DATA PROTECTION
Data protection is the process of safeguarding important information from corruption,
compromise or loss.
Data Protection refers to the set of privacy laws, policies and procedures that aim to minimize
intrusion into one's privacy caused by the collection, storage and dissemination of personal data.
Personal data generally refers to the information or data which relate to a person who can be
identified from that information or data whether collected by any Government or any private
organization or an agency.
The importance of data protection increases as the amount of data created and stored continues to
grow at unprecedented rates. There is also little tolerance for downtime that can make it
impossible to access important information. Consequently, a large part of a data protection
strategy is ensuring that data can be restored quickly after any corruption or loss. Protecting data
from compromise and ensuring data privacy are other key components of data protection.
The term data protection is used to describe both the operational backup of data and business
continuity/disaster recovery
[1] (RSA, 2017)
[2] (Michael Nadeau, 2018)
in today. That data protection act has now been finalized. It is called the General Data Protection Regulation (GDPR) and will replace local data protection laws, such as the ones mentioned above, being valid in every country of the EU.[3]
A key part of the regulation requires consent[4] to be given by the individual whose data is held. Consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. Organisations will need to be able to show how and when consent was obtained. This consent does not need to be explicitly given; it can be implied by the person’s relationship with the company. However, the data obtained must be for specific, explicit and legitimate purposes. Individuals must be able to withdraw consent at any time and have a right to be forgotten: if their data is no longer required for the reasons for which it was collected, it must be erased.
When companies obtain data from an individual, some of the areas that must be made clear are:
- The identity and contact details of the organization
- The purpose of acquiring the data and how it will be used
- Whether the data will be transferred internationally
- The period for which the data will be stored
- The right to access, rectify or erase the data
- The right to withdraw consent at any time
- The right to lodge a complaint
The regulations demand that individuals must have full access to information on how their data
is processed and this information should be available in a clear and understandable way.
Individuals can make requests, and these must be executed “without undue delay and at the latest
within one month of receipt of the request”. Where requests to access data are manifestly
unfounded or excessive then small and medium‑sized enterprises will be able to charge a fee for
providing access.
[3] (Siddhesh Hedulkr, 2017)
Does GDPR apply to my country?
The GDPR applies more broadly than might be apparent at first glance. Unlike privacy laws in
some other jurisdictions, the GDPR is applicable to organizations of all sizes and all industries.
Specifically, the GDPR applies to:
1. Processing of anyone’s personal data, if the processing is done in the context of the
activities of an organization established in the EU (regardless of where the processing
takes place);
2. Processing of personal data of individuals who reside in the EU by an organization
established outside the EU, where that processing relates to the offering of goods or
services to those individuals or to the monitoring of their behavior.
The EU is often viewed as a role model on privacy issues internationally, so we also expect to see
concepts in the GDPR adopted in other parts of the world over time.
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.[5]
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data[6] is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. This can include data such as online identifiers (e.g., IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, CCTV footage, loyalty scheme records, health and financial information and much more. Indeed, the term is so broad that it can even include information that does not appear to be personal – such as a photo of a landscape without people – where that information is linked by an account number or unique code to an identifiable individual. And even personal data that has been pseudonymized can be personal data if the pseudonym can be linked to a particular individual. You should also be aware that the processing of certain “special” categories of personal data – such as personal data that reveals a person’s racial or ethnic origin, or concerns their health or sexual orientation – is subject to more stringent rules than the processing of “ordinary” personal data.

[5] (Michael Nadeau, 2018)
[6] Article 4, General Data Protection Regulation (GDPR), 2016
Yes. Although the rules differ somewhat, the GDPR applies to organizations that collect and process data for their own purposes (“controllers”) as well as to organizations that process data on behalf of others (“processors”). This is a shift from the previous Directive, which applied primarily to controllers.
Fines are assessed by supervisory authorities, or Data Protection Authorities (DPAs). These
are the entities appointed to implement and enforce the European privacy laws in each member
nation. This is not new with the GDPR; the Directive that came before it addressed the
appointment, responsibilities, jurisdiction of DPAs, providing that each DPA enforces data
protection law at the national level and is also tasked with providing organizations with guidance
regarding how the privacy laws are to be interpreted.
The roles and responsibilities are generally the same after the replacement of the Directive with the GDPR. GDPR requires that “each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation.”[10]
Both the Directive and the Regulation require that the persons acting as DPA must have the skills
and experience necessary to perform the role and be subject to a duty of professional secrecy.
[7] Article 51, General Data Protection Regulation (GDPR), 2016
[8] Article 83(4), 83(5), 83(6), General Data Protection Regulation (GDPR), 2016
[9] Article 33 r/w Article 55, General Data Protection Regulation (GDPR), 2016
[10] Article 51, General Data Protection Regulation (GDPR), 2016
The GDPR adds that each DPA must be created through a transparent procedure, although such
procedure isn’t described.
DPAs have a great deal of power in enforcing the GDPR. They are authorized to hear claims
brought by data subjects, investigate alleged violations of the GDPR and to institute legal
proceedings against violators. They are required to keep records and publish reports of their
activities and enforcement actions.
DPAs operate independently, but they also work together, with the head of one supervisory
authority per member state making up the European Data Protection Board (EDPB). The primary
task of the Board is to ensure consistent application of the Regulation across the EU states.
Chapter 7[11] is all about cooperation and consistency and this is where the Board’s responsibilities are defined.
Because each nation has its own DPA, this can complicate matters if your organization processes
personal data across multiple EU countries. You would generally only deal with a DPA if your
organization has been reported to have engaged in a serious violation of the privacy law. In that
case, your legal representatives should have experience in EU privacy law in general, the GDPR
in particular, and dealing with DPAs.
- Data controller,
- Data processor and
- The data protection officer (DPO)
The data controller defines how personal data is processed and the purposes for which it is
processed. The controller is also responsible for making sure that outside contractors comply.
Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR[12] holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and a processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner.[13]
The GDPR requires the controller and the processor to designate a DPO[14] to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities such as law enforcement may be exempt from the DPO requirement.

[12] Articles 60-76, General Data Protection Regulation (GDPR), 2016
[13] (Michael Nadeau, 2018)
[14] Article 37, General Data Protection Regulation (GDPR), 2016
How do the GDPR requirements affect the working of companies?
The GDPR requirements will force companies to change the way they process, store, and protect
customers’ personal data. For example, companies will be allowed to store and process personal
data only when the individual consents and for “no longer than is necessary for the purposes for
which the personal data are processed.” Personal data must also be portable from one company
to another, and companies must erase personal data upon request.
[15] Article 3, General Data Protection Regulation (GDPR), 2016
[16] Article 7, General Data Protection Regulation (GDPR), 2016
[17] Article 8, General Data Protection Regulation (GDPR), 2016
That last item is also known as the right to be forgotten. There are some exceptions. For example, GDPR does not supersede any legal requirement that an organization maintain certain data. Article 17 of the GDPR[18] provides:
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
Several requirements will directly affect security teams. One is that companies must be able to
provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR
means by “reasonable” is not well defined.
What could be a challenging requirement is that companies must report data breaches to
supervisory authorities and individuals affected by a breach within 72 hours of when the breach
was detected. Another requirement, performing impact assessments, is intended to help mitigate
the risk of breaches by identifying vulnerabilities and how to address them.
[18] Article 17, General Data Protection Regulation (GDPR), 2016
IN INDIA
Current Position
India presently does not have any express legislation governing data protection or privacy.
However, the relevant laws in India dealing with data protection are the Information Technology
Act, 2000 and the (Indian) Contract Act, 1872. A codified law on the subject of data protection is
likely to be introduced in India in the near future.
The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of
compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse of
personal data and violation of contractual terms in respect of personal data.
Under section 43A of the (Indian) Information Technology Act, 2000, where a body corporate possessing, dealing with or handling any sensitive personal data or information is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, such body corporate may be held liable to pay damages to the person so affected. It is important to note that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances.
Under section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of a lawful contract has also been made punishable with imprisonment for a term extending to three years and a fine extending to Rs. 5,00,000 (approx. US$ 8,000).
It is to be noted that s 69 of the Act, which is an exception to the general rule of maintenance of
privacy and secrecy of the information, provides that where the Government is satisfied that it is
necessary in the interest of:
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules only deal with protection of "Sensitive personal data or information of a person", which includes personal information relating to:
- Passwords;
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information.
Data processing is, generally, "the collection and manipulation of items of data to produce meaningful information.” In this sense it can be considered a subset of information processing, "the change (processing) of information in any manner detectable by an observer."[19]
GDPR regulates how ‘Personal Data’ of European citizens is managed and processed not just in Europe, but anywhere in the world. Any organization that is dealing with the personal data of European citizens comes under the ambit of GDPR.[20]
While European Parliament’s General Data Protection Regulation (GDPR) is slated to have
global and far-reaching ramifications, a degree of uncertainty looms amongst Indian companies,
especially those which are engaged in outsourced data processing activities (whether captive or
otherwise) and consequently deal with personal data of data subjects in the European Union
(EU). This uncertainty is mainly with respect to the applicability of GDPR and its implications
on their businesses. The penalty scheme prescribed under the GDPR is also a cause of concern
for such companies since GDPR permits enforceability against a data processor directly.
The definition of data processor under GDPR has a very wide connotation. It means any operation performed on personal data such as collecting, recording, structuring, storing, using, disclosing by transmission and even includes erasing and destroying. Article 3 (Territorial scope) of GDPR[21] makes it clear that it will be applicable regardless of whether the processing takes place in the EU or not.

[19] https://en.wikipedia.org/wiki/Data_processing
[20] (Rajiv Kumar, 2018)
[21] https://gdpr-info.eu/
Changes to be expected by Indian Data Processing Units
Prior to undertaking any processing activity, Indian companies will be required to enter into a
contract with their customer (generally, a data controller). Such contract will, inter alia, stipulate
the subject-matter and duration of processing activity, its nature and purpose and the type of
personal data and categories of data subjects.
By way of such contract, a customer (the data controller) will seek from an Indian company a
flow down of the following obligations:
A keystone of GDPR is the stipulation of ‘adequacy requirements’[23] which restrict the transfer of personal data to any third country or international organization that does not “ensure an adequate level of protection.”
The Supreme Court’s judgment[24] last year establishing privacy as a fundamental right has put India on the same page as the EU in terms of their outlook on privacy. The country’s data protection law, being drafted by a government-appointed committee, is being closely monitored by the European Union and could be a major deciding factor for getting the adequacy status for the domestic IT industry.

[22] (Harsh Walia and Shobhit Chandra, 2017)
[23] Article 45, General Data Protection Regulation (GDPR), 2016
[24] Writ Petition (Civil) No. 494 of 2012, Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors.
To add to this, whether or not India will meet the ‘adequacy requirements’ will be discerned by the manner and profundity with which the Forthcoming Legislation deals with these ‘adequacy requirements’. While the Privacy Judgment has presented several anecdotes for the legislature to consider while framing this legislation, it will be interesting to see to what extent they are adopted. Many experts anticipate that the Forthcoming Legislation will be on the lines of GDPR and this may aid its acceptance by the European Commission.[25]
India’s demonetization move was followed by the Union Budget for 2017 that outlines an ambitious goal of achieving 25 billion digital transactions in 2017-18, which means the Government will need to ensure security and regulatory compliance of an unprecedented number of websites and web applications offering digital transaction services. With the Goods and Services Tax or GST coming into effect recently, all businesses will now have to maintain electronic invoices on the cloud. India could draw on an over-arching data protection regime by building on GDPR. However, data protection cannot be in the government sphere alone. Businesses in India can also take cognizance and bring in strong data protection measures akin to GDPR that will only enable their growth in the long run.[26]
One area to be considered is the electronic consent architecture in India, which is a global first,
but this needs to be extrapolated further. For instance, Indian citizens should be able to claim
penalties, if businesses failed to obtain clear consent to use their personal data. In the horde of
digital marketing, consumer right to opt-out is often not delineated or respected. Also, there is
the question of what constitutes as personal and sensitive data. Freely available data like a
person’s name and email ID could be classified as personal data, while information about a
person’s net worth or investment decisions, should be treated as sensitive data, which requires
stronger governance and compliance measures. Digital marketers should be able to leverage
technology to classify data categories based on such rules.
GDPR, which replaces a 20-year-old system, allows specific industries to be tagged with the ‘data adequate’ status under European law, as compared to entire countries being tagged if they are fully compliant.
Gagan Sabharwal, senior director, global trade development at Nasscom, said it is difficult to estimate an opportunity cost from GDPR because India is not a ‘data adequate’ country as per European law. “There are some negatives in the new regulation but the positive is that now there is a legal framework available where they can categorize the Indian IT sector as ‘data adequate’ without having to stamp all over India.”[27]
[25] (Harsh Walia and Shobhit Chandra, 2017)
[26] (Rajiv Kumar, 2018)
[27] (Surabhi Agarwal, 2018)

The Indian information technology and IT-enabled services industry would be the most affected by the new law since it derives almost 30% of its revenues from Europe.[28]

[28] (Surabhi Agarwal, 2018)
References
Harsh Walia and Shobhit Chandra. (2017, December 20). Impact of GDPR on Indian data processing companies. Retrieved from Data Quest: http://www.dqindia.com/impact-general-data-protection-regulations-indian-data-processing-companies/
Michael Nadeau. (2018, April 13). General Data Protection Regulation (GDPR) requirements, deadlines and facts. Retrieved from CSO: https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
Rajiv Kumar. (2018, March 22). GDPR: What does it mean to India? Retrieved from Nasscom Community: https://community.nasscom.in/community/discuss/policies/gdpr/blog/2018/03/22/general-data-protection-regulationgdpr-what-it-means-for-india-and-the-world
RSA. (2017). Data Privacy and Security. France, Germany, Italy, the United Kingdom and the United.
Siddhesh Hedulkr. (2017, November 22). Impact of GDPR on Indian organizations. Retrieved from CTA Professional Network: http://ctapn.com/archives/755
Surabhi Agarwal. (2018, April 13). Europe's data protection law may have severe implications for India’s IT industry. Retrieved from The Economic Times: https://economictimes.indiatimes.com/tech/internet/europes-data-protection-law-may-have-severe-implications-for-indias-it-industry/articleshow/63741020.cms