
1 This project is funded by the European Union
Recommendations for GDPR rules implementation in the legislation of Moldova
EU Twinning Project
Expert: D.Voitiņa
Project Activity: 1.3
Date:

2 Main requirements that have to be implemented
Principles of data processing
Lawfulness of processing
Communication with data subject
Data subject rights
Rights and duties of controller
Rights and duties of processor
Record-keeping of processing activities by the controller
Data breach
Impact assessment

3 Data processing principles
Personal data shall be:
a) processed lawfully, fairly and transparently with regard to the subject (“lawfulness, equity and transparency”);
b) collected for determined, explicit and legitimate purposes and not processed in a way that is incompatible with such purposes. Subsequent processing for archiving purposes in the public interest, for scientific or historic research or for statistical purposes shall not be deemed incompatible with the initial purposes pursuant to Article 10(6) of this law (“purpose-related limitations”);
c) appropriate, relevant and limited to what is necessary in relation to the achievement of the purposes for which it is processed (“data minimization”);
d) accurate and, where required, updated. All required actions shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
e) kept in a form that enables identification of the subjects for no longer than the period required to achieve the purposes for which the data are processed. Personal data may be stored for longer periods insofar as they will be processed exclusively for archiving purposes in the public interest, for scientific or historic research purposes or for statistical purposes pursuant to Article 10(6) of this law, subject to the application of the adequate technical and organizational measures provided for in this regulation in order to safeguard the subject’s rights and freedoms (“storage-related limitations”);
f) processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking the appropriate technical or organizational measures (“integrity and confidentiality”).

4 Lawfulness of processing
The processing shall be deemed lawful only if and insofar as at least one of the following requirements applies:
a) the subject has given his/her consent to the processing of his/her personal data for one or several specific purposes;
b) the processing is required for the performance of a contract to which the subject is a party or in order to make arrangements, at the subject’s request, before a contract has been concluded;
c) the processing is required for fulfilling the controller’s legal obligation;
d) the processing is required in order to protect the vital interests of the subject or of any other natural person;
e) the processing is required in order to carry out a task that serves a public interest or that results from the exercise of the public authority’s powers vested in the controller;
f) the processing is required for the legitimate interests pursued by the controller or a third party, except where the subject’s interests or fundamental rights and freedoms, which require the protection of personal data, prevail, in particular when the subject is a child.
Letter (f) shall not be applicable if the processing is carried out by public authorities in order to fulfil their duties.

5 Transparency of information, communications and methods to exercise the subject’s rights
The controller shall take appropriate measures in order to provide the subject with any information about the data processing and any communication under the data subject’s rights concerning the processing in a concise, transparent, intelligible and easily accessible form, using clear and simple language, in particular for any information addressed specifically to a child. The information shall be provided in writing or by other means, including in electronic form, where appropriate. At the subject’s request, the information may be provided orally, provided that the subject’s identity is proved by other means. The controller shall provide the subject with information on the arrangements made as a result of the request without any unjustified delay and, in any case, within 1 month from the receipt of the request. This period may be extended by 1 month where required, taking into account the complexity and number of requests. The controller shall inform the subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject submits a request electronically with an electronic signature, the information shall be provided in an electronic format where possible, unless the data subject requests another format.

6 If no action is taken with regard to the data subject’s request, the controller shall inform the subject, without delay and within one month from the receipt of the request, of the reasons for not taking action and of the possibility to submit a complaint to the Centre or to seek a judicial remedy. The information provided shall be free of charge. Where the requests by a subject are clearly unfounded or excessive, in particular because of their repetitiveness, the controller may:
a) either charge a reasonable fee, considering the administrative costs for the provision of information or communication or for the action to be taken as requested;
b) or refuse to deal with the request.
In these cases, it shall be for the controller to prove the clearly unfounded or excessive nature of the request. If the controller has justified doubts regarding the identity of the natural person who submits the request under this Chapter, the controller may request additional information, as required in order to confirm the subject’s identity.

7 Information of data subject
Where the personal data is collected directly from the data subject, the controller or processor must provide the following information free of charge:
the identity of the controller/joint controllers or, where applicable, of the controller’s representative;
the contact details of the data protection officer, where applicable;
the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
the legitimate interests pursued by the controller or a third party, where the processing is carried out under Article 4(3)(f);
the recipients or categories of recipients of the personal data;
the fact that the controller intends to transfer personal data to another country or an international organisation, and the existence or absence of an adequate level of protection.

8 the right to lodge a complaint with a supervisory authority.
The controller shall, at the time when personal data are obtained, provide the data subject with the following additional information where necessary to ensure fair and transparent processing:
the personal data storage period or, where this is not possible, the criteria used to establish such a period, including the action to be taken upon reaching the purposes for which the data were processed;
the existence of the rights of access to data, intervention in the data and objection, as well as the conditions under which such rights may be exercised;
the existence of the right to request from the controller access to the personal data, rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, and the right to data portability;
where the processing is based on the data subject’s consent or on point a) of Article 6(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
the existence of an automated decision-making process, including profiling, and relevant information on the logic used and on the importance and consequences of such processing for the subject;
the right to lodge a complaint with a supervisory authority.
The personal data subject is informed in written or electronic form or in any other format, provided the controller can prove that the data subject received this information.

9 Right of access to personal data
The personal data subject shall be entitled to obtain upon request, free of charge and without unjustified delay:
the information about the processing;
the communication of any information available with regard to the origin of such data;
the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
information on the legal consequences produced by the processing of personal data for the subject of those data, including the action taken upon reaching the purposes for which they were processed;
information on the means to exercise the right of intervention and objection with regard to the personal data;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing.
Where personal data are transferred to another country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 48 relating to the transfer. The right to obtain a copy referred to in paragraph (3) shall not adversely affect the rights and freedoms of others.

10 Right to rectification
The personal data subject shall be entitled to obtain from the controller, upon request and without unjustified delay:
the rectification of any inaccurate or untruthful data concerning him/her;
the supplementation of any incomplete data;
the update of the personal data concerning him/her.

11 Right to data erasure
The personal data subject shall be entitled to obtain from the controller the erasure of the personal data concerning him/her, and the controller must erase the personal data without unjustified delay where any of the following reasons applies:
the personal data are no longer required to achieve the purposes for which they were collected or processed;
the subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
the subject exercises his/her right to object to the processing and there are no prevailing legitimate grounds for the processing;
the personal data have been processed illegally;
the personal data must be erased in order to comply with a legal requirement placed on the controller under the law;
the personal data have been collected in relation to the offer of information society services, especially where these services target minors.

12 Right to data erasure
Where the controller has published the personal data and must erase it, the controller, considering the available technology and the implementation cost, shall take reasonable action, including technical measures, to inform controllers processing the personal data that the data subject has requested the erasure by said controllers of any links to, copies of or reproductions of such personal data. Paragraphs (1)-(3) shall not be applicable insofar as the processing is justified and required for:
exercising the right of freedom of expression;
compliance with a legal obligation or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
ascertaining, exercising or defending legal claims in court;
reasons of public interest in the area of public health;
archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the law, insofar as the right to data erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.

13 Right to restriction of processing
The personal data subject shall be entitled to obtain from the controller the restriction of processing where any of the following cases applies:
the subject contests the accuracy of the data, for a period required for the controller to check the accuracy of such data;
the processing is illegal and the subject opposes the erasure of the personal data, requesting instead a restriction on their use;
the controller no longer needs the personal data for the purpose of processing, but they are required by the subject in order to ascertain, exercise or defend a right in court; or
the data subject has objected to processing pursuant to the right to object, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data may, with the exception of storage, be processed solely with the subject’s consent or in order to ascertain, exercise or defend a right in court, to protect the rights of another natural or legal person or for reasons of important public interest.

14 Right to portability of personal data
The data subject shall be entitled to receive the personal data concerning him/her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall be entitled to transmit such data to another controller without hindrance from the controller to whom his/her personal data have been provided, where:
the processing is based on consent or a contract; and
the processing is carried out by automated means.
The exercise of this right shall be without prejudice to the right to erasure. The said right shall not be applicable to processing required for fulfilling a task carried out in the public interest or in the exercise of an official authority vested in the controller. This right shall be without prejudice to the rights and freedoms of other persons.

15 Right to object
At any time, the personal data subject shall be entitled to object, on grounds related to his/her particular case, to the processing of personal data concerning him/her that is based on public interest or legitimate interests, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates legitimate and stringent reasons justifying the processing which prevail over the subject’s interests, rights and freedoms, or that the purpose is to ascertain, exercise or defend a right in court. Where the data subject objects to the processing for the purpose of direct marketing, the personal data shall no longer be processed for this purpose. In the context of the use of information society services, the data subject may exercise his/her right to object by automated means using technical specifications. Where the personal data are processed for scientific or historical research purposes or for statistical purposes, the data subject shall, on grounds related to his/her particular case, be entitled to object to the processing of personal data concerning him/her, except where the processing is required in order to fulfil a task for reasons of public interest.

16 Individual automated decision-making process, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This shall not be applicable when the decision:
is necessary for concluding or performing a contract between the subject and a data controller;
is authorized by the law which applies to the controller and which also provides appropriate measures to safeguard the data subject’s rights, freedoms and legitimate interests;
is based on the explicit consent of the data subject.
The controller shall implement appropriate measures to safeguard the data subject’s rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

17 The controller’s responsibility
Taking into account the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement technical and organizational measures that are appropriate to ensure, and to be able to prove, that the processing is carried out in accordance with the requirements of this law and/or other relevant regulatory acts. The respective measures shall be reviewed and updated as required. The controller shall process the data according to the Law and ensure that its data processing activities comply with the provisions of the Law. The controller is responsible for the data processing, except where the controller can prove that the processor disregarded the requirements of the agreement. If the legislation does not expressly provide for the conditions and terms of storage and use of personal data, the controller shall define the conditions, terms and use for the data processing according to the Law. Personal data processed by a controller may be transmitted to another controller or a joint controller for processing for purposes similar to or other than those for which they were collected only on a legal basis referred to in the Law, with regard to the data protection principles and with the personal data subject’s consent. The controller shall process personal data only for determined, explicit and legitimate purposes and shall not process the personal data in a way that is incompatible with such purposes. The controller shall process personal data on a legal basis referred to in the Law.

18 Joint controllers
Where two or more controllers jointly determine the purposes and means of processing personal data, they shall be joint controllers. They shall, in a transparent manner, clearly establish the responsibilities of each of them as regards complying with their obligations under this law, in particular as regards exercising the subjects’ rights and the duties of each of them to provide information to the data subject, through an agreement between them, unless and in so far as the respective responsibilities of the controllers are determined by law to which the controllers are subject. The agreement may designate a contact point for data subjects. The agreement or other legal act shall appropriately reflect the respective roles and relations of the joint controllers with regard to such subjects. The essence of this agreement is brought to the knowledge of the subject, within the limit of information that does not present a risk for the security of data processing.

19 The processor
The processor shall process data under the liability of the controller, ensuring and proving compliance of every processing operation with the provisions of the Law. Processing by a processor shall be governed by a contract or another legal act that is binding on the processor in relation to the controller. The contract between controller and processor, or another legal act, provides at least:
a) the subject-matter;
b) the period of the processing;
c) the nature of the processing;
d) the purpose of the processing;
e) the type of personal data;
f) the categories of data subjects;
g) the obligations and rights of the controller and processor.
The processor shall not contract another processor without the prior written authorization of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. The contract or the other legal act referred to in paragraphs (3) and (4) shall be formulated in writing, including in electronic format. The Centre may provide for standard contractual clauses for the contract aspects

20 The respective contract or legal act provides, in particular, that the processor:
shall process personal data solely on documented instructions from the controller, including as regards transfers of personal data to another country or an international organisation, except where the processor is required to do so by a legal obligation; in that case, the processor shall notify the controller of this legal obligation before processing, unless that law prohibits such notification for important reasons related to the public interest;
shall ensure that the persons authorized to process personal data have undertaken to respect confidentiality or are under a proper statutory obligation of confidentiality;
shall implement appropriate technical and organisational measures according to Article 33 to ensure a level of security appropriate to the risk;
shall not engage another processor without prior specific or general written authorisation of the controller; in the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes;
considering the nature of the processing, shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, so that the controller meets its obligation to satisfy requests for the exercise of the data subject’s rights under Chapter III;
shall assist the controller in ensuring compliance with this law (inform the controller in the case of a personal data breach, carry out a data protection impact assessment, and consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk);
at the controller’s request, shall erase or return all the personal data to the controller after the provision of the processing services has ended and shall remove existing copies, unless otherwise provided for by the law;
shall make available to the controller all the information required to prove compliance with the obligations under this Article, and shall allow for and contribute to audits, including inspections, conducted by the controller or another authorized auditor.
As regards the first paragraph of letter (h), the processor shall immediately inform the controller where, in its opinion, an instruction breaches this law or other regulatory acts in the area of personal data protection.

21 Civil liability of controller and processor
The controller or processor shall hold civil liability for material or non-material damage resulting from an infringement of this law towards any person who claims such damage. Any controller involved in processing shall be liable for the damage caused by processing which infringes this law. A processor shall be liable for the damage caused by processing only where it has not complied with the obligations of this law specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. Where more than one controller or processor is involved in the same processing, they hold joint and several liability: each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. Where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing the part of the compensation corresponding to their share of responsibility for the damage. The claim for damages shall be lodged in the court where the controller or processor has its seat. The data subject may choose to lodge the application in the court of his/her habitual residence. If the controller or processor is a public authority acting in the exercise of its public powers, the application shall be lodged in the country on whose behalf the public authority is acting.

22 Record-keeping of processing activities by the controller
The controllers and processors shall keep records of the personal data processing activities placed under their responsibility. That record shall contain all of the following information:
in the case of automatic processing of personal data, the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
the purposes and the legal basis of the processing;
a description of the categories of data subjects and of the categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed, including recipients in other countries or international organisations;
where applicable, transfers of personal data to another country or an international organisation, including the identification of that country or international organisation and, in the special case of transfers, the documentation of suitable safeguards;
where possible, the envisaged time limits for erasure of the different categories of data;
where possible, a general description of the technical and organisational security measures.

23 Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request. The obligations of record-keeping shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

24 Notification of a personal data breach to the Centre
In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Centre, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The processor shall notify the controller without undue delay after becoming aware of a personal data breach. The notification shall at least:
a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

25 Data protection impact assessment
Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. A data protection impact assessment shall in particular be required in the case of:
a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
processing on a large scale of special categories of data referred to in Article 6(1), or of personal data relating to criminal convictions and offences referred to in Article 7; or
a systematic monitoring of a publicly accessible area on a large scale.

26 Data protection impact assessment
The Centre may also establish and make public a list of the kinds of processing operations for which no data protection impact assessment is required. The assessment shall contain at least:
a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the present law, taking into account the rights and legitimate interests of data subjects and other persons concerned.
When assessing the impact of the processing operations carried out by the controllers or processors, it is envisaged that they will comply with the normative acts in the field of personal data protection. Where necessary, the controller shall carry out a review to assess whether processing is performed in accordance with the data protection impact assessment, at least when there is a change in the risk represented by the processing operations.

27 Thank you!
