IAPP CIPP/E – General Data Protection Regulation (GDPR) Part 3

January 20, 2023

12. Right to restriction of processing

Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way an organisation uses their data; it is an alternative to requesting the erasure of their data. Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction.

This may be because they have issues with the content of the information you hold or with how you have processed their data. In most cases you will not be required to restrict an individual's personal data indefinitely, but will need to have the restriction in place for a certain period of time. Individuals have the right to request that you restrict the processing of their personal data in the following circumstances: the individual contests the accuracy of their personal data and you are verifying the accuracy of the data; the data has been unlawfully processed and the individual opposes erasure and requests restriction instead;

you no longer need the personal data, but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or the individual has objected to you processing their data under Article 21 and you are considering whether your legitimate grounds override those of the individual.

The GDPR suggests a number of different methods that could be used to restrict data, such as temporarily moving the data to another processing system, making the data unavailable to users, temporarily removing published data from a website, or flagging the data as restricted in the system. You must not process the restricted data in any way except to store it, unless you have the individual's consent, or it is for the establishment, exercise or defence of legal claims, or it is for the protection of the rights of another person, or it is for reasons of important public interest.
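As an added illustration (not part of the lecture), the following Python models the "flag the data as restricted in the system" method: while a record is flagged, only storage is permitted unless one of the four Article 18(2) grounds applies, and the flag can carry an expiry so the restriction is time-bounded rather than indefinite. All names, the sample record and the timestamps are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum, auto
# All names here are hypothetical; this models Article 18 as the lecture
# describes it, not any real system's API.

class Ground(Enum):
    """Article 18(2) grounds on which restricted data may still be processed."""
    CONSENT = auto()
    LEGAL_CLAIMS = auto()
    PROTECT_OTHERS_RIGHTS = auto()
    IMPORTANT_PUBLIC_INTEREST = auto()

@dataclass
class Record:
    subject_id: str
    data: dict
    restricted_reason: str | None = None      # e.g. "accuracy contested" (Art. 18(1)(a))
    restricted_until: datetime | None = None  # None = until the controller lifts it

    def is_restricted(self, now: datetime) -> bool:
        return self.restricted_reason is not None and (
            self.restricted_until is None or now < self.restricted_until)

def restrict(record: Record, reason: str, now: datetime, days: int | None = None) -> None:
    """Flag the record as restricted, optionally only for a fixed period."""
    record.restricted_reason = reason
    record.restricted_until = None if days is None else now + timedelta(days=days)

def may_process(record: Record, operation: str, now: datetime,
                ground: Ground | None = None) -> bool:
    """Storage is always permitted; anything else on a restricted record needs a ground."""
    if operation == "store" or not record.is_restricted(now):
        return True
    return ground is not None

def demo() -> dict[str, bool]:
    """Walk through the lecture's scenario: accuracy contested, 30-day restriction."""
    now = datetime(2023, 1, 20, tzinfo=timezone.utc)          # constructed timestamp
    rec = Record("subject-42", {"email": "a@example.test"})   # constructed sample record
    restrict(rec, "accuracy contested", now, days=30)
    return {
        "store_while_restricted": may_process(rec, "store", now),
        "analytics_while_restricted": may_process(rec, "analytics", now),
        "disclose_for_legal_claim": may_process(rec, "disclose", now, Ground.LEGAL_CLAIMS),
        "analytics_after_expiry": may_process(rec, "analytics", now + timedelta(days=31)),
    }
```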

13. Right to data portability

The right to data portability gives individuals the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmit this data directly to another controller. The right to data portability only applies when your lawful basis for processing this information is consent, or the performance of a contract, and you are carrying out the processing by automated means, which excludes paper files. Information is only within the scope of the right to data portability if it is personal data of the individual that they have provided to you. The right to data portability entitles an individual to receive a copy of their personal data and/or have their personal data transmitted from one controller to another controller. In the next lecture, we will study the right to object. It will be a slightly shorter lecture compared to the other data subject rights.

14. Right to object

Article 21 of the GDPR gives individuals the right to object to the processing of their personal data. This effectively allows individuals to ask you to stop processing their personal data. The right to object only applies in certain circumstances; whether it applies depends on your purposes for processing and your lawful basis for processing. Individuals have an absolute right to object to the processing of their personal data if it is for direct marketing purposes or profiling.

Individuals can also object if the processing is for a task carried out in the public interest, for the exercise of official authority vested in you, or for your legitimate interests. In these circumstances, the right to object is not absolute and can be challenged by the controller. However, during the dispute, the processing should be restricted until the dispute is resolved. We have covered all data subject rights except one. We will study the last data subject right in our next lecture, which relates to automated decision making and profiling.

15. Right not to be subject to automated decision making or profiling

Automated individual decision making is a decision made by automated means without any human involvement. Examples include an online decision to award a loan and a recruitment test which uses pre-programmed algorithms and criteria. Automated individual decision making does not have to involve profiling, although it often will. GDPR Recital 71 says that profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

The right not to be subject to automated decision making applies only if such a decision is based solely on automated processing and produces legal effects or similarly significant effects concerning the data subject. If a decision-making process falls within these conditions, processing is allowed only if it is authorised by law, is necessary for the preparation and execution of a contract, or the data subject has given explicit consent. For such processing, the controller must give the data subject a way to ask for human validation of the decision.

If your processing falls under these conditions, then you are responsible for giving individuals information about the processing, introducing simple ways for them to request human intervention or challenge a decision, and carrying out regular checks to make sure that your systems are working as intended. Before finishing the data subject rights section, it is important to state that these rights can be overridden for national security, defence or public security, depending on member state law. In the next lecture, we will dive deep into the security obligations of controllers and processors.

16. Security

Hello everyone. In this lecture, we will study one of the most important topics of the GDPR: security. The GDPR requires you to process personal data securely. This is not a new data protection obligation; it replaces and mirrors the previous requirement to have appropriate technical and organisational measures under the Data Protection Directive. Article 32 of the GDPR addresses controller and processor security obligations. It states that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. "State of the art" does not mean the most cutting-edge technology. As part of the risk assessment, controllers or processors should reflect upon the consensus of security specialists: if a body or a security specialist considers a particular control appropriate in a particular context, this option should be preferred. When deciding on the appropriate security measures, the cost of implementation should also be taken into account.

Organisations are not required to choose the most expensive, cutting-edge security controls. The GDPR does not explain what the phrase "appropriate technical and organisational measures" means, but it lists some important measures such as pseudonymisation, encryption, confidentiality, integrity, availability and resilience.

Confidentiality: individuals, entities, systems and applications access data on a need-to-know basis. Integrity: controls are in place to ensure data is accurate and complete. Availability: data is accessible when needed. Resilience: data is able to withstand threats and recover. The GDPR also suggests using a risk-based approach and running a risk assessment to decide on the appropriate technical and organisational measures.

The risk assessment will reflect the nature of the data that is processed, the context, purpose and scope of processing, the threats, the vulnerabilities, and the impact. We have covered what the GDPR requires us to do for security in theory, but security in practice within an organisation needs more than that, and according to the GDPR, organisations should take a holistic approach. Considerations for a holistic approach include management and worker buy-in, security policy, physical environment security measures, information technology security measures, and incident detection and response. The GDPR also asks controllers to cascade all requirements to processors.

The contracts between controllers and processors should include the following compulsory terms: the processor must only act on the written instructions of the controller; the processor must ensure that people processing the data are subject to a duty of confidence; the processor must take appropriate measures to ensure the security of processing; and the processor must only engage a sub-processor with the prior consent of the data controller and under a written contract.

The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR. The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.

The processor must delete or return all personal data to the controller at the end of the contract, and the processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something that infringes the GDPR or other data protection law of the EU or a member state. It has been a long lecture already, and thanks for listening to the end. I want to stop here and take a break before we start learning the next subject related to security, which is data breach notification in the GDPR.


