Published by Amadeu Santiago Soares, modified over 6 years ago
GDPR Workshop MEU Symposium Prague 2018
Vincent Miča, Data Protection Office, BETA Europe
Disclaimer
I am not a lawyer and do not qualify as legal counsel.
This is not an exhaustive exploration of the GDPR; it is meant to give an overview and practical information and to raise awareness.
Please take local legal requirements into consideration (Member States may modify / expand upon some of these regulations).
Overview
Definitions: (Special) Personal Data, Data Processing, Consent, Data Controller, Data Processor, Third Parties
Principles of Data Protection
Obligations of Data Controllers
Data Protection Officer
Data Subject Data Protection
Data Breach Protocol
Exercise - GDPR in Practice
Definitions
Personal Data
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (Art. 4(1))
Ex. Name, , D.O.B., address
Special Personal Data
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.” (Art. 9(1))
Not applicable with explicit consent (Art. 9(2))
Legitimate purpose for appropriate associations (Art. 9(2)(d))
Data Processing
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (Art. 4(2))
Consent
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; (Art. 4(11))
Data Controller
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; (Art. 4(7))
Data Processor
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Art. 4(8))
Third Parties
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; (Art. 4(10))
Questions?
Principles of Data Protection
Lawful Processing (Art. 6(1)(a))
Consent
Contractual Obligation
Legal Obligation
Vital Interest of the Data Subject
Public Interest / Official Authority
Legitimate Interest
Purpose Limitation (Art. 6(1)(b))
Collection for “specified, explicit, and legitimate purposes”
Processing of data is limited only to the purposes it was collected for
Data Minimisation (Art. 6(1)(c))
Personal data shall be: “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
Accuracy (Art. 6(1)(d))
Data should be accurate and kept up to date
Inaccuracies must be rectified / erased
Storage Limitation (Art. 6(1)(e))
Data should be retained for as long as “necessary for the purposes for which the personal data are processed”
What is “necessary”?
Integrity &amp; Confidentiality (Art. 6(1)(f))
Processing in a secure manner
Prevent unauthorised processing
Protect against loss, destruction, or damage
Appropriate technical and organisational measures
Questions?
Obligations of Data Controllers
Informing the Data Subject I
Art. 13(1): When you collect data you must inform the data subject about:
Identity and contact details of the controller
DPO contact if you have one
Purpose of processing and its legal basis
If legitimate interest is your legal basis, explain it
Any other recipients of the personal data (third parties)
If the data is to leave the EU, why, and what the precautionary measures are
Informing the Data Subject II
Art. 13(2):
Retention period (if not specific, then the criteria thereof)
Existence of data subject rights
If any automated “decision-making” processes are used
Consequences of failure to provide personal data if processing is based on a contractual basis
Data Subject Rights (Chapter III)
Right to withdraw consent
Right to lodge a complaint with a supervisory authority
Right of Access
Rectification (and notification thereof)
Erasure (and notification thereof)
Restriction of Processing (and notification thereof)
Portability
Object (especially to “automated decision-making”)
Data Protection by Design (Art. 25)
Secure options should be the default
Secure organisational structure planned ahead of time
Adherence to data protection principles throughout
Data Processing Record
Details in Art. 30
Mostly in the case of an inspection by / reporting to a supervisory authority
Depends on the interpretation of “special personal data”, as there is an exception for organisations below 250 people
Data Breach Protocol
Notification of a personal data breach to a supervisory authority (Art. 33)
Notification of a personal data breach to the data subjects (sort of not required with encryption - Art. 34(3)(a))
“Undue delay” is 72 hours
Interactive Exercise