Session 6 - The data controller’s liability - Coggle Diagram
Source of Liability
Principle of Liability
Article 24 - "DC shall implement appropriate technical & organizational measures to ensure and to be able to demonstrate that processing is performed in accordance w/ Regulation."
DC is liable under the GDPR, and towards 3rd parties like the DP & other DCs to whom data is transferred
Non-compliance with the GDPR will lead him to sanctions
Transfer issues
National/DSA
DSA (Data Sharing Agreement)
Sets out the purpose of the data sharing
Sets standards
Helps all the parties be clear about their roles
Covers what happens to the data at each stage
International transfer
International PD transfer (IPDT) = “Any transfer of PD which are undergoing processing or are intended for processing after transfer to a 3rd country or to an international organization”
Ex: An EU DC uses the services of a DP that is established outside of the EU to store its clients' files
Ex: An EU company shares its client/employee databases with other members of the same group of companies established outside of the EU
3 Conditions for the lawfulness of IPDT
Adequacy decision
The European Commission (EC) decides which countries have sufficient national DP laws so that the transfer of PD does not need additional protection
The countries concerned are under the continuous scrutiny of the Commission which should renew its examination at least every 4 years
The list of adequate countries can expand, or be reduced (cf US)
Adequate countries = Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, NZ, Korea, Switzerland, UK, *US, Uruguay
US Case
Privacy Shield was an informal agreement between the U.S. & EU intended to ensure compliance with European DP standards for data transfers to the U.S.
July 10, 2023: EC accepted the EU-US Data Privacy Framework => USA was reinstated as an adequate country
New decision of Commission
Appropriate safeguards
Article 46: “a DC or DP may transfer PD to a 3rd country or an international organization only if the DC or DP has provided appropriate safeguards, & on condition that enforceable DS rights & effective legal remedies for DS are available"
Transfer authorized without any prior authorization from the SA if one of the following safeguards exists:
a legally binding and enforceable instrument between public authorities or bodies
BCR - Binding Corporate Rules (adherence by each of the companies that is part of the group, after approval by the authority)
SDPC: standard data protection clauses adopted by the Commission, or adopted by a SA and approved by the Commission (template clauses between EU controller + non-EU controller, or EU controller + non-EU processor)
an approved code of conduct
an approved certification mechanism
Derogations for specific situations
Article 49 - Several derogations: • Explicit consent by DS • Contractual necessity (travel agents) • Public interest • Legal claim necessity • Protecting the vital interests of the DS • Open register (public registers, e.g. land title ownership)
If none of the above applies: • Compelling legitimate interest of the DC
Stake = The recipient who is not in the EU has no obligation to comply with the GDPR
Reminder: Data transfer is a kind of data processing, so all the data controller’s obligations apply (lawfulness, exercise of the DS rights, records, …)
Article 28 - DC should only use DPs that provide sufficient measures to meet the requirements of the Regulation + protect the DS's rights
DP cannot engage any other DP without DC authorization
Article 29 - DP can only process data on DC's instructions, unless required to do so by Union or Member State law.
Sanctions
Administrative sanctions
Breach of the basic rights of DS, or transfer to a 3rd country, or non-compliance with an order of a SA
= 20 000 000 EUR fine or up to 4 % of the total worldwide annual turnover of the preceding financial year
Breach of the obligation of limitation, security & accountability
= 10 000 000 EUR fine or up to 2 % of the total worldwide annual turnover of the preceding financial year
Tortious liability
Article 82 - Right to compensation & liability
Institutions
French CNIL
CNIL’s missions
• Information & Rights protection
• Compliance support & Guidance
• Anticipation & Innovation
• Investigations & sanctions
EDPB (The European Data Protection Board) = Monitors & ensures the consistent + correct application of the GDPR (especially by issuing guidelines). It also promotes cooperation between the different member states' authorities (article 70 GDPR)
Procedures
Right to lodge a complaint with a supervisory authority if the DS considers that the processing of PD relating to him or her infringes this Regulation
Right to an effective judicial remedy
Right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them