GDPR:
Fundamentals
Anand Krishnan
Senior Analyst-Policy
CIPP/E, CIPM, DCPP
Introduction
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of individuals in the EU, and to reshape the way organizations across the region approach data privacy.
4. Sensitive data.
6. Individual’s rights.
Controller: the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: the entity that processes personal data on behalf of the controller.
-In the case of joint control, several parties jointly determine the purposes and means of one or more processing activities.
-In such cases, each party is independently (yet fully) responsible for ensuring compliance of its own processing activities. In principle, the liability exposure of each party is also strictly limited to the processing activities under its own control.
Legal Grounds for Processing
-Data subject's consent
-Performance of a contract
-Legal obligation
-Vital interests of a person
-Public interest / official authority
-Legitimate interests of the controller or a third party
Consent
Freely given -Consent must be a genuine and free choice, and individuals must be able to refuse or withdraw it at any time without detriment.
-Consent is not valid when there is a clear imbalance between the individual and the controller.
-Consent is presumed not to be freely given when:
• The individual is not allowed to give separate consent to different processing activities.
• The provision of a service is made conditional on consent that is not necessary for performing that service.
Legitimate Interests
-Biometric data: personal data resulting from specific technical processing relating
to the physical, physiological or behavioral characteristics of an individual, which
allow his or her unique identification (e.g., facial images or dactyloscopic data).
DPIA, DPO, Privacy by Design and Default
DPIA flow: Is there a high risk for the individual? -> Assessment of the risks for individuals -> Identification of the mitigation measures -> If a high risk remains, consult the DPA.
DPO: -Cooperates with DPAs and acts as a contact point (in case of DPA consultation).
Notification of data breach
-To the DPA: without undue delay, within 72 hrs.
-To the affected individuals: without undue delay, if the breach is likely to result in a "high risk" to them.
Controller to Processor
-Mandatory contract (data processing agreement) between the controller and the processor.
-The contract must oblige the processor to process data only on the documented instructions of the controller and to assist the controller in complying with the GDPR.