GDPR Overview and Use Cases

AGENDA
• Overview
• Terms
• Rights and Obligations within the GDPR
• Use Cases and Compliance

Nature of the GDPR
Directive
• Implementation in Member States is required
• National laws ought to fulfil the purpose of directives
• The previous data protection law was a Directive
Regulation
• Immediately applicable in each Member State
• Implementation is not required
• The GDPR is a Regulation

General Facts
• Applicable in all EU Member States from 25 May 2018
• GDPR applies to the processing of personal data by a data controller or a data processor
• Increased compliance obligations
• Enhanced rights for individuals
• Increased regulatory powers and sanctions
• Directly effective, but Member States may introduce domestic provisions in a number of areas (Öffnungsklauseln)
• AUSTRIA: Datenschutzgesetz (2018)

Terms of the GDPR
• Processing: almost anything you can do with personal data: collecting, recording, organising, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, erasing, destroying
• Personal data: any information relating to an identified or identifiable living person (data subject); identifiable means the person can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier (IP address), or factors specific to a person’s identity
• Special categories of personal data (sensitive data): data revealing racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership; genetic data; biometric data; data concerning health; data concerning a person's sex life or sexual orientation
• Data controller: decides how and why personal data is processed
• Data processor: processes personal data on behalf of a data controller

The DATA CONTROLLER
• Must implement appropriate technical and organisational measures
• Processing of personal data must have a legal basis and comply with the 6 data protection principles
• Must be able to demonstrate compliance (‘accountability’)
• Mandatory records of processing activities
• Mandatory data breach notification
• Appoint a Data Protection Officer, where required
• Data Protection Impact Assessment prior to likely high-risk processing
• Restrictions on transfers of personal data outside the EEA

The DATA PROCESSOR
• Must implement appropriate technical and organisational measures
• Mandatory records of processing activities
• Only process in accordance with documented instructions of the data controller
• Processing must be based on a contract
• GDPR provides a list of mandatory terms that must be included
• Not engage a sub-processor without prior written authorisation
• Notify the data controller without undue delay of a personal data breach
• Appoint a Data Protection Officer, where required
• Restrictions on transfers of personal data outside the EEA

The DATA PROTECTION OFFICER
• DPO appointment is mandatory for
 - Public bodies (except courts), and
 - Data controllers and data processors that, as a core activity, monitor individuals systematically and on a large scale, or that process sensitive data on a large scale
• Appointment, position and tasks of the DPO are set out in the GDPR
 - Expert knowledge of data protection law and practice
 - Reports directly to the highest level of management
 - Operational independence, no conflicts of interest, confidentiality
 - Informs and advises; monitors compliance; point of contact for individuals/DPC
• If a DPO is not mandatory, or if in doubt, the GDPR requirements still apply to a DPO appointed on a voluntary basis
 - Do not use the titles ‘Data Protection Officer’ or ‘DPO’.

Requirements for the processing of personal data
LEGAL BASIS (Art 6)
• Consent
• Contract
• Legal Obligation
• Protection of Vital Interests
• Public Interest or Official Authority
• Legitimate Interests
6 PRINCIPLES OF THE GDPR (Art 5)
• Lawfulness, Fairness, Transparency
• Purpose Limitation
• Data Minimisation
• Accuracy
• Storage Limitation
• Security, Integrity and Confidentiality

Rights of Data Subjects
• Information (Privacy Notice)
• Access their own personal data (Subject Access Request)
• Correct their personal data (rectification)
• Erase their personal data (right to be forgotten)
• Restrict data processing
• Object to data processing
• Export their personal data to another data controller (data portability)
• Not be subject to automated decision-making, including profiling
• Be notified of a data security breach
• Make a complaint to the supervisory authority (DPC)
• Sue the data controller or data processor for material or non-material damages resulting from a breach of the GDPR

USE CASES
• Data Privacy Notice
• Newsletters and Cookies
• Facebook
• Processor outside the EU

Data Privacy Notice
• Data controller identity and contact details
• DPO contact details, where applicable
• Purpose of processing
• Legal basis for processing
• Legitimate interests, where applicable
• Recipients or categories of recipients
• Data retention period, or criteria used to determine it
• Individual’s rights including access, correction, erasure, restriction, objection, data portability
• Where processing is based on consent, the right to withdraw it at any time
• Right to complain to the DPC
• Whether the data controller uses automated decision-making (including profiling), information about the logic involved, and the consequences for the individual

NEWSLETTER
• Is the recipient a customer or not?
• E-mails addressed to +50 subjects need consent
• Best practice: Double-Opt-In
 - Consent + confirmation
• Mandatory for valid consent: disclosure of the right of withdrawal
 - Alternative: link to the Data Privacy Notice

NEWSLETTER: EXISTING BUSINESS RELATIONSHIP EXCEPTION
• Customer provided the e-mail address (e.g. e-commerce order)
• Solely for direct advertisement of own and similar products to the previous order
• Recipient was given the opportunity to opt out
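The two newsletter slides describe two lawful routes for a mailing: confirmed double-opt-in consent (which is only valid if the right of withdrawal was disclosed, directly or via the privacy notice), or the existing-business-relationship exception (address supplied with an order, own or similar products only, opt-out offered). The consent ledger below is an added example, not code from the deck; the `Subscriber` model, the function names and the use of product categories as the "similar products" test are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Subscriber:
    email: str
    consent_state: str = "none"        # none | pending | confirmed | withdrawn
    confirm_token: Optional[str] = None
    customer_products: Set[str] = field(default_factory=set)  # categories ordered before (assumed model)
    opted_out: bool = False            # used the opt-out offered with each mailing
    log: List[str] = field(default_factory=list)   # audit trail (accountability)

def request_consent(sub: Subscriber, withdrawal_disclosed: bool = False,
                    privacy_notice_url: Optional[str] = None) -> str:
    """Double opt-in step 1: record the request and issue a confirmation token."""
    # Valid consent requires disclosing the right of withdrawal, directly or by
    # linking the Data Privacy Notice; refuse to start the flow otherwise.
    if not (withdrawal_disclosed or privacy_notice_url):
        raise ValueError("right of withdrawal must be disclosed")
    sub.confirm_token = secrets.token_urlsafe(16)    # unguessable, single use
    sub.consent_state = "pending"
    sub.log.append(f"consent requested, notice={privacy_notice_url or 'inline'}")
    return sub.confirm_token

def confirm_consent(sub: Subscriber, token: str) -> bool:
    """Double opt-in step 2: the subscriber proves control of the mailbox."""
    if sub.consent_state != "pending" or sub.confirm_token is None:
        return False
    if not secrets.compare_digest(token, sub.confirm_token):
        return False
    sub.consent_state, sub.confirm_token = "confirmed", None
    sub.log.append("consent confirmed")
    return True

def withdraw(sub: Subscriber) -> None:
    """Withdrawal and opt-out are treated alike: both sending routes close."""
    sub.consent_state, sub.opted_out = "withdrawn", True
    sub.log.append("consent withdrawn / opted out")

def may_send_newsletter(sub: Subscriber, product_category: str) -> bool:
    if sub.consent_state == "confirmed":     # route 1: confirmed consent
        return True
    if sub.opted_out or sub.consent_state == "withdrawn":
        return False
    # Route 2: existing business relationship exception: address came with an
    # order, mailing is for own/similar products, opt-out offered but unused.
    return product_category in sub.customer_products
```

The `log` list is what you would show a supervisory authority to demonstrate when consent was requested, confirmed and withdrawn.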

COOKIES
• What are cookies?
• In principle, consent for cookies is needed
• User can change cookie settings in the browser = consent
• A cookie notice is always needed
• Must also be part of the Data Privacy Notice
• Best practice: Cookiebot.com

Third Countries
• Data processed outside the EEA potentially loses its protection
• Special conditions for the data transfer to third countries:
 - Countries attested adequate protection by the European Commission: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework)
 - Third countries without adequate protection:
  • EU standard contractual clauses under EU Directive 95/46
  • The data subject has given his/her consent to the transfer
  • The transfer is necessary for the performance of a contract

Popular Processors in the US
• Mailchimp, Google Analytics, Matomo, Slack, Magento
• Privacy Shield participants (https://www.privacyshield.gov/welcome)
• Regular Data Processing Agreement ONLY
• Caution: Google Analytics requires a DPA as well