Source folder: Data Protection - GDPR
Source file: 20180503 DPO Course - Session 1.pdf
File type: PDF document
08/05/2018
Data Protection Officer Course
Background on the GDPR
Recital 6 GDPR: "Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. [...] has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data."
Technology neutral.
Recital 9 GDPR: "The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union."
1. WIDER REACH
Criminal offence: imprisonment/fines.
Recital 13 GDPR
The aim is: "To provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States." EQUIVALENCE.
Fines: €20 million or 4% of global group turnover, whichever is the higher.
1. HIGHER POTENTIAL FINES
Art. 29 W.P.: Authorities are encouraged to use a considered and balanced approach ... BUT "the point is not [to] qualify the fines as a last resort, nor to shy away from issuing fines".
REPUTATION
The Right to Privacy
Article 32 of the Constitution of Malta: "Every person in Malta is entitled to the fundamental rights and freedoms of the individual, that is to say, the right, whatever his race, place of origin, political opinions, colour, creed, sex, sexual orientation or gender identity, but subject to respect for the rights and freedoms of others and for the public interest, to each and all of the following, namely [...] respect for his private and family life."
Article 8 of the European Convention on Human Rights (an international agreement between the 47 States of the Council of Europe): the right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions that are "in accordance with law" and "necessary in a democratic society".
EU Charter of Fundamental Human Rights (applies to EU Institutions & its Member States when implementing EU law), Article 7: Respect for private and family life: "Everyone has the right to respect for his or her private and family life, home and communications."
European Convention Act (Chap. 319): transposes the ECHR into Maltese law.
EU Charter of Fundamental Human Rights (applies to EU Institutions & its Member States when implementing EU law), Article 8: Protection of Personal Data.
The Right to Privacy & the GDPR
The 1st paragraph of the GDPR: "The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the 'Charter') and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her."
So if there already is a right to privacy, why have GDPR?
Recital 11 GDPR: "Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States."
So if there already is a right to privacy, why have GDPR?
GDPR is having an impact on "the right to privacy".
Ref. Bărbulescu v. Romania (Sept. 2017)
Bărbulescu v. Romania (Sept. 2017):
Company policy: no personal use = zero tolerance.
Employee confirmed: no personal use.
Lower Chamber = monitoring was not a privacy violation.
Dissenting judge: Pinto de Albuquerque - GDPR!
Upper Chamber = monitoring was a privacy violation as the employee was not informed of the parameters within which monitoring could take place.
GDPR is a tool used to implement and enforce the right to privacy. One is not a subset of the other, but they complement each other.
Ex. L.H. v. Latvia (E.C.H.R.)
2. What constitutes personal data?
'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person);
Anonymised Data vs Pseudonymised Data
Personal data that has been pseudonymised (e.g. key-coded) typically falls within the scope of the GDPR.
Fully anonymised data is not personal data.
Anonymised Data vs Pseudonymised Data (within the scope of the GDPR? YES / NO). Example identifier: ID 489292M.
Think of the employment relationship... What personal data is stored in that context?
The person who is directly or indirectly identified is the DATA SUBJECT.
Whosoever decides the means & purposes of processing of personal data of that Data Subject is the DATA CONTROLLER.
Think of the CV... What personal data is stored in a CV?
If a Data Controller uses a 3rd party to process personal data on its behalf, that third party is a DATA PROCESSOR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Controller vs Joint Controller
Processor vs Sub-Processor
Authorised Persons
So what do we mean by processing? Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
The GDPR does not apply to:
i. certain activities including processing covered by the Law Enforcement Directive;
ii. processing for national security purposes;
iii. processing carried out by individuals purely for personal/household activities;
iv. processing about deceased persons.
Note 1: Special Categories of Personal Data
Personal data revealing:
Note 2: Criminal Convictions
Personal data relating to criminal convictions and offences are special categories of data, but extra safeguards apply to its processing.
3. The Data Protection Principles
Each of the 6 principles must be satisfied cumulatively.
There are 6 Principles.
NB: There is a difference between the Principles vs Grounds.
Article 5(2) GDPR: "the controller shall be responsible for, and be able to demonstrate, compliance with the principles." HOW / WHY
Principle No. 1: Lawfulness + Transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to individuals;
Principle No. 2: Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes + not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
Principle No. 3: Data Minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Principle No. 4: Accuracy
Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Principle No. 5: Storage Limitation
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
Principle No. 6: Integrity & Confidentiality
4. The Data Protection Officer (DPO)
New feature: no DPOs under Directive 95/46.
A DPO must be designated where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; ("Public Authority or Body")
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (examples: supermarket, bank)
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
'Regular and systematic' monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example of this is for the purposes of behavioural advertising.
'Large scale' needs to factor in:
How many?
"The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."
May be staff or external.
Once designated, DPO details must be published and communicated to the IDPC.
"The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor."
"The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge."
"Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation."
"The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data."
"The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law."
Job Description
"to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;"
"The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests."
"to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35"
"to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;"
"to cooperate with the supervisory authority;"
"to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter."