
CYBER LAW Data Protection

PART 1

Arnold Rouah

January 2021

Data protection regulation and marketing

1. Introduction, Key legal definitions and concepts (3h)
A. GDPR and other Data Protection regulations
B. Personal Data
C. Processing
D. Data Subject
E. Data Processor / Data Controller

2. Principles (3h)
A. Lawfulness, fairness and transparency
B. Purpose limitation
C. Data minimisation
D. Accuracy
E. Storage limitation
F. Integrity and confidentiality (security)
G. Accountability principle

3. Lawful basis for processing (3h)
A. Consent
B. Contract
C. Legal obligation
D. Vital interests
E. Public task
F. Legitimate interests
G. Special category data
H. Criminal offence data

4. Individual rights (3h)
A. Right to be informed
B. Right of access
C. Right to rectification
D. Right to erasure
E. Right to restrict processing
F. Right to data portability
G. Right to object
H. Rights related to automated decision making, including profiling

5. Accountability and Governance (3h)
A. Contracts
B. Documentation
C. Data protection by design and default
D. Data protection impact assessments
E. Data protection officers
F. Binding Corporate Rules / Codes of conduct
G. Certification

6. International Data Transfer (1h)

7. Security (1h)
A. Encryption
B. Passwords in online services

8. Personal Data Breaches (1h)

1. Introduction, Key legal definitions and concepts

A. GDPR and other Data Protection regulations

B. Personal Data

C. Processing

D. Data Subject

E. Data Processor / Data Controller

1.A. GDPR and other Data Protection regulations

The General Data Protection Regulation (Regulation (EU) 2016/679) entered into force in May 2016 and has applied since 25 May 2018. It is the European legal framework for the processing of personal data, but it has also become a worldwide reference and a common source of inspiration for lawmakers outside the EU.

Theoretical or actual risk?

The law

Art. 83(5) GDPR: the fine can be up to 20 million euros or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover of the preceding financial year, whichever is higher.

The life

Fines already imposed by supervisory authorities include 100 m€ and 35 m€ … and many others.

On top of the fine:

… Reputational damage

… Loss of customer confidence

1.B. Personal Data

Personal data is any information relating to a natural person who:

• can be identified, or is identifiable, directly from that information;

or

• can be identified indirectly from that information combined with other information.

Examples of personal data:

• Name
• Picture
• Location data or address
• Licence plate
• National insurance number
• Passport number
• IP address
• Cookie identifier
• A combination of significant criteria (e.g. age, occupation, place of residence)

BE CAREFUL!

Very sensitive Personal Data (special category data, Art. 9 GDPR)

• racial or ethnic origin

• political opinions

• trade union membership

• religious or philosophical beliefs

• genetic data

• biometric data (where it is used to uniquely identify a person)

• health data

• sex life or sexual orientation

and, under a separate regime (Art. 10 GDPR):

• criminal offences data

BE MORE THAN CAREFUL!

1.C. Processing Art.4 (2) GDPR

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.D. Data Subject

The data subject is the natural (human) person, or individual, to whom the personal data relates.

The following are not data subjects:

• a deceased person

• a legal person (e.g. a company)

• an animal

1.E. Data Processor / Data Controller

Data Controller

The natural or legal person, public authority or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

(Where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law.)

Data Processor

The natural or legal person, public authority or other body which processes personal data on behalf of the controller, i.e. on the controller's instructions.

You are the Data Controller (or joint Controller) if:

❑ You decided:

❑ to collect or process the personal data

❑ what the purpose or outcome of the processing was to be

❑ what personal data should be collected

❑ which individuals to collect personal data about

❑ You obtain a commercial gain or other benefit from the processing (except for any payment for services from another controller)

❑ You process the personal data as a result of a contract between you and the data subject

❑ The data subjects are your employees

❑ You make decisions about the individuals concerned as part of, or as a result of, the processing

❑ You exercise professional judgement in the processing of the personal data

❑ You have a direct relationship with the data subjects

❑ You have complete autonomy as to how the personal data is processed

❑ You have appointed processors to process the personal data on your behalf

You are the Data Processor if:

❑ You follow instructions from someone else regarding the processing of personal data.

❑ You were given the personal data by a customer or told what data to collect.

❑ You do not decide:

❑ whether to collect personal data from individuals

❑ what personal data should be collected from individuals

❑ the lawful basis for the use of that data

❑ what purpose or purposes the data will be used for

❑ whether to disclose the data, or to whom

❑ how long to retain the data

❑ You may make some decisions on how data is processed, but you implement these decisions under a contract with someone else.

❑ You are not interested in the end result of the processing.

Useful distinction Controller / Processor

The controller carries the highest responsibility in terms of compliance:

• it must comply with, and be able to demonstrate compliance with, all the data protection principles as well as the other GDPR requirements. It is also responsible for the compliance of its processor(s).

• The Data Protection Authority and individuals may take action against the controller for a breach of its obligations.

The processor has fewer obligations and less exposure than the controller under the GDPR. However, the processor has a number of direct obligations of its own under the GDPR (for example, processing only on documented instructions and securing the data).

Both the DPA and individuals may take action against a processor for a breach of those obligations.

If you don't like the cake, better yell at the Chef than at the whisk.

Q & A
