GDPR – Legal Aspects Right to access (extended) Right of rectification Right to erasure (right...
Transcript of GDPR – Legal Aspects Right to access (extended) Right of rectification Right to erasure (right...
GDPR – Legal AspectsDesislava Krusteva, Attorney-at-Law, CIPP/E
Law firm Dimitrov, Petrov & Co., Partner
Law and Internet Foundation, Senior Legal Expert
Sofia, November 20 2017
The Reform in the EU
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free
movement of such data
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and
on the free movement of such data (General Data Protection Regulation; GDPR)
General Data Protection Regulation
What constitute personal data?
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.Чл. 4(1) от Регламента
Personal Data - Definition
• Any information – What is information?
• Relating to – When is the information relating to a natural person? (content, purpose, impact…)
• Identified or identifiable natural person – What is identity? When can someone be identified? (directly or indirectly)
• Natural person – What is natural person?
Personal Data - Assessment
The fines to be imposed under the Regulation:
• Effective, proportionate and dissuasive• “Infringements … shall, … be subject to administrative fines
up to 20 000 000 EUR, OR in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year,
whichever is higher.”
What is New in the New Legal Framework?
What is New in the New Legal Framework?
• Parallel with the concept of “undertaking” in the competition law and still not the same
• Goal – „piercing of the corporate veil“ or „extension of the enforcement of the Regulation beyond the EU borders“
It is possible to provide rules on other penalties on the national level for violations which are not subject to specific penalties in the Regulation.
What is New in the New Legal Framework?
Determines the purposes and means of the processing of the personal data
• Purposes: Why do we process the data? What do we need the data for?
• Means: How do we process the data? In which way?• What kind of data do we process? • For what period of time are we going to process the data? • Where are we going to process the data? Where are we going to
store the data? • Who is going to process the data?
A person, who determines the purposes and means of the processing of personal data, is CONTROLLER
Controller
Do we use data processors?
Accountancy services
Colocations
Cloud services and infrastructure
Others
Date § call -centers
IT & Maintenance
Group of undertakings / Group of companies: • Relations Controller – Controller• Relations Controller – Processor
Processors
Legal obligations and responsibilities for the data processors
• Contract between the controller and the processor (written)• Reassigning of the processing activity to another processor only after prior
written concrete or general consent / approval by the controller• Must inform the controller of any planned change of the reassigning• Must process data only upon documented assignment by the controller• Obligation of confidentiality of their personnel• Must immediately inform the controller if, in its opinion, an
instruction infringes any applicable provisions• Must maintain register of any categories of activities on data
processing, commenced on behalf of the controller
Processors
Principles, related to data protection
F perPrinciples, related to the processing of personal data
Purpose Limitation
Storage Limitation
Data Minimalization Accuracy
Integrity and Confidentiality
(Measures for Rrotection)
Principles, related to data protection
ACCOUNTABILITY
Lawful, Fairand Transparent
The controller must be able to demonstrate compliance with the requirements laid down in Article
5 (1) of the Regulation
Plan/ Analysis
Register of the processing
activities (written)
Written form (declarations,
contracts and etc.)
ACCOUNTABILITY
Fundamental Rights of Data Subjects
Right to information (extended) – Principle of transparency
Right to access (extended)
Right of rectification
Right to erasure (right „to be forgotten“)
Right to restriction of processing
Notification of any rectification, erasure or restriction the processing of personal data
Right of data portability.
Right to object
Right not to be subject to a decision which produces legal effects concerning him or her or significantly affects him or her and which is based solely on automated processing of data including profiling
Security of Personal Data
Appropriate technical and organisational measures Ensuring an adequate level of protection
Confidentiality
Integrity
Availability
Sustainability of systems
Security of Personal Data
• Immediate notification of the CPDP
• Notification of the data subjects, if there are present specific risks for their rights and freedoms
Security Breach
?