GDPR Flashcards
GDPR Fines
Fines are based on an organization's revenue, so they have a substantial impact regardless of its size.
Territorial scope of GDPR
Territorial scope relies on three criteria set out in Article 3 of the GDPR. Only one of these criteria needs to be met for the GDPR to apply.
• One: Processing of personal data when a controller or processor is established in the
EU (regardless of whether or not the actual processing takes place in the EU)
• Two: Processing of personal data of data subjects in the EU relating to offering goods
or services or monitoring behavior (regardless of whether or not the controller or
processor is established in the EU)
• Three: Processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law
Material scope of GDPR
Activities must also fall within the material scope of the GDPR, as set out in Article 2. These
activities include:
• Processing personal data wholly or partly by automated means. This is any processing operation performed without human intervention, or only partly with it. It should not be confused with automated decision-making, which is subject to strict restrictions under the GDPR.
• The material scope also covers personal data that forms part of a filing system. This
applies even if the processing is not conducted by automated means.
GDPR processing definition
“any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording,
organization, structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction”
Data subject (consumer) rights under GDPR
Notice / right to be informed
Withdraw consent
Erasure of personal data (right to be forgotten)
Access and correction (rectification)
Restriction of processing
Request a copy of their personal data
Right to object to processing
Right not to be subject to decisions based solely on automated decision-making
Data portability
Rights/obligations of orgs under GDPR
Provide notice to process personal data
Provide notification of breaches (sometimes)
Conduct DPIAs (sometimes)
Consult regulators before processing (sometimes)
Follow rules for processing children’s data
Implement data protection by design and by default
Ensure compliance of data transfers
Take responsibility for vendor processing
Maintain appropriate data security
Keep records and demonstrate compliance
Appoint a DPO (sometimes)
Rights/obligations of regulators (supervisory authorities) under GDPR
Enforce penalties of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher
Impose temporary or definitive processing bans
Mechanisms that allow orgs to transfer personal data across borders (out of the EU)
• Adequacy decisions: the European Commission finds a third country's legal regime, or an agreement companies can sign on to, adequate (Privacy Shield was covered by an adequacy decision, which the CJEU invalidated in July 2020 in Schrems II)
• Ad hoc contracts: must receive prior supervisory authority approval, so not as helpful
• Standard Contractual Clauses (SCCs), aka model clauses: contract terms pre-approved by the European Commission, so no further supervisory approval is needed
• Binding Corporate Rules (BCRs): legally binding internal corporate privacy rules for transferring personal information within a corporate group; require approval from a supervisory authority
• Codes of conduct or self-certification mechanisms, such as self-regulatory programs
Privacy Shield Process
• Commit to the U.S. Department of Commerce to adhere to the Privacy Shield Principles
• Publicize that commitment
• Publicly disclose the organization's privacy policy
• Implement the Principles
• Annually renew the certification, including verification of ongoing compliance with the Principles
Privacy Shield Principles
• Notice
• Choice
• Accountability for onward transfers (to countries outside the European Economic Area) and vendor agreements, to ensure Privacy Shield compliance
• Security
• Data integrity and purpose limitation
• Access
• Recourse, enforcement and liability
Note: Privacy Shield was reviewed annually by the EU and the Department of Commerce
Privacy Shield: Notice and Choice Principle
- Mandated information to data subjects: the controller's identity, details on recourse and the ability to complain, and notice of where the Privacy Shield list is located
Privacy Shield: Recourse Mechanism
- Complaints first follow the organization's internal process.
- If not resolved, the complaint goes to an independent dispute resolution provider: either one the organization appoints or, by default, the European supervisory authorities (the latter is mandatory for HR data).
- If still not resolved, the complaint goes to binding arbitration.
Privacy Shield: Limits on Surveillance
The US committed not to conduct bulk surveillance of individuals except for specified purposes such as international crime and terrorism.
GDPR Accountability
Article 24(1) of the GDPR mandates that the controller have a data protection program. It states that the program should be risk-based, taking into account "the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons."
In practice, this means:
- Implementing data protection by design and data protection by default
- Conducting data protection impact assessments
- Maintaining data processing records
- And possibly needing to appoint a data protection officer
DPO role
- A DPO is mandatory (Article 37) for public authorities, and for organizations whose core activities involve large-scale, regular and systematic monitoring of data subjects, or large-scale processing of special categories of data or data relating to criminal convictions and offences.
- The Article 29 Working Party recommends erring on the side of appointing a DPO.
- The role must be filled by someone "designated on the basis of professional qualities" with "expert knowledge of data protection law and practices."
Tasks:
- Work with regulators to ensure compliance.
- Train staff on proper data-handling practices.
- Keep informed of changes in law and technology.
- Build, implement and manage privacy programs.