IAPP CIPP/E – GDPR in Practice

1. Supervision and Enforcement

Supervision and enforcement. In this lecture, we will discuss the role, powers and procedures of supervisory authorities, the composition and tasks of the European Data Protection Board, the role of the European Data Protection supervisor, and remedies liabilities and penalties for noncompliance supervisory authorities, also known as data protection authorities, promote, promote, monitor and enforce the GDPR. As an example, ICO is the supervisory authority for UK.

They promote awareness by helping organizations understand their obligations under the GDPR and by serving in an advisory capacity so organizations may approach them for advice on data protection issues. They conduct investigations on GDPR compliance. They protect fundamental human rights, including raising public awareness by providing information to individuals who have requested information and by managing data subjects complaints.

They draw up annual reports that explain the data protection in their country, current issues and the agenda for the following year. And they facilitate the free flow of personal data within the EU. This supports the fundamental role of the EU to promote free trade and the free movement of data.

Supervisory authorities have three categories of powers as set out in Article 58 investigative, corrective, and authorization and advisory. Investigative powers includes the power to audit. Corrective power includes suspension of processing or administrative fines. A lead supervisory authority is the primary regulator responsible for dealing with the cross border processing activities of a controller or processor. This includes coordinating operations of all supervisory authorities concerned.

According to article four, cross border processing is defined as processing of personal data which takes place in the context of the activities of establishments in more than one member state of a controller or processor in the union where the controller or processor is established in more than one member state or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the union, but which substantially affects, or is likely to substantially affect data subjects in more than one member state.

If the processing is in fact cross border processing, how does the controller identify the lead supervisory authority? If the organization has a single establishment in the EU, then the lead supervisory authority will simply be that of the place of establishment. If the organization has more than one establishment in the EU, then the lead supervisory authority will be that of the place of central administration.

That is, unless decision decisions about purposes, means and implementation of processing takes place at a different location. If this is the case, then the essay of that location where the processing decisions take place will be the lead. This makes it possible for a company to have several lead essays if it conducts several crossborder activities whose related decisions take place in more than one location. The same criteria apply for identifying a processor’s lead supervisory authority unless the controller is also involved in the processing, in which case the controller’s lead supervisory authority would be the processor’s lead as well the processor’s supervisory authority would then be considered the supervisory authority concerned. Chapter Seven of the GDPR provides mechanisms to support cooperation and consistency between supervisory authorities.

Cooperation is needed between the lead supervisory authority and other concerned supervisory authorities to reach consensus. Mutual Assistance provision of relevant information between supervisory authority’s joint operations joint supervisory authority investigations and enforcement measures of controllers or processors in several member states or when data subjects are in more than one-member state. Consistency Mechanism A specific collaborative process between supervisory authorities, the Commission and the European Data Protection Board for adopting certain measures and ensuring consistent GDPR application. Dispute Resolution A mechanism to dispute a decision if not jointly agreed on by the supervisory authorities and the issuance of binding decisions. Urgency. Procedure. Procedure for the immediate adoption of provisional measures within a member state. The European Action Board.

The GDPR replaces the Article 29 Working Party with the European Data Protection Board. EDPB. It comprises a representative of every member state supervisory authority. The Article 29 Working Party’s opinions will still be valid under the GDPR to the extent that they align with the regulation, and the EDPB will decide which opinions must be updated. Each of the 31 member states of the EEA will appoint a representative to sit on the EDPB.

However, only the representatives from the 28 EU member states may vote. The EDPS oversees the European Commission’s and Parliament’s compliance with the GDPR, playing an ambassadorial role and often issuing opinions. The EDPB must act independently. Its roles are to monitor for the correct application of the GDPR and oversee the consistency. Mechanism for ensuring a consistent approach to data protection by the various supervisory authorities issue guidance and advice to the Commission for personal data protection on a pan European basis and preside over the dispute resolution process.

Remedies liabilities and Penalties one of the most discussed topics relating to the entering into force of the GDPR are the administrative fines that may be imposed by a supervisory authority in the event of noncompliance with the GDPR and not without reason. The administrative fines that may possibly be imposed are substantial. Administrative fines may, depending on the infringed provisions of the GDPR, amount to a maximum of €20 million or, if this is a higher amount, 4% of the total worldwide annual turnover of an organization.

Such fines may be imposed on both the controller and the processor. Fortunately, not all infringements of the GDPR will lead to those serious fines. Besides the power to impose administrative fines as described above, a supervisory authority also has the power to issue warnings, reprimands and orders. Further, the GDPR provides data subjects with the explicit right to lodge a complaint with a supervisory authority if they consider that any processing of their personal data infringes the requirements of the GDPR controllers are even obliged to explicitly inform the data subjects of this right.

Further to a complaint, a supervisory authority may decide to further investigate this company’s processing activities. In the event that a supervisory authority does not inform a data subject on the progress or outcome of a complaint lodged within three months, a data subject shall have the right to an effective judicial remedy.

The GDPR also gives data subjects the right to compensation of any material and or nonmaterial damages resulting from an infringement of the GDPR. Both controllers and processors are liable for any damages resulting from an infringement of the GDPR. However, processors shall only be liable for damages that are caused as a result of the processor’s actions that were contrary to the controller’s instructions or a breach of the GDPR requirements, particularly addressing processors such as the data security obligations.

A controller or processor will be exempted from liability if he can prove not to be in any way responsible for the event causing the damage. The GDPR explicitly indicates that data subjects have the right to have their rights to lodge a complaint or to claim damages exercised by a non for-profit body organization or association on their behalf. This opens the door for mass claims in cases of large scale infringements.

2. Business Compliance

Business Compliance welcome to the last video lecture of this course. In this lecture, we will explain some key business cases and the GDPR compliance for these cases. Processing employee personal Data the mix of EU data protection law with local employment law can make compliance in the context of employment complicated. And in addition to EU data protection law or Member States may, by law or collective agreements, provide for more specific rules for processing employee personal data.

But first, under the GDPR, there must be a lawful basis for collecting and processing personal data. The legal basis are the grounds employers rely on to process employee personal data can be any of the followings fulfillment of an employment contract collecting and using bank account information to process salaries legal obligation sharing salary information with tax authorities legitimate interests of the employer migrating information from one data management system to another.

The legitimate interest cannot be adverse to employees rights and freedoms, and it cannot be used as a grounds for processing special categories of data. Consent freely given consent will be difficult to prove because of the unequal distribution of power between the employer and the employee. However, under some local labor laws, employers are obligated to get consent from employees to process their personal data. And if collecting and processing special categories of data, an employer must rely on explicit consent or an obligation.

Under employment law, the GDPR’s transparency principle requires notification to data subjects when their personal data is being processed. Employers must provide notice to employees when processing their data. This may be accomplished as part of the onboarding process in a variety of ways, for example, as part of a staff handbook, staff handbook, employment contract code of conduct, or Elearning orientation course.

Lawful employee monitoring, member State data protection law and local employment law may have specific requirements restricting the use of employee monitoring systems. Under the GDPR, employees rights and freedoms must be balanced against the rights of the employer, and alternatives to monitoring should always be considered. Prevention, for instance, is often a better approach than detection. For example, blocking websites the employer does not want the employee to visit. To monitor employees lawfully, an employer must ensure that the monitoring is necessary, proportional, transparent, and legitimate necessary. Can we demonstrate that the monitoring is required? In other words, would another, less intrusive method fulfill the need? Proportional is the monitoring proportional to the issue? Is it reasonable? Transparent? Legitimate?

Do we have lawful grounds for collecting and using the personal data? Bring your own device BYOD to comply with EU and Member State data protection law as well as local employment law, employers should take into account the entire employee lifecycle from application to termination and beyond. Bring your own device BYOD is an issue relevant to every stage in the employee lifecycle. More and more, employers are allowing and encouraging their employees to use their own devices, such as smartphones, tablets and laptops, for work related activities.

While convenient and potentially cost effective to operations. BYOD programs open the door to greater risks to data protection, including data breaches, which could result in substantial penalties and fines under the GDPR. To avoid this, as well as loss of trust and a tarnished reputation, effective management of bring your own device programs is imperative. Heritage this starts with a BYOD policy. Policy goals should align with employment law and the GDPR protect personal data of individuals such as employees, customers, patients and sponsors. Protect organizational data such as intellectual property, financial information, and trade secrets.

Enable employee productivity. Utilize mobile device management of issues such as lost and stolen devices, misuse devices and termination of employment, and mitigate network risks. In addition to a BYOD policy, employees must be provided with notice explaining the consequences of signing up to, BYOD and outlining the information the organization will be able to access. Again, the employer must have a lawful basis for processing personal data. Whistleblowing Schemes Whistleblowing schemes have increased in use since the passing of the US. Sarbanes. Oxley act.

Two Sox under Sox, companies must have a system in place to receive anonymous complaints about potential wrongdoing, including fraud, misappropriation of assets, and or material misstatements in financial reporting. US. Companies with EU subsidiaries or affiliates are bound to both Sox and EU Data Protection Law, thus potentially leading to conflicting obligations. Specifically in regards to protecting the identity of the whistleblower under Sox versus protecting the personal data of the employee accused of wrongdoing under EU Data Protection Law.

The major difference is that anonymous whistleblowing is not favored by GDPR, whereas in US. Sox it is mandatory to align with both. Companies should enable anonymous reporting, but for GDPR, they should mention that it should be the last resort. Direct Marketing in the context of Data Protection Law direct marketing can be defined as personal data processed to communicate a marketing or advertising message. This definition includes messages from commercial organizations as well as from charities and political organizations.

Direct marketing is one of the most complex areas of EU law. It is regulated both by the GDPR and the Eprivacy Directive. Under the GDPR, there is an absolute right to object to any form of direct marketing at any time. In addition, the E Privacy Directive has different rules for different channels used for direct marketing. In some cases, allowing individuals to opt out of marketing communications is sufficient. In other circumstances, individuals must opt in to receive direct marketing communications post.

For postal marketing, opt out is sufficient. Phone for telemarketing, opt out is generally sufficient. However, before engaging in phone marketing, the call list first must be screen sale, stroke, SMS for business to consumer, emailing and text messaging, opt in is required. However, the opt out rule provides an exception.

The exception stipulates that the recipient’s contact details are collected in the context of a sale. The marketing is related to first party products and services. Opt out is offered at the point of data collection and opt out is offered in every subsequent communication. Please read the document in the Resources section of this lecture to learn more about Eprivacy directive in practice.

Cloud Computing The EU does not have specific legislation regarding cloud computing. However, the technology neutral GDPR where replicable sets out controller and processor obligations because the controller has significantly more obligations under the GDPR. Distinguishing between the controller and the processor in a customer cloud services supplier relationship is essential. Relationship is essential.

However, this distinction may not always be clear. So when may a cloud services supplier be considered a controller? In some circumstances? When it determines substantial and essential elements of the means of processing. For example, data retention periods when it processes data for its own purposes. When it determines aspects of the processing outside the controller’s instruction. However, a cloud service supplier may determine technical and organizational means of processing, for example, the hardware and remain a processor.

• Category: Uncategorized