GDPR Workshop MEU Symposium Prague 2018 Vincent Miča, Data Protection Office, BETA Europe

Disclaimer I am not a lawyer and do not qualify as legal council This is not an exhaustive exploration of the GDPR Meant to give an overview and practical information and to raise awareness Please take consideration of local legal requirements (Member States may modify / expand upon some of these regulations)

Overview Definitions (Special) Personal Data Data Processing Consent Data Controller Data Processor Third Parties Principles of Data Protection Obligations of Data Controllers Data Protection Officer Data Subject Data Protection Data Breach Protocol Exercise - GDPR in Practice

Definitions

Personal Data ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Art. 4(1) Ex. Name, email, D.O.B., address

Special Personal Data “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.” (Art. 9(1) ) Not applicable with explicit consent (Art. 9(2)) Legitimate purpose for appropriate associations (Art. 9(2)(d))

Data Processing ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; Art. 4(2)

Consent ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; Art. 4(11)

Data Controller ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; Art. 4(7)

Data Processor ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; Art. 4(8)

Third Parties ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; Art. 4(10)

Questions?

Principles of Data Protection

Lawful Processing Art. 6(1)(a) Consent Contractual Obligation Legal Obligation Vital Interest of the Data Subject Public Interest / Official Authority Legitimate Interest

Purpose Limitation Art. 6(1)(b) Collection for “specified, explicit, and legitimate purposes” Processing of data is limited only to the purposes that it was collected for

Data Minimisation Art. 6(1)(c) Personal data shall be: “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”

Accuracy Art. 6(1)(d) Data should be accurate Kept up-to-date Inaccuracies must be rectified / erased

Storage Limitation Art. 6(1)(e) Data should be retained for as long as “necessary for the purposes for which the personal data are processed” What is “necessary”?

Integrity & Confidentiality Art. 6(1)(f) Processing in a secure manner Prevent unauthorised processing Protect against loss, destruction, or damage Appropriate technical and organisational measures

Questions?

Obligations of Data Controllers

Informing the Data Subject I Art. 13(1): When you collect data you must inform the data subject about: Identity and contact for the controller DPO contact if you have one Purpose of processing and its legal basis If legitimate interest is your legal basis, explain it Any other recipients of data personal data (third parties) If the data is to leave the EU, why and what are the precautionary measures

Informing the Data Subject II Art. 13(2) Retention period (if not specific, then criteria thereof) Existence of data subject rights If any automated “decision-making” processes are used Consequences of failure to provide personal data if based on contractual basis

Data Subject Rights Chapter III Right to withdraw consent Right to lodge a complaint with a supervisory authority Right of Access Rectification (and notification thereof) Erasure (and notification thereof) Restriction of Processing (and notification thereof) Portability Object (especially “automated-decision making”)

Data Protection by Design Art. 25 Secure options should be the default Secure organisational structure planned ahead of time Adherence to data protection principles throughout

Data Processing Record Details in Art. 30 Mostly in the case of an inspection by / reporting to supervisory authority Depends on the interpretation of “special personal data” as there is an exception for organisations below 250 people.

Data Breach Protocol Notification of a personal data breach to a supervisory authority (Art. 33) Notification of a personal data breach to the data subjects (sort of not required with encryption - Art. 34(3)(a)) “Undue delay” is 72 hours

Interactive Exercise