IAPP CIPP/E – General Data Protection Regulation (GDPR)

1. Data Processing Concepts

Data Processing Concepts welcome to the first lecture of this section. In this lecture, we will start learning the terminology used in data protection laws Personal Data. Personal Data only includes information relating to natural persons who can be identified or who are identifiable directly from the information, or who can be indirectly identified from that information in combination with other information. Personal data may also include special categories of personal data or criminal conviction and offenses data. These are considered to be more sensitive, and you may only process them in more limited circumstances. pseudonym zed data can help reduce privacy risks by making it more difficult to identify individuals, but it is still Personal Data.

If Personal Data can be truly anonymized, then the Anonymized data is not subject to the GDPR. Information about a deceased person does not constitute Personal Data and therefore is not subject to the GDPR. Information about companies or public authorities is not Personal Data. However, information about individuals acting as sole traders, employees, partners and company directors, where they are individually identifiable and the information relates to them as an individual may be considered Personal Data. An individual is identified or identifiable if you can distinguish them from other individuals. A name is perhaps the most common means of identifying someone. However, whether any potential Identifier actually identifies an individual depends on the context. A combination of Identifiers may be needed to identify an individual.

The GDPR provides a no exhaustive list of Identifiers, including name, identification number, location data, and Identifiers, including IP addresses and cookie ideas. Sensitive personal data. The regulation identifies certain types of personal data as special categories of personal data. These are Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and genetic data.

Biometric Data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex, life or sexual orientation. The related recitals say that the processing of photographs should not systematically be considered as biometric Data as long as they are not processed through a specific technical process allowing unique identification or authentication of a natural person controller and processor. Controller is defined in the Regulation Article Four as the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Where the purposes and means of such processing are determined by union or member state law, the Controller or the specific criteria for its nomination may be provided for by union or Member State law. We can summarize the definition in three blocks one the natural or legal person, public authority, agency, or any other body. Two, which alone or jointly with others three determines the purposes and means of processing of Personal Data. For the second building block, it is better to have examples. For example, if a person books a holiday with a travel agency and the agency forwards the person’s details to the airline and hotel. The airline and the hotel are holding identical data, but separately and for different purposes. They will each determine how long they need to hold the data and they will have different purposes to hold the data.

Therefore, they are not joint controllers but independent controllers. However, if they were to use the same website and database so run as shared operation, then they are likely to be evaluated as joint controllers. The last block in the definition is important when it comes to separate processors from controllers. It is important to know that the contract between controller and processor is not the final word in this decision. It is the authority who will decide on that based on the practical implementation of the processing.

Article 28 says that if a processor infringes the regulation by determining the purposes and means of processing, the processor will be considered to be a controller with respect to that processing. The regulation defines a processor as natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The controller, however, can delegate the determination of the means of processing to a processor. As far as technical or organizational decisions are concerned, such as deciding on which technology to use or how commonalities of controllers and processors are, they can be a natural person or body. They are both accountable. They are responsible for personal data security.

They are responsible for international data transfer laws. They can be subject to fines and compensations. Processors are not responsible for the legal basis and purpose of the controller’s data processing obligations relating to purpose, ensuring the processing has a lawful ground, and respecting data subject rights are only imposed on the data controller. We have such learned some fundamental definitions in GDPR. In the next lecture, we will study how to find out if you are in the scope of GDPR or not. GDPR or not, are or not not.

2. Territorial and Material Scope of GDPR

Tutorial and material scope of GDPR is your company in the territorial scope of GDPR? This has been one of the most misunderstood parts of GDPR. Some companies work on GDPR compliance even if they are not bound by it, as well as some companies not aware that they are in the scope GDPR. Article Three gives a broad definition of the territorial scope of one this regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Two. This regulation applies to the processing of personal data, of data subjects who are in the union by a controller or a processor not established in the union where the processing activities are related to a the offering of goods.

Or services, irrespective of whether a payment of the data subject is to such data subjects in the union or b the monitoring of their behavior as far as their behavior takes place within the union. Three this regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law. So what does that mean? I will try to explain it with more practical criteria. Criteria One you are established in the EU as a processor or a controller. The establishment should be interpreted with a wide scope.

For example, the headquarters might be in another country, but if the team that is responsible to make decisions on that processing activity is in the EU, then you are in the scope. Criteria Two you offer goods or services to data subjects who are in the Union. Looking further into the GDPR recital 23 to 20 better information of how it’s interpreted according to the regulation, a website that is simply accessible by a global audience in itself would not indicate intention of offering goods and services to EU citizens. For example, it should support language of a member country or have international phone numbers for contact the court. Justice of the European Union offers good clarification on the topic of intention in relation to offering your product to EU citizens and how it can be demonstrated under the following conditions patent evidence, such as the payment of money to a search engine to facilitate access by those within a member state or where targeted member states are designated by name.

Other factors, possibly in combination with each other, including the international nature of the relevant activity, e. G, certain tourist activities, mention of telephone numbers with an international code, use of a top level domain name other than that of the State in which the trader is established, such as De or EU the description of itineraries from Member States to the place where the service is provided and mentions of an international clientele composed of customers domiciled in various Member States. Criteria Three you monitor the behavior of EU citizens and their behavior takes place within the union.

Monitoring in the GDPR framework is also referred to as profiling and is defined as the automated analysis or predicting of behavior, location, movements, reliability, interests, personal preferences, health, economic situation, performance, et cetera. It’s also important to note that Article 29 Working Party does provide other examples of monitoring, including, but not limited to, online behavioral based advertising travel data of individuals using a GE, tracking via travel cards, profiling and scoring for purposes of risk assessment, e. G for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money laundering, location tracking, for example, by mobile apps and monitoring of wellness, fitness and health data via wearable devices. Article Working Party 29 suggests that organizations should consider all forms of behavior monitoring, including CCTV, smart cars, home automation, etc. With the wide scope of profiling behavior, organizations should evaluate their current online and offline operations to determine if they will be classified under the monitoring requirement. This was all about the territorial scope of GDPR.

So what about the material scope? Is your company in the material scope of GDPR? This one is relatively easy and clear to understand because the scope is wide. There are Article Two states this regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Basically, any digital data processing, even things like keeping an email list in a spreadsheet or any paper filing system, is in the scope. It will be easier to tell what is not in the scope. If you are using paper files which will not be part of a filing system, the processing is not systematic and not on scale, then this data processing is not in the scope. An example of a filing system can be as simple as chronologically ordered sets of paper records containing personal data.

Activities which fall outside the scope of union law like public security or defense and national security are out of scope of GDPR. Household activities like holding to drink private address books for personal purposes, or activities on social networks for personal purposes are out of scope too. However, if information is made public in a social network rather than sharing only with a specific set of people, then this activity may fall into the scope of GDPR. The prevention and investigation of criminal offenses also falls under the Law Enforcement Data Protection Directive, not in scope of GDPR.

3. Data Processing Principles

Data processing principles. Hello, everyone. In this lecture, we will define data processing and the processing principles under GDPR. To convey the scope of data processing rules and regulations, the term processing must be defined. Data processing includes much more than just collecting. Personal Data Processing is defined by the regulation as follows any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available alignment or combination, restriction, erasure and destruction.

This broad definition makes it almost impossible to find a scenario with personal data that is not a processing convention. 108 was eight was the first international legally binding document which prescribed the data protection principles. From European Union perspective, data protection directive incorporated the fundamental data protection principles too. Finally, with GDPR, the principles are listed as one. Lawfulness fairness, transparency. Two, purpose limitation. Three data minimization and accuracy. Four. Storage limitation. Five integrity and confidentiality. Six. Accountability. Starting from the first principle, we will start learning what these actually mean in practice. Starting with lawfulness fairness, transparency.

4. Lawfulness, fairness, transparency

Lawfulness fairness transparency lawfulness means that the personal data must only be processed when data controllers have a legal ground. There are six available lawful basis for processing. A single basis is better or more important than the others. Which basis is most appropriate to use will depend on your purpose and relationship with the individual. Most lawful basis require require that processing is necessary if you can reasonably achieve the same purpose. Without the processing, you won’t have a lawful basis. You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time. You should not swap to a different lawful basis at a later date without a good reason.

Your privacy notice should include your lawful basis for processing as well as the purposes of the processing. If you are processing special category data, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data. If you are processing criminal conviction data or data about offenses, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data. The biggest change in GDPR is for public authorities who now need to consider the new public task basis first for most of their processing and have more limited scope to rely on consent or legitimate interests. The lawful basis for processing are set out in article Six of the GDPR.

At least one of these must apply whenever you process personal data. A. Consent the individual has given clear consent for you to process their personal data. For a consent from a data subject provides the Controller with permission to process the individual’s personal data for a specific purpose. It must be clearly distinguishable from other matters, intelligible and in a clear and plain language. The consent has to be given freely, which is why it is not suggested for employers to use consent. Member States may set a minimum age of consent less than 16 years, but not lower than 13. Minimum age of consent rule is valid only in the context of information services offered directly to children, and Controller can only rely on consent. B. Contract the processing is necessary for a contract you have with the individual or because they have asked you to take specific steps before entering into a contract. C. Legal Obligation The processing is necessary for you to comply with the law. It should be noted that it does not include contractual obligations.

This legal obligation is around the context of specific laws, such as employment laws. D. Vital Interest The processing is necessary to protect someone’s life. For example, the data subject might be unconscious and medical treatment requires the processing of health data. E. Public Task The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. F. Legitimate interests the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. Public authorities can no longer use legitimate interest profiling and direct marketing can rely on legitimate interest, but in that case, the data subjects will have absolute right to object if a contrives on legitimate interest, informing the user about this becomes even more important.

The lawful basis of your processing can also affect which rights are available to individuals. For example, some rights will not apply for some legal bases. This figure illustrates the elimination of some data subject rights for legal basis. In addition to being lawful, the processing must be fair. The fairness of the processing is essentially linked to the idea that data subjects must be aware of the processing or would expect the processing to happen, including how the data is collected, kept and used. For example, using browsing history data to increase the price of a product for that data subject would not be fair. However, salary information reported by the employer to the tax authority would be fair. Directly linked to fairness transparency means that a controller must be open and clear towards data subjects, processing personal data and inform them.

The regulation exempts data controllers from the duty to inform in cases where the data was obtained directly from the data subject and data subject is already aware of the information or when providing information will involve disproportionate effort or can be considered impossible to protect data subject’s legitimate interest. To preserve the confidentiality of processing when mandated by law, the information provided by the controller has to be concise and easy to understand.

In order to achieve this, controllers can use the following methods layered Privacy Notice with a short summary in the first layer and more detail in the second layer, and the Full Privacy Policy in the third layer. Just in time, notice by appearing on the individual screen at the point where they input personal data, providing a brief message explaining how the information they are about to provide will be used, or using visual icons approved by the local authority. Before proceeding to the next lecture, please read the articles about consent and legitimate interest in the resources and the links. In our next lecture, we will study the purpose limitation principle.

5. Purpose limitation

Purpose Limitation purpose limitation means that data controllers must only collect and process personal data to accomplish specified, explicit and legitimate purposes. As a result, the first thing for a controller to do is to decide on the purpose and the legal basis of it. The data collected for that specific purpose can only be used for statistical purposes.

Public interest. Scientific or historical research purposes can be considered as secondary purposes within the limits set out by the union or member. State law controllers should take into account the following if the use of data is compatible with the purposes at the time of collection any link between the purposes at the time of collection and the intended purpose the context in which the data has been collected, in particular, the reasonable expectation of the data subject, the nature of personal data the consequences of the intended further processing the existence of appropriate safeguards.

If all these conditions are met, then the processing is considered compatible with the original purpose. For example, if a doctor collects personal data to assess and treat the patients, and then shares this data with an insurance company to allow them to offer their services, this will be incompatible with the purpose, and a new legal basis is required for the new processing. In the next lecture, we will learn about data minimization and accuracy. Principle.

• Category: Uncategorized