Session 5 - The Data protection regime under the GDPR - Coggle Diagram
The data controller's obligations => 2. Limitation
Purpose Limitation
PD shall be collected for specified, explicit & legitimate purposes
The purpose must be clearly identified & communicated to the DS
The DC cannot process PD for purposes other than those for which the PD were initially collected
Exception = only where the further processing is compatible with the purposes for which the personal data were initially collected (≠ never when based on contractual performance or legal obligation in Art. 6)
Data Minimization
The data have to be adequate, relevant & limited to what is necessary in relation to the purposes for which they are processed
The DC can only collect the data that he needs to achieve the declared legitimate purpose
You collect only what you need => double advantage:
Easier to keep the data updated
Limits the risks in case of a security breach
ex: collection of your date of birth for a promotional offer on your birthday => no need to give your year of birth!
Case RATP (Paris) - CNIL 2021
The Parisian public transportation company was sanctioned for including the days of strike in the days of absence of employees when deciding who deserved a promotion. The SA considered that this included unnecessary data and, as such, that it had to be regarded as unjustified data processing!
⇒ RATP was fined 400,000 euros.
Storage Limitation
PD cannot be kept forever
The DC has to set a duration of storage considering the purposes for which the data were collected
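The purpose-limitation and storage-limitation nodes above describe a rule; the block below shows one way an engineer implements both at the data layer. It is an added example, not part of the original diagram and not drawn from any regulator's guidance: every record carries the purposes declared to the DS at collection, reads for an undeclared purpose are refused, and a record is erased once the longest applicable retention period has elapsed. The purposes, retention periods and sample records are constructed assumptions for the example, not durations prescribed by the GDPR.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed retention schedule, keyed by the purpose declared to the data
# subject at collection. The purposes and durations are assumptions made for
# this example; they are not periods prescribed by the GDPR.
RETENTION = {
    "order_fulfilment": timedelta(days=365 * 2),
    "birthday_offer": timedelta(days=365),
    "newsletter": timedelta(days=365 * 3),
}


def utc(year, month, day):
    """Timezone-aware UTC timestamp; retention arithmetic must never use naive datetimes."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Record:
    subject_id: str
    purposes: frozenset       # purposes specified & communicated to the DS at collection
    collected_at: datetime    # timezone-aware
    data: dict


class PurposeLimitationError(PermissionError):
    """Data requested for a purpose that was not declared at collection."""


def collect(subject_id, purposes, collected_at, data):
    """Store a record only under purposes that have a declared retention period (fail closed)."""
    purposes = frozenset(purposes)
    undeclared = purposes - set(RETENTION)
    if not purposes or undeclared:
        raise ValueError(f"no retention period declared for purposes: {sorted(undeclared) or 'none given'}")
    return Record(subject_id, purposes, collected_at, dict(data))


def retention_expiry(record):
    """Storage limitation: a record serving several purposes is kept until the
    longest of its declared retention periods has elapsed, then erased."""
    return max(record.collected_at + RETENTION[p] for p in record.purposes)


def check_access(record, purpose, now):
    """Return 'ok', 'purpose_not_declared' or 'retention_elapsed'."""
    if purpose not in record.purposes:
        return "purpose_not_declared"
    if now >= retention_expiry(record):
        return "retention_elapsed"
    return "ok"


def read_for_purpose(record, purpose, now):
    """Purpose limitation enforced at read time, not left to the caller's good faith."""
    verdict = check_access(record, purpose, now)
    if verdict == "purpose_not_declared":
        raise PurposeLimitationError(
            f"{purpose!r} was not specified to subject {record.subject_id} at collection")
    if verdict == "retention_elapsed":
        raise LookupError(
            f"retention for subject {record.subject_id} elapsed at {retention_expiry(record):%Y-%m-%d}")
    return record.data


def purge_expired(records, now):
    """Split records into (kept, erased) according to their retention expiry."""
    kept = [r for r in records if now < retention_expiry(r)]
    erased = [r for r in records if now >= retention_expiry(r)]
    return kept, erased


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    now = utc(2024, 6, 1)
    rec = collect("ds-1", ["birthday_offer", "order_fulfilment"], utc(2023, 1, 1), {"email": "a@example.org"})
    old = collect("ds-2", ["birthday_offer"], utc(2022, 1, 1), {"email": "b@example.org"})
    print("expiry ds-1:", retention_expiry(rec).date())        # 2024-12-31
    print("newsletter read:", check_access(rec, "newsletter", now))  # purpose_not_declared
    kept, erased = purge_expired([rec, old], now)
    print("erased:", [r.subject_id for r in erased])             # ['ds-2']
```

The schedule is a plain mapping so that the declared purposes and their retention periods are reviewable in one place, which is also what an auditor asks for under accountability; a purpose missing from the mapping cannot be used at collection at all, which is the fail-closed behaviour you want rather than an implicit "keep forever".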
The data controller's obligations => 3. Security (Art. 32 GDPR)
CIA Triad
= a principle for information security dating from the 1980s
Integrity
Safeguarding the accuracy & completeness of info + processing method
Confidentiality
Ensuring that info. is accessible only to those authorized to have access
Availability
Ensuring that authorized users have access to info & associated assets when required
Data Breach
Art. 4(12)
Personal data breach = a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to PD transmitted, stored or otherwise processed
Examples of personal data breaches:
Sending an email to the wrong recipient
Losing an encrypted backup USB drive with clients' data
Accidentally deleting clients' details
Denial-of-service (DDoS) attack
A university sends an email to alumni in cc instead of bcc
Further cases (availability only):
Power failure (it may disrupt access to data but does not necessarily expose them)
Unavailability due to planned maintenance (like a power failure, planned maintenance may cause temporary inconvenience but should not expose data)
Obligation of notification by the DC in case of a breach
To the SA (supervisory authority)
Timing: the DC shall notify without undue delay and, where feasible, not later than 72h after becoming aware of the PDB; a notification made after 72h must be accompanied by the reasons for the delay (Art. 33)
The DP shall notify the DC without undue delay after becoming aware of a PDB so that the DC can notify it to the authority
Content: nature of the breach (categories & approx. number of DS); likely consequences of the DB; measures taken or proposed; DPO contact
To the DS
When the PDB is likely to result in a high risk to the rights & freedoms of natural persons = the DC shall communicate the PDB to the DS without undue delay (Art. 34)
Exception: communication not necessary if the DC has taken measures that address the risk (e.g. the data were rendered unintelligible by encryption, or subsequent measures mean the high risk is no longer likely to materialise)
Accountability
DC must keep evidence of his GDPR compliance for inspection
(keep evidence of the provision of the privacy notice to the DS; consent of the DS; DPIAs; LIAs; records of all the data processing...)
Records
DC with 250 employees or more must keep a record of all processing activities (Art. 30 GDPR)
Contact info of DC, joint C, representative; DPO
Purpose of the processing
Description of the categories of the DS/PD
Categories of recipients
Transfers of personal data to international organizations/third countries
Envisaged time limits for erasure (where possible)
Description of technical & organizational security measures
Company < 250 employees may be exempted if all the following conditions are met
processing not likely to result in a risk for the rights/freedoms of DS
only occasional DP
no processing of special categories of data (sensitive data or criminal convictions)
Tools of compliance
Actors
DPO
Designation (Art. 37):
DPO may be a staff member of the DC or DP, or on a service contract
The DC or DP shall publish the contact details of the DPO & communicate them to the supervisory authority
Tasks
Article 38 - The DC & DP shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of PD
Article 39 - The DPO shall have at least the following tasks:
to inform & advise the DC or DP & employees
to monitor compliance with this Regulation
to provide advice where requested as regards the DP impact assessment and monitor its performance
to act as the contact point for the supervisory authority
Missions of the DPO
Inform & advise the DC or DP of their obligations for DP
Advise on whether a processing can go ahead (DPIA); the decision itself remains the DC's
Set processes for compliance with the GDPR and check their implementation
Be the contact point for data protection issues for the SA as well as the DS
EU Representative (if not established in the EU)
Article 27 GDPR
Where Article 3(2) applies, the DC or DP shall designate in writing a representative in the Union
The obligation laid down in paragraph 1 of this Article shall not apply to
processing which is occasional (≠ large scale, sensitive data, criminal records)
or
a public authority or body
Solutions
DPIA (Data protection impact assessment, Article 35 GDPR)
Scope = mandatory where the processing is likely to result in a high risk to the rights & freedoms of the data subjects
Consideration: look at the nature, scope, context & purpose of the processing. Indicators of high risk:
use of new technologies such as AI
systematic and extensive evaluations based on automated processing
processing of large-scale special-category data/criminal conviction data
systematic monitoring of public areas, e.g. CCTV (ICO guidance available)
Exceptions = lawfulness of the processing is based on legal obligation necessity or public interest necessity (Art. 6(1)(c)/(e)) and an impact assessment was already carried out when the underlying law was adopted (Art. 35(10))
DPIA & prior consultation (Art. 36 GDPR)
The DC has to consult its supervisory authority (SA) if, after conducting the DPIA, he concludes that the processing would still result in a high risk for the rights & freedoms of the DS even after mitigating the risks
SA must provide written advice within 8 weeks of receiving the consultation request (extendable by 6 weeks)
Codes of conduct (Art. 40)
The EU encourages the creation of codes of conduct to help organizations comply with the regulation
They must be approved & published by the national SA (national code of conduct) or by the EDPB (transnational code of conduct) before they can be used by DC
Organizations can choose to follow a code (voluntary compliance) or, in some cases, it may become mandatory (compulsory compliance)
Accredited bodies can be tasked with monitoring compliance with these codes of conduct (Art. 41)
Certifications (Art. 42)
Article 42 of the GDPR promotes the creation of data protection certifications and seals. These certifications show that businesses (both large and small) follow the GDPR rules for handling personal information.
= Easier to demonstrate compliance with the regulation