Welcome IITA Inbound Insider Webinar: An Introduction to GDPR
October 31, 2018. Thank you for joining us! The webinar will begin in a few minutes. A few reminders: please place your phone on mute; do not place the call on hold; if you need to leave the presentation, please hang up and dial back in; please save your questions until the end of the session.
Farina Azam Partner, Travlaw LLP
International Inbound Travel Association Webinar: An Introduction to GDPR, 31st October 2018. Farina Azam – Partner, Travlaw LLP.
Territorial Scope
- Applies directly in all EU member states.
- Applies to any controller or processor established in the EU, regardless of whether the processing itself takes place in the EU; OR
- If not established in the EU, applies where the processing relates to the offering of goods or services to data subjects in the EU (irrespective of whether payment is required), or to the monitoring of the behaviour of data subjects so far as that behaviour takes place in the EU.
Key Definitions (1 of 3)
Personal Data: "any information relating to a data subject".
Data Subject: the identified or identifiable natural person to whom the personal data relates.
Identifiable: a person is identifiable if he or she "can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity" of that person.
Key Definitions (2 of 3)
Data Controller: the body which "determines the purposes and means of the processing of personal data".
Data Processor: a "natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller".
Most obligations fall on the controller; however, the GDPR also imposes specific and separate duties and obligations on processors.
Key Definitions (3 of 3) What is Processing?
Processing means “…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."
Data Processing Principles (1 of 5)
1. Lawfulness, fairness and transparency;
2. Purpose limitation;
3. Data minimisation;
4. Accuracy;
5. Storage limitation;
6. Integrity and confidentiality;
7. Accountability.
Data Processing Principles (2 of 5)
1. Lawfulness, fairness and transparency: personal data must be processed "lawfully, fairly and in a transparent manner". For processing to be lawful under the GDPR, you need to identify a legal basis, known as a "condition for processing" (Article 6).
2. Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes.
Data Processing Principles (3 of 5)
3. Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c), GDPR).
4. Accuracy: personal data shall be accurate and, where necessary, kept up to date.
Data Processing Principles (4 of 5)
5. Storage limitation: retention periods. Article 5 of the GDPR requires that personal data shall be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". Six years is a commonly used benchmark, but you may be able to justify a longer period. Also consider which data you are storing and why: only store the data that is actually required (data minimisation).
Data Processing Principles (5 of 5)
6. Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
7. Accountability: under the GDPR, controllers are not only responsible for compliance with the general principles of the GDPR, but must also be able to demonstrate that compliance.
Legal Conditions for Processing Data
For processing to be lawful under the GDPR, you need to identify a legal basis, known as a "condition for processing":
- Consent;
- Contract;
- Compliance with a legal obligation;
- Protection of vital interests;
- Public interest;
- Legitimate interests.
Consent
Processing will be lawful where the data subject has given his or her consent to the processing of their personal data for one or more specific purposes. Note the distinction between consent and explicit consent.
- Freely given, specific, informed and unambiguous.
- Some form of clear, affirmative action: silence, pre-ticked boxes or inactivity does not constitute consent.
- Unbundled from other terms.
- Verifiable.
- The data subject has the right to withdraw consent.
Contract
Processing is necessary for the performance of a contract with the data subject, or to take steps at the data subject's request to enter into a contract. E.g. a tour operator passing information to a supplier for fulfilment of a travel booking (or a travel agent passing it to a tour operator).
Legitimate Interests
Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. Controllers will need to be able to demonstrate how they balanced their legitimate interests against the fundamental rights and freedoms of the individual. Recital 47 provides some examples of a controller's legitimate interest, for example:
- Where there is a relevant and appropriate relationship between the individual and the controller, such as where the individual is a client or in the service of the controller.
- Where the processing is strictly necessary for fraud prevention.
- The preamble (Recital 47) specifically mentions direct marketing as a possible legitimate interest which companies can rely on to contact customers.
Other legal conditions
- Compliance with a legal obligation: processing is undertaken in order to comply with a legal obligation, e.g. legal obligations as an employer.
- Protection of vital interests: this legal basis should, in principle, be relied on only where the processing cannot manifestly be based on another legal basis. It is usually relied on in cases where the processing is essential to protect the life of the data subject or another person.
- Public interest: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Additional Q&A Thank you! Farina Azam, Travlaw LLP