Transcripts
1. Introduction: Hello, my name is Andre Berlin and I would like to welcome you to this GDPR Made Easy course. During this course we shall go over the important aspects of the General Data Protection Regulation. For further study, if you will, I have attached to this course a document containing more detailed information on European data protection, so please give that a read. Now let's start by telling you a bit about myself. I am a data privacy and information security specialist with experience in creating and developing privacy-related programs and also training. I work both as a consultant in these fields and also as a trainer. I am CIPP/E, CIPM, CIPT certified on the privacy side and, from the security side, I'm CompTIA Security+ certified, among other things. So now that you know a bit about me, let me tell you about the course and what we shall cover. During this course, we shall take a pretty detailed look at the pure version of the GDPR as it was drafted by the European Commission. First, we will look at the scope of the regulation to see where it applies from both a territorial and material point of view. Afterwards, we shall learn about the types of data under the scope of the regulation. Next, we shall look at data protection roles and their responsibilities. Here we shall discover what the main differences between controllers and processors are. In the fourth module, we shall dive into processing. We shall learn about the fair processing principles of the regulation and also about what processing is. In the fifth module, we shall go into the lawful bases for processing personal data and special categories of data. Next, we shall study a very important part of the regulation, more specifically data subject rights. We shall see what they are and what they entail. Afterwards, we will look at cross-border transfers and ways in which we can legally transfer data from within the European Economic Area to outside the European Economic Area. Lastly, we will finish this course by going into security and compliance. Here we will see what the GDPR says about security and also how we can demonstrate compliance with the regulation as a whole. By the end of the course, you should have a very good understanding of the GDPR and what it asks of organizations, and also enough information to take your CIPP/E certification from the IAPP. So without further ado, let's get started.
2. Scope of the GDPR: Within the first module, we shall be looking at the scope of the GDPR and we will understand where the GDPR applies from both a material and territorial point of view. So let's continue. From a territorial point of view, there are three criteria which define the territorial scope of the regulation. The first is the following: processing of personal data where a controller or processor is established within the European Union. This means that if we are established within the European Union, then by default we are in the scope of the regulation, plain and simple. The next one is a bit more interesting: processing of personal data of data subjects in the EU relating to offering goods or services or monitoring behavior in the EU. This means that if we are a controller or processor outside the European Economic Area, but targeting the European single market with the intent of offering goods or services, then we are under the scope of the regulation. I would like to underline the fact that we should specifically target the European Union single market, so occasional processing does not trigger this criterion. As an example, if you are a Japanese hotel and are collecting EU citizen data randomly because they booked your hotel, then you are not under the scope of the GDPR. But if you are a Japanese hotel advertising your services on the European Union single market and a large amount of your turnover is due to European customers, then indeed you are under the scope of the GDPR. Lastly, we have processing of personal data by a controller not established within the European Union, but in a place where member state law applies by virtue of public international law. I know it sounds complicated, but it's quite easy actually. This refers to embassies and consulates which are outside the European Economic Area, but European law applies by virtue of public international law. Now that we have a good understanding of whether the GDPR applies from a territorial point of view, let's look at the material scope of the regulation. So let me make it simple. The GDPR applies to all data, all digital data that is, and all physical data which is sufficiently structured as to form part of a filing system, like an archive. In terms of exclusions to the material scope of the regulation, we have the following, which should be interpreted narrowly, not broadly: activities outside the scope of Union law, like national security; border checks, asylum and immigration-related activities; household activities (as an example, if I take a picture of my children or friends, then that is outside the scope of the regulation); and lastly, law enforcement and public security as detailed by local member state law. Now let's look at an interesting case relating to the material scope of the GDPR. Here we have the case of Mrs Lindqvist, who created a public-facing page for her own private charity, which was only accessible for people who had the link directly. The website contained information on members of that charity, including contact details and sometimes even medical details. The Court of Justice of the European Union argued that this activity is not exempted from data protection law under the domestic/household exclusion, and also that loading personal data on an Internet page is still considered processing.
3. Data Types: Now that we understand what falls within the scope of the General Data Protection Regulation, let's also look at the types of data which are regulated by the GDPR. The GDPR regulates the use and processing of personal data. But what is personal data? Well, personal data is defined as any information relating to an identified or identifiable natural person. So what is a natural person, you might ask? It's simple: a natural person is someone who is not dead, so a living individual, irrelevant of age. Next, I would like to ask you, what is the difference between identified and identifiable? Which information can single out an individual? Well, some information can single out an individual by itself, like my national ID number. My national ID number is unique and it clearly points to me and only me. But sometimes information about an individual does not single that individual out, like my age and date of birth, which relate to multiple people, not just me. Now, if you take my age and date of birth and combine them with my postal address and shoe size, then all of these combined will single me out with reasonable effort, which means I am identifiable at that point. So that information is also considered personal data under the GDPR. Thus, there is no exhaustive list of what is considered personal data, due to this fact. Now, if personal data is any information which can single out a living individual, then anonymous data is the opposite: statistical data or company email addresses. Anonymous data is not related to an identified or identifiable natural person, or has been rendered unidentifiable. This is not under the scope of the GDPR or other data protection laws. If you are processing statistical data or anonymous data, you can do anything with anonymous information, keep it how long you like. Now, between personal data, which can be used to single out an individual, and anonymous data, which is the opposite, we have pseudonymous data. Pseudonymisation is a technique that replaces or removes information in a dataset that identifies an individual. So pseudonymisation may involve replacing names or other identifiers which are easily attributed to individuals with a reference number or anything else. As examples go: employee numbers, account numbers, reference numbers, etc. Pseudonymous data can be used to identify a person, and that means that it still remains personal data. Pseudonymous data thus is under the scope of the GDPR and is subject to data protection laws and regulations. Let's look at an example. A courier firm processes personal data about its drivers: mileage, journeys, and driving frequency. It holds this personal data for two purposes: to process expense claims for mileage and to charge their customers for the service. A second team within the organization also uses the data to optimize the efficiency of the courier fleet. For this, the identification of the individual is not necessary. The firm ensures that the second team can only access data in a form that makes it impossible for them to identify the individual couriers. It pseudonymises this data by replacing the identifiers, such as names, job titles, locations and driving history, with a non-identifying equivalent, such as a reference number, which on its own has no meaning. So pseudonymisation is highly recommended by the General Data Protection Regulation as a security measure. The last category of data covered by the GDPR is special data, also known as sensitive data or special categories of data, because in the European Union data protection is seen as a fundamental human right. The types of data seen as special are things which are closely related to us as human beings, not as consumers. Things such as racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, biometric data for the unique purpose of identifying an individual, genetic data, health data, sex life, and sexual orientation. Financial data or social security numbers are not considered special categories of data, nor are criminal convictions. The main difference between personal data and special categories of data is that by default, organizations are prohibited from processing special categories of data. There are exceptions to this rule, which we shall discuss in the following modules. So now let's look at some examples of special categories of data: a photo from our business's holiday party showing an employee with a broken leg; patient records from a hospital detailing diseases which the individual suffers from; a sports application that reveals information about an athlete's health; party membership applications detailing the individual's political beliefs; fingerprints used to access a secure office building; and information detailing the individual's religious beliefs. All of these, as you can see, are data which are considered special under the scope of the General Data Protection Regulation.
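The courier-firm example above, worked through in code as an added illustration (this is not material from the course, and the data, team names and field names are constructed assumptions): the payroll team holds a secret key and a lookup table, the fleet-optimisation team receives only reference numbers plus the mileage figures it needs, and a release check confirms that no direct identifier survives in what it receives.

```python
import hmac
import hashlib
import secrets

# Constructed sample data (assumption, not from the course): weekly driver records.
DRIVER_RECORDS = [
    {"name": "Ana Popescu", "job_title": "Senior driver", "location": "Cluj",
     "mileage_km": 1240, "journeys": 31},
    {"name": "Ion Ionescu", "job_title": "Driver", "location": "Iasi",
     "mileage_km": 980, "journeys": 22},
    {"name": "Ana Popescu", "job_title": "Senior driver", "location": "Cluj",
     "mileage_km": 310, "journeys": 9},   # a second week for the same driver
]

# Fields that identify the driver directly; the fleet team must never receive these.
DIRECT_IDENTIFIERS = ("name", "job_title", "location")


def new_pseudonymisation_key() -> bytes:
    """Secret key held only by the team allowed to re-identify drivers (here: payroll).
    Assumption: in production it lives in a secrets store, never beside the fleet data."""
    return secrets.token_bytes(32)


def make_reference(key: bytes, name: str) -> str:
    """Keyed HMAC of the identifier, truncated to a 12-character reference number.
    Deterministic, so one driver's records still link together; without the key the
    reference has no meaning and cannot be recomputed from a list of candidate names."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def pseudonymise(records: list[dict], key: bytes) -> tuple[list[dict], dict[str, str]]:
    """Split records into the fleet-team view and the separately held lookup table."""
    fleet_view = []
    lookup = {}  # reference -> name; stays with the payroll team
    for rec in records:
        ref = make_reference(key, rec["name"])
        lookup[ref] = rec["name"]
        fleet_view.append(
            {"driver_ref": ref,
             **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return fleet_view, lookup


def leaks_identifiers(fleet_view: list[dict]) -> bool:
    """Release check before the data leaves payroll: True if any direct identifier survived."""
    return any(k in DIRECT_IDENTIFIERS for rec in fleet_view for k in rec)


def reidentify(ref: str, lookup: dict[str, str]) -> str:
    """Re-identification needs the lookup table, so only the team holding it can do this."""
    return lookup[ref]


def mileage_per_driver(fleet_view: list[dict]) -> dict[str, int]:
    """The fleet-optimisation work runs entirely on the pseudonymous view."""
    totals: dict[str, int] = {}
    for rec in fleet_view:
        totals[rec["driver_ref"]] = totals.get(rec["driver_ref"], 0) + rec["mileage_km"]
    return totals


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    view, table = pseudonymise(DRIVER_RECORDS, key)
    print("identifiers leaked:", leaks_identifiers(view))
    print("mileage per reference:", mileage_per_driver(view))
```

A keyed HMAC is used rather than a plain hash so that someone holding only the fleet view and a staff list cannot recompute the references; the key and the lookup table are the "additional information" that the GDPR expects to be kept separately, which is what keeps the fleet view pseudonymous rather than anonymous, and why it remains personal data.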
4. Data Protection Roles: Previously we learned about the types of data which the GDPR regulates. Now let's look at the data protection roles. These roles are present also in the former Data Protection Directive and have been transposed within the GDPR with minimal modifications. So let's get started. Now, there are four main data protection roles within the regulation. First, we have the data subject. This is an individual about whom information is being processed, like me, a human being. Then we have the data controller. This is an organization, individual or public body which decides on the purposes and means of processing, or answers the "how" and "why" personal data is being processed questions. Next we have the data processor. This is an organization, individual or public body that processes data on behalf of the data controller, kind of like outsourcing. And lastly, we have the supervisory authority, or data protection authority, which is chartered to enforce privacy or data protection laws and regulations within the member states of the European Union. That is one SA or DPA per member state of the European Union. For the UK, we have the ICO; for France, we have the CNIL, et cetera. So now let's go a bit more in depth into the differences between a controller and a processor. The data controller determines the purposes for which and the means by which personal data is being processed. The controller can answer the following questions: why, how, for how long, where, and by whom. The data processor, on the other hand, processes personal data only on behalf of the controller. Usually the data processor is a third party, or it's an external company; it acts on behalf of the controller, processes the data on the written instructions of the controller only, obtains authorization when subcontracting the processing to another sub-processor, and provides a service to the controller. As an example, an outsourced mail marketing company, which does mail marketing on behalf of the controller. When your organization works together with another organization to conduct a processing activity, similar to a banking blacklist, then you are considered joint controllers. When two or more organizations determine the "why" and the "how" personal data should be processed questions, joint controllers must enter into an arrangement setting out their respective responsibilities for compliance with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed. So now let's look at some examples for a data processor and data controller type relationship and a joint controller relationship. Now for the data processor and controller configuration, we have the following example. A brewery has many employees. It signs a contract with a payroll company to pay wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other information for the salary slip and payments. The payroll company provides the IT system and stores the employees' data. The brewery company is the data controller and the payroll company is the data processor. Now let's look at an example for joint controllers. Your company or organization offers babysitting services via an online platform. At the same time, your company has a contract with another company allowing you to offer value-added services. Both companies are involved in the technical setup of the website. In that case, the two companies have decided to use the platform for both purposes, babysitting and also DVD or games rental, and will often share clients' names as they are working together and they share the same technical database. That means that they become joint controllers. An arrangement is needed between them to satisfy the data subject needs and requirements. Now, as previously stated, processors will only process data on the written instructions of the controller. But if they do something independently, that means if the processor determines the means or purposes of processing for a specific activity, they will automatically become a data controller for that processing activity. Here, I would like to underline the fact that the labels of controller and processor are given on a per-activity basis, not necessarily a per-company basis. You can be a processor for some activities and the controller for others. Now, in order to legitimize a controller-processor configuration, a data processing agreement, or DPA, has to be signed between the controller and the processor. And the points of that DPA are written within the regulation. The processor must process personal data only on documented instructions from the controller, including cross-border data transfers. The processor must implement appropriate technical and organizational measures to secure the data. They have to seek the controller's consent if engaging a subcontractor and flow down all of the terms of the contract with the controller to the subcontractor. They must assist the controller in reporting and notifying supervisory authorities and data subjects of data breaches. They also have to assist the controller in responding to requests for exercising data subject rights. They have to delete or return personal data if instructed by the controller or upon termination of the contract. They need to submit to audits by the controller or another auditor chosen by the controller. And they have to make all information necessary to demonstrate compliance with the General Data Protection Regulation available to the controller. All of these points should be in any data processing agreement between the controller and the processor, as it is mandated within the regulation.
5. Processing: Now that we have a good understanding of data protection roles and responsibilities, let's look at the regulation's fair processing principles and what processing is defined as. We've been talking about processing for quite a long time. But what is processing? Well, processing means any operation or set of operations performed upon data or data sets, whether or not by automated means. Now, to put it simply, processing is everything. Anything you do with data is considered processing and there is no exhaustive list of activities because of this: collection, storage, access, use, destruction, disclosure, all of them enter into the definition of processing. So just think of it as anything done on data is processing, and that's it. So now that we know that processing means anything done on data, any operation, we have to also know that the GDPR regulates the processing of personal data and does this through fair processing principles. So let's look at each principle and what it means for us. Lawfulness means that we have to have a legal basis for collecting and processing data. Fairness means that we have to process the data in ways in which it is fair to the data subject. Transparency refers to clarity, and it means that we have to be clear and honest with people from the start about how we will use their data. Purpose limitation means that we are allowed to process data only for the purpose mentioned at the moment of collection or strongly related purposes. Data minimisation refers to the fact that we have to collect and use the least amount of data to fulfill the purpose. Accuracy means that we have to take reasonable efforts to ensure data is accurate. Storage limitation refers to the fact that data should be kept for a limited period of time. We can have either a static or a dynamic storage period. As an example, a static period would be ten years after collection. A dynamic one would be 30 days after your last pizza order: as you keep ordering pizza, it keeps getting refreshed. Confidentiality and integrity ensure that we have adequate security controls in place. And lastly, accountability. This means that we have to be able to demonstrate compliance with all of the above and the General Data Protection Regulation as a whole, and have all the documents to demonstrate this compliance. The accountability principle was not present in the Data Protection Directive and has switched the GDPR to what is called an accountability framework. That is why notifying the supervisory authority of processing activities is no longer required of controllers and processors, as it was during the Data Protection Directive.
6. Lawful Bases: Previously, we saw that one of the most important processing principles is lawfulness, which mandates that all processing of personal data should have a legal basis. Within this module, we shall see what the legal bases for processing personal data and also special categories of data are. So let's get started. Now, there are six lawful bases for the processing of personal data: consent, legal obligation, public interest, contractual requirement, vital interests, and legitimate interests. The least reliable of these is consent, and we shall see why in the next slide. Now, then we have legal obligation. This means that if there is a law, then we have to respect the law. If local labor law permits us to process personal data, then we will process that personal data in accordance with labor law or financial law or whatever law. Afterwards, we have contractual requirement: if processing of personal data is needed for the fulfillment of a contract or before entering into a contract, then we will process that data for this purpose. Then we have vital interests of the individual. This means that we are processing the data in the individual's best interests, in the interest of saving his life, as an example. Afterwards, we have public interest. This is used by public authorities to enhance the scope of the authority given to them by law. And lastly, we have legitimate interests, which is used by private entities to further their own legitimate interests. Let's go more in depth into consent. So why is consent the least reliable basis for processing? Well, for two reasons, actually: because it is hard to obtain valid consent, and that consent can be as easily withdrawn as it was given. There can be no limitation placed on the withdrawal of consent. So if somebody consents to the processing of their personal data through a click of a button, they can withdraw that same consent just as easily. Now let's look at the conditions for valid consent. First, it has to be freely given, which means that there should be no imbalance of power between the one who asks for consent and the one who gives it. Employee-employer consent thus is not that valid, as the employee might feel compelled to provide it. The same logic applies for the relationship between the citizen and a state authority. Next, it has to be specific and informed, which means that we need to have correctly informed the data subject before he gives his consent and ensure that his consent is specific to the processing involved. Using only one single checkbox for multiple different purposes is a breach of this criterion. Afterwards, consent has to be unambiguous. Thus, no use of technical or legal language is recommended. The information provision should be as clear as daylight, so that even a ten-year-old can understand it. Consent can be obtained in any format, written or oral. It has to be demonstrable and as easily withdrawn as it was given. Lastly, in order to be considered valid, consent should be a clear affirmative act. That means opt-in consent is valid while opt-out consent is not. As an example, when installing software, the application asks the data subject for consent to use anonymised crash reports to improve the software. A privacy notice providing the necessary information accompanies that request for consent. By actively ticking the optional box stating "I consent", the user is able to validly perform a clear affirmative act to consent to the processing. Now, for children's consent, it varies a bit. The age of consent can be chosen by the member state in the bracket of 13 to 16. So some member states within the European Economic Area might have an age of consent of 14, some might have 15 and some might have 16. When it comes to children's consent, consent should be given by a parent or guardian for children which have not reached the age of consent, which is below the age of 16, regulated by local member state law. Consent should be demonstrated to have been obtained from a parent or guardian. As an example, when a child is creating a Facebook account or YouTube account for which the parents have a certain degree of control. Lastly, let's go a bit into legitimate interests. What do they mean? Now, the definition is the following. Processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of data subjects which require protection of personal data, in particular where the data subject is a child. Now let's also look at an example. As specified in its IT governance policies, a mail-order company monitors access to accounts containing personal data by named users within the organization to prevent theft of data by employees. The mail-order company regards this as an essential processing activity to protect its customers. What are legitimate interests? Now, the function is similar to a scale. On one side of the scale we have the legitimate interests of the organization. On the other side of the scale, we have the rights and freedoms of individuals. If we believe that our legitimate interests are more important or more valid and do not pose a risk to the rights and freedoms of individuals, then we can conduct that processing activity, like in the example. Within the materials for this course, I have also attached a very good guide for the use of legitimate interests, which also contains benchmark examples. For practical purposes, you should look it up and read about it. There, it goes into a lot more detail. And in certain situations, legitimate interests are a very good legal basis for processing, because unlike consent, they cannot be withdrawn. People can object to the use of your legitimate interests, but that objection might not necessarily be valid. Now that we know the types of legal bases we can use for processing personal data, let's also look at the exemptions which permit us to process special categories of data. First, we have explicit consent, with the same conditions as previously stated for normal consent. Then, in the context of employment, in accordance with local labor law: so if labor law states that you can process health data for hiring purposes, of course you can do it. Vital interests of the individual, as long as you can demonstrate that the processing of the data was done with the best interests of the data subject in mind. Let's say I fall unconscious on the street; then the hospital can process my health-related data to treat me. Political, philosophical, and religious organizations can process political, philosophical and religious data in accordance with their activity, but they cannot use it for any other non-related purpose, such as sharing it with marketing companies, etc., without informing the data subject and obtaining their approval. Data made public by the data subject can be used, such as information posted on social networking sites or in the media. In the court of law, special categories of data can be used for the establishment, exercise, or defense of legal claims. Special categories of data can also be processed in accordance with a substantial public interest as defined by member state law or European Union law. Then for the purposes of medicine and social health care, or for the purposes of public health as defined by member state law or European Union law. These were also the legal bases which were used for the corona measures during the corona pandemic. The last exemption refers to the use of special categories of data for public archives, scientific or statistical purposes. But they have to have adequate security measures in place and be proportionate to the risk to the rights and freedoms of individuals.
7. Data Subject Rights: In the previous module, we spoke about legal bases for processing. Now let's move on and talk about the rights of data subjects. Most of these rights were imported from the Data Protection Directive, but with the GDPR new ones have been added and some of the existing ones have been extended. So let's take a look at what we can do as data subjects and what our rights are within the regulation. Now first let's look at the right of access. By making a right of access request, we can obtain confirmation that an organization is processing our personal data and also what type of data is being processed, and obtain access to it. We can also ask for a copy of the personal data being processed from the controller. We can ask about information regarding the processing activities carried out by the controller on our information. The controller may charge a reasonable fee for further copies of the data if we request further copies of the data in a very short timeframe. We can also ask about transfer of information: to whom is our information being sent, and to which countries is it being sent? The timeframe for responding to a right of access request is 30 days, but the controller can ask for an additional 60 days if they have adequate justification. Data subjects also have access to the right of rectification. Individuals have the right to have personal data rectified. You can rectify personal data if it is inaccurate or incomplete, and it applies to both subjective and objective based data. You must rectify any inaccurate personal data that relates to the individual without undue delay and in any event within one month. So it has the same timeframe as a right of access request. As an example, there may be inaccuracies in the details of a criminal conviction held on the national police computer. An individual may receive a copy of their criminal record and request that an incorrect entry for grievous bodily harm is corrected to actual bodily harm, or vice versa, to reflect the correct conviction. The controller may refuse the right of rectification if, for example, it obstructs an investigation, such as a request to rectify the content of a witness statement. Now, keep in mind that even if they are rights, organizations should still make sure that they respond to adequate requests only. So before responding to any right of access request, or any rights request for that matter, we should first authenticate the person making the request. Without proper authentication, we could give access to data to the wrong individual, thus causing a data breach, which is not something we want. Next, we should ensure that by fulfilling a rights request, we are not infringing on the rights and freedoms of others. The term "others" refers to both other people and also other entities such as our own company or third-party companies. So if you receive a right of access request where an individual requests a copy of his personal data, but that data would contain information on other individuals, or trade secrets or patents which could be detrimental to your organization, then you would either filter out that information or get approval from other affected people before sharing the information with the data subject. Lastly, any unfounded requests or abuse of rights, such as making the same request ten times in the same week, should be filtered out. No need to create operational problems because of malevolent people. One new right which was added in the GDPR was the right to data portability. That means that I, as a data subject, can ask for my data to be transferred from one controller to another controller in a universal, structured, commonly used, machine-readable format. This right is only possible when the data is being processed under the legal grounds of consent or contractual requirement. It applies to digital data only. And it applies to data which is collected from the data subject or about the data subject. The timeframe for responding to a right of data portability request is the same as with a right of access request: without undue delay or within 30 days. So it has the same timeframe for response. The data controller transferring the data is not responsible for the processing activities conducted by the recipient of that data. Individuals also have the right to request the deletion or removal of their personal data. The right to be forgotten is an extension of the right of erasure, and that means that not only should the controller destroy this data, but also forward the request to all recipients, thus ensuring that all replications of the data are destroyed and all links to the data are also destroyed. Now the conditions for erasure are quite strict. You can only ask for erasure if data is no longer necessary for the purpose for which it was collected; if the data was being processed on the basis of consent, and consent has been withdrawn; if the data was being processed on the basis of legitimate interests or public interest, the data subject has objected to processing, and the objection was valid; if the data was collected in relation to information society services from a child on the basis of consent, and that child has reached the age of consent; if the processing was unlawful to begin with; or to be in compliance with European Union or member state law. So you cannot ask for erasure if there is a legal basis to keep that data or if there is an adequate legitimate interest to keep that data and process that data. So it is quite limited, right? The right of restriction is a new right within the GDPR and it is an alternative to the right of erasure. That means that we are marking the data within our systems, and the data will be stored and no additional processing will be performed upon it. This is usually used when the accuracy of the data is contested, or when the data subject has objected to processing, until the objection is either deemed valid or invalid, or it is an alternative to erasure when the data subject might not want the data destroyed; maybe they want to use it in the court of law. When the restriction is lifted, the data subject must be notified and they have the opportunity to object to the lifting of the restriction. Now, individuals also have the right to object to processing based on public or legitimate interests. It is the controller's burden to demonstrate that its compelling interests override the individual's rights and freedoms. We can also object to research and statistical purposes, but public tasks, such as censuses, are exempted from this. And lastly, we can object to profiling for direct marketing purposes. This is an absolute right under the GDPR. If we use our right to object in this fashion, the marketing or profiling will automatically stop. Now the last right we should talk about is the right not to be subject to automated decision-making. Individuals have the right not to be subject to a decision when it is based on automated processing and it produces an adverse legal effect or significantly affects the individual. Now there are exceptions to this right, all requiring
appropriate safeguards if the protein is
necessary to enter into the performance
of a contract such as evaluating credit risk
or insurance risk. Authorization by
member state law or the data subjects
explicit consent. Automated decision-making
is not permitted on special categories of
data unless we have explicit consent or substantial
public interests based on union or member state
law or suitable measures to protect that individual. Now, if you are using
automated decision-making, you must still ensure
that individuals are able to obtain human
intervention if need be, or obtain an explanation
of the decision. Challenge it. As an example, an automated
processing system could include an ID database
of criminal records or prosecution history
is where data is input or access by staff
via automated means, automated decision-making
only comes into play where the
controller takes significant decision
based solely on an algorithm upon
automated processing, often without human interaction. This is a decision that produces
an adverse legal effect concerning the individual or
affect them significantly. Now that we've finished
with data subject rights, let's look at transparency. Transparency means
that a specific set of information must be provided to the data subject
by the controller. Now, in order to do this, the controller will
use a privacy notice. A privacy notice is a set of enforceable promises made by
the controller to the data subject about how data will be used and protected while
it is being processed, the privacy notice or
information provision should be intelligible
and easily accessible. So if I'm collecting
data in physical format, I should have a physical
privacy notice. If I'm collecting it
in digital format, I should have a digital
privacy notice. That is what easily
accessible for means. It should be clear
and plain language. That means that a
language which a 10-year-old can understand
is good enough. It should be concise and the European
Commission recommends the use of visualization. The privacy notice or information provision
should be free of charge unless it is an
unfounded or excessive. All right. More specifically, the right to be informed. And it should also
contain various types of information which we will
go into in the next slide, and also information
on other data, subject rights, and
how to access them. Let's look at an
example privacy notice. As you can see, the language
is clear and simple. The font and font style
are easy to understand. It is very specific. That means that the individual
has a clear opportunity to agree to marketing and the channels of marketing
for that matter. It seeks prior consent for
marketing to other companies. And at the end we have
the signature and the date to make sure it
is demonstrate double. So this is a best
practice privacy notice as issued by the ICO. So now that we know that we should provision
information to data subjects in a clear
and easily accessible form. We should also look
at what information should be given correct? Now, the GDPR has a managed list of
information which should be provided to the data subjects so that the protein is
considered transparent. The law regulates both direct
and indirect collection. In the case of
direct collection, we should specify
the identity and contact details of the
controller and the P0, the purpose and legal basis for processing the recipients
of the personal data. If there is an intention
to transfer data to a third party country or
international organization. And what are the safeguards
for transferring the data if we're posting on the legal basis of
legitimate interests, what are those
legitimate interests? Access to data subject rights. And what are the data
subject rights of the individual if we
are processing on the basis of contractual
requirement, what is that contractual
requirement? And if there is automated
decision-making present, what is the logic behind that automated
decision-making algorithm and the consequences
for the data subject. All of these should be
provided in a clear, easily accessible,
and concise form. In the case of
indirect collection, the source of the data and
the types of data being processed should be
additionally specified. Now, in the case of
indirect collections, such as buying a
marketing database or collecting data
from public sources, the privacy notice will not be given at the moment
of collection. So the GDPR mandates a
timeframe for informing the data subject that his
data is being processed. The timeframe is 30
days or one month, or upon first communication
with the data subject when personal data is being
used to communicate with him. Or if I disclosure to
another recipient is envisioned or at the latest when the personal data
is first disclosed. Now there are exceptions
to this particular rule. It the data subject has
already been informed and there is no significant change in the processing activity, then there is no need
to inform him or her. Again, if it would
render impossible or seriously impaired the purpose
of the data processing, such as an internal
investigation, I would not inform
the suspect of the investigation and what is happening if it is impossible or requires
disproportionate effort. But this should be interpreted
narrowly as an example. A hospital which receives a
high influx of patients and all those patients
give information on a next of kin
to be contacted. In the case of an emergency, then that hospital
would not have the resources to inform all next of kin because of the high rotation of patients
or high influx of patients. Another exception
is if there are national or European Union laws which require the personal
data remains secret. Or if there are national
or European laws which require obtaining or disclosing data and provide appropriate measures to protect
the individual interests. As previously stated, the European
Commission recommends the use of visualization to make information
provision a lot easier and user-friendly for
the data subjects. Within this course,
I will be presenting the concept of the
privacy nutrition label. The privacy nutritional
label is inspired from food nutrition labels and
has the aim of giving an user user-friendly
and visual overview of what type of
processing will happen on the data subjects
information. On the vertical axis we can see the types of
data being used. On the horizontal axis is the purposes for which
they are being used. The color-coding will
explain the data subject. If that type of
processing happens, red doesn't happen till or
happens based on consent, either opt-in or opt-out. Using the privacy
nutritional label as the first page of your
privacy notice will make it easier for your data
subject to at least understand what will happen
with their information. And if they would
like to learn more, they can just read the
full privacy notice or the lead privacy notice. Pretty neat. Right.
8. International Transfers: Previously we spoke about data subject rights and what each right entails. Now, let's look at cross-border transfers and how we can legitimize transfers from within the European Economic Area to outside the European Economic Area. Now, cross-border transfers are defined as transfers of personal data from a member state to a third party country or international organization outside the European Economic Area. It also applies to onward transfers from one third country or international organization to another outside the European Economic Area. All of these transfers have to be legitimized. And there are three ways in which we can legitimize a cross-border data transfer: through either adequacy decisions, appropriate safeguards, or derogations, such as exemptions from the law. So let's look at them individually.

Now, adequacy decisions are actually a list of countries to which you can transfer data based on their presence on that list. This list is created and approved by the European Commission. The European Commission can repeal, amend or suspend an adequacy decision, and adequacy decisions are reviewed every four years. What does the European Commission take into account when deciding if a country is adequate? Respect for justice, access to justice, respect for fundamental human rights, social stability, political stability, etc. On the adequacy list at this point we have the following countries: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Japan, Jersey, New Zealand, Switzerland, and South Korea, actually added recently, and the UK with a provisional adequacy decision. If you are transferring to any of these countries, you do not need to take any additional measures except informing the data subjects that their data will be transferred to these countries and that the data is being secured through the use of an adequacy decision issued by the European Commission.

What happens if we are transferring data to a third party outside the European Economic Area in a country which is not considered adequate by the European Commission? In the absence of an adequacy decision, controllers and processors can use appropriate safeguards for data transfers. This ensures that the third party has a similar level of data protection to its European counterpart. And there are six ways which are considered appropriate safeguards: standard data protection clauses, ad hoc contractual clauses, BCRs, codes of conduct, certification mechanisms, and international agreements.

Now, standard data protection clauses are also known as model clauses. These are either adopted by the Commission or by a national supervisory authority, which then are approved by the Commission. They are for a company in the European Economic Area which wants to send data outside the European Economic Area. There are different types of standard data protection clauses for both controllers and processors. The fact that they are standard means that the form is standard and it is non-negotiable. It is the most commonly used tool for appropriate safeguards. In the wake of the Schrems II case, the legality of the SCCs was upheld. However, companies must conduct a case-by-case assessment of the laws in each recipient country to ensure essential equivalence to European Union law for personal data being transferred under SCCs or BCRs. If the laws are not essentially equivalent, companies must provide additional safeguards or suspend transfers. Such additional safeguards can involve additional technical controls, such as encryption, and contractual obligations on how to manage onward transfers and compelled disclosures to authorities.

Ad hoc contractual clauses must have the authorization of the supervisory authority of the member state. They allow for individual tailoring to company needs. Provisions for such clauses might differ at member state level. Lastly, we can also use international agreements to legitimize the cross-border data transfer, when two countries enter into an agreement between themselves to provide for protection of personal data, such as a mutual legal assistance treaty.

Now, codes of conduct are created and revised by associations or other bodies representing controllers or processors. They are compliance signaling tools for them, and they help both controllers and processors in demonstrating GDPR compliance. They also facilitate the free flow of personal data from the European Union to outside the European Economic Area. Approved codes of conduct must enable the mandatory monitoring of compliance with their provisions by an accredited monitoring body. When a controller or processor infringes on the code, an accreditation body can suspend or exclude the infringing party from the code, notifying the supervisory authority of the proceeding. Adherence with the code is a factor to be considered when assessing an administrative fine.

Certifications are also recognized by the GDPR as an acceptable mechanism for demonstrating compliance. They are voluntary and available via a process that is transparent. They do not reduce the responsibility of the controller or processor for compliance. They can be issued by accreditation bodies, competent supervisory authorities, or the EDPB, and they assist the controller and processor, the same as a code of conduct, in demonstrating compliance, and also demonstrating compliance with Article 25, data protection by default and data protection by design. They are valid for no more than three years and may be renewed, and have to be reviewed on a yearly basis. As you would expect, there are consequences for non-compliance, and certification bodies are responsible for withdrawing certification in the event of non-compliance; they must inform the supervisory authority and provide reasons why the certification has been invalidated. Again, like in the case of codes of conduct, certification is a factor that is considered in assessing an administrative fine.

Lastly, we have derogations. In the absence of an adequacy decision or appropriate safeguards, derogations may be used for international data transfers. They are one-offs from the regulation and should be used with prudence and interpreted strictly. In order to use a derogation, we need a legal basis, and these are the following: explicit consent from the data subject, and the data subject must understand the possible risks of transferring their personal data outside the EEA; performance of a contract with the data subject, as an example, I am a travel agency and I need to book a hotel in Nicaragua, and because Nicaragua is not an adequate country and I have no standard contractual clauses with the hotel in Nicaragua, I will use a derogation to fulfill the booking, and there must be no way to fulfill the contract unless the data is transferred; public interest as defined under local member state law; vital interests of the individual, such as saving his life, so if I have health problems in Thailand, the hospital in Romania can transfer my data to Thailand to treat me, to save my life; the establishment or defense of legal claims in a third party country; very strong legitimate interests of the controller, which should be interpreted narrowly; and transfer from a public register, protecting the data subject's rights and ensuring that only the data that needs to be transferred is transferred.
9. Security and Compliance: And now, with this module, we shall be concluding the course. Within this module we will cover both the security requirements of the regulation as well as other things we should take into account to ensure compliance. At the end of this module, we will also speak a bit about the fines which can be used in relation with data protection infringements within the European Union.

What does the GDPR say in relation to security? Here we have Article 32, also the most quoted article in relation to fines. Article 32 says the following: the controller and processor shall provide appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, cost of implementation, scope of processing, nature of the data, context, and purposes of processing. So what does each factor mean? State of the art means taking into account professional opinions on the security controls. If I'm implementing an antivirus from the year 2004, that would be disregarding the state of the art factor. Cost of implementation refers to the fact that implementing security controls should reflect good management decisions. As an example, if I am a five-employee company, implementing a $10 thousand DLP-type solution for protecting personal data such as e-mail addresses might be a bit irresponsible. Nature refers to the type of data being processed: is it personal data or special categories of data, such as medical data, which might need stricter security controls? Scope refers to the direction of processing and the number of records. It's one thing to secure ten records; it's another to secure 100 thousand records. Context refers to the context in which the processing is taking place, while purpose defines what type of purposes the data is being processed for. It's one thing to process data for the purposes of emailing my customers. It's another to process data for the purposes of account security. I would like to underline the fact that all of these security measures should be taken appropriate to the risk; that means having a risk-based approach similar to information security. So it is recommended to use a risk methodology when choosing the controls.

So what is a personal data breach then? Well, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data being processed. This means that the personal data breach definition is quite comprehensive. So if you lose records, that is a personal data breach. If they were altered, that is a personal data breach. Accessed by an unauthorized third party is a personal data breach. Deliberate or accidental action or inaction by a controller or processor is a data breach. Sending personal data to an incorrect recipient is a data breach. Computing devices containing personal data being lost or stolen is a data breach. Alteration of personal data without permission is a data breach. And even loss of availability of personal data is a data breach. So anything which has an impact on individuals is a data breach, and anything which is done in an unauthorized fashion is a personal data breach.

So let's move on and see what are the triggers for actually notifying both the supervisory authorities and the data subjects. These are given in accordance with the risk of the breach to the rights and freedoms of individuals. If there is a risk to the rights and freedoms of individuals, then notification is given from the controller to the supervisory authority without undue delay or within 72 hours after becoming aware of it. If the breach is unlikely to result in a risk to the rights and freedoms of natural persons, then no notification is necessary. If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the controller will notify both the SA within 72 hours and also the data subjects without undue delay after becoming aware of it. There are exceptions to this rule. If data is encrypted or unintelligible, no notification to the data subject is required. If post-breach actions greatly reduce the risks, again, no notification to the data subjects is required. And if there is a high number of individuals affected, thus requiring disproportionate effort to notify all individuals, then the controller will issue a public statement on the internet or in the media.

So let's look at some examples. A group is moving to another building. Movers find the locker of the HR archive open and multiple folders missing. The folders contain health data, and a digital backup is available. As you can see, this is a confidentiality and integrity breach which will trigger notification both to the SA and the data subject, the explanation being the following: as the folders contain sensitive data, there is a higher risk to the rights and freedoms of individuals. Another example is the following. An agency with a network file system of European Union patients with rare diseases is running its own infrastructure. A colleague detects ransomware after a personal USB stick is used, and after a while, no one can access data from the file servers. It is both a confidentiality and availability breach, which would trigger notifications to both the SA and the data subject. The sensitive nature of the data presents a high risk to the affected individuals. Of course, going into a hospital and having no treatment options because the data was encrypted does have an impact on me as an individual. When assessing privacy risk, it is good to look at it from the perspective of the individual. What does he feel? How would they react? How would you react if you were in their position?

Now, within the GDPR, we also have the concept of the DPIA, which is meant to both demonstrate compliance and integrate data protection considerations into an organization. A DPIA is required by law, unlike the PIA. So when is it actually required? From a legal perspective, it is required when a specific processing activity carries with it a high risk to the rights and freedoms of individuals. SAs may also set out specific processing activities which qualify by default as high risk, such as mounting CCTV cameras. Now, what does a DPIA contain? A DPIA contains a description of the processing being analyzed; an assessment of the necessity, proportionality, and risk to the rights and freedoms of data subjects; and the measures to address the risk. If residual risk is high, that means risks which have not been reduced to an acceptable level are still high, then the controller is obligated to consult with the SA before moving forward with that specific processing activity. I would like to point out that a DPIA can address one processing activity, but also a set of similar processing operations.

Now, the GDPR has also mandated the creation of the job known as DPO, or Data Protection Officer. So what are the conditions for naming a DPO, the legal ones at least? The core activities of the controller or processor include the following: processing activities that require regular and systematic monitoring of data subjects on a large scale; processing of special categories of data on a large scale; processing by public bodies, except courts acting in judicial capacity; or if member state law or European Union law mandates naming a DPO. Certain countries within the European Union, such as Germany, have their own rules for mandating DPOs additional to the ones in the GDPR. In terms of job responsibilities, the DPO monitors compliance of the organization; they advise both controllers and third parties in ensuring compliance; they serve as a point of contact and cooperate with both the SA and data subjects; they contribute to the DPIA creation; they manage processing activities; and they are independent. That means that they should report to the highest level of management and there should be no conflict of interest between their role as DPO and other roles they might have within your organization. They are also a protected position, which means that the organization cannot order a DPO on how to do his or her job and cannot dismiss the DPO for GDPR-related activities.

Now, the most heavily advertised aspects of the GDPR were the huge fines. There are brackets for the fines, the first being up to the sum of €10 million or two per cent of global turnover, whichever is higher, or €20 million or 4% of global turnover, whichever is higher. The €20 million bracket is for infringement of processing principles, data subject rights, international transfer obligations, member state law, or non-compliance with an SA's order. The two per cent fine, or €10 million bracket, is for any other type of infringements, such as data protection by design or data protection by default infringements. Now, I would like to point out that it is national supervisory authorities which issue fines. They have autonomy on the fines which they issue. The Article 29 Working Party, also known as the EDPB now, has issued guidance on factors that SAs will take into account when issuing a fine, such as neglect or intent, scale of the infringement, compliance with the SA, etc. But it is still left to the local supervisory authority, which will establish the sum of the fine.

Congratulations, we have finished the GDPR Made Easy course. You will have taken your first steps in understanding European Data Protection and the General Data Protection Regulation. I would like to thank you for your attendance. Keep in mind that I have attached some documents to this course to help you in implementing a GDPR compliance privacy program. Cheers.