eu data protection
play

EU Data Protection Monday 18 November 13 1 Table of Contents 1. - PowerPoint PPT Presentation

Dec 06, 2023 •580 likes •1.26k views

Presentation to IAPP November 18, 2013 EU Data Protection Monday 18 November 13 1 Table of Contents 1. Introduction 2. Scope 3. Substantive Obligations 4. Formal Obligations 5. International Transfers 6. Enforcement 7. Sanctions,

  1. Presentation to IAPP November 18, 2013 EU Data Protection Monday 18 November 13 1

  2. Table of Contents 1. Introduction 2. Scope 3. Substantive Obligations 4. Formal Obligations 5. International Transfers 6. Enforcement 7. Sanctions, Remedies, Liability 8. What Next? 2 Monday 18 November 13 2

  3. INTRODUCTION to the draft Regulation 3 Monday 18 November 13 3

  4. Legislative Agenda The race to Spring 2014 January 2012 Draft Regulation Proposal by Commission January 2012 – European Parliament and European Council separately October 2013 debated the draft text 21 October 2013 LIBE Committee ‘orientation vote’ on compromise text Expected timeline: e: October - European Council formulates its position on text for December2013 negotiation with Parliament and Commission Dec 2013/Jan ‘Trialogue’ negotiations between Commission, Council 2014 and Parliament April 2014 Parliament intends to have ‘first reading’ vote in plenary session, based on agreement from trialogue if possible May 2014 European Parliament elections. 5 Monday 18 November 13 4

  5. Legal Instrument: Regulation or Directive? • Regulation has direct e fg ect. • Legal certainty (?). • Remaining political divide Regulation or Directive. 4 Monday 18 November 13 5

  6. SCOPE of the draft Regulation 7 Monday 18 November 13 6

  7. Territorial and Personal Scope Old Directive New Draft Regulation Processing carried out in the Processing of personal data in context of the activities of an the context of the activities of establishment of the controller an establishment of the on the territory of the Member controller or a processor in State the Union The controller is not Processing of personal data of established on Community data subjects residing in the territory and, for purposes of Union by a controller not processing personal data established in the Union, makes use of equipment, where the processing activities automated or otherwise, are related to: situated on the territory of the (a)The o fg ering of goods or said Member State, unless services to such data subjects such equipment is used only in the Union; or for purposes of transit (b)The monitoring of their through the territory of the behavior Community 8 Monday 18 November 13 7

  8. Territorial Scope Broader application than Directive.  More non EU-based companies o fg ering services on internet within reach of Regulation.  LIBE Committee: also non-EU based processors are in scope.  Not clear: “monitoring”; “individuals residing in EU”; “o fg ering goods or services”. 13 Monday 18 November 13 8

  9. Personal Scope Changes to the existing legal framework.  Obligations directly imposed on processors.  Processors subject to sanctions provided in the Regulation. 9 Monday 18 November 13 9

  10. Personal Scope Specific obligations for processors. Directly liable for: • Maintaining documentation concerning processing activities. • Cooperating with supervisory authority. • Implementing appropriate technical and organizational information security measures. • Appointing a data protection o ffj cer. • Informing data controller immediately of a data breach. 10 Monday 18 November 13 10

  11. Personal Scope Specific new obligations for processors. • Conducting data protection impact assessment. • Prior DPA authorization or consultation (where required). • Complying with the requirements regarding international data transfers. • LIBE Committee additions: privacy by design, data protection compliance reviews (bi-annually). 11 Monday 18 November 13 11

  12. Personal Scope Practical implications. • Significant increase of enforcement risks and administrative burden. • Contract negotiations between controllers and processors will become more di ffj cult and important (high sanctions and controllers/processors will be jointly and severally liable). 12 Monday 18 November 13 12

  13. Material Scope • No fundamental changes. • Updates of definitions in light of Working Party positions and online processing (e.g., means of identifying an individual to include location data and online identifiers). • LIBE Committee: “gender identity” is sensitive information. 14 Monday 18 November 13 13

  14. SUBSTANTIVE OBLIGATIONS in the draft Regulation 15 Monday 18 November 13 14

  15. Accountability Responsibilities and paper trail. • Data controllers will be obliged to adopt policies and implement measures not just to ensure compliance, but to be able to demonstrate compliance, including: Documentation of all processing operations (also Ps); ― Appropriate information security (also Ps); ― Privacy impact assessments (Cs or Ps); ― Consultation and authorization of DPAs (Cs or Ps); ― Designation of a DPO where relevant (also Ps). ― 16 Monday 18 November 13 15

  16. Accountability 1. Documentation of processing. - Documentation must be kept available to DPAs. - Also for processors. - Obligation watered down by LIBE Committee: “documentation necessary in order to fulfill the requirements laid down in the Regulation”. 17 Monday 18 November 13 16

  17. Accountability Exemptions to documentation. • Commission proposal – exemption for companies of fewer than 250 people and processing activities are ancillary activity. • LIBE Committee: removes exemption. 18 Monday 18 November 13 17

  18. Accountability 2. Privacy Impact Assessment. • For processing considered “risky” (e.g. large-scale monitoring or sensitive data processing). • Controllers or processors. • LIBE Committee: Risk assessment + privacy impact assessment (stress on information lifecycle management). 19 Monday 18 November 13 18

  19. Data Minimization Clarification of Fundamental Principle. • Personal data ‘shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data.’ 20 Monday 18 November 13 19

  20. Privacy by Design/Default New Principles. • Design: Taking into account state of the art and cost of implementation, controller obliged to implement measures to ensure compliance with Regulation and protection of data subject rights. • Default: Mechanisms must ensure that default situation is minimum data collection for that purpose – both data amount/retention. • LIBE Committee: broadens obligation to processors. Obligations apply regardless cost. 21 Monday 18 November 13 20

  21. Right to be Forgotten Right to request (i) erasure of personal data, and • (ii) abstention from further dissemination. Only in certain cases: (i) data no longer serves • purposes; (ii) consent based processing; (iii) right to object (e.g. direct marketing); (iv) illegal processing. Obligations to delete and inform third parties • without delay. Restrictions: e.g. if alternative legal basis to keep • the data. 22 Monday 18 November 13 21

  22. Right to be Forgotten Concerns. • LIBE Committee: “obtain from third parties the erasure of any links to, or copy or replication of that data”. • Technical di ffj culties/investment and anticipate requirement with processors. 23 Monday 18 November 13 22

  23. Right to Data Portability • Right to obtain a copy of data which allows further use by the data subject; and • Right to transmit personal data and other information processed in automated processing system into another system (e.g. when switching service provider) without hindrance of data controller. 24 Monday 18 November 13 23

  24. Right to Data Portability Restrictions. • Right to obtain a copy of data: only when data are processed by electronic means and in a structured and commonly used format (?) => Commission may clarify; and • Right to transmit personal data: only if (i) data subject has provided the personal data and (ii) processing is contract or consent based. 25 Monday 18 November 13 24

  25. FORMAL OBLIGATIONS in the draft Regulation 27 Monday 18 November 13 25

  26. New Formal Obligations 1) Notification to national DPA abolished.  Replaced by obligations regarding accountability. 28 Monday 18 November 13 26

  27. New Formal Obligations 2) Formal requirements for consent. Explicit by default (for sensitive and non- • sensitive data). Presented distinguishable (e.g. in terms and • conditions). Withdrawal at any time. • Not if imbalance in position between controller • and data subject (e.g., employment context). 29 Monday 18 November 13 27

  28. New Formal Obligations 3) Requirement to have clear and easily accessible policies regarding data processing and for the exercise of data subjects' rights. 30 Monday 18 November 13 28

  29. New Formal Obligations LIBE Committee Proposal.  Introduction of two-step notice procedure with display of basic information at first stage. 38 Monday 18 November 13 29

  30. New Formal Obligations 4) Data breach notification obligation.  Extreme broad definition data breach.  Obligation for data controller to inform (a) the supervisory authority, and (b) the a fg ected data subjects.  Obligation for data processor to inform data controller.  LIBE Committee: removed 24 hours deadline => without undue delay. EDPB to issue guidance. 34 Monday 18 November 13 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

5 THINGS HR MUST DO IN THE ROLE OF THE DATA PROTECTION OFFICER GILLIAN ACHESON DATA PROTECTION

5 THINGS HR MUST DO IN THE ROLE OF THE DATA PROTECTION OFFICER GILLIAN ACHESON DATA PROTECTION

5 THINGS HR MUST DO IN THE ROLE OF THE DATA PROTECTION OFFICER GILLIAN ACHESON DATA PROTECTION DEIRDRE ALLISON RECORDS MANAGEMENT YEARN2LEARN TRAINING GENERAL DATA PROTECTION REGULATION What is it? GDPR represents the most significant

172 views • 14 slides
The Data Protection Landscape Before and aft fter GDPR: General Data Protection Regulation Data

The Data Protection Landscape Before and aft fter GDPR: General Data Protection Regulation Data

The Data Protection Landscape Before and aft fter GDPR: General Data Protection Regulation Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection) and 2002/58/EC

440 views • 19 slides
Data Protection Reform preparing for the General Data Protection Regulation By Philip Brining

Data Protection Reform preparing for the General Data Protection Regulation By Philip Brining

Data Protection Reform preparing for the General Data Protection Regulation By Philip Brining Data Protection People 18 th April 2016 Agenda Introduction Current Rules (DPA 98 & PECR) Overview of GDPR Business-wide impact Practical

479 views • 28 slides
GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU General Data Protection 1995 Regulation 2016 Data Protection Act 1998 Data Protection Bill 2017-19 Fines DPA GDPR Maximum Fine 500k Two

622 views • 17 slides
Data Protection & Availability Kaushal Devater Data Protection & Availability Discipline

Data Protection & Availability Kaushal Devater Data Protection & Availability Discipline

Plan & Deploy Data Protection & Availability Kaushal Devater Data Protection & Availability Discipline Lead - RDC Planning & Deploy Data Protection & Availability Industry Typical Data Retention Requirements Patient

662 views • 9 slides
Data protection in the EU Area of Data protection in the EU Area of ection tection freedom,

Data protection in the EU Area of Data protection in the EU Area of ection tection freedom,

isor visor Superv Super Data protection in the EU Area of Data protection in the EU Area of ection tection freedom, security and justice under the Lisbon Treaty d th Li b T t ta Prot ta Pro ean Da an Da Bndicte Havelange

739 views • 10 slides
Introduction to Data Protection and the General Data Protection Regulation Address: Contact: 11

Introduction to Data Protection and the General Data Protection Regulation Address: Contact: 11

Introduction to Data Protection and the General Data Protection Regulation Address: Contact: 11 Staple Inn Tel: +44 (0)20 7209 2000 London Fax: +44 (0)20 7209 2001 WC1V 7QH DX 0001 London Chancery Lane Myth Busting GDPR doesnt apply to

657 views • 8 slides
DATA PROTECTION and SCRA www.scra.gov.uk Data Protection Act 1998 (DPA) DPA is the main

DATA PROTECTION and SCRA www.scra.gov.uk Data Protection Act 1998 (DPA) DPA is the main

DATA PROTECTION and SCRA www.scra.gov.uk Data Protection Act 1998 (DPA) DPA is the main legislation in the UK governing information on individuals. It places obligations on organisations that hold and use information on

518 views • 37 slides
Data Protection and Privacy & Impact of Personal Data Protection Bill (PDPB) 1 November, 2019

Data Protection and Privacy & Impact of Personal Data Protection Bill (PDPB) 1 November, 2019

CONSUMER AWARENESS WORKSHOP on Data Protection and Privacy & Impact of Personal Data Protection Bill (PDPB) 1 November, 2019 Kolkata OBJECTIVE Engage with the consumer and civil society organisations (CSOs) in tier II locations to

623 views • 50 slides
Protection Issues I/O protection Protection and System Calls Prevent users from

Protection Issues I/O protection Protection and System Calls Prevent users from

Protection Issues I/O protection Protection and System Calls Prevent users from performing illegal I/Os Memory protection Otto J. Anshus Prevent users from modifying kernel code and data (including slides from Kai Li,

350 views • 6 slides
Briefing on 25 Jan 2016 at ERA@MBSq 1 Data Protection Officer (DPO) Under the Personal Data

Briefing on 25 Jan 2016 at ERA@MBSq 1 Data Protection Officer (DPO) Under the Personal Data

Briefing on 25 Jan 2016 at ERA@MBSq 1 Data Protection Officer (DPO) Under the Personal Data Protection Act 2012 (PDPA), organisations are required to develop and implement policies and practices that are necessary to meet its obligations under

1.02k views • 24 slides
Sav aviour CACHIA IA - Commissione ner Office of the Information and Data Protection

Sav aviour CACHIA IA - Commissione ner Office of the Information and Data Protection

General Data Protection Regulation (GDPR) Sav aviour CACHIA IA - Commissione ner Office of the Information and Data Protection Commissioner Regulation (EU) 2016/679 ... on the protection of natural persons with regard to the processing of

504 views • 13 slides
Big data and the new EU data protection Regulation The role of Big Data in Healthcare Sophie

Big data and the new EU data protection Regulation The role of Big Data in Healthcare Sophie

Big data and the new EU data protection Regulation The role of Big Data in Healthcare Sophie LOUVEAUX London 14-15 November 2016 Big Data Means Opportunities More Knowledge, Large Computing and Large Availability of Better Personal Data

377 views • 18 slides
Ewan Robson Director, IG Compliance ltd 1 Todays Training Look at the History of the Data

Ewan Robson Director, IG Compliance ltd 1 Todays Training Look at the History of the Data

Data Protection Act 1998/General Data Protection Regulation 2016 Freedom of Information Act Ewan Robson Director, IG Compliance ltd 1 Todays Training Look at the History of the Data Protection Act/General Data Protection

575 views • 40 slides
Proposed EU Data Protection Regulation: Impact on Handling of Data Breach, DPOs and Staff

Proposed EU Data Protection Regulation: Impact on Handling of Data Breach, DPOs and Staff

Proposed EU Data Protection Regulation: Impact on Handling of Data Breach, DPOs and Staff Surveillance by non-EEA Financial Services Firms Cross Border Group 28 February 2013 39 Offices in 19 Countries Agenda 1) Proposed EU Data Protection

664 views • 25 slides
DATA PROTECTION ACT 2017 Tuesday 06 March 2018 from 08.30 hrs 15.30 hrs InterContinental

DATA PROTECTION ACT 2017 Tuesday 06 March 2018 from 08.30 hrs 15.30 hrs InterContinental

The Ministry of Technology, Communication and Innovation and The Data Protection Office Workshop On DATA PROTECTION ACT 2017 Tuesday 06 March 2018 from 08.30 hrs 15.30 hrs InterContinental Mauritius Resort, Balaclava Fort, Coastal Road,

931 views • 80 slides
General Data Protection Regulation (GDPR) Sasha Hewitt Associate Director, HQIP www.hqip.org.uk

General Data Protection Regulation (GDPR) Sasha Hewitt Associate Director, HQIP www.hqip.org.uk

General Data Protection Regulation (GDPR) Sasha Hewitt Associate Director, HQIP www.hqip.org.uk What is the GDPR and why is it important? GDPR is the new legal framework for the EU Applies to personal and sensitive personal data

502 views • 15 slides
General Data Protection Regulation FSSU Workshops June 2018 Presented by Bernadette Kinsella

General Data Protection Regulation FSSU Workshops June 2018 Presented by Bernadette Kinsella

General Data Protection Regulation FSSU Workshops June 2018 Presented by Bernadette Kinsella Assistant General Secretary JMB Bernadette Kinsella, JMB, FSSU Workshops 2018 New Resource! www.gdpr4schools.ie The GDPR emphasises

691 views • 44 slides
Municipal Groundwater Municipal Groundwater Monitoring in Waterloo Monitoring in Waterloo

Municipal Groundwater Municipal Groundwater Monitoring in Waterloo Monitoring in Waterloo

Municipal Groundwater Municipal Groundwater Monitoring in Waterloo Monitoring in Waterloo Region Region Tammy Middleton, M.Sc. P.Geo. Senior Hydrogeologist Regional Municipality of Waterloo Presentation Overview Presentation Overview

495 views • 45 slides
GDPR Webinar Guide Overview and key points Part 1 of our series on GDPR and its impact on the

GDPR Webinar Guide Overview and key points Part 1 of our series on GDPR and its impact on the

1 GDPR Webinar Guide Overview and key points Part 1 of our series on GDPR and its impact on the recruitment industry 2 Introduction The rules which underpin the storage of personal data have changed dramatically. The new EU-US Privacy Shield

998 views • 35 slides
Scale Dependency Analysis of Atmospheric Pollutants with EMEP MSC-W Model Semeena Valiyaveetil

Scale Dependency Analysis of Atmospheric Pollutants with EMEP MSC-W Model Semeena Valiyaveetil

Scale Dependency Analysis of Atmospheric Pollutants with EMEP MSC-W Model Semeena Valiyaveetil Shamsudheen Bias % = Model - Obs Model Validation 100 Obs Component No. of Obs Bias% Bias% Bias% Bias% Corrn Corrn Corrn Corrn Stns

297 views • 8 slides
PREMI S: I m plem entation and Preservation Metadata Robin L. Dale RLG I nternational

PREMI S: I m plem entation and Preservation Metadata Robin L. Dale RLG I nternational

PREMI S: I m plem entation and Preservation Metadata Robin L. Dale RLG I nternational Conference on Preservation of Digital Objects iPRES 1 5 -1 6 Septem ber 2 0 0 5 Digital preservation: progress & rem aining challenges Gradual shift

409 views • 17 slides
National Coronial Information System What is the NCIS? The best source of mortality data

National Coronial Information System What is the NCIS? The best source of mortality data

National Coronial Information System What is the NCIS? The best source of mortality data youve never heard about History Coronial death data What we do Collection, quality and access Research Outcomes What is the

525 views • 18 slides
AETR Group of Experts Smart Tachograph Geneva, 15/10/2018 JRC Presentation Amendment to

AETR Group of Experts Smart Tachograph Geneva, 15/10/2018 JRC Presentation Amendment to

AETR Group of Experts Smart Tachograph Geneva, 15/10/2018 JRC Presentation Amendment to COMMISSION IMPLEMENTING REGULATION (EU) 2016/799 of 18 March 2016 implementing Regulation (EU) No 165/2014 of the European Parliament and of the

574 views • 18 slides

More recommend