The General Data Protection Regulation

1 The General Data Protection Regulation
The General Data Protection Regulation ...an overview of the new data protection legal framework
Office of the Information and Data Protection Commissioner

2 Overview of the Data Protection Authority
1 Overview of the Data Protection Authority
2 Brief background to the GDPR
3 Main operational change for the DPA
4 New obligations under the GDPR
5 Concluding Remarks

3 Overview of the Data Protection Authority
- Chapter 6 of the GDPR – MS shall provide for the establishment of an independent supervisory authority (in principle, the current provisions of the DPA are in line with Chapter 6).
- The Commissioner is the sole National Supervisory Authority, regulating both the private and public sector.
- Appointed by the Prime Minister after having consulted the Leader of the Opposition.
- Holds office for a period of 5 years and is eligible for reappointment on the expiration of his term of office.
- The Commissioner enjoys independence similar to that of a judge.
- May not hold any other office of profit and is free from any form of external influence, whether direct or indirect.
- Has a distinct legal personality and is, inter alia, capable of entering into contracts, suing and being sued.

4 Overview of the Data Protection Authority
MAIN POWERS
Investigative powers
- access personal data being processed;
- obtain information on the processing of personal data and its security;
- enter and search any premises with the same powers as are vested in the executive police;
- carry out reviews on certifications.
Corrective powers
- issue warnings and reprimands to the controller and processor;
- order rectification or erasure of personal data;
- impose a temporary or definitive ban on the processing activity;
- impose administrative fines [a.83 of the GDPR – effective, proportionate and dissuasive – up to a maximum of 4% of annual turnover or 20 Million Euro].

5 Overview of the Data Protection Authority
MAIN POWERS
Authorisation and advisory powers
- authorise processing which is subject to a prior checking requirement;
- issue opinions and approve draft codes of conduct;
- advise the Parliament, Government and the general public on any issue related to the protection of personal data;
- accredit certification bodies.
Engage in legal proceedings
- any person aggrieved by a decision of the Commissioner may appeal to the Data Protection Appeals Tribunal;
- recourse to the Court of Appeal shall also lie to a party or to the Commissioner where they feel aggrieved by a decision of the Tribunal (only on a question of law);
- the Commissioner may institute proceedings in a Court of law against any person.

6 Brief Background to the GDPR
- Technological progress and globalisation have changed the way personal data is collected, accessed and used.
- Information is becoming increasingly exposed and vulnerable, leading to security breaches, hacking or other unlawful action, especially in the online environment.
- Data protection and privacy challenges are on the increase.
- Modernising the existing set of data protection rules was part of the EC’s Digital Single Market strategy.
- The main objective was to strengthen online privacy rights, boost Europe’s digital agenda and ensure a harmonised environment across the EU.
- The EC proposed a comprehensive reform of the 1995 Data Protection Directive.
- A regulation was considered to be the most appropriate legal instrument; direct applicability reduces legal fragmentation and provides more legal certainty.

7 Brief Background to the GDPR
Timeline of events in the Council (Date: Development)
- 25th January 2012: EC presented a proposal for a GDPR
- 15th June 2015: Council agrees on general approach
- 18th December 2015: Council confirms agreement with European Parliament
- 8th April 2016: Council adopts position at first reading
- 4th May 2016: GDPR published in OJ of the EU
- 24th May 2016: GDPR enters into force
- 25th May 2018: GDPR applies

8 Main operational change for the DPA
One Stop Shop
- General principle set out by the GDPR: to establish mechanisms to create consistency in the application of data protection law across the EU.
- Applicable in cross-border cases where a company has several subsidiaries in MS.
- Mechanism to achieve this principle: the company deals with the DPA in the MS of its main establishment, “...the place of its central administration in the Union...”

9 Main operational change for the DPA
- The DPA will act as the Lead Supervisory Authority (LSA);
- Shall cooperate with other concerned supervisory authorities for the purpose of exchanging the necessary information (mutual assistance or joint operations);
- Draft Decision taken by the LSA – A.60 of the GDPR provides for the procedure where one or more concerned SAs express a relevant and reasoned objection.
- Where the LSA decides not to follow such an objection, it shall refer the case to the EDPB for a binding opinion.

10 New obligations under the GDPR
Security of processing (A.32)
The data controller shall implement adequate organisational and technical measures to ensure a level of security appropriate to the risk, including:
- pseudonymisation and encryption of data;
- the ability to ensure ongoing integrity and resilience of processing systems;
- the ability to restore the availability of processing systems in a timely manner in the event of an incident;
- the regular testing, assessing and evaluating of the effectiveness of security measures.
To demonstrate compliance with the security requirements, the controller may adhere to:
- an approved code of conduct (prepared by associations or bodies representing the sector);
- an approved certification mechanism.

11 New obligations under the GDPR
Certification (A.42)
- Data protection certification mechanisms and data protection seals and marks which may be used to demonstrate compliance with the GDPR;
- Voluntary, and shall not diminish the compliance responsibilities of controllers and processors;
- Issued by the DPA or a certification body accredited by the DPA or by a national accreditation body;
- Certification is valid for a maximum of 3 years (may be renewed) and is issued on the basis of criteria approved by the competent supervisory authority;
- Is certification only applicable to processing operations, or also to products and services?

12 New obligations under the GDPR
Notification of personal data breach (A.33 – 34)
Personal data breach suffered by controller
- Notify the DPA (within 72 hrs):
  - nature of the data breach (categories and number of data subjects and records affected);
  - likely consequences;
  - measures taken or proposed to be taken to address the breach.
- High risk to data subjects' rights?
  - NO: no notification to data subjects required.
  - YES: notify the data subjects without undue delay:
    - contact details of the DPO;
    - likely consequences;
    - measures taken or proposed to be taken;
    - take any necessary measures to mitigate any possible effects on personal data.
- No notification to data subjects required if:
  - measures are implemented which render the data unintelligible;
  - the high risk is not likely to materialise;
  - notification would involve a disproportionate effort.

13 New obligations under the GDPR
Data Protection by design and by default (A.25)
- Considerations should be made at an early stage and throughout the lifecycle (e.g. developing IT systems, introducing legislation or measures affecting privacy);
- Data protection embedded in the design;
- Proactive and preventive privacy-friendly measures (e.g. pseudonymisation, data minimisation);
- Default measures tailored to automatically protect the individual’s privacy (e.g. preset storage periods, limited data collection and accessibility, user-friendly options).

14 New obligations under the GDPR
Data Protection Impact Assessment (A.35)
Required of the controller in the following cases:
- the processing operation is likely to result in a high risk;
- systematic and extensive evaluation of data subjects based on automated processing (including profiling);
- processing of special categories of personal data on a large scale.
ISO provides the methodology on how to conduct a Privacy Impact Assessment.

15 New obligations under the GDPR
When carrying out the impact assessment, data controllers shall consider the following:
- envisaged processing operations;
- purpose(s) of processing;
- legitimate interest of the controller;
- necessity and proportionality;
- risks posed to the rights and freedoms of data subjects;
- security measures to protect personal data.
Prior consultation with the DPA shall only be required if the Data Protection Impact Assessment still indicates the presence of residual risks to data subjects.

16 New obligations under the GDPR
Records of processing activities (A.30)
The GDPR introduces a new requirement to keep a record of processing activities.
- Applicable to both controllers and processors;
- Substitutes the notification currently submitted to the DPA.
In the case of controllers, the new obligation applies to organisations employing 250 persons or more, or when:
- processing involves special categories of data;
- processing is likely to involve risks for data subjects.
Records of processing activities shall be made available to the DPA upon request.

17 New obligations under the GDPR
The record shall contain the following information:
- details of the controller (including DPO, joint controllers and representatives where applicable);
- the purposes of processing;
- description of the categories of data subjects, personal data and recipients;
- details of international transfers where applicable;
- envisaged time limits for the erasure of data;
- security measures.

18 New obligations under the GDPR
Role of data processor (A.28)
The GDPR strengthens the current obligations by introducing more prescriptive rules on processors.
- Controllers shall only use processors providing sufficient guarantees to comply with the GDPR;
- Sub-processing is only allowed with prior written authorisation from the data controller;
- Processing shall be regulated by means of a binding contract in line with the terms provided under A.28;
- Standard contractual clauses may be developed by COM or MS DPAs.

19 New obligations under the GDPR
The responsibilities of the data processor are not limited to the contractual obligations established by the controller. The GDPR is generally applicable and extends specific obligations to processors as well:
- record keeping;
- cooperation with DPAs;
- security of processing;
- designation of a DPO;
- adherence to codes of conduct issued under the GDPR;
- international data transfers;
- subject to DPAs' powers.

20 New obligations under the GDPR
Role of Data Protection Officer (A.37-39)
Mandatory designation in the following cases:
- processing carried out by public authorities/bodies;
- regular and systematic monitoring of data subjects on a large scale;
- processing of special categories of data on a large scale.
A single DPO may be appointed to serve a group of undertakings or public authorities/bodies.
The GDPR requires the DPO to have expert knowledge of data protection law.

21 New obligations under the GDPR
Position and Tasks
- Staff member or engaged on a service contract;
- Should be able to work independently;
- Involvement in data protection matters;
- Informing and advising the controller/processor;
- Monitoring compliance;
- Providing advice on and monitoring the DP Impact Assessment;
- Cooperating with the DPA;
- Acting as contact point for data subjects and DPAs.

23 Concluding Remarks
- It shall be the legal duty of the data controller to observe compliance with the GDPR (ignorantia iuris nocet).
- OIDPC assists whenever requested and where necessary; interpretative guidance material is being and will continue to be issued by the WP29 in accordance with its work plan. Online guides providing checklists assist data controllers in complying with the GDPR.
- Breaches, depending on nature and other key criteria, will be punishable with fines; for the purpose of avoiding forum shopping, certain guidelines must be followed.
- Compliance with the current legal framework should already be in place.
- Get ready and be prepared to implement the new obligations deriving from the GDPR.

24 Contact Details
Thank you!
Office of the Information and Data Protection Commissioner
Tel: (+356)
Portal:

