GDPR application for establishment in EU
The GDPR will apply directly in all Member States of the European Union and in Iceland, Liechtenstein and Norway, which are part of the European Economic Area (EEA)
GDPR application for non-establishment in EU
Applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Scope of GDPR
GDPR Art 3 covers scope. Applies to processing of personal data of any controller or processor in the union regardless of whether the processing takes place in the union or not.
- You are established in EU as a process or a controller
Should be interpreted with a wide scope. If HQ is in one country but team making decisions is in the EU, you are in the scope - You offer goods or services to data subjects in the union
Website simply accessible to global audience is not enough. - You monitor (or profile) behavior of EU citizens such as location, wellness monitoring, CCTV, OBA, home automation…
Name the Data 8 Subject Rights
- Right of transparent communication and information
- Right of Access
- Right to recitifcaiton
- Right to erasure
- Right to restriciton on processing
- Right to data portability
- Right to object
- Right not tho be subject to automated decision making or profiling
Right of Access
Individuals have right to obtain copy of their personal data and supplementary information.
If a request is made, there is a one month window to respond. Company can ask for 2 month extension if needed. Under GDPR, you generally cannot charge but you can charge a reasonable fee if the request is unless, unfounded, or excessive.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Right of Rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right of Erasure
Also known as the Right to be Forgotten. Not absolute and only applies if:
- Personal data no longer necessary for original purpose it was collected for
- Individual the info is about withdraws consent
- No legitimate interest any more
- Direct marketing purposes and the individual objects to the processing
- The data was unlawfully processed
- Information involves children
Does not apply to processing done for following reasons:
- Data collected in public interest or due to legal obligation
- To exercise or protect legal claims
- If it is necessary for public health purposes/preventative or occupational medicine
Right to Restriction of Processing
Individual has right to restrict processing of personal data in limited circumstances. This is an alternative to erasure.
In most cases you only need to have the restriction in place for certain period of time.
Can request restriction if:
- They contest the accuracy and entity is now confirming it
- The data was unlawfully processed
- The individual needs you to keep data
- The individual has objected to you processing and you are evaluating claim.
Right to Data Portability
Right to receive the personal data they have provided to controllers in a structured and commonly used, machine readable format
Right to Object
Individuals can ask that their data stop being processed.
Absolute right: Direct marketing and profiling
Right to be evaluated: tasks carried out in public interest, official authority, or for legitimate interest. Processing must be stopped until dispute is resolved.
Right to not be subject to automated decision making or profiling
he data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Examples: Online decision for loan, recruitment tests…
Restrictions on Privacy Rights
Member states can restrict obligations under GDPR hen such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
- national security/defense
- public security
- prevention of crime
- other important interests of the member state
- protection of judicial independence
GDPR Security Obligations
Mirror the requirements from the Data Protection Directive.
Data Breach Notifications
Controller needs to notify DPA and data subjects
Processors only need to notify controllers
Controller needs to notify DPA without undue delay which is subject to 72 hour limit
Provide contact details of DPA contact person
Also, information regarding the categories and approx number or data subjects concerned
A description of the nature of the breach
Likely consequence of the breach
Measures the organization has taken or proposed to take to address the breach.
Controllers must provide notification to data subjects if the breach is high risk to their rights and freedoms
Exceptions to Controller Requirement to Notify Data Subjects of Breach
- Data is unintelligible such as encryption
- Controller took steps to prevent high risks from materializing
- Notification would involve disproportionate effort: in such cases some effort must be made such as a public announcement.
Signs of Proper Accountability
Regulators want to see data protection embedded within corporate DNA
- Need to have in place appropriate technical and organizational efforts
- Data protection policies
- Data protection by design and default
- Documentation of processing activities
- Appropriate security measures
- Data protection officers and impact assessments.
Data Protection by Design/Default
1) Proactive not reactive
2) Privacy as the default setting
3) Privacy embedded into design
4) Full functionality
5) End to end security
6) Visibility and transparency
7) Respect for user privacy
By default:
- Most protective option is the default option. No action by the data subject will result in the most privacy.
- Data retention period being kept at minimum amount is a similar option
Vendor Contracts
When a controller uses a processor they must have a contract in place with certain requirements specified by GDPR
Controllers are liable for their compliance with GDPR and should only apoint processors that adhere to GDPR standards.
Processors have direct responsibilities
Contracts must set out the subject matter and duration of the processing along with the nature and purpose of the processing, type of data and categories of data subject, and obligations and rights of the controller.
Processor Responsibilities Under GDPR
- Controller authorization to use sub-processor
- Co-operate with supervisory authorities
- Ensure security
- Keep records of processing
- Notify data breaches to the controller
- Employ a data protection officer
- Appoint a representative within the EU if established outside of EU.
Data Protection Impact Assessment (DPIA)
Required under GDPR. GDPR requires DPIA before carrying out process likely to result in high risk
Consult DPA if high risk
DPIAs are mandatory in some situations
Must do a DPIA if:
- Systematic and extensive profiling with significant effects
- Special category or criminal offence data on a large scale
- Systematically monitor publicly accessible places on a large scale.
DPIA must contain at least:
- Processing operation, purposes and legal basis
- Necessity and proportionality of processing
- Assessment of risks
- The measures, safeguards, security.
Data Protection Officer (DPO)
Recognized by GDPR but not required for every company
Mandatory if:
- Controller is a Public authority
- Core activities involve systematic monitoring on a large scale
- Large scale = number of subjects, range of data, duration of permanence of processing, geographic coverage.
Code of Conduct Must be submitted to DPA for authorization
Cross Border Transfers
Personal data may only be transferred beyond the EEA if done so in compliance with GDPR under these conditions:
1) Adequacy decisions: European Commission can issue a decision that the county or territory in question has an 2) Appropriate Safe Guards
3) Derogation
Exceptions for Cross Border Transfers
Also known as Derogations:
- Informed consent
- Performance of contract
- Public interest
- Exercise or defence of legal claims
- Vital interest of the data subject
Certification is not a valid derogation. If you wish to use a derogation, must notify DPA.
Must be non-repetitive, for a limited number of data subjects, and for “compelling” legitimate interest. Controller must inform the DPA of the derogation-based transfer and compelling legitimate interest.
6 Bases for Legal Processing
- Consent - Most unreliable because data subject can withdraw at any time.
- Contract
- Legal Obligation
- Vital Interest
- Public Interest
- Legitimate Interest
