GDPR Overview and Use Cases.


1 GDPR Overview and Use Cases

2 AGENDA
Overview
Terms
Rights and Obligations within the GDPR
Use Cases and Compliance

3 Nature of the GDPR
Directive
  Implementation in Member States is required
  National laws ought to fulfil the purpose of directives
  Previous data protection law was a Directive
Regulation
  Immediately applicable in each Member State
  Implementation is not required
  GDPR is a Regulation

4 General Facts
Applicable in all EU Member States from 25 May 2018
GDPR applies to the processing of personal data by a data controller or a data processor
Increased compliance obligations
Enhanced rights for individuals
Increased regulatory powers and sanctions
Directly effective, but Member States may introduce domestic provisions in a number of areas (Öffnungsklauseln)
  AUSTRIA: Datenschutzgesetz (2018)

5 Terms of GDPR
Processing - almost anything you can do with personal data: collecting, recording, organising, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, erasing, destroying
Personal Data - any information relating to an identified or identifiable living person (data subject); identifiable means the person can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier (IP address), or factors specific to a person's identity
Special categories of personal data (sensitive data) - data revealing racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership; genetic data; biometric data; data concerning health; data concerning a person's sex life or sexual orientation
Data Controller - decides how and why personal data is processed
Data Processor - processes personal data on behalf of a data controller

6 The DATA CONTROLLER
Must implement appropriate technical and organisational measures ensuring that processing of personal data has a legal basis and complies with the 6 data protection principles
Must be able to demonstrate compliance ('accountability')
Mandatory records of processing activities
Mandatory data breach notification
Appoint a Data Protection Officer, where required
Data Protection Impact Assessment prior to likely high-risk processing
Restrictions on transfers of personal data outside the EEA

7 The DATA PROCESSOR
Must implement appropriate technical and organisational measures
Mandatory records of processing activities
Only process in accordance with documented instructions of the data controller
Processing must be based on a contract; GDPR provides a list of mandatory terms that must be included
Not engage a sub-processor without prior written authorisation
Notify the data controller without undue delay of a personal data breach
Appoint a Data Protection Officer, where required
Restrictions on transfers of personal data outside the EEA

8 The DATA PROTECTION OFFICER
DPO appointment is mandatory for:
  Public bodies (except courts), and
  Data controllers and data processors that, as a core activity, monitor individuals systematically and on a large scale, or that process sensitive data on a large scale
Appointment, position and tasks of the DPO are set out in the GDPR
  Expert knowledge of data protection law and practice
  Reports directly to the highest level of management
  Operational independence, no conflicts of interest, confidentiality
  Informs and advises; monitors compliance; point of contact for individuals/DPC
If a DPO is not mandatory, or if in doubt: for a DPO appointed on a voluntary basis the GDPR requirements still apply. Do not use the titles 'Data Protection Officer' or 'DPO'.

9 Requirements for the processing of personal data
LEGAL BASIS (Art 6)
  Consent
  Contract
  Legal Obligation
  Protection of Vital Interests
  Public Interest or Official Authority
  Legitimate Interests
6 PRINCIPLES OF THE GDPR (Art 5)
  Lawfulness, Fairness, Transparency
  Purpose Limitation
  Data Minimisation
  Accuracy
  Storage Limitation
  Security, Integrity and Confidentiality

10 Rights of Data Subjects
Information (Privacy Notice)
Access their own personal data (Subject Access Request)
Correct their personal data (rectification)
Erase their personal data (right to be forgotten)
Restrict data processing
Object to data processing
Export their personal data to another data controller (data portability)
Not be subject to automated decision-making, including profiling
Be notified of a data security breach
Make a complaint to the supervisory authority (DPC)
Sue the data controller or data processor for material or non-material damages resulting from a breach of the GDPR

11 USE CASES
Data Privacy Notice
Newsletters and Cookies
Facebook
Processor outside the EU

12 Data Privacy Notice
Data controller identity and contact details
DPO contact details, where applicable
Purpose of processing
Legal basis for processing
Legitimate interests, where applicable
Recipients or categories of recipients
Data retention period, or criteria used to determine it
Individual's rights including access, correction, erasure, restriction, objection, data portability
Where processing is based on consent, the right to withdraw it at any time
Right to complain to the DPC
Whether the data controller uses automated decision-making (including profiling), information about the logic involved, and the consequences for the individual

13 NEWSLETTER
Is the recipient a customer or not?
s addressed to 50+ subjects need consent
Best practice: Double-Opt-In (consent + confirmation)
Mandatory for valid consent: disclosure of the right of withdrawal
  Alternative: link to the Data Privacy Notice
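The Double-Opt-In best practice from this slide, as an added example that is not part of the original presentation: a subscription is only recorded as consent after the subject confirms via an unguessable, single-use, expiring token, and the record keeps evidence that the withdrawal disclosure was shown. Class and method names, the in-memory store, the 48-hour token lifetime and the notice text are assumptions for illustration.

```python
"""Double opt-in newsletter consent (added example, not from the original slides).

Step 1: the subject submits an address; we store a pending request and mail a token.
Step 2: the subject clicks the link; only then is consent recorded, with an audit trail.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 48 * 3600  # assumed: confirmation links expire after 48 hours

# Mandatory disclosure, shown with the subscribe form and repeated in the
# confirmation mail (the slide: disclosure of the right of withdrawal).
WITHDRAWAL_NOTICE = (
    "You can withdraw your consent at any time via the unsubscribe link in "
    "every newsletter or by contacting us; see our Data Privacy Notice."
)


class DoubleOptIn:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # sha256(token) -> (email, requested_at)
        self._confirmed = {}       # email -> consent record

    @staticmethod
    def _normalise(email):
        return email.strip().lower()

    def request_subscription(self, email):
        """Step 1: remember the request and return the token to put in the confirmation mail."""
        email = self._normalise(email)
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
        # Store only a hash, so a leaked pending table does not yield usable links.
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[token_hash] = (email, self._now())
        return token

    def confirm(self, token):
        """Step 2: the subject clicked the link. Returns the consent record, or None if invalid/expired."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(token_hash, None)  # pop: each token works exactly once
        if entry is None:
            return None
        email, requested_at = entry
        if self._now() - requested_at > TOKEN_TTL_SECONDS:
            return None  # expired: the subject has to start again
        record = {
            "email": email,
            "requested_at": requested_at,
            "confirmed_at": self._now(),
            "withdrawal_notice_shown": True,              # evidence of the mandatory disclosure
            "notice_version": "privacy-notice-v1",        # assumed version label of the notice
        }
        self._confirmed[email] = record
        return record

    def withdraw(self, email):
        """Consent can be withdrawn at any time; keep the record but mark it, preserving the audit trail."""
        rec = self._confirmed.get(self._normalise(email))
        if rec is None:
            return False
        rec["withdrawn_at"] = self._now()
        return True

    def may_send(self, email):
        """Only send to addresses with confirmed, non-withdrawn consent."""
        rec = self._confirmed.get(self._normalise(email))
        return rec is not None and "withdrawn_at" not in rec
```

The pending table is keyed by the token hash rather than by address, so a subscribe request from someone who does not own the mailbox never reaches the confirmed list, and a withdrawn record is retained (marked, not deleted) because the controller may need to demonstrate when consent existed and when it ended.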

14 NEWSLETTER EXISTING BUSINESS RELATIONSHIP EXCEPTION
Customer provided the (e.g. e-commerce order)
Solely for direct advertisement of own and similar products to the previous order
Recipient was given the opportunity to opt out

15 COOKIES
What are Cookies?
Principally, consent for cookies is needed
User can change cookie settings in browser = consent
Cookie notice is always needed
Must also be part of the Data Privacy Notice
Best Practice: Cookiebot.com

16 Third Countries
Data processed outside the EEA potentially loses its protection
Special conditions for the data transfer to third countries:
  Countries attested adequate protection by the European Commission: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework)
  Third countries without adequate protection: EU standard contractual clauses under EU Directive 95/46
  The data subject has given his/her consent to the transfer
  The transfer is necessary for the performance of a contract
  The transfer is necessary for legal defence or enforcement

17 Popular Processors in the US
Mailchimp, Google Analytics, Matomo, Slack, Magento
Privacy Shield Participants (
Regular Data Processing Agreement ONLY
Cave: Google Analytics requires a DPA also
