a month of the request. It can extend this to another two months for numerous and complex requests.
4. If the personal data concerns more than one individual, it must consider whether providing the information would prejudice the rights of the other data subjects.


The next section covers the 'right to restriction'.

This is another new right under the GDPR. It enables data subjects to restrict the processing of their personal data. It works in a similar way to the DPA Section 10 right to block or suppress personal data, i.e. the data controller may continue to hold the information but cannot process it further. However, the key difference is that this right can be used in a wider range of circumstances than Section 10 (which only covers processing likely to cause substantial damage and distress).

So when can a data subject use their right to restrict processing?
• If the data subject has exercised their general right to object to processing.
• If the data subject has contested the accuracy of the information.
• If the data controller doesn't need the data any more but the data subject requires it for legal claims.
• If the processing is unlawful but the data subject prefers restriction to erasure.

If the data controller has disclosed the personal data in question to third parties, then it must inform those third parties about the restriction, provided that this would not require disproportionate effort.

When the data controller decides to lift the restriction on processing, it must tell the data subject that it has done so.


Now we will look at how the right of subject access under the GDPR compares with the right of subject access under the DPA.

The scope of the GDPR right of subject access is broadly similar to Section 7 of the DPA. Under both, the data subject has:
• the right to know whether their personal data is being processed
• the right of access to that personal data
• a description of the purposes for which the data is being processed
• a description of the recipients or classes of recipients to whom the data is disclosed

But under the GDPR the data subject also has a right to some additional information. This roughly corresponds to the information that should be provided in a fair processing notice under the GDPR. It means, for example, that the data subject will be entitled to information such as:
• the existence of automated decisions
• the safeguards applied to international transfers

Under the DPA a data controller has 40 calendar days to respond to a SAR. However, the GDPR gives data controllers less time to respond: it says that they must respond within a month at the latest.

But a key change under the GDPR is that data controllers can extend the time limit for responding to a SAR by up to a further 2 months. A data controller may only claim such an extension where it needs to account for:
• volume, or
• complexity

Even where claiming an extension, it must still write back to the requester within a month of receipt to explain the reasons for the delay.

Under the DPA, a data controller can charge a maximum fee of £10 for responding to a request.

So what about under the GDPR? The GDPR says that the data controller must provide the information free of charge. However, it can charge a reasonable fee for administrative costs in certain circumstances. More on this in a moment.

Under Section 8 of the DPA data controllers can refuse repeat requests and requests where providing the information in a permanent form would involve disproportionate effort.

Whilst the GDPR doesn't have a direct equivalent of these provisions, it does say that data controllers can refuse requests that are manifestly unfounded or manifestly excessive, particularly if the request is repetitive in character. Alternatively, the data controller can choose to comply with the excessive or manifestly unreasonable request but charge the requester a reasonable fee, taking into account the administrative cost of providing the information.

When refusing a request under the GDPR, the data controller must inform the requester of its reasons within a month of receipt of that request. It must also inform the data subject of their right to:
1. complain to the supervisory authority
2. seek a judicial remedy
