Exam (elaborations)

GDPR 2022/2023

Pages
19
Grade
A+
Uploaded on
17-07-2022
Written in
2021/2022

Natural Persons - Answer One who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Subject - Answer An identified or identifiable natural person.

Personal Data - Answer Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing - Answer Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller - Answer The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor - Answer A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient - Answer A natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third Party - Answer A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent - Answer Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Article 2: Material Scope - Answer IN:
- Personal data that is processed wholly or partly by automated means.
- Personal data that forms part of a filing system, or is intended to form part of one.

OUT:
- Processing in the course of an activity which falls outside the scope of Union law.
- Processing by Member States when carrying out activities under the common foreign and security policy (Chapter 2 of Title V of the TEU).
- Processing by a natural person in the course of a purely personal or household activity.
- Processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences (covered by the Law Enforcement Directive instead).

Article 3: Territorial Scope - Answer
- The Regulation applies to processing in the context of the activities of an establishment of a controller or processor in the EU, irrespective of where the processing itself takes place.
- It also applies to controllers and processors not established in the EU where the processing relates to offering goods or services to data subjects in the EU (irrespective of whether payment is required) or to monitoring data subjects' behaviour within the EU.

Article 77: Right to lodge a complaint with a supervisory authority - Answer
- Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement.
- The supervisory authority shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy.

Article 78: Right to an effective judicial remedy against a supervisory authority - Answer
- Right to a judicial remedy against a legally binding decision of a supervisory authority.
- Right to a judicial remedy where the supervisory authority does not handle a complaint or does not inform the data subject of progress or outcome within three months.
- Proceedings shall be brought before the courts of the Member State where the supervisory authority is established.

Article 79: Right to an effective judicial remedy against a controller or processor - Answer
- Right to a judicial remedy where the data subject's rights under the Regulation have been infringed as a result of the processing of personal data.
- Proceedings shall be brought before the courts of the Member State where the controller or processor has an establishment, or (unless the controller or processor is a public authority acting in the exercise of its public powers) where the data subject has his or her habitual residence.

Article 82: Right to compensation and liability - Answer
- Any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor.
- The controller is liable for damage caused by processing which infringes the Regulation.
- The processor is liable only where it has not complied with obligations specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the controller.
- A controller or processor is exempt if it proves that it is not in any way responsible for the event giving rise to the damage.
- Joint and several liability where more than one controller or processor is involved in the same processing, to ensure effective compensation.
- Compensation clawback provision: a party that has paid full compensation may claim back from the others the part corresponding to their share of responsibility.

Article 83: General conditions for imposing administrative fines - Answer
- Imposition of administrative fines will in each case be effective, proportionate and dissuasive.
- Must take account of:
> the nature, gravity and duration of the infringement;
> the intentional or negligent character of the infringement;
> any action taken by the controller or processor to mitigate the damage suffered by data subjects;
> the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented;
> any relevant previous infringements;
> the degree of cooperation with the supervisory authority;
> the categories of personal data affected by the infringement;
> the manner in which the infringement became known to the supervisory authority;
> where corrective measures have previously been ordered against the controller or processor, compliance with those measures;
> adherence to approved codes of conduct or approved certification mechanisms;
> any other aggravating or mitigating factors, such as financial benefits gained or losses avoided.

Administrative Fines - Answer Tier 1 (Art. 83(4), e.g. controller and processor obligations under Articles 8, 11, 25 to 39, 42 and 43): up to 10 million EUR or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.

Tier 2 (Art. 83(5), e.g. the principles, lawfulness and consent, data subjects' rights, international transfers, and non-compliance with a supervisory authority's order): up to 20 million EUR or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

8th April 2016 - Answer The Council adopted the Regulation.

14th April 2016 - Answer The Regulation was adopted by the European Parliament.

4th May 2016 - Answer The official text of the Regulation was published in the Official Journal of the EU in all official languages.

24th May 2016 - Answer The Regulation entered into force (the twentieth day after publication).

25th May 2018 - Answer The GDPR became applicable in all EU Member States.

Articles 1 - 4 Summary - Answer Degree of change: Medium. Risk: High.
- The definition of personal data is broader than under the Data Protection Directive (online identifiers, location data, genetic data).
- The GDPR has greater territorial reach.
How to demonstrate compliance:
- Establish and maintain a data inventory.

Articles 77 - 84 Summary - Answer Degree of change: High. Risk: High.
- Supervisory authorities are empowered to impose significant administrative fines on both data controllers and processors.
How to demonstrate compliance:
- Consider an audit of internal controls and processes.
- Review privacy risks.
- Review supplier relationships (e.g. allocation of liabilities in processor contracts).

Six Principles for processing personal data (Article 5) - Answer
1. Processed lawfully, fairly and in a transparent manner.
2. Collected for specified, explicit and legitimate purposes and not further processed incompatibly with them.
3. Adequate, relevant and limited to what is necessary (data minimisation).
4. Accurate and, where necessary, kept up to date.
5. Retained in identifiable form only for as long as necessary.
6. Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Article 5(2) adds accountability: the controller is responsible for, and must be able to demonstrate, compliance with these principles.

Article 6: Lawfulness of processing - Answer Processing is lawful only if at least one of the following applies:
- The data subject has given consent for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject's request before entering into a contract.
- Processing is necessary to comply with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the legitimate interests pursued by the controller or a third party, except where overridden by the interests or fundamental rights of the data subject (in particular where the data subject is a child); public authorities cannot rely on this basis for processing in the performance of their tasks.

Article 7: Conditions for consent - Answer
- Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented.
- If consent is given in a written declaration which also concerns other matters, the request for consent must be clearly distinguishable, in an intelligible and easily accessible form, using clear and plain language; otherwise it is not binding.
- Consent can be withdrawn at any time; withdrawal does not affect the lawfulness of processing carried out before it; it must be as easy to withdraw consent as to give it.
- When assessing whether consent is freely given, account is taken of whether performance of a contract is made conditional on consent to processing that is not necessary for that contract.
- Ticking a box or choosing appropriate technical settings counts as a clear affirmative action (Recital 32); silence, pre-ticked boxes or inactivity do not.

Article 8: Conditions applicable to child's consent for information society services - Answer
- Where consent is the lawful basis for offering information society services directly to a child, the consent is valid only if the child is at least 16 years old.
- Below 16, consent must be given or authorised by the holder of parental responsibility.
- Member States may provide a lower age, but not below 13.
- The controller shall make reasonable efforts to verify that consent was so given or authorised, taking available technology into account.
- Member State contract law (validity, formation or effect of a contract in relation to a child) is not affected.
- Information society services: services normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient (e.g. Google, eBay).

Article 9: Processing of special categories of personal data - Answer Processing is prohibited, unless an exception applies, for data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
and for the processing of:
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Health data
- Data concerning a natural person's sex life or sexual orientation

Article 9: Exceptions - Answer
- The data subject has given explicit consent (unless Union or Member State law provides that the prohibition cannot be lifted by consent).
- Necessary for carrying out the obligations and rights of the controller or the data subject in the field of employment, social security and social protection law.
- Necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.
- Carried out in the course of the legitimate activities of a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, relating to its members or regular contacts, and not disclosed outside that body without consent.
- The personal data have manifestly been made public by the data subject.
- Necessary for the establishment, exercise or defence of legal claims, or for courts acting in their judicial capacity.
- Necessary for reasons of substantial public interest, on the basis of Union or Member State law.
- Necessary for preventive or occupational medicine, medical diagnosis, or the provision of health or social care.
- Necessary for reasons of public interest in the area of public health.
- Necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes.
- Member States may maintain or introduce further conditions, including limitations, for genetic, biometric or health data (Art. 9(4)).

Articles 5 - 9 Summary - Answer Degree of change: Medium. In general, the principles remain similar to the Data Protection Directive. Risk: High. The principles form the core of the Regulation; non-compliance with them falls in the top fining tier and is likely to have the highest impact in terms of monetary penalty and reputational damage.
How to demonstrate compliance:
- Risk assess the impact of the new rules (e.g. for processing children's data, consent, etc.).
- Consider the effectiveness of your organisation's control framework (e.g. gap analysis against a good practice framework such as ISO 27001 or BS 10012).

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject - Answer The controller shall provide any information or communication relating to processing to the data subject in a
- Concise,
- Transparent,
- Intelligible and
- Easily accessible form,
- Using clear and plain language,
- In particular for any information addressed specifically to a child.
The controller must facilitate the exercise of data subjects' rights (e.g. Data Subject Access Requests):
- Respond without undue delay and in any event within one month of receipt (extendable by two further months for complex or numerous requests, with the data subject told of the extension and the reasons within the first month); the previous UK limit was 40 days.
- Free of charge, unless requests are manifestly unfounded or excessive, in which case a reasonable fee may be charged or the request refused (the controller bears the burden of demonstrating this).

Article 13.1: Information to be provided where personal data are collected from the data subject - Answer
- The identity and contact details of the controller and, where applicable, of its representative.
- The contact details of the data protection officer, where applicable.
- The purposes of the processing as well as the legal basis for the processing.
- Where processing is based on legitimate interests, the legitimate interests pursued by the controller or by a third party.
- The recipients or categories of recipients of the personal data, if any.
- Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation, and the existence or absence of an adequacy decision (or the safeguards relied on and how to obtain a copy of them).

Article 13.2: Information to be provided where personal data are collected from the data subject (continued) - Answer
- The period for which the data will be stored, or the criteria used to determine it.
- The rights of access, rectification, erasure, restriction and objection.
- The right to data portability.
- Where processing is based on consent, the right to withdraw consent at any time.
- The right to lodge a complaint with a supervisory authority.
- Whether providing the data is a statutory or contractual requirement, and the consequences of the data subject's failure to provide it.
- The existence of automated decision-making, including profiling, with meaningful information about the logic involved and the envisaged consequences for the data subject.

Article 14: Information to be provided where personal data have not been obtained from the data subject - Answer The controller shall provide the data subject with the following (privacy notice):
- The identity and contact details of the controller and, where applicable, of its representative.
- The contact details of the data protection officer, where applicable.
- The purposes of the processing as well as the legal basis for the processing.
- The categories of personal data concerned.
- The recipients or categories of recipients of the personal data, where applicable.
- Where applicable, the intention to transfer personal data to a third country or international organisation, and the existence or absence of an adequacy decision.
- The source from which the personal data originate and, if applicable, whether it came from publicly accessible sources.
- Timing: within a reasonable period after obtaining the data and at the latest within one month; if the data are used to communicate with the data subject, at the latest at the first communication; if disclosure to another recipient is envisaged, at the latest when first disclosed.

Article 15: Right of access by the data subject - Answer The data subject has the right to obtain confirmation whether personal data concerning him or her are being processed and, where they are, access to the data and to:
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients to whom the personal data have been or will be disclosed.
- The envisaged period for which the personal data will be stored.
- The rights of rectification, erasure, restriction and objection.
- The right to lodge a complaint with a supervisory authority.
- Where the personal data are not collected from the data subject, any available information as to their source.
- The existence of automated decision-making, including profiling.
- A copy of the personal data undergoing processing; further copies may carry a reasonable fee; where the request is made electronically, the copy is provided in a commonly used electronic form.

Article 16: Right to rectification - Answer
- Right to have inaccurate personal data rectified without undue delay.
- Right to have incomplete personal data completed, including by means of a supplementary statement.

Article 17: Right to erasure (right to be forgotten) - Answer The controller must erase personal data without undue delay where:
- The data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing.
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing (or objects to direct marketing).
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation.
- The personal data have been collected in relation to the offer of information society services to a child.
Where the controller has made the data public it must take reasonable steps to inform other controllers processing the data of the erasure request. Exceptions include freedom of expression, legal obligations, public health, archiving and research, and legal claims.

Article 18: Right to restriction of processing - Answer
- The accuracy of the personal data is contested by the data subject (for a period enabling the controller to verify it).
- The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The controller no longer needs the personal data for the purposes of the original processing, but the data are required by the data subject for the establishment, exercise or defence of legal claims.
- The data subject has objected to processing, pending verification whether the legitimate grounds of the controller override those of the data subject.

Article 20: Right to data portability - Answer
- The controller must provide the data subject with the personal data in a structured, commonly used and machine-readable format.
- The controller must not hinder the transmission of the personal data to another controller; where technically feasible, the data subject may have the data transmitted directly from one controller to another.
- The right applies only where: the processing is carried out by automated means; the processing is based on consent or on a contract; and the data were provided by the data subject.

Article 21: Right to object - Answer The data subject may object:
- On grounds relating to his or her particular situation, to processing based on a task in the public interest or official authority, or on legitimate interests, including profiling based on those grounds.
- To processing for direct marketing purposes, including profiling related to direct marketing; after such an objection the data may no longer be processed for that purpose.
- On grounds relating to his or her particular situation, to processing for scientific or historical research or statistical purposes, unless the processing is necessary for a task carried out in the public interest.
- In the context of information society services, the objection may be exercised by automated means using technical specifications.

Article 21: Exceptions - Answer For objections based on the data subject's particular situation, the controller may continue only if it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. There is no exception for direct marketing.

Article 23: Restrictions - Answer Union or Member State law may restrict the data subject's rights and the transparency obligations, where necessary and proportionate, to safeguard:
- National security
- Defence
- Public security
- The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties
- Other important objectives of general public interest of the Union or of a Member State, in particular economic or financial interests, including monetary, budgetary and taxation matters, public health and social security
- The protection of judicial independence and judicial proceedings
- The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions
- A monitoring, inspection or regulatory function connected with the exercise of official authority in the aforementioned areas
- The protection of the data subject or the rights and freedoms of others
- The enforcement of civil law claims

Articles 12 - 18, 20, 21 & 23 Summary - Answer Degree of change: Medium. Risk: Medium.
- Existing rights remain the same.
- New right: the right to be forgotten.
- New right: the porting of personal data.
How to demonstrate compliance:
- Establish/review processes, procedures and training.

Article 24: Responsibility of the controller - Answer
- Implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing complies with the Regulation, taking into account the nature, scope, context and purposes of processing and the risks to individuals; review and update the measures where necessary.
- Where proportionate, implement data protection policies.
- Adherence to approved codes of conduct or certification mechanisms may be used to demonstrate compliance.

Article 25: Data protection by design and by default - Answer
- The controller shall implement appropriate technical and organisational measures, both at the time of determining the means of processing and at the time of the processing itself.
- By default, only personal data necessary for each specific purpose are processed.
- That obligation applies to: the amount of data collected; the extent of the processing; the period of storage; and the accessibility of the data.
- By default, personal data may not be made accessible to an indefinite number of natural persons without the individual's intervention.
- Pseudonymisation and data minimisation are named in the Article as techniques that implement data protection by design.

Pseudonymisation - Answer The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymised data remain personal data and stay within the scope of the Regulation (Recital 26).

Encryption - Answer Making data unreadable without the specific decryption key. Encrypted personal data are still personal data, but encryption is a recognised security measure (Art. 32) and, where the key has not been compromised, means a personal data breach need not be communicated to the data subjects (Art. 34(3)(a)).

Anonymisation - Answer Processing the data so that a data subject can no longer be identified, by the controller or by anyone else, taking into account all the means reasonably likely to be used (Recital 26). This places the data outside the GDPR. Pseudonymised data do not qualify, because the separately held key can reverse the process.

Article 27: Representatives of controllers or processors not established in the Union - Answer
- A controller or processor not established in the Union, but caught by Article 3(2), shall designate in writing a representative in the Union.
- Exemptions: occasional processing that does not involve large-scale special-category or criminal-conviction data and is unlikely to result in a risk to individuals; and public authorities or bodies.
- The representative shall be established in one of the Member States where the data subjects whose data are processed (goods or services offered to them, or behaviour monitored) are.
- The representative shall be mandated to be addressed, in addition to or instead of the controller or processor, by supervisory authorities and data subjects on all issues related to processing.
- Designation of a representative does not absolve the controller or processor from legal liability.

Article 28: Processor - Answer A controller may use only processors providing sufficient guarantees of appropriate technical and organisational measures. Processing by a processor is governed by a binding contract or other legal act that sets out the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and obliges the processor to:
- Process the personal data only on documented instructions from the controller, including for transfers to a third country;
- Ensure that persons authorised to process the personal data are bound by confidentiality;
- Take all security measures required by Article 32;
- Respect the conditions for engaging another processor (prior specific or general written authorisation, the same data protection obligations flowed down by contract, and the processor remaining fully liable to the controller for the sub-processor's performance);
- Assist the controller, by appropriate technical and organisational measures, in responding to data subjects' requests;
- Assist the controller in ensuring compliance with the obligations on security of processing, breach notification, data protection impact assessments and prior consultation;
- Delete or return all the personal data to the controller after the end of the provision of services, unless Union or Member State law requires storage; and
- Make available to the controller all information necessary to demonstrate compliance, and allow for and contribute to audits and inspections.
A processor that determines the purposes and means of processing itself is considered a controller in respect of that processing (Art. 28(10)).

Article 30: Records of processing activities - Answer
- The name and contact details of the controller, joint controller, controller's representative and data protection officer.
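The Article 4(5) definition of pseudonymisation and the Article 25 data-minimisation duty above are easy to get wrong in practice, most often by "hashing" e-mail addresses and calling the result pseudonymised. The following is an added example, not code from the study guide: it replaces direct identifiers with keyed tokens (HMAC-SHA256), treats the key as the "additional information kept separately", drops fields the stated purpose does not need, and then shows why an unkeyed hash does not meet the definition, because low-entropy identifiers can be guessed back. The sample records, field names and the assumed "usage analytics" purpose are constructed for illustration.

```python
"""Pseudonymisation with separately held additional information.

Added example (not from the study guide): Article 4(5) / Article 25 in code.
Direct identifiers are replaced by keyed tokens, the key that can link tokens
back to people is held apart from the data, and fields the stated purpose does
not need are dropped (data minimisation). Sample records and field names are
constructed for illustration, not real data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Constructed sample records; the field names are an assumption.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "name": "Alice Adams", "postcode": "SW1A 1AA", "plan": "pro", "logins": "12"},
    {"email": "bob@example.com", "name": "Bob Brown", "postcode": "M1 1AE", "plan": "free", "logins": "3"},
    {"email": "carol@example.com", "name": "Carol Clark", "postcode": "EH1 1YZ", "plan": "pro", "logins": "27"},
]

# Only the fields the (assumed) usage-analytics purpose needs survive.
# Name, e-mail and postcode are direct or strong indirect identifiers and are
# deliberately not on this list (Article 25: only data necessary for each purpose).
FIELDS_NEEDED_FOR_PURPOSE = ("plan", "logins")


def normalise(identifier: str) -> bytes:
    """Canonical form so that ' A@Example.com' and 'a@example.com' collide."""
    return identifier.strip().lower().encode("utf-8")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256) for one direct identifier.

    Deterministic, so the same person gets the same token across records and
    the data stay joinable; without `key` the token cannot be attributed to
    anyone, which makes `key` the "additional information kept separately"
    of the Article 4(5) definition.
    """
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Minimised, pseudonymised copy of `records`. The caller must store `key`
    apart from the output (KMS/HSM, separate access controls), never beside it."""
    out = []
    for r in records:
        row = {"subject_token": pseudonym(r["email"], key)}
        row.update({f: r[f] for f in FIELDS_NEEDED_FOR_PURPOSE})
        out.append(row)
    return out


def reidentify(token: str, candidates: List[str], key: bytes) -> Optional[str]:
    """What only the key holder can do: link a token back to a known identifier
    (e.g. to honour an access or erasure request). None if nothing matches."""
    for c in candidates:
        if hmac.compare_digest(pseudonym(c, key), token):
            return c
    return None


def dictionary_attack(tokens: Set[str], guesses: List[str]) -> Dict[str, str]:
    """Attacker model: holds the data set and a list of guessed identifiers, no
    key. Tries plain SHA-256 of each guess, i.e. the common mistake of treating
    an unkeyed hash of an e-mail address as pseudonymisation. Low-entropy
    identifiers are recovered this way; keyed tokens are not."""
    recovered: Dict[str, str] = {}
    for g in guesses:
        unkeyed = hashlib.sha256(normalise(g)).hexdigest()
        if unkeyed in tokens:
            recovered[unkeyed] = g
    return recovered


def demo() -> Dict[str, object]:
    key = secrets.token_bytes(32)  # generated and stored separately from the data
    data = pseudonymise(RECORDS, key)
    keyed_tokens = {row["subject_token"] for row in data}
    # The naive alternative: unkeyed SHA-256 of the e-mail address.
    unkeyed_tokens = {hashlib.sha256(normalise(r["email"])).hexdigest() for r in RECORDS}
    guesses = [r["email"] for r in RECORDS] + ["mallory@example.com"]
    return {
        "fields": sorted(data[0].keys()),
        "attack_on_keyed": dictionary_attack(keyed_tokens, guesses),
        "attack_on_unkeyed": dictionary_attack(unkeyed_tokens, guesses),
        "controller_match": reidentify(data[1]["subject_token"], guesses, key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points follow from the definitions above. First, the output is still personal data: the controller can re-identify it with the key, so it stays inside the GDPR (Recital 26); only destroying every means of linkage, including the key and the source records, would approach anonymisation. Second, the key is the control that Article 28 and Article 32 are about: give each purpose or each processor its own key so that tokens from two data sets cannot be joined, keep the key under different access rights from the data, and rotate it when an analytics copy is retired.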

